1

MURI: Computer-aided Human Centric Cyber Situation

Awareness

Peng LiuProfessor & Director, The LIONS

CenterPennsylvania State University

ARO Cyber Situation Awareness MURI

Security Analysts

Computer network Mu

lti-

Sen

sory

Hu

man

C

om

pu

ter

Inte

ract

ion

• Enterprise Model• Activity Logs

• IDS reports• Vulnerabilities

Cognitive Models & Decision Aids

• Instance Based Learning Models• Simulation

• Measures of SA & Shared SA

• • •

Da

ta C

on

dit

ion

ing

As

so

cia

tio

n &

Co

rre

lati

on

Automated Reasoning Tools• R-CAST•Plan-based narratives•Graphical models•Uncertainty analysis

Information Aggregation

& Fusion• Transaction Graph methods•Damage assessment

Computer network

• •

•

Real World

Test-bed

2

Publications

• Year 4– 13 journals– 24 conferences– 3 book chapters– 9 presentations

• Year 3– 40 papers – One journal special

issue on Cyber SA– 13 presentations

3

Y1 to Y4 accumulation: around 140 papers

Students

• Year 4– 18 graduate students– 5 post-docs– 4 earned a PhD

degree– 2 earned a MS degree

• Year 3– 17 graduate students– 8 post-docs– 4 earned a PhD

degree

4

Awards

5

CogSIMA 2012 Best Paper Award

Best Paper Award, SECRYPT 2013, “An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities” by M. Albanese, S. Jajodia, A. Singhal, and L. Wang.

HFES 2013 Alphonse Chapanis Award for best student paper, Prashanth Rajivan

Sushil Jajodia, IEEE Fellow, January 2013. VAST Challenge 2013 Honorable Mention, by C. Zhong, M.

Zhao, J. Xu, and G. Xiao

Grace Hopper Scholarship 2013: Chen Zhong

6

Tech Transfer

Deep collaboration with ARL-- ARSCA tool is now being used at ARL to understand the RPs of security analysts-- Adapting ARSCA to directly operate on ARL datasets -- Weekly teleconferences: joint research team

DoD STTR that involves a higher fidelity version of CyberCog, DEXTAR, in which we will integrate CAULDRON

DoD SBIR 12.3 Phase I OSD12-IA5 project “An Integrated Threat feed Aggregation, Analysis, and Visualization (TAAV) Tool for Cyber Situational Awareness,” funded, led by Intelligent Automation, Inc. (IAI).

7

Tech Transfer (cont’d)

The source code for NSDMiner is now released through SourceForge at http://sourceforge.net/projects/nsdminer/. There have been 63 downloads to date.

Briefings to Deloitte, Lockheed Martin, Raytheon Corporation, MITRE, Computer Sciences Corporation, and MIT Lincoln Laboratory.

Briefings to NSA, DTRA, ONR, DHS, and DoDII.

Year 5 Plan: Technology Transitions (1)

8

Partner:

Contact:Opportunity:

Partners:Contacts:

Opportunity:

Partner:

Contact:Opportunity:

Partner:Contact:

Opportunity:

Partner:Contact:

Opportunity:

AFRL – Human Effectiveness Directorate711th Human Performance Wing, Wright-Patterson AFB, OHBenjamin Knott and Vince MancusoHuman performance and measurement of cognition

Deloitte, Ernst and Young, KPMG, Price Waterhouse CoopersJ.B. O’Kane (Vigilant by Deloitte), Jenna McAuley (EY-ASC) and othersObserve practicing analysts, test visualization toolkits and fusion tools, measure human cognition and performance

MIT Lincoln LaboratoriesCyber Security Information Sciences DivisionStephen Rejto and Tony PensaConduct human-in-the-loop experiments; evaluate MIT-LL/PSU analyst tools

ARL (Tactical Information Analysis)Tim HanrattyTransition knowledge elicitation and visualization toolkits to the demonstration lab at ARL Aberdeen

ARL – Adelphi, MDHasan CamApplied research in risk and resilience in cyber security

Year 5 Plan: Tech Transitions (2)

9

Partner:Contact:

Opportunity:

Partners:Contacts:

Opportunity:

Partner:Contact:

Opportunity:

Partner:Contact:

Opportunity:

Partner:Contact:

Opportunity:

ARL (Network division) Bill Glodek, Rob Erbacher, Steve Hutchinson, Hasan Cam, Renee EtotyTracing and analyzing the reasoning processes of security analysts

Sandia Research, Inc. CookeDoD STTR: A higher fidelity version of CyberCog/DEXTAR/CAULDRON

Intelligent Automation, Inc. (Network and Security Division)Jason LiDoD SBIR: Integrated Threat feed Aggregation, Analysis, and Visualization (TAAV) Tool for Cyber Situational Awareness

NISTA. Singhal Cloud-wide vulnerability analysis

NEC Labs America, Inc. Z. Qian, Z. Li Whole enterprise system-call-level security intelligence