A Semantic Approach to Evaluate the Impact of Cyber Actions on the Physical Domain

CEUR-WS Vol-966 (STIDS 2012)
PDF: https://ceur-ws.org/Vol-966/STIDS2012_T08_BarretoEtAl_EvaluateImpactOfCyberActions.pdf
DBLP: https://dblp.org/rec/conf/stids/BarretoCY12

Alexandre de Barros Barreto, Instituto Tecnológico de Aeronáutica, São José dos Campos, SP, Brazil. Email: adebarro@c4i.gmu.edu
Paulo Cesar G. Costa, George Mason University, Fairfax, VA, USA. Email: pcosta@gmu.edu
Edgar T. Yano, Instituto Tecnológico de Aeronáutica, São José dos Campos, SP, Brazil. Email: yano@ita.br

Abstract—Evaluating the impact that events within the cyber domain have on a military operation and its critical infrastructure is a non-trivial question, which remains unanswered so far in spite of the various research efforts addressing it. The key issue underlying this question is the difficulty in correlating cyber and physical behaviors in an integrated view, thus allowing for real-time analysis. This paper addresses the issue with the development of an ontology-based framework in which the cyber and physical behaviors are integrated in a consolidated view, using a combination of open standards protocols and semantic technologies. In our approach, the mission and its physical aspects are modeled using a business process language (e.g., BPMN) and an information infrastructure based on the Simple Network Management Protocol (SNMP). In this scheme, changes in the environment are captured using the output of sensor components existing in the infrastructure. In order to ensure a complete and integrated analysis of the accruing data, we have developed a Cyber Situation ontology (in OWL) and a methodology for mapping the cyber and the physical domains. In this framework, mission data from the environment is retrieved and fused using an engine based on the Semantic Web Rule Language (SWRL). The output of this process is then presented to an analyst in a way that only the most important information needed to support his/her decisions is shown. To validate our approach, a real air traffic scenario was modeled and many simulated flights were generated to support our experiments.

I. INTRODUCTION

With the increasing automation of processes and systems that are part of critical infrastructures supporting military and vital civilian operations, the cyber domain has become one of the most important aspects in strategic planning.

Society's dependence on this domain [1] has reached a point in which it is now considered a new dimension of war, together with air, land and sea. In this new paradigm, a key aspect is to understand how actions performed in the cyber domain (space and time) affect the operations taking place in the other domains, so one can leverage actions in the cyber domain as tools to achieve the campaign objectives [2], [3].

Unfortunately, this is no trivial task, since it requires correlating cyber and physical behaviors in an integrated view that allows tasks to be evaluated in real time. The complexity embedded in this requirement implies, among other things, that an IT manager supporting critical infrastructures must be able to access all relevant data pertaining to the network and translate it to the support team in a way that allows them to understand the real impact of cyber threats to the network and what it means to the overall mission. Existing tools and methodologies cannot provide this level of information, and are not suitable to support complex cyber threat assessment in real situations. This is a major gap that to our knowledge has not been successfully filled, in spite of the relatively large body of research focused on the subject.

This paper addresses this gap by proposing a semantic framework that fuses physical and cyber data collected from existing sensors and retrieves the information that is relevant to the assessment of cyber impact. It is designed to support analysts with an integrated view, one that correlates actions in the cyber domain with effects in other domains, allowing the evaluation of their impact on the operational objectives.

The proposed framework and its main aspects are illustrated and evaluated via a simulated air traffic scenario, which includes a large number of simulated flights.

This paper is organized as follows. Section II presents the main concepts necessary to understand the framework being proposed, as well as a sample of the most relevant approaches proposed so far to address the problem. Section III describes the framework for evaluating the impact of a cyber attack on an operation occurring in the physical domain. The approach is discussed in Section IV, and illustrated with an analysis of a fictitious air traffic scenario built specifically to evaluate our research. Finally, Section V presents a few considerations and issues that must be addressed in future research aimed at improving the approach.

II. BACKGROUND AND RELATED RESEARCH

The main concept to present is mission. As discussed in [4], a mission is the task (or set of tasks), together with its (their) associated purpose, that clearly indicates the action to be taken, assigned to an individual or unit.

Three other important concepts are Situation Awareness, Impact Assessment and Threat Assessment. The first, as described in [5], is the perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status into the near future to enable decision superiority.

The second important concept, Impact Assessment, involves the task of estimating the effects on situations of planned or estimated/predicted actions by the participants, including interactions between action plans of multiple players [6].
The third and last concept, Threat Assessment, can be understood as an expression of intention to inflict evil, injury, or damage. The focus of threat analysis is to assess the likelihood of truly hostile actions and, if they were to occur, the projected possible outcomes [6].

From a general perspective, the second and third concepts can be seen as being part of the first, but with a difference in their focus. More specifically, while impact assessment looks for an "internal" understanding (i.e., what is happening and why should I care?), threat assessment seeks the same understanding from the enemy's viewpoint (i.e., how they can hurt us). More important to our research is the fact that all these concepts imply a means to assess the mission. In other words, all must go through the process of specifying and maintaining a reasonable degree of confidence in mission success, which is linked to the concept of Mission Assurance [7].

Literature on the subject of measuring the effectiveness of a mission points to two major approaches. The first is to use the concept of task as the evaluation basis, while the second instead focuses on the effects [8]. The framework presented in this paper adopts the second approach.

The main approach to provide mission understanding involves using a set of distributed sensors to detect intrusions and to uncover attack paths. The preliminary research on the subject is due to Denning [9] and Bass [10]. Schneier [11] proposed the use of an attack tree to measure effect, which allows understanding of the relationships between attacks, as well as how one attack over a cyber asset affects other assets. In spite of the advances cited above, the problem of determining the impact of a cyber attack on a (mission) task still persists, since no methodology exists to effectively map cyber assets to tasks. Furthermore, these techniques are not capable of dealing with some common types of cyber attacks, rendering them unsuitable for impact assessment in the current state of the art in cyber warfare. For instance, when an attack is new (e.g., a zero-day attack), its signature is unknown and there will be no attack tree associated with it. As a result, it will be extremely difficult to identify its attack pattern by the time it occurs.

The above limitation illustrates the need for new approaches. A more comprehensive one would involve identifying attacks, highlighting significant events and then understanding their importance in a system [12]. To assess the importance of events, one must understand how the process of planning and implementing a mission works. Topological Analysis of Network Vulnerability (TVA) [13] is meant to provide such understanding. TVA supports an analyst in measuring the impact of a threat through the evaluation of topological aspects of the environment. The main weakness of this approach is the absence of an explicit mapping between the mission and the infrastructure supporting it. As a result, this becomes yet another cognitive burden implicitly assigned to the analyst, a solution that clearly does not scale well with the increasing complexity of the operational environment.

Another related approach can be summarized by the work on Mission-Oriented Risk and Design Analysis (MORDA) [14] and on the Security Optimization Countermeasures Risk and Threat Evaluation System (SOCRATES) [15]. In this approach, all components that exist in the problem (mission, resources and threats) are mapped and used in the analysis. However, the mapping process is very complex and requires continuous interaction with the human analyst (i.e., human-in-the-loop), who needs to provide constant feedback and input to the methodology. As a consequence of its demand for human interaction, this approach tends to be applied in the planning phase, while being less suitable to the time-critical environment found in real-time decision making scenarios.

Another methodology that relates to the problem addressed in this paper is Cyber Mission Impact Assessment (CMIA) [7], [16]. CMIA presents a way to (manually) associate mission and infrastructure, and use the resulting association to support the assessment of mission assurance.

In a typical analytical process using CMIA, each attack is simulated and its associated impact is calculated. Then, all attacks and assets are correlated and the paths with the highest cost are prioritized. The major deficiency of this approach is its inability to evaluate more than one attack simultaneously, which prevents an assessment of the synergistic effect of coordinated attacks. This is a major liability, since in most cases the enemy would attempt to achieve an overall effect with parallel attacks that is much greater than the sum of the isolated effects of these same attacks.

The above mentioned works are a representative subset of current research related to the evaluation of the impact of cyber threats, and can thus support the claim that the research problem remains unsolved. In summary, each approach suffers from at least one of the two issues that can be singled out as the main causes for this situation. The first is the lack of a correlation (and, in some cases, computation) between the main components that are needed for impact assessment, the mission and its supporting infrastructure. The second cause for failures is the inability to provide real-time analysis of these two components and their interactions. The proposed framework is meant to address both, with a unique combination of semantic technologies, operations research, and simulation, which we explain in the next Section.

III. EVALUATING THE IMPACT OF CYBER THREATS

This paper proposes ARGUS, a new framework that evaluates the impact of a cyber attack on a mission. ARGUS is comprised of four main phases: 1) modeling of mission, 2) modeling of network architecture, 3) collecting cyber and mission information, and 4) developing impact assessment. These phases are depicted in Figure 1.

As implied in the diagram, the core idea within ARGUS is to capture the mission and infrastructure information and consolidate it in an integrated data representation, which allows for a comprehensive analysis to be performed.

A. Modeling of Mission

The first phase in ARGUS involves modeling of mission, which is achieved by the use of a business process language.
Figure 1. ARGUS major phases

The goal of this phase is to capture the most important information of the mission within the model. Importance here, of course, is measured with respect to its relevance to impact assessment, and includes the tasks, relationships between the tasks, objectives, resources required to develop the mission and, finally, the performer (i.e., the entity or set of entities that has the responsibility to perform the mission).

In our current research, we leveraged previous experience within our group and made the design decision of capturing these aspects using the Business Process Modeling Notation (BPMN) language [17]. However, any business modeling language with the ability to capture the information described above could have been used and, therefore, might be used with the framework in the future.

One of the most important features of ARGUS is its reliance on semantic technologies to ensure consistency when used in multiple domains. Therefore, although a business modeling language is used as the basis for information elicitation (BPMN, in the current implementation of ARGUS), all information captured is stored in an ontology-based information representation repository. The ontology supporting the repository was developed using the most recent version of the W3C recommended OWL 2 Web Ontology Language [18]. In fact, to illustrate the advantages of using an ontology-based framework, it should be emphasized that we did not have to develop a mission ontology from scratch; we simply imported and made some adaptations to existing work by others. That is, the ontology itself is an adaptation of the one defined in D'Amico et al. [19], while the architecture is based on that of Mateus et al. [20].

In our context, the main concept in a mission is activity (see Figure 2). An activity has a set of pre- and post-conditions and one goal. Its goal is to produce one or more effects over a resource. An activity can be measured, which makes it possible to understand the state of the mission's components.

Due to its main focus on business, BPMN lacks native support for some of the mission information that needed to be captured. Thus, we had to extend its basic structure to accommodate our representational requirements. Figures 2 and 3 illustrate some of the extended attributes (marked with a circle in the figures), which are present in the mission ontology supporting the repository.

The use of a business language (BPMN in the current implementation) was not only convenient as a development tool for the framework, but also proved to be rather suitable for capturing the main aspects of a mission, especially when it is used in civilian environments such as air traffic management, nuclear power plants, and others. Its business-oriented notation made it easier to accommodate the concepts of a mission in the Air Traffic Domain that we are using in the evaluation of the research, while also having a relatively straightforward mapping to the associated concepts in the mission ontology.

One example of a business-oriented concept being mapped to the mission ontology is that of a Pool. To model a mission, an analyst starts by describing the Organizations that participate in the process of accomplishing the mission. These can be squadrons, sectors, departments, battalions, or any functional structure involved with the mission details. Pool is the BPMN concept used to describe such organizations.

We expect the currently developed mapping to be relatively robust when applied along with the framework to other domains. Table I summarizes the mapping developed in this initial phase of our research.

Table I. MAPPING BPMN TO THE MISSION ONTOLOGY

  Mission Model Concept    BPMN Source
  Organization             Pool
  System                   Lane
  Activity                 Task
  Service                  Performer
  Condition                Gateway or Event

The ARGUS approach only builds mappings between automated processes, although BPMN is able to support non-automated ones. A service is understood as the entity responsible for performing tasks (activities), while a system is a collection of services. To ensure a proper correlation between business and infrastructure data, the analyst must describe where the service is provided, using its address and ports.

The framework supports the identification of relevant information from raw data captured by the sensors. In order for this to be accomplished, information regarding the effect, conditions and service level is described using rules. More specifically, an effect is the result, outcome, or consequence of an action (task) over a resource. Further, a condition can be understood as the state of the environment or of a situation in which a performer (service) performs or is disposed to perform a task. Finally, service level refers to the minimum (or maximum, depending on the requirement) standard that a service is expected to reach with confidence.
                                                     Figure 2.   The Mission Ontology
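The Table I mapping, as an added example that is not code from the ARGUS project: the Python below reads a constructed BPMN 2.0 collaboration and maps participant (Pool) to Organization, lane to System, task to Activity, the task's performer resource to Service, and gateways and events to Condition. The BPMN namespace is the OMG one; the `argus` namespace, its `<argus:endpoint>` element and the sample model are assumptions standing in for the paper's extended attributes (the address and ports the analyst declares for a service). Processes that are not executable are skipped, matching the restriction to automated processes, and services without an endpoint or tasks without a performer are reported, since they cannot be correlated with a cyber asset later.

```python
"""Map a BPMN 2.0 collaboration onto the mission-ontology concepts of Table I.

Added example; not code from the ARGUS project. The BPMN namespace is the OMG
one. The 'argus' namespace and its <argus:endpoint> element are assumptions
standing in for the paper's extended attributes (where a service is provided).
"""
import xml.etree.ElementTree as ET

NS = {"bpmn": "http://www.omg.org/spec/BPMN/20100524/MODEL",
      "argus": "urn:example:argus"}  # assumed extension namespace
CONDITION_TAGS = {"exclusiveGateway", "inclusiveGateway", "parallelGateway",
                  "startEvent", "endEvent", "intermediateCatchEvent"}

# Constructed sample: one Pool (AIS), one Lane, two Tasks with a Performer,
# one Gateway, and an assumed endpoint annotation on the performer's resource.
SAMPLE_BPMN = """\
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
                  xmlns:argus="urn:example:argus" id="defs">
  <bpmn:collaboration id="collab">
    <bpmn:participant id="P_AIS" name="AIS" processRef="proc_ais"/>
  </bpmn:collaboration>
  <bpmn:resource id="R_FPS" name="FlightPlanService">
    <bpmn:extensionElements>
      <argus:endpoint host="10.0.0.5" port="8080" proto="tcp"/>
    </bpmn:extensionElements>
  </bpmn:resource>
  <bpmn:process id="proc_ais" isExecutable="true">
    <bpmn:laneSet id="ls">
      <bpmn:lane id="L_FPS" name="FlightPlanSystem">
        <bpmn:flowNodeRef>T_insert</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>G_valid</bpmn:flowNodeRef>
        <bpmn:flowNodeRef>T_clear</bpmn:flowNodeRef>
      </bpmn:lane>
    </bpmn:laneSet>
    <bpmn:task id="T_insert" name="InsertFlightPlan">
      <bpmn:performer id="perf1"><bpmn:resourceRef>R_FPS</bpmn:resourceRef></bpmn:performer>
    </bpmn:task>
    <bpmn:exclusiveGateway id="G_valid" name="PlanValid"/>
    <bpmn:task id="T_clear" name="RequestClearance">
      <bpmn:performer id="perf2"><bpmn:resourceRef>R_FPS</bpmn:resourceRef></bpmn:performer>
    </bpmn:task>
  </bpmn:process>
</bpmn:definitions>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}task' -> 'task')."""
    return tag.rsplit("}", 1)[-1]


def map_bpmn(xml_text):
    """Return the Table I mapping plus a list of modeling issues found on the way."""
    root = ET.fromstring(xml_text)
    services, issues = {}, []
    for res in root.findall("bpmn:resource", NS):              # Performer -> Service
        ep = res.find("bpmn:extensionElements/argus:endpoint", NS)
        services[res.get("id")] = {
            "name": res.get("name"),
            "endpoint": None if ep is None else
            (ep.get("host"), int(ep.get("port")), ep.get("proto", "tcp")),
        }
        if ep is None:  # without address/port it cannot be correlated with a cyber asset
            issues.append(f"service {res.get('name')} declares no endpoint")
    processes = {p.get("id"): p for p in root.findall("bpmn:process", NS)}
    orgs = {}
    for part in root.findall("bpmn:collaboration/bpmn:participant", NS):  # Pool -> Organization
        systems = {}
        orgs[part.get("name")] = systems
        proc = processes.get(part.get("processRef"))
        if proc is None or proc.get("isExecutable") != "true":   # only automated processes
            issues.append(f"organization {part.get('name')}: process is not automated, skipped")
            continue
        node_lane = {}
        for lane in proc.findall("bpmn:laneSet/bpmn:lane", NS):   # Lane -> System
            systems[lane.get("name")] = {"activities": [], "conditions": []}
            for ref in lane.findall("bpmn:flowNodeRef", NS):
                node_lane[ref.text.strip()] = lane.get("name")
        for node in proc:
            tag, system = _local(node.tag), systems.get(node_lane.get(node.get("id")))
            if system is None:
                continue
            if tag == "task":                                    # Task -> Activity
                ref = node.find("bpmn:performer/bpmn:resourceRef", NS)
                svc = services.get(ref.text.strip()) if ref is not None else None
                if svc is None:
                    issues.append(f"activity {node.get('name')} has no performer")
                system["activities"].append({"id": node.get("id"), "name": node.get("name"),
                                             "service": None if svc is None else svc["name"]})
            elif tag in CONDITION_TAGS:                          # Gateway/Event -> Condition
                system["conditions"].append({"id": node.get("id"), "name": node.get("name"),
                                             "kind": tag})
    return {"organizations": orgs, "services": services, "issues": issues}
```

The `issues` list is the part worth reading first in practice: an activity with no performer, or a service with no endpoint, means the second phase will have nothing to correlate against the SNMP data and the task will silently fall out of every later analysis.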



B. Modeling of Network Architecture

The second phase in ARGUS, modeling of network architecture, is in fact performed almost in parallel with the first. In this phase, all information about the infrastructure is captured using the Simple Network Management Protocol (SNMP) [21] and stored in the ontology-supported information representation repository. The main concept in the ontology used to represent the infrastructure is Cyber Asset, which is also depicted in Figure 3. Cyber Assets are responsible for hosting one or more services (which are what performs the activities needed by the mission). Through services, ARGUS maps the infrastructure onto the mission and vice versa.

Figure 3. The Resource Ontology

Another important concept from BPMN is that of a performer, which was mapped to the mission ontology as service (cf. Table I). In BPMN, the performer concept defines the resource that is responsible for an activity. It can be specified in the form of a specific individual, a group, an organization role or position, or an organization. Due to the above mentioned mapping, in ARGUS performers are services, which explains the need for analysts to specify the implementation address during the modeling. In other words, the correlation between the services and the cyber assets is made automatically by the framework via SNMP queries, which collect the UDP/TCP ports of the services via two objects residing in the Management Information Base (MIB) of each of the network hosts (tcpConnLocalPort, in the MIB-II tcpConnTable, and udpLocalPort, in the udpTable).

To build the network architecture and its variations, the framework queries three other objects residing in each host's MIB, the columns of the MIB-II ipRouteTable: ipRouteDest, ipRouteMetric (ipRouteMetric1 in RFC 1213), and ipRouteNextHop. The combination of the information retrieved from these tables allows the framework algorithm to infer the neighbors of the host, as well as the network distance between the host and nodes that were eventually discovered via the routing protocol embedded in the framework algorithm. Finally, the framework uses changes in those attributes (e.g., nodes added, nodes deleted, changes in nodes' IP route metrics, etc.) as parameters for inferring the network dynamics. Besides the network information mentioned above, the framework also uses SNMP to retrieve a set of other infrastructure properties, such as memory (persistent and volatile) size, operating system, uptime, etc. It is outside the scope of this paper to explain in detail the framework algorithms and how each network parameter is assessed; more information on these details can be obtained from the work at the GMU/ITA C2 testbed (cf. [22]).

C. Collecting Cyber and Mission Information

The third phase in ARGUS involves the collection of relevant information. In this case, the criterion for information to be considered relevant is related to the value it adds to the overall understanding of the environment (i.e., how it improves situation awareness). This assessment is performed in accordance with the general scheme depicted in Figure 4.

The main concept in the scheme is Situation, which is an event or set of events that are meaningful to the mission. In ARGUS, events can be captured in many different ways. In our first implementation, we can retrieve the data existing in the SYSLOG database [23] or capture network packets via a packet capture (PCAP) interface (e.g., through an intrusion detection system) [24]. Once an event is captured, the framework uses rules to classify it as being part of a situation. As previously mentioned, these rules will be applied to information retrieved from the network sensors and inserted into the framework through the BPMN and Ontology interfaces (cf. Figures 2, 3, and 4).

The design choice for describing the rules was the Semantic Web Rule Language (SWRL) [25]. SWRL extends the set of OWL axioms to include Horn-like rules, thus enabling Horn-like rules to be combined with an OWL knowledge base. The expressiveness achieved by this rule scheme is key to the framework's ability to capture aspects that cannot be easily captured using OWL, such as utilization of resources, mission requirements, and others.

Once all information needed from the business and infrastructure is retrieved, the events are captured from the sensors' input, and classified in accordance with relevant situations using rules. Then the framework is ready to evaluate the impact of the current state of the system on its main mission. In ARGUS, this evaluation is performed through four distinct types of analysis: dependence paths, temporal, cost, and history degradation.

The first type of analysis, dependence paths, aims to uncover problems in topology that have the potential to affect the accomplishment of the mission. The typical questions involved in this analysis include (but are not limited to) the following:
  • In this state of the system, can the mission goal be reached?
  • If task C fails, is there any path left to reach the goal?

The second type of analysis, temporal, seeks to define a window of interest in which the problem is solvable. The typical questions that are raised in this type of analysis include but are not limited to:
  • What tasks need to be monitored at time T?
  • How much time is needed to finish the task and accomplish its objective?

The third type of analysis, cost, is meant to identify when the cost starts to become a serious threat to the task execution. In other words, it evaluates the cost/benefit ratio of each task with respect to the overall mission. The typical questions to be answered in this analysis include:
  • How much does this task cost?
  • Do the benefits of this task justify the costs involved in its execution?
  • If task C is compromised, does an alternative route have an acceptable cost?

The last type of analysis, history degradation, has the goal of understanding how fast the infrastructure is degrading. Its typical questions can be similar to the ones in each of the above analyses, but with a focus on the way the infrastructure assets are degrading and the associated impact on the overall mission.

D. Developing Impact Assessment

The fourth phase in ARGUS, impact assessment, is the main part of the framework. In order for this phase to be executed in real time, so that the impact evaluation is done as the mission unfolds, we have developed the reference implementation depicted in Figure 5.

The Cyber Situation Awareness engine (CyberSA Engine) is comprised of six modules. The first is the BPMN Module, which performs the tasks of getting mission information from a BPMN file, parsing it, and mapping the retrieved concepts to the mission ontology.

The SNMP and SYSLOG modules perform queries on all hosts and on the SYSLOG server, respectively. When the associated answers are received, the module parses and converts them to the format in which they will be used in the system.
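The SNMP-based discovery of Section III-B, as an added example that is not part of the ARGUS code: the Python below takes constructed `snmpwalk`-style answers from three hosts, reads the MIB-II objects the paper names (tcpConnLocalPort and udpLocalPort for the listening ports; ipRouteDest, ipRouteNextHop and the route metric, ipRouteMetric1 in RFC 1213) plus ipAdEntAddr, which the paper does not list and is used here only to learn each host's own interface addresses, infers neighbors and hop distances from the next hops, and checks the address and port each service declares in the mission model against what its host is actually listening on. The hosts, addresses, ports and the three walks are invented.

```python
"""Build cyber assets, listening services and a neighbor graph from MIB-II data.

Added example; not code from the ARGUS project. The lines below are constructed
in the style of net-snmp's `snmpwalk` output; hosts, addresses and ports are
invented. Objects used: tcpConnLocalPort, udpLocalPort, ipRouteDest,
ipRouteNextHop, ipRouteMetric1 (RFC 1213's name for the route metric the paper
calls ipRouteMetric) and ipAdEntAddr (not in the paper; gives own addresses).
"""
import re
from collections import deque

WALK = {  # host queried -> constructed snmpwalk lines returned by its agent
    "10.0.0.5": [
        "RFC1213-MIB::tcpConnLocalPort.10.0.0.5.8080.0.0.0.0.0 = INTEGER: 8080",
        "RFC1213-MIB::tcpConnLocalPort.10.0.0.5.22.0.0.0.0.0 = INTEGER: 22",
        "RFC1213-MIB::tcpConnLocalPort.10.0.0.5.8080.10.0.0.9.51234 = INTEGER: 8080",
        "RFC1213-MIB::udpLocalPort.0.0.0.0.161 = INTEGER: 161",
        "RFC1213-MIB::ipRouteDest.10.0.0.0 = IpAddress: 10.0.0.0",
        "RFC1213-MIB::ipRouteNextHop.10.0.0.0 = IpAddress: 10.0.0.5",
        "RFC1213-MIB::ipRouteMetric1.10.0.0.0 = INTEGER: 0",
        "RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0",
        "RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 10.0.0.1",
        "RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1",
    ],
    "10.0.0.1": [  # router with two interfaces
        "RFC1213-MIB::ipAdEntAddr.10.0.0.1 = IpAddress: 10.0.0.1",
        "RFC1213-MIB::ipAdEntAddr.10.0.1.1 = IpAddress: 10.0.1.1",
        "RFC1213-MIB::ipRouteDest.10.0.0.0 = IpAddress: 10.0.0.0",
        "RFC1213-MIB::ipRouteNextHop.10.0.0.0 = IpAddress: 10.0.0.1",
        "RFC1213-MIB::ipRouteMetric1.10.0.0.0 = INTEGER: 0",
        "RFC1213-MIB::ipRouteDest.10.0.1.0 = IpAddress: 10.0.1.0",
        "RFC1213-MIB::ipRouteNextHop.10.0.1.0 = IpAddress: 10.0.1.1",
        "RFC1213-MIB::ipRouteMetric1.10.0.1.0 = INTEGER: 0",
    ],
    "10.0.1.7": [
        "RFC1213-MIB::udpLocalPort.0.0.0.0.514 = INTEGER: 514",
        "RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0",
        "RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 10.0.1.1",
        "RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1",
    ],
}
LINE = re.compile(r"^(?:[\w-]+::)?(\w+)\.([\d.]+) = \w+: (\S+)$")


def parse_walk(lines):
    """Group values by MIB object name: {'ipRouteDest': {index: value}, ...}."""
    objs = {}
    for line in lines:
        m = LINE.match(line)
        if m:  # lines that do not parse are ignored rather than trusted
            objs.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return objs


def host_inventory(host, lines):
    """Own addresses, listening (proto, port) pairs and routes of one host."""
    objs = parse_walk(lines)
    addresses = {host} | set(objs.get("ipAdEntAddr", {}).values())
    listening = set()
    for idx, port in objs.get("tcpConnLocalPort", {}).items():
        parts = idx.split(".")  # index: localAddr(4) . localPort . remAddr(4) . remPort
        if ".".join(parts[5:9]) == "0.0.0.0":  # no remote peer: a listening socket
            listening.add(("tcp", int(port)))
    for port in objs.get("udpLocalPort", {}).values():
        listening.add(("udp", int(port)))
    routes = {dest: (objs.get("ipRouteNextHop", {}).get(idx),
                     int(objs.get("ipRouteMetric1", {}).get(idx, 0)))
              for idx, dest in objs.get("ipRouteDest", {}).items()}
    return {"addresses": addresses, "listening": listening, "routes": routes}


def build_topology(walks):
    """Infer neighbors: a next hop owned by another queried host is an adjacent node."""
    inv = {h: host_inventory(h, lines) for h, lines in walks.items()}
    owner = {a: h for h, i in inv.items() for a in i["addresses"]}
    neighbors = {h: set() for h in inv}
    for h, i in inv.items():
        for next_hop, _metric in i["routes"].values():
            peer = owner.get(next_hop)
            if peer and peer != h:
                neighbors[h].add(peer)
                neighbors[peer].add(h)
    return inv, neighbors


def hop_distance(neighbors, src, dst):
    """Network distance in hops over the inferred graph, or None if unreachable."""
    seen, queue = {src: 0}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return seen[node]
        for nxt in neighbors.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return None


def correlate_services(declared, inv):
    """Check each service endpoint declared in the mission model against its host's MIB."""
    report = {}
    for name, host, port, proto in declared:
        if host not in inv:
            report[name] = "host not discovered"
        elif (proto, port) in inv[host]["listening"]:
            report[name] = "listening"
        else:
            report[name] = "declared but not listening"
    return report
```

A service that is declared but not listening is the first cheap signal that either the mission-to-asset mapping is wrong or the service is down; re-running the walk and diffing the neighbor sets and route metrics yields the node-added, node-deleted and metric-changed events the paper feeds into its dynamics inference. A framework driven by SNMP answers also inherits SNMP's trust model: with v1/v2c the community string travels in cleartext and a spoofed or compromised agent can feed the collector false routes and ports, so the queries should use SNMPv3 with authentication and privacy and read-only views, and MIB data should be treated as sensor input to be corroborated rather than as ground truth.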
                                                 Figure 4.   Capturing the Details of an Event
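As an added example (not ARGUS code) tying the event capture of Section III-C to the dependence-path and cost questions listed there: constructed SYSLOG lines are parsed, two rules written as Python functions (each with the SWRL rule it stands in for sketched in a comment) classify them into a ServiceUnavailable situation, and a small constructed mission model is then asked whether the goal is still reachable, what the cheapest remaining route costs, and what happens if the backup task fails as well. The mission, services, hosts, costs and log lines are all invented; the flow loosely follows the paper's air traffic scenario.

```python
"""Rule-based classification of SYSLOG events into situations, followed by the
dependence-path and cost analyses of Section III-C on a small mission model.

Added example; not code from the ARGUS project. Mission, services, hosts,
costs, SYSLOG lines and rules are constructed. The rules are Python functions
standing in for SWRL rules; the SWRL form each approximates is in its comment.
"""
import heapq
import re

# Mission model: task -> (cost, performing service, successor tasks). Tracks can
# arrive from a primary or a backup radio station (an exclusive gateway in BPMN).
MISSION = {
    "InsertFlightPlan": (1, "FlightPlanService", ["RequestClearance"]),
    "RequestClearance": (1, "FlightPlanService", ["ReceiveTracksPrimary", "ReceiveTracksBackup"]),
    "ReceiveTracksPrimary": (2, "RadioTrackService-1", ["FuseTracks"]),
    "ReceiveTracksBackup": (6, "RadioTrackService-2", ["FuseTracks"]),
    "FuseTracks": (2, "APPFusionService", ["GenerateAlerts"]),
    "GenerateAlerts": (1, "APPAlertService", ["Goal"]),
    "Goal": (0, None, []),
}
SERVICE_HOST = {"FlightPlanService": "ais-srv", "RadioTrackService-1": "radio-1",
                "RadioTrackService-2": "radio-2", "APPFusionService": "app-srv",
                "APPAlertService": "app-srv"}

# Constructed SYSLOG lines in RFC 3164 form: <PRI>TIMESTAMP HOST TAG[PID]: MSG
EVENTS = [
    "<11>Mar  4 10:02:11 app-srv trackfeed[2211]: link to radio-1 lost",
    "<38>Mar  4 10:02:15 ais-srv sshd[911]: Failed password for root from 10.0.0.9 port 51234 ssh2",
    "<13>Mar  4 10:02:20 radio-1 kernel: eth0: link down",
]
SYSLOG = re.compile(r"^<\d+>(\w{3}\s+\d+ [\d:]+) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")


def parse_event(line):
    """Split one SYSLOG line into its fields; None for lines that do not parse."""
    m = SYSLOG.match(line)
    if not m:
        return None
    time, host, tag, msg = m.groups()
    return {"time": time, "host": host, "tag": tag, "msg": msg}


def rule_host_link_down(ev):
    # SWRL sketch: Event(?e) ^ hasHost(?e, ?h) ^ hasMessage(?e, ?m)
    #   ^ swrlb:contains(?m, "link down") ^ hosts(?h, ?s) -> ServiceUnavailable(?s)
    if "link down" not in ev["msg"]:
        return set()
    return {("ServiceUnavailable", s) for s, h in SERVICE_HOST.items() if h == ev["host"]}


def rule_peer_link_lost(ev):
    # SWRL sketch: Event(?e) ^ hasMessage(?e, ?m) ^ swrlb:matches(?m, "link to (.*) lost")
    #   ^ hosts(?peer, ?s) -> ServiceUnavailable(?s)
    m = re.search(r"link to (\S+) lost", ev["msg"])
    if not m:
        return set()
    return {("ServiceUnavailable", s) for s, h in SERVICE_HOST.items() if h == m.group(1)}


RULES = [rule_host_link_down, rule_peer_link_lost]


def classify(lines):
    """Events no rule fires on (the sshd line here) belong to no mission situation."""
    situations = set()
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            for rule in RULES:
                situations |= rule(ev)
    return situations


def failed_tasks(situations, extra=()):
    """Tasks whose service is unavailable, plus assumed failures ("if task C fails")."""
    down = {s for kind, s in situations if kind == "ServiceUnavailable"}
    return {t for t, (_, svc, _) in MISSION.items() if svc in down} | set(extra)


def cheapest_path(failed, start="InsertFlightPlan", goal="Goal"):
    """Dijkstra over task costs avoiding failed tasks: (cost, path), or None if unreachable."""
    if start in failed:
        return None
    best = {start: MISSION[start][0]}
    heap = [(MISSION[start][0], start, [start])]
    while heap:
        cost, task, path = heapq.heappop(heap)
        if task == goal:
            return cost, path
        if cost > best[task]:
            continue
        for nxt in MISSION[task][2]:
            c = cost + MISSION[nxt][0]
            if nxt not in failed and c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, nxt, path + [nxt]))
    return None


def goal_reachable(failed):
    return cheapest_path(failed) is not None
```

Run over EVENTS, the rules take RadioTrackService-1 out of service, the primary track path is gone, and the cheapest route to the goal rises from 7 to 11 through the backup station, which is the "does an alternative route have an acceptable cost" question made concrete; declaring the backup task failed as well makes the goal unreachable. The sshd failed-password line fires no rule and so enters no situation, which is the paper's criterion that only events meaningful to the mission are promoted.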



The PCAP module retrieves event data from the network. However, analyzing the retrieved raw data is a time-consuming and non-trivial task, so in our implementation we have made the design decision of using an external tool, TShark [26]. This tool is a terminal-oriented version of Wireshark designed for capturing and displaying packets when an interactive user interface is not necessary or not available. It has a set of filters that produce information in a format that is more readable to analysts.

Once the four modules above collect and process their respective information, the result needs to be made available in a consistent way so the CyberSA Engine can provide it to the users. This consistency is also achieved with the support of semantic technologies, via the implementation of a Semantic Fusion Module. The main services this module provides are making inferences and applying rules, which were written by analysts using the GUI.

The Semantic Fusion Module uses two libraries to provide its features. The first is the OWL API [27], a Java API and reference implementation for creating, manipulating and serializing OWL ontologies. The second is Pellet [28], which is an OWL 2 reasoner that provides standard and cutting-edge




reasoning services for OWL ontologies.

Figure 5. The CyberSA Engine

The last module of the CyberSA Engine is the View Module, which provides the interface to analysts. The main goals of this interface are to allow analysts to provide information the system cannot obtain automatically, and to write the rules used by the system's inference engine.

Figure 6 is an example of a typical form of the system's GUI, in this case one that allows the analyst to set up a task. In the combo box depicted in the figure (named "Activity"), the analyst chooses the type of activity he wants to set, as well as the associated fields, which are shown in a contextual fashion with support from the mission ontology. In the example, the analyst chose the activity "FlightStartWarning", and was then presented with three fields. In the first field, the analyst is presented with the resources that he needs to do the task. In the remaining two fields, the analyst is expected to describe, using rules in SWRL syntax, how to measure the task progress and the conditions under which this measure will be performed.

service where the aircraft consume the smallest amount of fuel and the system generates a low number of collision resolution events. A collision resolution event happens when two aircraft fly within a distance (vertical or horizontal) that is smaller than the safety rules defined by law.

The simulation includes three distinct air traffic service organizations (cf. Figure 7). The first is the AIS (Aeronautical Information Service), which has the responsibilities of inserting the flight plan into the system and getting all clearances necessary for the aircraft to fly. The second service modeled is the Radio Station, which gets information on flight tracks (i.e., aircraft) within its area of coverage and sends it to the APP (Ground-controlled Approach) Service. Finally, the APP service performs three main tasks: fuse track information, present it in a controller view and generate alerts to be used by a monitoring system.

The simulation was developed using the C2 Simulation Testbed [22], a joint project between the C4I Center at George Mason University (GMU) and the C2 Lab at the Instituto Tecnológico de Aeronáutica (ITA) in Brazil. The testbed allows the emulation of any infrastructure behavior
                                                                    and the simulation of all aspects of the physical environ-
                                                                    ment (aircraft flights, collisions, etc). The current evaluation
                                                                    scenario includes fourteen aircraft that take off from three
                                                                    different airports and go to the oil platforms. The flight plan
                                                                    was developed to generate collision warnings, allowing the
                                                                    framework to generate situations of interest. A view of this
                                                                    scenario using the C2 Simulation Testbed is presented in
                                                                    Figure 7.




               Figure 6.   The ARGUS User Interface

   By means of this GUI, the system will guide the analyst
through a process in which he will be able to define the
activity, the cost of resources, the service’s SLA, and other
rules that must be defined given the relevant situations. The                      Figure 7.   The Simulation in VRForces
View Module also provides classification of the event (i.e. the
situation(s) it pertains to).                                          A major aspect that is needed for the framework to de-
                                                                    fine relevant situations is the proper definition of the rules
                       IV. D ISCUSSION                              by analysts. Among other things, these rules formally es-
   A simulation of an air traffic scenario was developed to         tablish to the system the conditions that restrict the task,
evaluate the framework, verifying its ability to generate the       the goal of mission in general, the objective of each task,
relevant situation assessment and present it to the analyst. The    and other aspects that are important in filtering the raw
simulation is based on a real scenario, located at the Campos       data coming from the sensors. In addition to these aspects,
basin in Brazil, where a heavy helicopter operation is held to      another key use of rules is to create relations that are not
support maritime oil platforms sixty to eighty miles offshore.      explicit in the domain. As an example, the link between
The mission described in this scenario thus involves air traffic    cyber assets and services can be defined by this simple rule:
CyberAsset(?y), OntoService(?x), ipv4Address(?x, ?k),                          [10] T. Bass, “Multisensor Data Fusion for Next Generation Distributed
ipv4Address(?y, ?k) → isHostingIn(?x, ?y). Therefore, it                            Intrusion Detection Systems,” in IRIS National Symposion, 1999.
                                                                               [11] B. Schneier, “Attack trees: Modeling security threats,” Dr. Dobb’s
is fair to say that the combination of SWRL rules and OWL                           journal, December 1999.
2 statements to link the physical and cyber domains is at the                  [12] O. S. Saydjari, “Cyber defense: Art to Science.” Communications of the
heart of the system’s goal of evaluating mission impact.                            ACM - Homeland Security, vol. 47, no. 3, March 2004.
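To make concrete how a rule of this kind turns an implicit relation (two individuals sharing an IPv4 address) into an explicit one (isHostingIn), the following added example evaluates the paper’s rule with a small forward-chaining matcher written in Python. It is not code from the paper or from the ARGUS system, which uses the OWL-API and Pellet; the fact representation, the matcher, the sample facts, and the second rule (reliesOnAsset, which propagates the derived link to a task that depends on the service) are assumptions constructed for illustration. Only the first rule, HOSTING_RULE, is the one stated in the text. The sample facts deliberately include a service whose address matches no asset and an asset whose address matches no service, so that only the genuinely shared address produces a link.

```python
# Added example: evaluating the paper's SWRL-style rule by forward chaining.
# Not the ARGUS implementation; facts, engine and the second rule are constructed.

# A fact is a tuple: (class, individual) or (property, subject, object).
# Variables in rule atoms start with "?" as in SWRL.

# Constructed sample facts (assumption, not from the paper).
FACTS = {
    ("CyberAsset", "host-radar01"),
    ("CyberAsset", "host-app01"),
    ("OntoService", "RadioStationService"),
    ("OntoService", "APPService"),
    ("ipv4Address", "host-radar01", "10.0.1.10"),
    ("ipv4Address", "host-app01", "10.0.1.20"),        # no service shares it
    ("ipv4Address", "RadioStationService", "10.0.1.10"),
    ("ipv4Address", "APPService", "10.0.1.99"),        # no asset shares it
    ("Task", "FlightStartWarning"),
    ("dependsOn", "FlightStartWarning", "RadioStationService"),
}

# The rule quoted in the paper, as (body atoms, head atom).
HOSTING_RULE = (
    [("CyberAsset", "?y"), ("OntoService", "?x"),
     ("ipv4Address", "?x", "?k"), ("ipv4Address", "?y", "?k")],
    ("isHostingIn", "?x", "?y"),
)

# Hypothetical follow-on rule (assumption): a task that depends on a
# service relies on the cyber asset the service was derived to run on.
TASK_RULE = (
    [("Task", "?t"), ("dependsOn", "?t", "?x"), ("isHostingIn", "?x", "?y")],
    ("reliesOnAsset", "?t", "?y"),
)


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(atom, fact, binding):
    """Extend `binding` so that `atom` matches `fact`; None on mismatch."""
    if len(atom) != len(fact) or atom[0] != fact[0]:
        return None
    new = dict(binding)
    for term, value in zip(atom[1:], fact[1:]):
        if is_var(term):
            if new.get(term, value) != value:   # same variable, other value
                return None
            new[term] = value
        elif term != value:
            return None
    return new


def match_body(body, facts, binding=None):
    """Yield every binding satisfying all body atoms (a join over facts)."""
    binding = binding or {}
    if not body:
        yield binding
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        b = unify(first, fact, binding)
        if b is not None:
            yield from match_body(rest, facts, b)


def apply_rules(facts, rules):
    """Forward chaining: fire rules until no new fact is derived."""
    derived = set(facts)
    while True:
        new = set()
        for body, head in rules:
            for b in match_body(body, derived):
                new.add(tuple(b.get(t, t) for t in head))
        if new <= derived:
            return derived
        derived |= new


def hosting_links(facts=FACTS):
    """(service, asset) pairs derived by the paper's rule."""
    closure = apply_rules(facts, [HOSTING_RULE])
    return sorted((f[1], f[2]) for f in closure if f[0] == "isHostingIn")


def task_assets(facts=FACTS):
    """(task, asset) pairs reached through both rules."""
    closure = apply_rules(facts, [HOSTING_RULE, TASK_RULE])
    return sorted((f[1], f[2]) for f in closure if f[0] == "reliesOnAsset")


if __name__ == "__main__":
    print(hosting_links())   # [('RadioStationService', 'host-radar01')]
    print(task_assets())     # [('FlightStartWarning', 'host-radar01')]
```

Running the block shows that only RadioStationService is linked to host-radar01; APPService and host-app01 stay unlinked because the join on ?k finds no common address, and the second rule then carries the derived link one step further to the task. In a deployment the same join is what a reasoner performs over the ontology, so the quality of the ipv4Address assertions collected by the sensor modules directly bounds how reliable the cyber-to-mission links are.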
V. FUTURE RESEARCH

This paper presented an approach for connecting the cyber and physical domains, with the objective of assessing the impact that actions in the former have on the latter. This is research in progress in an area where clear answers are usually not attainable, mostly due to the complexity as well as to the level of subjectivity involved in real time impact assessment. As such, the framework presented here should be seen as a first step of a steep ladder. Yet, it is a firm step, since after attempting various approaches we remain convinced that the solution to this problem relies on a combination of techniques where semantic technologies and simulation play a major role.

The software modules, including the ontology and some of the rules, that together comprise the framework are already implemented, and we are currently evaluating its performance via the C2 Simulation Testbed. Preliminary results are promising and should be available soon. Our future work path includes aspects such as the usability of the system, and others that rely on semantic technologies to alleviate the reliance on analysts to provide domain knowledge in the form of SWRL rules.

ACKNOWLEDGMENT

The authors recognize VT MÄK and Scalable Network Technologies for providing the tools and support needed to develop the Testbed. Our gratitude is also extended to LatinMedia SA, who provided support for the testbed in Brazil.

REFERENCES

[1] G. Eason, B. Noble, and I. N. Sneddon, “On Certain Integrals of Lipschitz-Hankel Type Involving Products of Bessel Functions,” Philosophical Transactions of the Royal Society of London. Series A, Mathematical and Physical Sciences, vol. 247, no. 935, pp. 529–551, Apr. 1955. [Online]. Available: http://rsta.royalsocietypublishing.org/content/247/935/529
[2] M. Endsley, “The application of human factors to the development of expert system for advanced cockpits,” in Annual Meeting of Human Factors and Ergonomics Society. Human Factors Society, 1987, pp. 1388–1392.
[3] J. Boyd, “OODA Loop,” Center for Defense Information, Tech. Rep., 1995.
[4] DoD, DODAF. DoD Architecture Framework Version 2.0 - Volume 1: Introduction, Overview, and Concepts, DoD Std., 2009.
[5] J. Salerno, M. Hinman, and D. Boulware, “A situation awareness model applied to multiple domains,” in Proceedings of SPIE, vol. 5813, 2005, p. 65.
[6] E. Bosse, J. Roy, and S. Wark, Concepts, models, and tools for information fusion, A. House, Ed. Artech House, 2007.
[7] S. Musman, M. Tanner, A. Temin, E. Elsaesser, and L. Loren, “A systems engineering approach for crown jewels estimation and mission assurance decision making,” in IEEE Symposium on Computational Intelligence in Cyber Security (CICS), 2011.
[8] M. J. Fiebrandt, C. Mills, and T. Beach, “Modeling and simulation in the analysis of a joint test and evaluation methodology,” in Spring Simulation Multiconference, vol. 3. Society for Computer Simulation International, 2007, pp. 251–256.
[9] D. E. Denning, “An intrusion-detection model,” IEEE Transactions on Software Engineering, vol. 13, pp. 222–232, 1987.
[10] T. Bass, “Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems,” in IRIS National Symposium, 1999.
[11] B. Schneier, “Attack trees: Modeling security threats,” Dr. Dobb’s Journal, December 1999.
[12] O. S. Saydjari, “Cyber defense: Art to Science,” Communications of the ACM - Homeland Security, vol. 47, no. 3, March 2004.
[13] S. Jajodia, S. Noel, and B. O’Berry, “Topological Analysis of Network Attack Vulnerability,” Managing Cyber Threats, vol. 5, pp. 247–266, 2005.
[14] S. Evans, D. Heinbuch, E. Kyle, J. Piorkowski, and J. Wallner, “Risk-based systems security engineering: stopping attacks with intention,” IEEE Security and Privacy, vol. 2, pp. 59–62, 2004.
[15] D. L. Buckshaw, G. S. Parnell, W. L. Unkenholz, D. L. Parks, J. M. Wallner, and O. S. Saydjari, “Mission Oriented Risk and Design Analysis of Critical Information Systems,” Military Operations Research, vol. 2, pp. 19–38, 2005.
[16] S. Musman, M. Tanner, A. Temin, E. Elsaesser, and L. Loren, “Computing the impact of cyber attacks on complex missions,” in 2011 IEEE International Systems Conference (SysCon), 2011, pp. 46–51.
[17] OMG, Business Process Model and Notation (BPMN) 2.0, http://www.omg.org/spec/BPMN/2.0, OMG Std., 2011.
[18] W3C, OWL 2 Web Ontology Language, http://www.w3.org/TR/owl2-overview/, W3C Std., October 2009.
[19] A. D’Amico, L. Buchanan, J. Goodall, and P. Walczak, “Mission Impact of Cyber Events: Scenarios and Ontology to Express the Relationships between Cyber Assets, Missions, and Users,” AFRL/RIEF, Tech. Rep. OMB No. 0704-0188, December 2009.
[20] C. J. Matheus, M. M. Kokar, K. Baclawski, J. A. Letkowski, C. Call, M. Hinman, J. Salerno, and D. Boulware, “SAWA: An assistant for higher-level fusion and situation awareness,” Proceedings of SPIE, vol. 5813, no. 1, pp. 75–85, 2006. [Online]. Available: http://link.aip.org/link/?PSI/5813/75/1&Agg=doi
[21] J. Case, M. Fedor, M. Schoffstall, and J. Davin, A Simple Network Management Protocol (SNMP), The Internet Engineering Task Force (IETF) Std. RFC 1157, May 1990. [Online]. Available: http://www.ietf.org/rfc/rfc1157.txt
[22] A. B. Barreto, M. Hieb, and E. T. Yano, “Developing a Complex Simulation Environment for Evaluating Cyber Attacks,” in I/ITSEC, 2012, to be published in I/ITSEC 2012.
[23] R. Gerhards, The Syslog Protocol, http://tools.ietf.org/html/rfc5424, IETF Std. RFC 5424, March 2009.
[24] E. Nemeth, G. Snyder, S. Seebass, and T. Hein, UNIX System Administration Handbook. Prentice Hall, 2000.
[25] I. Horrocks, P. F. Patel-Schneider, H. Boley, S. Tabet, B. Grosof, and M. Dean, “SWRL: A Semantic Web Rule Language Combining OWL and RuleML,” http://www.w3.org/Submission/SWRL/, W3C Member Submission, May 2004.
[26] Wireshark, “Wireshark,” http://www.wireshark.org/, 2012.
[27] M. Horridge and S. Bechhofer, “The OWL API: A Java API for OWL Ontologies,” Semantic Web Journal, vol. 2, no. 1, Special Issue on Semantic Web Tools and Systems, pp. 11–21, 2011.
[28] “Pellet: OWL 2 Reasoner for Java,” http://clarkparsia.com/pellet/, 2012.