Learning About Simulated Adversaries from Human Defenders using Interactive Cyber-Defense Games
Given the increase in cybercrime, cybersecurity analysts (i.e. Defenders) are
in high demand. Defenders must monitor an organization's network to evaluate
threats and potential breaches into the network. Adversary simulation is
commonly used to test defenders' performance against known threats to
organizations. However, it is unclear how effective this training process is in
preparing defenders for this highly demanding job. In this paper, we
demonstrate how to use adversarial algorithms to investigate defenders'
learning of defense strategies, using interactive cyber defense games. Our
Interactive Defense Game (IDG) represents a cyber defense scenario that
requires constant monitoring of incoming network alerts and allows a defender
to analyze, remove, and restore services based on the events observed in a
network. The participants in our study faced one of two types of simulated
adversaries. A Beeline adversary is a fast, targeted, and informed attacker;
and a Meander adversary is a slow attacker that wanders the network until it
finds the right target to exploit. Our results suggest that although human
defenders have more difficulty stopping the Beeline adversary initially, they
were able to learn to stop this adversary by taking advantage of their attack
strategy. Participants who played against the Beeline adversary learned to
anticipate the adversary and take more proactive actions, while decreasing
their reactive actions. These findings have implications for understanding how
to help cybersecurity analysts speed up their training.
Comment: Submitted to Journal of Cybersecurity
A Cyber-War Between Bots: Human-Like Attackers are More Challenging for Defenders than Deterministic Attackers
Adversary emulation is commonly used to test cyber defense performance against known threats to organizations. However, designing attack strategies is an expensive and unreliable manual process, based on subjective evaluation of the state of a network. In this paper, we propose the design of adversarial human-like cognitive models that are dynamic, adaptable, and have the ability to learn from experience. A cognitive model is built according to the theoretical principles of Instance-Based Learning Theory (IBLT) of experiential choice in dynamic tasks. In a simulation experiment, we compared the predictions of an IBL attacker with a carefully designed efficient but deterministic attacker attempting to access an operational server in a network. The results suggest that an IBL cognitive model that emulates human behavior can be a more challenging adversary for defenders than the carefully crafted optimal attack strategies. These insights can be used to inform future adversary emulation efforts and cyber defender training
Team performance analysis of a collaborative spatial orientation mission in mars analogue environment
As highlighted by human factors experts of the IAA, complementary studies have to be carried out in the field of human sciences to better understand psychological and sociological issues in long duration spaceflight and in isolated and extreme planetary environments. In order to minimize operational risks, efficient communication, problem solving capability and teamwork efficiency, which are considered key behavioural competencies by NASA, have to be tested. It is proposed here to assess the collaboration performance of astronauts in the context of a team spatial orientation task in planetary-analog environments. The experiment was originally designed and tested at the Mars Desert Research Station (crew 185, December 2017). Interestingly, some failures have been observed due to imperfect spatial representation, uncertainties and some communication problems. A similar experiment has been carried out using a virtual environment. N=62 participants have been paired up. Both teammates must collaborate to send a rover to a specific location on a computer simulation of the Mars surface. One person, the astronaut, drives the rover in the virtual environment, orally guided by the captain staying at the base. Every 45 seconds, each participant is asked to mark on his map the location he believes the rover to be. Similarity of teammates' spatial shared situational awareness and their accuracy have been used to objectively assess the team performance. Answers to a post-experiment questionnaire have been used to assess perceived communication behaviours of the team. Successful and Unsuccessful teams are compared. Interesting results are presented and discussed. Remarkably, significant differences in terms of Spatial SSA and communication behaviours appeared.
Shared situation awareness and collaboration in C2: operators monitoring in command and control simulated situation.
Advances in information and communication technologies have enabled the development of collaborative work in almost all sectors of human activity. To ensure the performance of the group and minimize the risk of errors, it is crucial that the team members share a common understanding of the situation in which they are involved. This is particularly true in military crisis situations, such as those that exist within command and control (C2) structures. Within an environment characterized by the growing complexity of conflicts, the challenge today is both scientific and highly applicative. Progress in the study of collective cognition, the heart of collaborative work, has a clear potential that must be translated into tangible applications to optimize the management and execution of collective tasks. Real-time evaluation of the cognition of individuals and teams makes it possible to envisage adaptive tools and systems to improve efficiency, performance and agility. In light of these challenges, our objective, commissioned by the DGA, is to find appropriate measures that would enable an assessment of the dynamics of the sharing of situational awareness, in the very constraining context of command and control room operations, which require the lowest possible level of instrumentation of operators. Our contribution to the field has been dual. We have proposed the concept of situation awareness synchrony to support the theoretical development of the study of the dynamics of situation awareness sharing. In addition, we have highlighted the importance of adopting a cognitive engineering methodology, with a view to transposing laboratory knowledge to a more complex application environment. Thus, our work consisted in exploring quantitative measures of shared situational awareness, suitable for automated and real-time exploitation by a collective cognition diagnostic system. We applied psychophysiological and behavioural monitoring of operators engaged in a C2 task (individual, then collective), to evaluate their shared situation awareness, using eye tracker pupillometry. These studies have led us to analyze the sensitivity of this monitoring to the dynamics of the operators' situational awareness and its sharing in an ecological environment. This doctoral work is presented as a demonstration of the interest and applicability of shared cognition evaluation systems in realistic collaborative work environments, and is supported by proposals concerning the future of research on C2.
