Showing 1–50 of 54 results for author: Kott, A

Autonomous Intelligent Cyber-defense Agent: Introduction and Overview

Authors: Alexander Kott

Abstract: This chapter introduces the concept of Autonomous Intelligent Cyber-defense Agents (AICAs), and briefly explains the importance of this field and the motivation for its emergence. AICA is a software agent that resides on a system, and is responsible for defending the system from cyber compromises and enabling the response and recovery of the system, usually autonomously. The autonomy of the agent… ▽ More This chapter introduces the concept of Autonomous Intelligent Cyber-defense Agents (AICAs), and briefly explains the importance of this field and the motivation for its emergence. AICA is a software agent that resides on a system, and is responsible for defending the system from cyber compromises and enabling the response and recovery of the system, usually autonomously. The autonomy of the agent is a necessity because of the growing scarcity of human cyber-experts who could defend systems, either remotely or onsite, and because sophisticated malware could degrade or spoof the communications of a system that uses a remote monitoring center. An AICA Reference Architecture has been proposed and defines five main functions: (1) sensing and world state identification, (2) planning and action selection, (3) collaboration and negotiation, (4) action execution and (5) learning and knowledge improvement. The chapter reviews the details of AICA's environment, functions and operations. As AICA is intended to make changes within its environment, there is a risk that an agent's action could harm a friendly computer. This risk must be balanced against the losses that could occur if the agent does not act. The chapter discusses means by which this risk can be managed and how AICA's design features could help build trust among its users. △ Less

Submitted 24 April, 2023; originally announced April 2023.

Quantitative Measurement of Cyber Resilience: Modeling and Experimentation

Authors: Michael J. Weisman, Alexander Kott, Jason E. Ellis, Brian J. Murphy, Travis W. Parker, Sidney Smith, Joachim Vandekerckhove

Abstract: Cyber resilience is the ability of a system to resist and recover from a cyber attack, thereby restoring the system's functionality. Effective design and development of a cyber resilient system requires experimental methods and tools for quantitative measuring of cyber resilience. This paper describes an experimental method and test bed for obtaining resilience-relevant data as a system (in our ca… ▽ More Cyber resilience is the ability of a system to resist and recover from a cyber attack, thereby restoring the system's functionality. Effective design and development of a cyber resilient system requires experimental methods and tools for quantitative measuring of cyber resilience. This paper describes an experimental method and test bed for obtaining resilience-relevant data as a system (in our case -- a truck) traverses its route, in repeatable, systematic experiments. We model a truck equipped with an autonomous cyber-defense system and which also includes inherent physical resilience features. When attacked by malware, this ensemble of cyber-physical features (i.e., "bonware") strives to resist and recover from the performance degradation caused by the malware's attack. We propose parsimonious mathematical models to aid in quantifying systems' resilience to cyber attacks. Using the models, we identify quantitative characteristics obtainable from experimental data, and show that these characteristics can serve as useful quantitative measures of cyber resilience. △ Less

Submitted 28 March, 2023; originally announced March 2023.

Comments: arXiv admin note: text overlap with arXiv:2302.04413, arXiv:2302.07941

An Experimentation Infrastructure for Quantitative Measurements of Cyber Resilience

Authors: Jason E. Ellis, Travis W. Parker, Joachim Vandekerckhove, Brian J. Murphy, Sidney Smith, Alexander Kott, Michael J. Weisman

Abstract: The vulnerability of cyber-physical systems to cyber attack is well known, and the requirement to build cyber resilience into these systems has been firmly established. The key challenge this paper addresses is that maturing this discipline requires the development of techniques, tools, and processes for objectively, rigorously, and quantitatively measuring the attributes of cyber resilience. Rese… ▽ More The vulnerability of cyber-physical systems to cyber attack is well known, and the requirement to build cyber resilience into these systems has been firmly established. The key challenge this paper addresses is that maturing this discipline requires the development of techniques, tools, and processes for objectively, rigorously, and quantitatively measuring the attributes of cyber resilience. Researchers and program managers need to be able to determine if the implementation of a resilience solution actually increases the resilience of the system. In previous work, a table top exercise was conducted using a notional heavy vehicle on a fictitious military mission while under a cyber attack. While this exercise provided some useful data, more and higher fidelity data is required to refine the measurement methodology. This paper details the efforts made to construct a cost-effective experimentation infrastructure to provide such data. It also presents a case study using some of the data generated by the infrastructure. △ Less

Submitted 15 February, 2023; originally announced February 2023.

Comments: 6 pages, 2022 IEEE Military Communications Conference, pp. 855-860

Piecewise Linear and Stochastic Models for the Analysis of Cyber Resilience

Authors: Michael J. Weisman, Alexander Kott, Joachim Vandekerckhove

Abstract: We model a vehicle equipped with an autonomous cyber-defense system in addition to its inherent physical resilience features. When attacked, this ensemble of cyber-physical features (i.e., ``bonware'') strives to resist and recover from the performance degradation caused by the malware's attack. We model the underlying differential equations governing such attacks for piecewise linear characteriza… ▽ More We model a vehicle equipped with an autonomous cyber-defense system in addition to its inherent physical resilience features. When attacked, this ensemble of cyber-physical features (i.e., ``bonware'') strives to resist and recover from the performance degradation caused by the malware's attack. We model the underlying differential equations governing such attacks for piecewise linear characterizations of malware and bonware, develop a discrete time stochastic model, and show that averages of instantiations of the stochastic model approximate solutions to the continuous differential equation. We develop a theory and methodology for approximating the parameters associated with these equations. △ Less

Submitted 16 February, 2023; v1 submitted 9 February, 2023; originally announced February 2023.

Comments: 6 pages, Invited Session on "Estimation and Learning in Stochastic Systems" for the 57th Annual Conference on Information Sciences and Systems. Co-sponsorship of Johns Hopkins University and the IEEE Information Theory Society

Mathematical Modeling of Cyber Resilience

Authors: Alexander Kott, Michael J. Weisman, Joachim Vandekerckhove

Abstract: We identify quantitative characteristics of responses to cyber compromises that can be learned from repeatable, systematic experiments. We model a vehicle equipped with an autonomous cyber-defense system and which also has some inherent physical resilience features. When attacked by malware, this ensemble of cyber-physical features (i.e., "bonware") strives to resist and recover from the performan… ▽ More We identify quantitative characteristics of responses to cyber compromises that can be learned from repeatable, systematic experiments. We model a vehicle equipped with an autonomous cyber-defense system and which also has some inherent physical resilience features. When attacked by malware, this ensemble of cyber-physical features (i.e., "bonware") strives to resist and recover from the performance degradation caused by the malware's attack. We propose parsimonious continuous models, and develop stochastic models to aid in quantifying systems' resilience to cyber attacks. △ Less

Submitted 27 February, 2023; v1 submitted 8 February, 2023; originally announced February 2023.

Comments: 7 pages, 2022 IEEE Military Communications Conference

Cyber Resilience: by Design or by Intervention?

Authors: Alexander Kott, Maureen S. Golan, Benjamin D. Trump, Igor Linkov

Abstract: The term "cyber resilience by design" is growing in popularity. Here, by cyber resilience we refer to the ability of the system to resist, minimize and mitigate a degradation caused by a successful cyber-attack on a system or network of computing and communicating devices. Some use the term "by design" when arguing that systems must be designed and implemented in a provable mission assurance fashi… ▽ More The term "cyber resilience by design" is growing in popularity. Here, by cyber resilience we refer to the ability of the system to resist, minimize and mitigate a degradation caused by a successful cyber-attack on a system or network of computing and communicating devices. Some use the term "by design" when arguing that systems must be designed and implemented in a provable mission assurance fashion, with the system's intrinsic properties ensuring that a cyber-adversary is unable to cause a meaningful degradation. Others recommend that a system should include a built-in autonomous intelligent agent responsible for thinking and acting towards continuous observation, detection, minimization and remediation of a cyber degradation. In all cases, the qualifier "by design" indicates that the source of resilience is somehow inherent in the structure and operation of the system. But what, then, is the other resilience, not by design? Clearly, there has to be another type of resilience, otherwise what's the purpose of the qualifier "by design"? Indeed, while mentioned less frequently, there exists an alternative form of resilience called "resilience by intervention." In this article we explore differences and mutual reliance of resilience by design and resilience by intervention. △ Less

Submitted 26 January, 2022; originally announced January 2022.

Autonomous Cyber Defense Introduces Risk: Can We Manage the Risk?

Authors: Alexandre K. Ligo, Alexander Kott, Igor Linkov

Abstract: From denial-of-service attacks to spreading of ransomware or other malware across an organization's network, it is possible that manually operated defenses are not able to respond in real time at the scale required, and when a breach is detected and remediated the damage is already made. Autonomous cyber defenses therefore become essential to mitigate the risk of successful attacks and their damag… ▽ More From denial-of-service attacks to spreading of ransomware or other malware across an organization's network, it is possible that manually operated defenses are not able to respond in real time at the scale required, and when a breach is detected and remediated the damage is already made. Autonomous cyber defenses therefore become essential to mitigate the risk of successful attacks and their damage, especially when the response time, effort and accuracy required in those defenses is impractical or impossible through defenses operated exclusively by humans. Autonomous agents have the potential to use ML with large amounts of data about known cyberattacks as input, in order to learn patterns and predict characteristics of future attacks. Moreover, learning from past and present attacks enable defenses to adapt to new threats that share characteristics with previous attacks. On the other hand, autonomous cyber defenses introduce risks of unintended harm. Actions arising from autonomous defense agents may have harmful consequences of functional, safety, security, ethical, or moral nature. Here we focus on machine learning training, algorithmic feedback, and algorithmic constraints, with the aim of motivating a discussion on achieving trust in autonomous cyber defenses. △ Less

Submitted 26 January, 2022; originally announced January 2022.

