Modeling and Integrating Cognitive Agents Within the Emerging Cyber Domain

semanticscholar(2015)

Abstract
One of the elements missing from virtual environments in the emerging cyber domain is an element of active opposition. For example, in a training simulation the instructor assigns the student a task or objective, and the student then practices within the environment (the “cyber range”) until they feel comfortable with the task or are able to demonstrate the requisite level of mastery. The environment may have static defenses, such as access control or firewalls, or a fixed set of intrusion methods to defend against, but it typically lacks any active opposition that might adapt defensive or offensive actions (e.g., monitor logs, blocked connections, exploit switching or information gathering). This is akin to training fighter pilots against adversaries who know how to use their weapons, but do not have any tactical or strategic goals beyond that. This is unfortunate for two reasons: 1) it trains cyber operators to behave as though opponents do not have a tangible existence or do not have higher-level goals, and 2) it ignores an opportunity to tailor the student’s learning experience through adjustable adversary behavior.

Cognitive agents have the potential to transform the cyber operations training experience. The application of cognitive agents to the roles of cyber offense and defense would provide a more complete cyber ecology for training purposes and thus a more realistic training experience for the student. There are two key challenges to creating such cyber agents: 1) modeling the complex, and continually evolving, processes of cyber operations within a cognitive architecture, and 2) defining the tools and data standards to enable cognitive agents to interoperate with networks in a portable way. This paper discusses novel models of cyber offensive and defensive behavior based on observation and elaboration of human expertise, as well as an approach to the creation of software adapters that translate from task-level actions to network-level events to support agent-network interoperability.

ABOUT THE AUTHORS

Randolph M. Jones, PhD, is a senior artificial intelligence engineer at Soar Technology, and co-founded Soar Technology in 1998. Dr. Jones received his BS in mathematics and computer science from UCLA, and he received his M.S. and Ph.D. in information and computer science from the University of California, Irvine.

Ryan O’Grady is the technical lead for Soar Technology’s emerging business area in cyberspace training and visualization, and a senior software engineer in the Intelligent Training business area. Mr. O’Grady received a BSE in Computer Science Engineering from the University of Michigan in 2004. Certifications: Security+, CPTE, OSCP.

Denise Nicholson, PhD, CMSP, is the Director of Soar Technology’s new Technology Area "X", leading an effort to explore, identify and pursue innovative applications of intelligent systems for critical and challenging problems, such as Cyber Security. Dr. Nicholson has a Ph.D. and M.S. in Optical Sciences from the University of Arizona, and a B.S. in Electrical Computer Engineering from Clarkson University.

Robert Hoffman, PhD, is a Senior Research Scientist at the Florida Institute for Human and Machine Cognition (IHMC). He is senior editor of the Department on Human-Centered Computing of IEEE: Intelligent Systems. His latest book is Accelerated Expertise: Training to High Proficiency in A Complex World (2014, Taylor & Francis).

Larry Bunch is a Senior Research Associate at IHMC. He received his BS in computer science from the University of West Florida and has published extensively concerning software agents, semantic policies and reasoning, and large-scale event visualizations.

Jeffrey M. Bradshaw, PhD, is a Senior Research Scientist at IHMC. He co-edits the HCC Department of IEEE Intelligent Systems and has published widely in software agents, semantic technologies, digital policy management, and human-agent-robot teamwork (HART).

Ami Bolton, PhD, is a Program Officer at the Office of Naval Research (ONR). Her programs focus on enhancing individual and team decision-making and combat effectiveness through advances that improve perception, cognition, and team coordination. Dr. Bolton received an M.S. in Human Factors from the Florida Institute of Technology, and a Ph.D. in Applied Experimental & Human Factors Psychology from University of Central Florida.

Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC) 2015 2015 Paper No. #15232 Page 2 of 10

Modeling and Integrating Cognitive Agents Within the Emerging Cyber Domain

Randolph M. Jones, Ryan O'Grady, Denise Nicholson, Robert Hoffman, Larry Bunch, Jeffrey Bradshaw, and Ami Bolton

Soar Technology, Ann Arbor, MI; IHMC, Pensacola, FL; Office of Naval Research, Arlington, VA

rjones@soartech.com, ryan.ogrady@soartech.com, denise.nicholson@soartech.com, rhoffman@ihmc.us, lbunch@ihmc.us, jbradshaw@ihmc.us, amy.bolton@navy.mil

Cyber warfare presents a persistent and evolving threat to military and civilian information systems. Both DoD (Parrish, 2013) and ODNI (Pellerin, 2013) rank cyber warfare as our top national security concern. In addition to threats to our defensive forces, cyber attacks pose an economic threat on the order of one trillion dollars (Ponemon, 2013). Although individual cyber-warfare tools operate at extremely fast speeds, aggressors increasingly pursue a “cyber kill-chain” (Hutchins et al., 2010) over days, weeks, or months. Would-be cyber aggressors are constantly changing their attack vectors to take advantage of security lapses by human resources and the latest vulnerabilities in information technology.
These human-speed activities are guided by cognitive behavior that includes a variety of types of goals and expertise: script-kiddies, ideological activists, investigators, financial criminals, intelligence agents, or cyber warfighters (Lathrop et al., 2010). At the human, cognitive level, offense depends on and reacts to responses of defenders (Pfleeger & Caputo, 2012) and users (Bowen et al., 2012) that are also cognitively driven. Current cyber-warfare tools comprise suites of technical mechanisms that respond to the tools that aggressors and defenders use, but not to the individuals themselves. Human tactics are currently addressed through human-staffed wargames at cyber ranges (Merit, 2013; Pridmore, 2012). Human role-players are expensive, not repeatable, and not deployable as an automated system. There is an emerging need for cognitive-level synthetic cyber offense and defense, to ensure realistic cyber simulation and training.

Building effective training systems for cyber warfare presents a suite of unique problems: Offensive and defensive activity is highly dynamic. The characteristics of target network environments are driven by the users of the system and their current activities, which are highly variable and unpredictable. User behavior often creates vulnerabilities that can be exploited. Cyber warfighters themselves are extremely adaptive and creative. In order to meet their objectives they will change tactics or tools based on opportunities detected in a computer network or responses initiated by adversaries or users. Current training environments do not adequately capture the dynamic and cognitive-level characteristics of cyber warfare. They are unable to capture the purposefulness, creativity, and adaptability of actual cyber warfighters.
Studying previous offensive and defensive scenarios in a classroom environment is an effective means of understanding the building blocks of cyber warfare, but falls short of creating the skills needed to deal with a creative and time-sensitive event or a sophisticated but dynamic plan. Computerized unit tests can build fundamentals for dealing with individual components of cyber warfare, but they do not help the trainee learn to recognize and make sense of the larger picture, nor do they capture the dynamic nature of networks and users. If cyber warfighters are to learn to respond to a cunning and adaptive opponent, they need to train against cunning and adaptive opponents.

An effective cyber-warfare training system must be adaptable and deal with the changing nature of a networked environment. It must be able to model the dynamic nature of cyber aggressors, users, and defenders. It must create a virtual environment that replicates the environment that the trainee will ultimately operate in. An appropriate virtual environment also creates the opportunity for accurate post-event forensic analysis by providing access to databases, configurations, and system logs.

This paper presents our efforts to address these issues through the development of cognitive agents for cyber offense and defense.

The Soar cognitive architecture described in this paper is not to be confused with Soar Technology, the affiliation of some of the authors. Soar is not a commercial product, but is available under a General Public License from http://soar.eecs.umich.edu/ maintained by the University of Michigan. The Soar architecture provides the technological foundation for the cognitive agents described here.

MODELING AND INTEGRATION CHALLENGES

In order to build realistic cognitive agents, the agents must encode appropriate domain expertise, and they must interact with a realistic cyber environment (Jones & Laird, 1997). In addition to realism, cost-effective cognitive agents also need to address these related issues:

- Reduce cost of realistic role playing in cyber-warfare simulation, system engineering, and analysis of cyber operations.
- Enable end-user updating of agent knowledge with minimal support from software engineers, both through coaching by instructor Subject-Matter Experts (SMEs) and through explicit addition of new knowledge about cyber tactics.
- Be readily adaptable to a wide range of network structures, devices, and protocols.

In o