Turing-like Experiment in a Cyber Defense Game
During the past decade, researchers of behavioral cyber security have created cognitive agents that are able to learn and make decisions in dynamic environments in ways that assimilate human decision processes. However, many of these efforts have been limited to simple detection tasks and represent basic cognitive functions rather than a whole set of cognitive capabilities required in dynamic cyber defense scenarios. Our current work aims at advancing the development of cognitive agents that learn and make defense-dynamic decisions during cyber attacks by intelligent attack agents. We also aim to evaluate the capability of these cognitive models in "Turing-like" experiments, comparing the decisions and performance of these agents against human cyber defenders. In this paper, we present an initial demonstration of a cognitive model of the defender that relies on a cognitive theory of dynamic decision-making, Instance-Based Learning Theory (IBLT); we also demonstrate the execution of the same defense task by human defenders. We rely on OpenAI Gym and CybORG and adapt an existing CAGE scenario to generate a simulation experiment using an IBL defender. We also offer a new Interactive Defense Game (IDG), where human defenders can perform the same CAGE scenario simulated with the IBL model. Our results suggest that the IBL model makes decisions against two intelligent attack agents that are similar to those observed in a subsequent human experiment. We conclude with a description of the cognitive foundations required to build autonomous intelligent cyber defense agents that can collaborate with humans in autonomous cyber defense teams.
Situation awareness issues during outdoor activity
In complex and dangerous environments such as extraterrestrial terrain, performance and risk issues are often driven by insufficient situation awareness and poor representation sharing. For a better understanding of situation awareness issues and in order to adapt tools and interfaces and to propose appropriate training procedures, tests on analogue terrains are of primary importance. Numerous experiments have already been conducted in the field. Examples:
- Several experiments have been carried out by CREW 185 at Mars Desert Research Station at the end of December 2017. The objective was to study spatial shared representations and communication strategies between a crew member staying at the base and an astronaut in EVA. The protocol of the experiment was split in two steps. Day one, a crew member “Capcom” goes in the field and builds a small cairn in a specific location known only to him. He also pays attention to the different environmental cues that may help finding the path to the cairn. Day two, another crew member “Astronaut” goes in the field. He communicates with Capcom using simple walkie-talkies. He starts a few hundred meters from the cairn and Capcom tries to explain how to find it. There is no map, no GPS and no compass. The experiment has been carried out 8 times with different combinations of 2 persons among a group of 4. As expected, the degraded situation awareness made the task difficult to complete. Sometimes, the cairn was never found or it was found after a long time. Several failure reasons have been identified: small differences between what has been memorized by Capcom and the reality of the terrain, inappropriate interpretation of instructions, wrong representation of the path or communication losses. In order to reduce errors, it is recommended to train astronauts in appropriate behavioral skills and to carry out tests in similar conditions.
- In a different context, unpressurized ATVs (All Terrain Vehicles) have been tested in the field [1]. Several important difficulties were reported and some recommendations were made to increase situation awareness. First, there was an incredible difference in performance between an ATV expert and a beginner. While the expert was able to go fast and at very low risk in many places (rocky terrain, high slope, etc.), beginners were going slowly and were not able to go in similar places without risks. A specific high level ATV driving skill must therefore be defined. Second, provided that winches are available, it was found that a large part of the zone was accessible to unpressurized rovers while it was certainly out of reach for heavy pressurized ones. As the exploratory performance could be strongly impacted by the type of vehicle sent to the surface of the planet, it is recommended to test the vehicles in different analogue terrains.
Real-time teamwork evaluation and C2 crisis management: overview of doctoral research
Evaluation of human performance and cognition has been around for decades. But the growing number of teamwork situations and the growing complexity of military operations and of the context of command and control of operations have made real-time evaluation of team cognition a real need for tomorrow's technologies and tools. Being able to assess in real time the cognition and state of individuals and teams would allow for the development of adaptive tools and systems, gaining in efficiency and performance and lowering error rates. Our objective is to find appropriate metrics that would allow for such an assessment, in the very constraining context of Current Ops of Air Command and Control rooms, requiring no instrumentation of the monitored operators.