Cybertrust: From Explainable to Actionable and Interpretable AI (AI2)

Authors: Stephanie Galaitsi, Benjamin D. Trump, Jeffrey M. Keisler, Igor Linkov, Alexander Kott

Abstract: To benefit from AI advances, users and operators of AI systems must have reason to trust it. Trust arises from multiple interactions, where predictable and desirable behavior is reinforced over time. Providing the system's users with some understanding of AI operations can support predictability, but forcing AI to explain itself risks constraining AI capabilities to only those reconcilable with hu… ▽ More To benefit from AI advances, users and operators of AI systems must have reason to trust it. Trust arises from multiple interactions, where predictable and desirable behavior is reinforced over time. Providing the system's users with some understanding of AI operations can support predictability, but forcing AI to explain itself risks constraining AI capabilities to only those reconcilable with human cognition. We argue that AI systems should be designed with features that build trust by bringing decision-analytic perspectives and formal tools into AI. Instead of trying to achieve explainable AI, we should develop interpretable and actionable AI. Actionable and Interpretable AI (AI2) will incorporate explicit quantifications and visualizations of user confidence in AI recommendations. In doing so, it will allow examining and testing of AI system predictions to establish a basis for trust in the systems' decision making and ensure broad benefits from deploying and advancing its computational capabilities. △ Less

Submitted 26 January, 2022; originally announced January 2022.

Doers, not Watchers: Intelligent Autonomous Agents are a Path to Cyber Resilience

Authors: Alexander Kott, Paul Theron

Abstract: Today's cyber defense tools are mostly watchers. They are not active doers. To be sure, watching too is a demanding affair. These tools monitor the traffic and events; they detect malicious signatures, patterns and anomalies; they might classify and characterize what they observe; they issue alerts, and they might even learn while doing all this. But they don't act. They do little to plan and exec… ▽ More Today's cyber defense tools are mostly watchers. They are not active doers. To be sure, watching too is a demanding affair. These tools monitor the traffic and events; they detect malicious signatures, patterns and anomalies; they might classify and characterize what they observe; they issue alerts, and they might even learn while doing all this. But they don't act. They do little to plan and execute responses to attacks, and they don't plan and execute recovery activities. Response and recovery - core elements of cyber resilience are left to the human cyber analysts, incident responders and system administrators. We believe things should change. Cyber defense tools should not be merely watchers. They need to become doers - active fighters in maintaining a system's resilience against cyber threats. This means that their capabilities should include a significant degree of autonomy and intelligence for the purposes of rapid response to a compromise - either incipient or already successful - and rapid recovery that aids the resilience of the overall system. Often, the response and recovery efforts need to be undertaken in absence of any human involvement, and with an intelligent consideration of risks and ramifications of such efforts. Recently an international team published a report that proposes a vision of an autonomous intelligent cyber defense agent (AICA) and offers a high-level reference architecture of such an agent. In this paper we explore this vision. △ Less

Submitted 26 January, 2022; originally announced January 2022.

On games and simulators as a platform for development of artificial intelligence for command and control

Authors: Vinicius G. Goecks, Nicholas Waytowich, Derrik E. Asher, Song Jun Park, Mark Mittrick, John Richardson, Manuel Vindiola, Anne Logie, Mark Dennison, Theron Trout, Priya Narayanan, Alexander Kott

Abstract: Games and simulators can be a valuable platform to execute complex multi-agent, multiplayer, imperfect information scenarios with significant parallels to military applications: multiple participants manage resources and make decisions that command assets to secure specific areas of a map or neutralize opposing forces. These characteristics have attracted the artificial intelligence (AI) community… ▽ More Games and simulators can be a valuable platform to execute complex multi-agent, multiplayer, imperfect information scenarios with significant parallels to military applications: multiple participants manage resources and make decisions that command assets to secure specific areas of a map or neutralize opposing forces. These characteristics have attracted the artificial intelligence (AI) community by supporting development of algorithms with complex benchmarks and the capability to rapidly iterate over new ideas. The success of artificial intelligence algorithms in real-time strategy games such as StarCraft II have also attracted the attention of the military research community aiming to explore similar techniques in military counterpart scenarios. Aiming to bridge the connection between games and military applications, this work discusses past and current efforts on how games and simulators, together with the artificial intelligence algorithms, have been adapted to simulate certain aspects of military missions and how they might impact the future battlefield. This paper also investigates how advances in virtual reality and visual augmentation systems open new possibilities in human interfaces with gaming platforms and their military parallels. △ Less

Submitted 21 October, 2021; originally announced October 2021.

Comments: Preprint submitted to the Journal of Defense Modeling and Simulation (JDMS) for peer review

ACM Class: I.2.6; I.6.3; A.1

To Improve Cyber Resilience, Measure It

Authors: Alexander Kott, Igor Linkov

Abstract: We are not very good at measuring -- rigorously and quantitatively -- the cyber security of systems. Our ability to measure cyber resilience is even worse. And without measuring cyber resilience, we can neither improve it nor trust its efficacy. It is difficult to know if we are improving or degrading cyber resilience when we add another control, or a mix of controls, to harden the system. The onl… ▽ More We are not very good at measuring -- rigorously and quantitatively -- the cyber security of systems. Our ability to measure cyber resilience is even worse. And without measuring cyber resilience, we can neither improve it nor trust its efficacy. It is difficult to know if we are improving or degrading cyber resilience when we add another control, or a mix of controls, to harden the system. The only way to know is to specifically measure cyber resilience with and without a particular set of controls. What needs to be measured are temporal patterns of recovery and adaptation, and not time-independent failure probabilities. In this paper, we offer a set of criteria that would ensure decision-maker confidence in the reliability of the methodology used in obtaining a meaningful measurement. △ Less

Submitted 18 February, 2021; originally announced February 2021.

How to Measure Cyber Resilience of an Autonomous Agent: Approaches and Challenges

Authors: Alexandre Ligo, Alexander Kott, Igor Linkov

Abstract: Several approaches have been used to assess the performance of cyberphysical systems and their exposure to various types of risks. Such assessments have become increasingly important as autonomous attackers ramp up the frequency, duration and intensity of threats while autonomous agents have the potential to respond to cyber-attacks with unprecedented speed and scale. However, most assessment appr… ▽ More Several approaches have been used to assess the performance of cyberphysical systems and their exposure to various types of risks. Such assessments have become increasingly important as autonomous attackers ramp up the frequency, duration and intensity of threats while autonomous agents have the potential to respond to cyber-attacks with unprecedented speed and scale. However, most assessment approaches have limitations with respect to measuring cyber resilience, or the ability of systems to absorb, recover from, and adapt to cyberattacks. In this paper, we provide an overview of several common approaches, discuss practical challenges and propose research directions for the development of effective cyber resilience measures. △ Less

Submitted 31 January, 2021; originally announced February 2021.

When Autonomous Intelligent Goodware will Fight Autonomous Intelligent Malware: A Possible Future of Cyber Defense

Authors: Paul Théron, Alexander Kott

Abstract: In the coming years, the future of military combat will include, on one hand, artificial intelligence-optimized complex command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) and networks and, on the other hand, autonomous intelligent Things fighting autonomous intelligent Things at a fast pace. Under this perspective, enemy forces will seek to disable o… ▽ More In the coming years, the future of military combat will include, on one hand, artificial intelligence-optimized complex command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) and networks and, on the other hand, autonomous intelligent Things fighting autonomous intelligent Things at a fast pace. Under this perspective, enemy forces will seek to disable or disturb our autonomous Things and our complex infrastructures and systems. Autonomy, scale and complexity in our defense systems will trigger new cyber-attack strategies, and autonomous intelligent malware (AIM) will be part of the picture. Should these cyber-attacks succeed while human operators remain unaware or unable to react fast enough due to the speed, scale or complexity of the mission, systems or attacks, missions would fail, our networks and C4ISR would be heavily disrupted, and command and control would be disabled. New cyber-defense doctrines and technologies are therefore required. Autonomous cyber defense (ACyD) is a new field of research and technology driven by the defense sector in anticipation of such threats to future military infrastructures, systems and operations. It will be implemented via swarms of autonomous intelligent cyber-defense agents (AICAs) that will fight AIM within our networks and systems. This paper presents this cyber-defense technology of the future, the current state of the art in this field and its main challenges. First, we review the rationale of the ACyD concept and its associated AICA technology. Then, we present the current research results from NATO's IST-152 Research Task Group on the AICA Reference Architecture. We then develop the 12 main technological challenges that must be resolved in the coming years, besides ethical and political issues. △ Less

Submitted 25 November, 2019; originally announced December 2019.

Comments: MILCOM-2019

Discovering a Regularity: the Case of An 800-year Law of Advances in Small-Arms Technologies

Authors: Alexander Kott, Philip Perconti, Nandi Leslie

Abstract: Considering a broad family of technologies where a measure of performance (MoP) is difficult or impossible to formulate, we seek an alternative measure that exhibits a regular pattern of evolution over time, similar to how a MoP may follow a Moore's law. In an empirical case study, we explore an approach to identifying such a composite measure called a Figure of Regularity (FoR). We use the propos… ▽ More Considering a broad family of technologies where a measure of performance (MoP) is difficult or impossible to formulate, we seek an alternative measure that exhibits a regular pattern of evolution over time, similar to how a MoP may follow a Moore's law. In an empirical case study, we explore an approach to identifying such a composite measure called a Figure of Regularity (FoR). We use the proposed approach to identify a novel FoR for diverse classes of small arms - bows, crossbows, harquebuses, muskets, rifles, repeaters, and assault rifles - and show that this FoR agrees well with the empirical data. We identify a previously unreported regular trend in the FoR of an exceptionally long duration - from approximately 1200 CE to the present - and discuss how research managers can analyze long-term trends in conjunction with a portfolio of research directions. △ Less

Submitted 9 August, 2019; originally announced August 2019.

Comments: under review, Technology Analysis and Strategic Management journal

Features and Operation of an Autonomous Agent for Cyber Defense

Authors: Michael J. De Lucia, Allison Newcomb, Alexander Kott

Abstract: An ever increasing number of battlefield devices that are capable of collecting, processing, storing, and communicating information are rapidly becoming interconnected. The staggering number of connected devices on the battlefield greatly increases the possibility that an adversary could find ways to exploit hardware or software vulnerabilities, degrading or denying Warfighters the assured and sec… ▽ More An ever increasing number of battlefield devices that are capable of collecting, processing, storing, and communicating information are rapidly becoming interconnected. The staggering number of connected devices on the battlefield greatly increases the possibility that an adversary could find ways to exploit hardware or software vulnerabilities, degrading or denying Warfighters the assured and secure use of those devices. Autonomous software agents will become necessities to manage, defend, and react to cyber threats in the future battlespace. The number of connected devices increases disproportionately to the number of cyber experts that could be available within an operational environment. In this paper, an autonomous agent capability and a scenario of how it could operate are proposed. The goal of develo** such capability is to increase the security posture of the Internet of Battlefield Things and meet the challenges of an increasingly complex battlefield. This paper describes an illustrative scenario in a notional use case and discusses the challenges associated with such autonomous agents. We conclude by offering ideas for potential research into develo** autonomous agents suitable for cyber defense in a battlefield environment. △ Less

Submitted 13 May, 2019; originally announced May 2019.

Journal ref: CSIAC Journal, v.7, n.1, April 2019, pp.6-13

Intelligent Autonomous Things on the Battlefield

Authors: Alexander Kott, Ethan Stump

Abstract: Numerous, artificially intelligent, networked things will populate the battlefield of the future, operating in close collaboration with human warfighters, and fighting as teams in highly adversarial environments. This chapter explores the characteristics, capabilities and intelli-gence required of such a network of intelligent things and humans - Internet of Battle Things (IOBT). The IOBT will exp… ▽ More Numerous, artificially intelligent, networked things will populate the battlefield of the future, operating in close collaboration with human warfighters, and fighting as teams in highly adversarial environments. This chapter explores the characteristics, capabilities and intelli-gence required of such a network of intelligent things and humans - Internet of Battle Things (IOBT). The IOBT will experience unique challenges that are not yet well addressed by the current generation of AI and machine learning. △ Less

Submitted 26 February, 2019; originally announced February 2019.

Comments: This is a much expanded version of an earlier conference paper available at arXiv:803.11256

Journal ref: In Artificial Intelligence for the Internet of Everything, pp. 47-65. Academic Press, 2019

Statistical Models for the Number of Successful Cyber Intrusions

Authors: Nandi O. Leslie, Richard E. Harang, Lawrence P. Knachel, Alexander Kott

Abstract: We propose several generalized linear models (GLMs) to predict the number of successful cyber intrusions (or "intrusions") into an organization's computer network, where the rate at which intrusions occur is a function of the following observable characteristics of the organization: (i) domain name server (DNS) traffic classified by their top-level domains (TLDs); (ii) the number of network securi… ▽ More We propose several generalized linear models (GLMs) to predict the number of successful cyber intrusions (or "intrusions") into an organization's computer network, where the rate at which intrusions occur is a function of the following observable characteristics of the organization: (i) domain name server (DNS) traffic classified by their top-level domains (TLDs); (ii) the number of network security policy violations; and (iii) a set of predictors that we collectively call "cyber footprint" that is comprised of the number of hosts on the organization's network, the organization's similarity to educational institution behavior (SEIB), and its number of records on scholar.google.com (ROSG). In addition, we evaluate the number of intrusions to determine whether these events follow a Poisson or negative binomial (NB) probability distribution. We reveal that the NB GLM provides the best fit model for the observed count data, number of intrusions per organization, because the NB model allows the variance of the count data to exceed the mean. We also show that there are restricted and simpler NB regression models that omit selected predictors and improve the goodness-of-fit of the NB GLM for the observed data. With our model simulations, we identify certain TLDs in the DNS traffic as having significant impact on the number of intrusions. In addition, we use the models and regression results to conclude that the number of network security policy violations are consistently predictive of the number of intrusions. △ Less

Submitted 14 January, 2019; originally announced January 2019.

Journal ref: The Journal of Defense Modeling and Simulation, 15(1), 49-63

Intelligent Autonomous Agents are Key to Cyber Defense of the Future Army Networks

Authors: Alexander Kott

Abstract: Intelligent autonomous agents will be widely present on the battlefield of the future. The proliferation of intelligent agents is the emerging reality of warfare, and they will form an ever growing fraction of total military assets. By necessity, intelligent autonomous cyber defense agents are likely to become primary cyber fighters on the future battlefield. Initial explorations have identified t… ▽ More Intelligent autonomous agents will be widely present on the battlefield of the future. The proliferation of intelligent agents is the emerging reality of warfare, and they will form an ever growing fraction of total military assets. By necessity, intelligent autonomous cyber defense agents are likely to become primary cyber fighters on the future battlefield. Initial explorations have identified the key functions, components and their interactions for a potential reference architecture of such an agent. However, it is beyond the current state of AI to support an agent that could operate intelligently in an environment as complex as the real battlefield. A number of difficult challenges are yet to be overcome. At the same time, a growing body of research in Government and academia demonstrates promising steps towards solving some of the challenges. The industry is beginning to embrace approaches that may contribute to technologies of autonomous intelligent agents for cyber defense of the Army networks. △ Less

Submitted 18 December, 2018; originally announced December 2018.

Comments: This is a pre-print version of the article appearing in The Cyber Defense Review journal, Fall 2018. arXiv admin note: text overlap with arXiv:1803.11256

Game-Theoretic Model and Experimental Investigation of Cyber Wargaming

Authors: Edward Colbert, Alexander Kott, Lawrence Knachel

Abstract: We demonstrate that game-theoretic calculations serve as a useful tool for assisting cyber wargaming teams in identifying useful strategies. We note a significant similarity between formulating cyber wargaming strategies and the methodology known in military practice as Course of Action (COA) generation. For scenarios in which the attacker must penetrate multiple layers in a defense-in-depth secur… ▽ More We demonstrate that game-theoretic calculations serve as a useful tool for assisting cyber wargaming teams in identifying useful strategies. We note a significant similarity between formulating cyber wargaming strategies and the methodology known in military practice as Course of Action (COA) generation. For scenarios in which the attacker must penetrate multiple layers in a defense-in-depth security configuration, an accounting of attacker and defender costs and penetration probabilities provides cost-utility payoff matrices and penetration probability matrices. These can be used as decision tools by both the defender and attacker. Inspection of the matrices allows players to deduce preferred strategies (or COAs) based on game-theoretical equilibrium solutions. The matrices also help in analyzing anticipated effects of potential human-based choices of wargame strategies and counter-strategies. We describe a mathematical game-theoretic formalism and offer detailed analysis of a table-top cyber wargame executed at the US Army Research Laboratory. Our analysis shows how game-theoretical calculations can provide an effective tool for decision-making during cyber wargames. △ Less

Submitted 27 September, 2018; originally announced September 2018.

Comments: Preliminary version to be published in JDMS

Journal ref: JDMS 2018

Long-Term Forecasts of Military Technologies for a 20-30 Year Horizon: An Empirical Assessment of Accuracy

Authors: Alexander Kott, Philip Perconti

Abstract: During the 1990s, while exploring the impact of the collapse of the Soviet Union on developments in future warfare, a number of authors offered forecasts of military technology appearing by the year 2020. This paper offers a quantitative assessment of the accuracy of this group of forecasts. The overall accuracy - by several measures - was assessed as quite high, thereby pointing to the potential… ▽ More During the 1990s, while exploring the impact of the collapse of the Soviet Union on developments in future warfare, a number of authors offered forecasts of military technology appearing by the year 2020. This paper offers a quantitative assessment of the accuracy of this group of forecasts. The overall accuracy - by several measures - was assessed as quite high, thereby pointing to the potential value of such forecasts in managing investments in long-term research and development. Major differences in accuracy, with strong statistical significance, were found between forecasts pertaining primarily to information acquisition and processing technologies, as opposed to technologies that aim primarily at physical effects. This paper also proposes several recommendations regarding methodological aspects of forecast accuracy assessments. Although the assessments were restricted to information available in open literature, the expert assessors did not find this constraint a significant detriment to the assessment process. △ Less

Submitted 22 July, 2018; originally announced July 2018.

Comments: under review at the Technological Forecasting and Social Change journal

Towards an Active, Autonomous and Intelligent Cyber Defense of Military Systems: the NATO AICA Reference Architecture

Authors: Paul Theron, Alexander Kott, Martin Drašar, Krzysztof Rzadca, Benoît LeBlanc, Mauno Pihelgas, Luigi Mancini, Agostino Panico

Abstract: Within the future Global Information Grid, complex massively interconnected systems, isolated defense vehicles, sensors and effectors, and infrastructures and systems demanding extremely low failure rates, to which human security operators cannot have an easy access and cannot deliver fast enough reactions to cyber-attacks, need an active, autonomous and intelligent cyber defense. Multi Agent Syst… ▽ More Within the future Global Information Grid, complex massively interconnected systems, isolated defense vehicles, sensors and effectors, and infrastructures and systems demanding extremely low failure rates, to which human security operators cannot have an easy access and cannot deliver fast enough reactions to cyber-attacks, need an active, autonomous and intelligent cyber defense. Multi Agent Systems for Cyber Defense may provide an answer to this requirement. This paper presents the concept and architecture of an Autonomous Intelligent Cyber defense Agent (AICA). First, we describe the rationale of the AICA concept. Secondly, we explain the methodology and purpose that drive the definition of the AICA Reference Architecture (AICARA) by NATO's IST-152 Research and Technology Group. Thirdly, we review some of the main features and challenges of Multi Autonomous Intelligent Cyber defense Agent (MAICA). Fourthly, we depict the initially assumed AICA Reference Architecture. Then we present one of our preliminary research issues, assumptions and ideas. Finally, we present the future lines of research that will help develop and test the AICA / MAICA concept. △ Less

Submitted 7 June, 2018; originally announced June 2018.

Comments: This is a pre-print version of the paper that appears in the Proceedings of the International Conference on Military Communications and Information Systems, Warsaw, Poland, 22-23 May 2018. arXiv admin note: substantial text overlap with arXiv:1803.10664

Towards a Reconceptualisation of Cyber Risk: An Empirical and Ontological Study

Authors: Alessandro Oltramari, Alexander Kott

Abstract: The prominence and use of the concept of cyber risk has been rising in recent years. This paper presents empirical investigations focused on two important and distinct groups within the broad community of cyber-defense professionals and researchers: (1) cyber practitioners and (2) developers of cyber ontologies. The key finding of this work is that the ways the concept of cyber risk is treated by… ▽ More The prominence and use of the concept of cyber risk has been rising in recent years. This paper presents empirical investigations focused on two important and distinct groups within the broad community of cyber-defense professionals and researchers: (1) cyber practitioners and (2) developers of cyber ontologies. The key finding of this work is that the ways the concept of cyber risk is treated by practitioners of cybersecurity is largely inconsistent with definitions of cyber risk commonly offered in the literature. Contrary to commonly cited definitions of cyber risk, concepts such as the likelihood of an event and the extent of its impact are not used by cybersecurity practitioners. This is also the case for use of these concepts in the current generation of cybersecurity ontologies. Instead, terms and concepts reflective of the adversarial nature of cyber defense appear to take the most prominent roles. This research offers the first quantitative empirical evidence that rejection of traditional concepts of cyber risk by cybersecurity professionals is indeed observed in real-world practice. △ Less

Submitted 21 June, 2018; originally announced June 2018.

Comments: This is a pre-print version of the paper published in the Journal of Information Warfare, volume 17, issue 1, Winter 2018

Fundamental Concepts of Cyber Resilience: Introduction and Overview

Authors: Igor Linkov, Alexander Kott

Abstract: Given the rapid evolution of threats to cyber systems, new management approaches are needed that address risk across all interdependent domains (i.e., physical, information, cognitive, and social) of cyber systems. Further, the traditional approach of hardening of cyber systems against identified threats has proven to be impossible. Therefore, in the same way that biological systems develop immuni… ▽ More Given the rapid evolution of threats to cyber systems, new management approaches are needed that address risk across all interdependent domains (i.e., physical, information, cognitive, and social) of cyber systems. Further, the traditional approach of hardening of cyber systems against identified threats has proven to be impossible. Therefore, in the same way that biological systems develop immunity as a way to respond to infections and other attacks, so too must cyber systems adapt to ever-changing threats that continue to attack vital system functions, and to bounce back from the effects of the attacks. Here, we explain the basic concepts of resilience in the context of systems, discuss related properties, and make business case of cyber resilience. We also offer a brief summary of ways to assess cyber resilience of a system, and approaches to improving cyber resilience. △ Less

Submitted 7 June, 2018; originally announced June 2018.

Comments: This is a preprint version of a chapter that appears in the book "Cyber Resilience of Systems and Networks," Springer 2018

Approaches to Enhancing Cyber Resilience: Report of the North Atlantic Treaty Organization (NATO) Workshop IST-153

Authors: Alexander Kott, Benjamin Blakely, Diane Henshel, Gregory Wehner, James Rowell, Nathaniel Evans, Luis Muñoz-González, Nandi Leslie, Donald W French, Donald Woodard, Kerry Krutilla, Amanda Joyce, Igor Linkov, Carmen Mas-Machuca, Janos Sztipanovits, Hugh Harney, Dennis Kergl, Perri Nejib, Edward Yakabovicz, Steven Noel, Tim Dudman, Pierre Trepagnier, Sowdagar Badesha, Alfred Møller

Abstract: This report summarizes the discussions and findings of the 2017 North Atlantic Treaty Organization (NATO) Workshop, IST-153, on Cyber Resilience, held in Munich, Germany, on 23-25 October 2017, at the University of Bundeswehr. Despite continual progress in managing risks in the cyber domain, anticipation and prevention of all possible attacks and malfunctions are not feasible for the current or fu… ▽ More This report summarizes the discussions and findings of the 2017 North Atlantic Treaty Organization (NATO) Workshop, IST-153, on Cyber Resilience, held in Munich, Germany, on 23-25 October 2017, at the University of Bundeswehr. Despite continual progress in managing risks in the cyber domain, anticipation and prevention of all possible attacks and malfunctions are not feasible for the current or future systems comprising the cyber infrastructure. Therefore, interest in cyber resilience (as opposed to merely risk-based approaches) is increasing rapidly, in literature and in practice. Unlike concepts of risk or robustness - which are often and incorrectly conflated with resilience - resiliency refers to the system's ability to recover or regenerate its performance to a sufficient level after an unexpected impact produces a degradation of its performance. The exact relation among resilience, risk, and robustness has not been well articulated technically. The presentations and discussions at the workshop yielded this report. It focuses on the following topics that the participants of the workshop saw as particularly important: fundamental properties of cyber resilience; approaches to measuring and modeling cyber resilience; mission modeling for cyber resilience; systems engineering for cyber resilience, and dynamic defense as a path toward cyber resilience. △ Less

Submitted 20 April, 2018; originally announced April 2018.

Report number: ARL-SR-0396

Toward Intelligent Autonomous Agents for Cyber Defense: Report of the 2017 Workshop by the North Atlantic Treaty Organization (NATO) Research Group IST-152-RTG

Authors: Alexander Kott, Ryan Thomas, Martin Drašar, Markus Kont, Alex Poylisher, Benjamin Blakely, Paul Theron, Nathaniel Evans, Nandi Leslie, Rajdeep Singh, Maria Rigaki, S Jay Yang, Benoit LeBlanc, Paul Losiewicz, Sylvain Hourlier, Misty Blowers, Hugh Harney, Gregory Wehner, Alessandro Guarino, Jana Komárková, James Rowell

Abstract: This report summarizes the discussions and findings of the Workshop on Intelligent Autonomous Agents for Cyber Defence and Resilience organized by the NATO research group IST-152-RTG. The workshop was held in Prague, Czech Republic, on 18-20 October 2017. There is a growing recognition that future cyber defense should involve extensive use of partially autonomous agents that actively patrol the fr… ▽ More This report summarizes the discussions and findings of the Workshop on Intelligent Autonomous Agents for Cyber Defence and Resilience organized by the NATO research group IST-152-RTG. The workshop was held in Prague, Czech Republic, on 18-20 October 2017. There is a growing recognition that future cyber defense should involve extensive use of partially autonomous agents that actively patrol the friendly network, and detect and react to hostile activities rapidly (far faster than human reaction time), before the hostile malware is able to inflict major damage, evade friendly agents, or destroy friendly agents. This requires cyber-defense agents with a significant degree of intelligence, autonomy, self-learning, and adaptability. The report focuses on the following questions: In what computing and tactical environments would such an agent operate? What data would be available for the agent to observe or ingest? What actions would the agent be able to take? How would such an agent plan a complex course of actions? Would the agent learn from its experiences, and how? How would the agent collaborate with humans? How can we ensure that the agent will not take undesirable destructive actions? Is it possible to help envision such an agent with a simple example? △ Less

Submitted 20 April, 2018; originally announced April 2018.

Report number: ARL-SR-0395

Challenges and Characteristics of Intelligent Autonomy for Internet of Battle Things in Highly Adversarial Environments

Authors: Alexander Kott

Abstract: Numerous, artificially intelligent, networked things will populate the battlefield of the future, operating in close collaboration with human warfighters, and fighting as teams in highly adversarial environments. This paper explores the characteristics, capabilities and intelligence required of such a network of intelligent things and humans - Internet of Battle Things (IOBT). It will experience u… ▽ More Numerous, artificially intelligent, networked things will populate the battlefield of the future, operating in close collaboration with human warfighters, and fighting as teams in highly adversarial environments. This paper explores the characteristics, capabilities and intelligence required of such a network of intelligent things and humans - Internet of Battle Things (IOBT). It will experience unique challenges that are not yet well addressed by the current generation of AI and machine learning. △ Less

Submitted 13 April, 2018; v1 submitted 20 March, 2018; originally announced March 2018.

Comments: This is a version of the paper that was presented at, and will appear in the Proceedings of the 2018 Spring Symposium of AAAI, March 26-28, 2018, Palo Alto, CA

Autonomous Intelligent Cyber-defense Agent (AICA) Reference Architecture. Release 2.0

Authors: Alexander Kott, Paul Théron, Martin Drašar, Edlira Dushku, Benoît LeBlanc, Paul Losiewicz, Alessandro Guarino, Luigi Mancini, Agostino Panico, Mauno Pihelgas, Krzysztof Rzadca, Fabio De Gaspari

Abstract: This report - a major revision of its previous release - describes a reference architecture for intelligent software agents performing active, largely autonomous cyber-defense actions on military networks of computing and communicating devices. The report is produced by the North Atlantic Treaty Organization (NATO) Research Task Group (RTG) IST-152 "Intelligent Autonomous Agents for Cyber Defense… ▽ More This report - a major revision of its previous release - describes a reference architecture for intelligent software agents performing active, largely autonomous cyber-defense actions on military networks of computing and communicating devices. The report is produced by the North Atlantic Treaty Organization (NATO) Research Task Group (RTG) IST-152 "Intelligent Autonomous Agents for Cyber Defense and Resilience". In a conflict with a technically sophisticated adversary, NATO military tactical networks will operate in a heavily contested battlefield. Enemy software cyber agents - malware - will infiltrate friendly networks and attack friendly command, control, communications, computers, intelligence, surveillance, and reconnaissance and computerized weapon systems. To fight them, NATO needs artificial cyber hunters - intelligent, autonomous, mobile agents specialized in active cyber defense. With this in mind, in 2016, NATO initiated RTG IST-152. Its objective has been to help accelerate the development and transition to practice of such software agents by producing a reference architecture and technical roadmap. This report presents the concept and architecture of an Autonomous Intelligent Cyber-defense Agent (AICA). We describe the rationale of the AICA concept, explain the methodology and purpose that drive the definition of the AICA Reference Architecture, and review some of the main features and challenges of AICAs. △ Less

Submitted 22 March, 2023; v1 submitted 28 March, 2018; originally announced March 2018.

Comments: This is a major revision and extension of the earlier release of AICA Reference Architecture

Report number: ARL-SR-0421

The Internet of Battle Things

Authors: Alexander Kott, Ananthram Swami, Bruce J West

Abstract: The battlefield of the future will be densely populated by a variety of entities ("things") -- some intelligent and some only marginally so -- performing a broad range of tasks: sensing, communicating, acting, and collaborating with each other and human warfighters. We call this the Internet of Battle Things, IoBT. In some ways, IoBT is already becoming a reality, but 20-30 years from now it is li… ▽ More The battlefield of the future will be densely populated by a variety of entities ("things") -- some intelligent and some only marginally so -- performing a broad range of tasks: sensing, communicating, acting, and collaborating with each other and human warfighters. We call this the Internet of Battle Things, IoBT. In some ways, IoBT is already becoming a reality, but 20-30 years from now it is likely to become a dominant presence in warfare. To become a reality, however, this bold vision will have to overcome a number of major challenges. As one example of such a challenge, the communications among things will have to be flexible and adaptive to rapidly changing situations and military missions. In this paper, we explore this and several other major challenges of IoBT, and outline key research directions and approaches towards solving these challenges. △ Less

Submitted 24 December, 2017; originally announced December 2017.

Comments: This is a version of the article that appears in IEEE Computer as: Kott, Alexander, Ananthram Swami, and Bruce J. West. "The Internet of Battle Things." Computer 49.12 (2016): 70-75

Journal ref: Computer 49.12 (2016): 70-75

How do you Command an Army of Intelligent Things?

Authors: Alexander Kott, David Alberts

Abstract: Within a decade, probably less, we will need to find ways to work effectively with ever growing numbers of intelligent things, including robots and intelligent agents. The networked workforce of the near future will thus consist of not only interconnected and interdependent humans but also of intelligent things. This raises a number of challenging issues, none more compelling and urgent than findi… ▽ More Within a decade, probably less, we will need to find ways to work effectively with ever growing numbers of intelligent things, including robots and intelligent agents. The networked workforce of the near future will thus consist of not only interconnected and interdependent humans but also of intelligent things. This raises a number of challenging issues, none more compelling and urgent than finding an answer to the question "How to manage this new organizational form?" We consider these issues in a particularly challenging domain of human endeavor -- warfare. Command and Control (C2) is the term applied to management or governance of military organizations and endeavors. We consider how human and other intelligent entities can best contribute to ensuring that the decision makers, whether human or machine, have the information they require and make good use of this information to accomplish C2 functions. Commanders or managers of mixed human-thing organizations will face several challenges that the discussion above has highlighted. Things are challenged in a number of areas and will need humans to provide these capabilities. These include their ability to explain, build trust, bond, understand personal agendas, emotions, politics, and negotiate. Things and people both to some extent have difficulty anticipating and co** with the unusual and unexpected and to think of out-of-the-box solutions. △ Less

Submitted 24 December, 2017; originally announced December 2017.

Comments: This is a version of the article that appears in IEEE Computer as: Kott, Alexander, and David S. Alberts. "How Do You Command an Army of Intelligent Things?." Computer 12 (2017): 96-100

Journal ref: Computer 12 (2017): 96-100

Approaches to Modeling the Impact of Cyber Attacks on a Mission

Authors: Alexander Kott, Mona Lange, Jackson Ludwig

Abstract: The success of a business mission is highly dependent on the Communications and Information Systems (CIS) that support the mission. Mission Impact Assessment (MIA) seeks to assist the integration of business or military operations with cyber defense, particularly in bridging the cognitive gap between operational decision-makers and cyber defenders. Recent years have seen a growing interest in mode… ▽ More The success of a business mission is highly dependent on the Communications and Information Systems (CIS) that support the mission. Mission Impact Assessment (MIA) seeks to assist the integration of business or military operations with cyber defense, particularly in bridging the cognitive gap between operational decision-makers and cyber defenders. Recent years have seen a growing interest in model-driven approaches to MIA. Such approaches involve construction and simulation of models of the mission, systems, and attack scenarios in order to understand an attack's impact, including its nature, dependencies involved, and the extent of consequences. This paper discusses representative examples of recent research on model-driven approach to MIA, highlights its potential value and cautions about serious remaining challenges. △ Less

Submitted 11 October, 2017; originally announced October 2017.

Comments: This is an earlier version (more verbose and less polished) of the paper titled "Assessing Mission Impact of Cyberattacks: Toward a Model-Driven Paradigm" that appeared in October 2017 issue of IEEE Security & Privacy. arXiv admin note: text overlap with arXiv:1601.00912

Cyber-Physical War Gaming

Authors: E. J. M. Colbert, D. T. Sullivan, A Kott

Abstract: This paper presents general strategies for cyber war gaming of Cyber-Physical Systems (CPSs) that are used for cyber security research at the U.S. Army Research Laboratory (ARL). Since Supervisory Control and Data Acquisition (SCADA) and other CPSs are operational systems, it is difficult or impossible to perform security experiments on actual systems. The authors describe how table-top strategy s… ▽ More This paper presents general strategies for cyber war gaming of Cyber-Physical Systems (CPSs) that are used for cyber security research at the U.S. Army Research Laboratory (ARL). Since Supervisory Control and Data Acquisition (SCADA) and other CPSs are operational systems, it is difficult or impossible to perform security experiments on actual systems. The authors describe how table-top strategy sessions and realistic, live CPS war games are conducted at ARL. They also discuss how the recorded actions of the war game activity can be used to test and validate cyber-defence models, such as game-theoretic security models. △ Less

Submitted 24 August, 2017; originally announced August 2017.

Comments: To appear in Journal of Information Warfare, Volume 16

Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach

Authors: Richard Harang, Alexander Kott

Abstract: We analyze sets of intrusion detection records observed on the networks of several large, nonresidential organizations protected by a form of intrusion detection and prevention service. Our analyses reveal that the process of intrusion detection in these networks exhibits a significant degree of burstiness as well as strong memory, with burstiness and memory properties that are comparable to those… ▽ More We analyze sets of intrusion detection records observed on the networks of several large, nonresidential organizations protected by a form of intrusion detection and prevention service. Our analyses reveal that the process of intrusion detection in these networks exhibits a significant degree of burstiness as well as strong memory, with burstiness and memory properties that are comparable to those of natural processes driven by threshold effects, but different from bursty human activities. We explore time-series models of these observable network security incidents based on partially observed data using a hidden Markov model with restricted hidden states, which we fit using Markov Chain Monte Carlo techniques. We examine the output of the fitted model with respect to its statistical properties and demonstrate that the model adequately accounts for intrinsic "bursting" within observed network incidents as a result of alternation between two or more stochastic processes. While our analysis does not lead directly to new detection capabilities, the practical implications of gaining better understanding of the observed burstiness are significant, and include opportunities for quantifying a network's risks and defensive efforts. △ Less

Submitted 12 July, 2017; originally announced July 2017.

Comments: This is a version of the paper that is to appear as Harang, R., & Kott, A. (2017). Burstiness of Intrusion Detection Process: Empirical Evidence and a Modeling Approach. IEEE Transactions on Information Forensics and Security

Recommendations for Model-Driven Paradigms for Integrated Approaches to Cyber Defense

Authors: Mona Lange, Alexander Kott, Noam Ben-Asher, Wim Mees, Nazife Baykal, Cristian-Mihai Vidu, Matteo Merialdo, Marek Malowidzki, Bhopinder Madahar

Abstract: The North Atlantic Treaty Organization (NATO) Exploratory Team meeting, "Model-Driven Paradigms for Integrated Approaches to Cyber Defense," was organized by the NATO Science and Technology Organization's (STO) Information Systems and Technology (IST) panel and conducted its meetings and electronic exchanges during 2016. This report describes the proceedings and outcomes of the team's efforts. M… ▽ More The North Atlantic Treaty Organization (NATO) Exploratory Team meeting, "Model-Driven Paradigms for Integrated Approaches to Cyber Defense," was organized by the NATO Science and Technology Organization's (STO) Information Systems and Technology (IST) panel and conducted its meetings and electronic exchanges during 2016. This report describes the proceedings and outcomes of the team's efforts. Many of the defensive activities in the fields of cyber warfare and information assurance rely on essentially ad hoc techniques. The cyber community recognizes that comprehensive, systematic, principle-based modeling and simulation are more likely to produce long-term, lasting, reusable approaches to defensive cyber operations. A model-driven paradigm is predicated on creation and validation of mechanisms of modeling the organization whose mission is subject to assessment, the mission (or missions) itself, and the cyber-vulnerable systems that support the mission. This by any definition is a complex socio-technical system (of systems), and the level of detail of this class of problems ranges from the level of host and network events to the systems' functions up to the function of the enterprise. Solving this class of problems is of medium to high difficulty and can draw in part on advances in Systems Engineering (SE). Such model-based approaches and analysis could be used to explore multiple alternative mitigation and work-around strategies and to select the optimal course of mitigating actions. Furthermore, the model-driven paradigm applied to cyber operations is likely to benefit traditional disciplines of cyber defense such as security, vulnerability analysis, intrusion prevention, intrusion detection, analysis, forensics, attribution, and recovery. △ Less

Submitted 9 March, 2017; originally announced March 2017.

Overview of Cyber Science and Technology Programs at the U.S. Army Research Laboratory

Authors: Alexander Kott

Abstract: This paper provides an overview of research programs in cyber security performed by the U.S Army Research Laboratory. Although ARL is the U.S. Army's corporate laboratory that focuses on fundamental and early applied research, the fundamental science endeavors are closely integrated with extensive operationally-oriented programs. One example is the Cyber Collaborative Research Alliance (CRA) that… ▽ More This paper provides an overview of research programs in cyber security performed by the U.S Army Research Laboratory. Although ARL is the U.S. Army's corporate laboratory that focuses on fundamental and early applied research, the fundamental science endeavors are closely integrated with extensive operationally-oriented programs. One example is the Cyber Collaborative Research Alliance (CRA) that brings together ARL scientists with academic researchers from dozens of U.S. universities. ARL cyber scientists are largely driven by challenges unique to the ground operations of the Army; this paper outlines a few of these challenges and the ways in which they are addressed by ARL research efforts. The long-term campaign of cyber research is guided by the vision of the future Army battlefield. In the year 2040, it will be a highly converged virtual-physical space, where cyber operations will be an integral part of the battle. △ Less

Submitted 3 January, 2017; originally announced February 2017.

Comments: A version of this paper appeared in the special issue of the Journal of Cyber Security and Information Systems, vol.5, n.1, December 2016

The Future Internet of Things and Security of its Control Systems

Authors: Misty Blowers, Jose Iribarne, Edward Colbert, Alexander Kott

Abstract: We consider the future cyber security of industrial control systems. As best as we can see, much of this future unfolds in the context of the Internet of Things (IoT). In fact, we envision that all industrial and infrastructure environments, and cyber-physical systems in general, will take the form reminiscent of what today is referred to as the IoT. IoT is envisioned as multitude of heterogeneous… ▽ More We consider the future cyber security of industrial control systems. As best as we can see, much of this future unfolds in the context of the Internet of Things (IoT). In fact, we envision that all industrial and infrastructure environments, and cyber-physical systems in general, will take the form reminiscent of what today is referred to as the IoT. IoT is envisioned as multitude of heterogeneous devices densely interconnected and communicating with the objective of accomplishing a diverse range of objectives, often collaboratively. One can argue that in the relatively near future, the IoT construct will subsume industrial plants, infrastructures, housing and other systems that today are controlled by ICS and SCADA systems. In the IoT environments, cybersecurity will derive largely from system agility, moving-target defenses, cybermaneuvering, and other autonomous or semi-autonomous behaviors. Cyber security of IoT may also benefit from new design methods for mixed-trusted systems; and from big data analytics -- predictive and autonomous. △ Less

Submitted 6 October, 2016; originally announced October 2016.

Comments: A version of this paper appeared as a chapter of the book "Cyber Security of SCADA and Other Industrial Control Systems," Springer 2016

Inducing and Mitigating a Self-Reinforcing Degradation in Decision-making Teams

Authors: Paul Hubbard, Alexander Kott, Michael Martin

Abstract: The models in this paper demonstrate how self-reinforcing error due to positive feedback can lead to overload and saturation of decision-making elements, and ultimately the cascading collapse of an organization due to the propagation of overload and erroneous decisions throughout the organization. We begin the paper with an analysis of the stability of the decision-making aspects of command organi… ▽ More The models in this paper demonstrate how self-reinforcing error due to positive feedback can lead to overload and saturation of decision-making elements, and ultimately the cascading collapse of an organization due to the propagation of overload and erroneous decisions throughout the organization. We begin the paper with an analysis of the stability of the decision-making aspects of command organizations from a system-theoretic perspective. A simple dynamic model shows how an organization can enter into a self-reinforcing cycle of increasing decision workload until the demand for decisions exceeds the decision-making capacity of the organization. We then extend the model to more complex networked organizations and show that they also experience a form of self-reinforcing degradation. In particular, we find that the degradation in decision quality has a tendency to propagate through the hierarchical structure, i.e. overload at one location affects other locations by overloading the higher-level components which then in turn overload their subordinates. Our computational experiments suggest several strategies for mitigating this type of malfunction: dum** excessive load, empowering lower echelons, minimizing the need for coordination, using command-by-negation, insulating weak performers, and applying on-line diagnostics. We describe a method to allocate decision responsibility and arrange information flow dynamically within a team of decision-makers for command and control. △ Less

Submitted 27 July, 2016; originally announced July 2016.

Comments: A version of this paper appeared as a chapter in the book "Information Warfare and Organizational Decision-Making"

Validation of Information Fusion

Authors: Alexander Kott, Wes Milks

Abstract: We motivate and offer a formal definition of validation as it applies to information fusion systems. Common definitions of validation compare the actual state of the world with that derived by the fusion process. This definition conflates properties of the fusion system with properties of systems that intervene between the world and the fusion system. We propose an alternative definition where val… ▽ More We motivate and offer a formal definition of validation as it applies to information fusion systems. Common definitions of validation compare the actual state of the world with that derived by the fusion process. This definition conflates properties of the fusion system with properties of systems that intervene between the world and the fusion system. We propose an alternative definition where validation of an information fusion system references a standard fusion device, such as recognized human experts. We illustrate the approach by describing the validation process implemented in RAID, a program conducted by DARPA and focused on information fusion in adversarial, deceptive environments. △ Less

Submitted 22 July, 2016; originally announced July 2016.

Comments: This is a version of the paper presented at FUSION'09

Predicting Enemy's Actions Improves Commander Decision-Making

Authors: Michael Ownby, Alexander Kott

Abstract: The Defense Advanced Research Projects Agency (DARPA) Real-time Adversarial Intelligence and Decision-making (RAID) program is investigating the feasibility of "reading the mind of the enemy" - to estimate and anticipate, in real-time, the enemy's likely goals, deceptions, actions, movements and positions. This program focuses specifically on urban battles at echelons of battalion and below. The R… ▽ More The Defense Advanced Research Projects Agency (DARPA) Real-time Adversarial Intelligence and Decision-making (RAID) program is investigating the feasibility of "reading the mind of the enemy" - to estimate and anticipate, in real-time, the enemy's likely goals, deceptions, actions, movements and positions. This program focuses specifically on urban battles at echelons of battalion and below. The RAID program leverages approximate game-theoretic and deception-sensitive algorithms to provide real-time enemy estimates to a tactical commander. A key hypothesis of the program is that these predictions and recommendations will make the commander more effective, i.e. he should be able to achieve his operational goals safer, faster, and more efficiently. Realistic experimentation and evaluation drive the development process using human-in-the-loop wargames to compare humans and the RAID system. Two experiments were conducted in 2005 as part of Phase I to determine if the RAID software could make predictions and recommendations as effectively and accurately as a 4-person experienced staff. This report discusses the intriguing and encouraging results of these first two experiments conducted by the RAID program. It also provides details about the experiment environment and methodology that were used to demonstrate and prove the research goals. △ Less

Submitted 22 July, 2016; originally announced July 2016.

Comments: A version of this paper was presented at CCRTS'06

The Role of PMESII Modeling in a Continuous Cycle of Anticipation and Action

Authors: Alexander Kott, Stephen Morse

Abstract: The inevitable incompleteness of any collection of PMESII models, along with poorly understood methods for combining heterogeneous models, leads to major uncertainty regarding the reliability of computational tools. This uncertainty is further exacerbated by difficulties in validation of such tools. They should only be used as aids to human analysis and decision-making. A practitioner must wonder:… ▽ More The inevitable incompleteness of any collection of PMESII models, along with poorly understood methods for combining heterogeneous models, leads to major uncertainty regarding the reliability of computational tools. This uncertainty is further exacerbated by difficulties in validation of such tools. They should only be used as aids to human analysis and decision-making. A practitioner must wonder: how can we accommodate the uncertainty of a tool's results by applying human judgment appropriately? In this paper, we describe two examples where planners and analysts used (or could have used) computational tools to obtain estimates of effects of various actions under consideration. Then they considered these computational estimates to draw their own conclusions regarding the effects that would likely emerge from proposed actions taken by the international mission. The key idea, in both of our examples, is a continuous cycle of anticipations and actions; in each cycle computational estimates of effects help intervention managers determine appropriate actions, and then assessments of real-world outcomes guide the next increment of computational estimates. With a proper methodology, PMESII modeling tools can offer valuable insights and encourage learning, even if they will never produce fully accurate estimates useable in a customary, strictly predictive manner. △ Less

Submitted 21 July, 2016; originally announced July 2016.

Comments: A version of this paper appeared as a book chapter in Kott, A., & Citrenbaum, G. (Eds.). Estimating Impact: A Handbook of Computational Methods and Models for Anticipating Economic, Social, Political and Security Effects in International Interventions. Springer, 2010

A Survey of Research on Control of Teams of Small Robots in Military Operations

Authors: Stuart Young, Alexander Kott

Abstract: While a number of excellent review articles on military robots have appeared in existing literature, this paper focuses on a distinct sub-space of related problems: small military robots organized into moderately sized squads, operating in a ground combat environment. Specifically, we consider the following: - Command of practical small robots, comparable to current generation, small unmanned grou… ▽ More While a number of excellent review articles on military robots have appeared in existing literature, this paper focuses on a distinct sub-space of related problems: small military robots organized into moderately sized squads, operating in a ground combat environment. Specifically, we consider the following: - Command of practical small robots, comparable to current generation, small unmanned ground vehicles (e.g., PackBots) with limited computing and sensor payload, as opposed to larger vehicle-sized robots or micro-scale robots; - Utilization of moderately sized practical forces of 3-10 robots applicable to currently envisioned military ground operations; - Complex three-dimensional physical environments, such as urban areas or mountainous terrains and the inherent difficulties they impose, including limited and variable fields of observation, difficult navigation, and intermittent communication; - Adversarial environments where the active, intelligent enemy is the key consideration in determining the behavior of the robotic force; and - Purposeful, partly autonomous, coordinated behaviors that are necessary for such a robotic force to survive and complete missions; these are far more complex than, for example, formation control or field coverage behavior. △ Less

Submitted 3 June, 2016; originally announced June 2016.

Comments: a version of this paper was presented at the 14th CCRTS Symposium

Approaches to Modeling Insurgency

Authors: Alexander Kott, Bruce Skarin

Abstract: This paper begins with an introduction to qualitative theories and models of insurgency, quantitative measures of insurgency, influence diagrams, system dynamics models of insurgency, agent based molding of insurgency, human-in-the-loop wargaming of insurgency, and statistical models of insurgency. The paper then presents a detailed case study of an agent-based model that focuses on the Troubles i… ▽ More This paper begins with an introduction to qualitative theories and models of insurgency, quantitative measures of insurgency, influence diagrams, system dynamics models of insurgency, agent based molding of insurgency, human-in-the-loop wargaming of insurgency, and statistical models of insurgency. The paper then presents a detailed case study of an agent-based model that focuses on the Troubles in Northern Ireland starting in 1968. The model is agent-based and uses a modeling tool called Simulation of Cultural Identities for Prediction of Reactions (SCIPR). The objective in this modeling effort was to predict trends in the degree of population's support to parties in this conflict. The case studies describes in detail the agents, their actions, model initialization and simulation process, and the results of the simulation compared to actual historical results of elections. △ Less

Submitted 5 March, 2016; originally announced March 2016.

Comments: A version of this paper appeared as a book chapter in Kott, A., & Citrenbaum, G. (Eds.). Estimating Impact: A Handbook of Computational Methods and Models for Anticipating Economic, Social, Political and Security Effects in International Interventions. Springer, 2010

Resiliency and Robustness of Complex, Multi-Genre Networks

Authors: Alexander Kott, Tarek Abdelzaher

Abstract: We explore the resiliency and robustness of systems while viewing them as complex, multi-genre networks. The term "complex, multi-genre networks" refers to networks that combine several distinct genres - networks of physical resources, communication networks, information networks, and social and cognitive networks. We show that this perspective is fruitful and adds to our understanding of fundamen… ▽ More We explore the resiliency and robustness of systems while viewing them as complex, multi-genre networks. The term "complex, multi-genre networks" refers to networks that combine several distinct genres - networks of physical resources, communication networks, information networks, and social and cognitive networks. We show that this perspective is fruitful and adds to our understanding of fundamental challenges and tradeoffs in robustness and resiliency, as well as potential solutions to the challenges. Study of systems as multi-genre networks is relatively uncommon; instead, it is customary in research and engineering literature to focus on a view of a network comprised of homogeneous elements, (e.g., a network of communication devices, or a network of social beings). Yet, most if not all real-world networks are multi-genre - it is hard to find any real system of a significant complexity that does not include a combination of interconnected physical elements, communication devices and channels, data collections, and human users forming an integrated, inter-dependent whole. Most approaches to improving resiliency and robustness involve compromises, and the key challenge is to find a favorable compromise. Such compromises involve reducing or managing the complexity of the network: coupling, rigidity and dependency. We discuss several of these compromises, e.g., performance vs resiliency; resiliency to one type of disruption vs resiliency to another disruption type; and complexity vs resiliency. △ Less

Submitted 25 January, 2016; originally announced January 2016.

Comments: A version of this paper appeared as a book chapter in Adaptive, Dynamic, and Resilient Systems published by Springer

Decision Aids for Adversarial Planning in Military Operations: Algorithms, Tools, and Turing-test-like Experimental Validation

Authors: Alexander Kott, Ray Budd, Larry Ground, Lakshmi Rebbapragada, John Langston

Abstract: Use of intelligent decision aids can help alleviate the challenges of planning complex operations. We describe integrated algorithms, and a tool capable of translating a high-level concept for a tactical military operation into a fully detailed, actionable plan, producing automatically (or with human guidance) plans with realistic degree of detail and of human-like quality. Tight interleaving of s… ▽ More Use of intelligent decision aids can help alleviate the challenges of planning complex operations. We describe integrated algorithms, and a tool capable of translating a high-level concept for a tactical military operation into a fully detailed, actionable plan, producing automatically (or with human guidance) plans with realistic degree of detail and of human-like quality. Tight interleaving of several algorithms -- planning, adversary estimates, scheduling, routing, attrition and consumption estimates -- comprise the computational approach of this tool. Although originally developed for Army large-unit operations, the technology is generic and also applies to a number of other domains, particularly in critical situations requiring detailed planning within a constrained period of time. In this paper, we focus particularly on the engineering tradeoffs in the design of the tool. In an experimental evaluation, reminiscent of the Turing test, the tool's performance compared favorably with human planners. △ Less

Submitted 22 January, 2016; originally announced January 2016.

Comments: A version of this paper appeared in the Applied Intelligence journal

Coalition-based Planning of Military Operations: Adversarial Reasoning Algorithms in an Integrated Decision Aid

Authors: Larry Ground, Alexander Kott, Ray Budd

Abstract: Use of knowledge-based planning tools can help alleviate the challenges of planning a complex operation by a coalition of diverse parties in an adversarial environment. We explore these challenges and potential contributions of knowledge-based tools using as an example the CADET system, a knowledge-based tool capable of producing automatically (or with human guidance) battle plans with realistic d… ▽ More Use of knowledge-based planning tools can help alleviate the challenges of planning a complex operation by a coalition of diverse parties in an adversarial environment. We explore these challenges and potential contributions of knowledge-based tools using as an example the CADET system, a knowledge-based tool capable of producing automatically (or with human guidance) battle plans with realistic degree of detail and complexity. In ongoing experiments, it compared favorably with human planners. Interleaved planning, scheduling, routing, attrition and consumption processes comprise the computational approach of this tool. From the coalition operations perspective, such tools offer an important aid in rapid synchronization of assets and actions of heterogeneous assets belonging to multiple organizations, potentially with distinct doctrine and rules of engagement. In this paper, we discuss the functionality of the tool, provide a brief overview of the technical approach and experimental results, and outline the potential value of such tools. △ Less

Submitted 22 January, 2016; originally announced January 2016.

Comments: A version of this paper appeared in proceedings of the 2002 International Conference on Knowledge Systems for Coalition Operations (KSCO)

Assessing Mission Impact of Cyberattacks: Report of the NATO IST-128 Workshop

Authors: Alexander Kott, Nikolai Stoianov, Nazife Baykal, Alfred Moller, Reginald Sawilla, Pram Jain, Mona Lange, Cristian Vidu

Abstract: This report presents the results of a workshop conducted by the North Atlantic Treaty Organization (NATO) Information Systems Technology (IST) Panel in Istanbul, Turkey, in June 2015 to explore science and technology for characterizing the impact of cyber-attacks on missions. Military mission success is highly dependent on the communications and information systems (CISs) that support the mission… ▽ More This report presents the results of a workshop conducted by the North Atlantic Treaty Organization (NATO) Information Systems Technology (IST) Panel in Istanbul, Turkey, in June 2015 to explore science and technology for characterizing the impact of cyber-attacks on missions. Military mission success is highly dependent on the communications and information systems (CISs) that support the mission and their use in the cyber battlespace. The inexorably growing dependency on computational information processing for weapons, intelligence, communication, and logistics systems continues to increase the vulnerability of missions to various cyber threats. Attacks on CISs or other cyber incidents degrade or disrupt the usage of CISs, and the resulting mission capability, performance, and completion. These incidents are expected to increase in frequency and sophistication. The workshop participants concluded that the key to solving the mission impact assessment problem was in adopting and develo** a new model-driven paradigm that creates and validates mechanisms of modeling the mission organization, the mission(s), and the cyber-vulnerable systems that support the mission(s). Such models then simulate or portray the impacts of the cyber-attacks. In addition, such model-based analysis could explore multiple alternative mitigation and work-around strategies - an essential part of co** with mission impact - and select the optimal course of mitigating actions. Only such a paradigm can be expected to provide meaningful, actionable information about mission impacts that have not been seen before or do not match prior experiences and patterns. The papers presented at this workshop are available in an accompanying volume, Proceedings of the NATO Workshop IST-128, Assessing Mission Impact of Cyber Attacks. △ Less

Submitted 5 January, 2016; originally announced January 2016.

Report number: ARL-TR-7566

Security Metrics in Industrial Control Systems

Authors: Zachary A. Collier, Mahesh Panwar, Alexander A. Ganin, Alex Kott, Igor Linkov

Abstract: Risk is the best known and perhaps the best studied example within a much broader class of cyber security metrics. However, risk is not the only possible cyber security metric. Other metrics such as resilience can exist and could be potentially very valuable to defenders of ICS systems. Often, metrics are defined as measurable properties of a system that quantify the degree to which objectives of… ▽ More Risk is the best known and perhaps the best studied example within a much broader class of cyber security metrics. However, risk is not the only possible cyber security metric. Other metrics such as resilience can exist and could be potentially very valuable to defenders of ICS systems. Often, metrics are defined as measurable properties of a system that quantify the degree to which objectives of the system are achieved. Metrics can provide cyber defenders of an ICS with critical insights regarding the system. Metrics are generally acquired by analyzing relevant attributes of that system. In terms of cyber security metrics, ICSs tend to have unique features: in many cases, these systems are older technologies that were designed for functionality rather than security. They are also extremely diverse systems that have different requirements and objectives. Therefore, metrics for ICSs must be tailored to a diverse group of systems with many features and perform many different functions. In this chapter, we first outline the general theory of performance metrics, and highlight examples from the cyber security domain and ICS in particular. We then focus on a particular example of a class of metrics that is different from the one we have considered in earlier chapters. Instead of risk, here we consider metrics of resilience. Resilience is defined by the National Academy of Sciences (2012) as the ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events. This chapter presents two approaches for the generation of metrics based on the concept of resilience using a matrix-based approach and a network-based approach. Finally, a discussion of the benefits and drawbacks of different methods is presented along with a process and tips intended to aid in devising effective metrics. △ Less

Submitted 25 December, 2015; originally announced December 2015.

Comments: Chapter in In: Colbert, E. and Kott, A. (eds.), "Cyber Security of Industrial Control Systems, Including SCADA Systems," Springer, NY, 2016

Toward a Research Agenda in Adversarial Reasoning: Computational Approaches to Anticipating the Opponent's Intent and Actions

Authors: Alexander Kott, Michael Ownby

Abstract: This paper defines adversarial reasoning as computational approaches to inferring and anticipating an enemy's perceptions, intents and actions. It argues that adversarial reasoning transcends the boundaries of game theory and must also leverage such disciplines as cognitive modeling, control theory, AI planning and others. To illustrate the challenges of applying adversarial reasoning to real-worl… ▽ More This paper defines adversarial reasoning as computational approaches to inferring and anticipating an enemy's perceptions, intents and actions. It argues that adversarial reasoning transcends the boundaries of game theory and must also leverage such disciplines as cognitive modeling, control theory, AI planning and others. To illustrate the challenges of applying adversarial reasoning to real-world problems, the paper explores the lessons learned in the CADET - a battle planning system that focuses on brigade-level ground operations and involves adversarial reasoning. From this example of current capabilities, the paper proceeds to describe RAID - a DARPA program that aims to build capabilities in adversarial reasoning, and how such capabilities would address practical requirements in Defense and other application areas. △ Less

Submitted 24 December, 2015; originally announced December 2015.

Comments: A version of this paper was presented at the SPIE Symposium on Enabling Technologies for Simulation Science

An Experimental Evaluation of Computational Techniques for Planning and Assessment of International Interventions

Authors: Alexander Kott, Jeff Hansberger, Edward Waltz, Peter Corpac

Abstract: We describe the experimental methodology developed and employed in a series of experiments within the Defense Advanced Research Projects Agency (DARPA) Conflict Modeling, Planning, and Outcomes Exploration (COMPOEX) Program. The primary purpose of the effort was development of tools and methods for analysis, planning and predictive assessment of plans for complex operations where integrated politi… ▽ More We describe the experimental methodology developed and employed in a series of experiments within the Defense Advanced Research Projects Agency (DARPA) Conflict Modeling, Planning, and Outcomes Exploration (COMPOEX) Program. The primary purpose of the effort was development of tools and methods for analysis, planning and predictive assessment of plans for complex operations where integrated political-military-economic-social-infrastructure and information (PMESII) considerations play decisive roles. As part of the program, our team executed several broad-based experiments, involving dozens of experts from several agencies simultaneously. The methodology evolved from one experiment to another because of the lessons learned. The paper presents the motivation, objectives, and structure of this interagency experiment series; the methods we explored in the experiments; and the results, lessons learned and recommendations for future efforts of such nature. △ Less

Submitted 24 December, 2015; originally announced December 2015.

Comments: A version of this paper appeared in the International Journal of Command and Control

Towards Approaches to Continuous Assessment of Cyber Risk in Security of Computer Networks

Authors: Alexander Kott, Curtis Arnold

Abstract: We review the current status and research challenges in the area of cyber security often called continuous monitoring and risk scoring (CMRS). We focus on two most salient aspects of CMRS. First, continuous collection of data through automated feeds; hence the term continuous monitoring. Typical data collected for continuous monitoring purposes include network traffic information as well as host i… ▽ More We review the current status and research challenges in the area of cyber security often called continuous monitoring and risk scoring (CMRS). We focus on two most salient aspects of CMRS. First, continuous collection of data through automated feeds; hence the term continuous monitoring. Typical data collected for continuous monitoring purposes include network traffic information as well as host information from host-based agents. Second, analysis of the collected data in order to assess the risks - the risk scoring. This assessment may include flagging especially egregious vulnerabilities and exposures, or computing metrics that provide an overall characterization of the network's risk level. Currently used risk metrics are often simple sums or counts of vulnerabilities and missing patches. The research challenges pertaining to CMRS fall mainly into two categories. The first centers on the problem of integrating and fusing highly heterogeneous information. The second group of challenges is the lack of rigorous approaches to computing risk. Existing risk scoring algorithms remain limited to ad hoc heuristics such as simple sums of vulnerability scores or counts of things like missing patches or open ports, etc. Weaknesses and potentially misleading nature of such metrics are well recognized. For example, the individual vulnerability scores are dangerously reliant on subjective, human, qualitative input, potentially inaccurate and expensive to obtain. Further, the total number of vulnerabilities may matters far less than how vulnerabilities are distributed over hosts, or over time. Similarly, neither topology of the network nor the roles and dynamics of inter-host interactions are considered by simple sums of vulnerabilities or missing patches. △ Less

Submitted 24 December, 2015; originally announced December 2015.

Comments: A version of this paper appeared in IEEE Security and Privacy

Science of Cyber Security as a System of Models and Problems

Authors: Alexander Kott

Abstract: Terms like "Science of Cyber" or "Cyber Science" have been appearing in literature with growing frequency, and influential organizations initiated research initiatives toward develo** such a science even though it is not clearly defined. We propose to define the domain of the science of cyber security by noting the most salient artifact within cyber security -- malicious software -- and defining… ▽ More Terms like "Science of Cyber" or "Cyber Science" have been appearing in literature with growing frequency, and influential organizations initiated research initiatives toward develo** such a science even though it is not clearly defined. We propose to define the domain of the science of cyber security by noting the most salient artifact within cyber security -- malicious software -- and defining the domain as comprised of phenomena that involve malicious software (as well as legitimate software and protocols used maliciously) used to compel a computing device or a network of computing devices to perform actions desired by the perpetrator of malicious software (the attacker) and generally contrary to the intent (the policy) of the legitimate owner or operator (the defender) of the computing device(s). We further define the science of cyber security as the study of relations -- preferably expressed as theoretically-grounded models -- between attributes, structures and dynamics of: violations of cyber security policy; the network of computing devices under attack; the defenders' tools and techniques; and the attackers' tools and techniques where malicious software plays the central role. We offer a simple formalism of these key objects within cyber science and systematically derive a classification of primary problem classes within cyber science. △ Less

Submitted 29 November, 2015; originally announced December 2015.