
Nick Giacobe's Research

Leveraging Existing Cyber Security Systems as Sensors

Corporate IT security systems are widespread and robust, but generally suffer from a siloing effect. The anti-virus system (Symantec Endpoint, McAfee EPO) doesn’t talk to the authentication system (Windows Active Directory, OpenDirectory, LDAP), which may or may not relate to the patch management system (WSUS, SMS, BigFix), and none of these integrate with the network monitoring and intrusion detection systems (firewalls, Snort). Yet each of these systems holds its own individual “evidence” of cyber security details. These individual pieces of evidence could be combined to provide a better picture of current activities on the network (see below). Leveraging existing cyber security systems as sensors in a larger sensor network is the key. There is also an opportunity to develop small software sensors and deploy them across the network to monitor individual system parameters (configuration changes, etc.), running applications, CPU load, and memory and network utilization. The objective in this line of research is to develop a list of sensors that already exist and provide access to their data to a fusion system.

Multi-Sensor Data Fusion Systems for Cyber Security

The key element in a data fusion system is not the data, but the algorithms and the inferences that can be made from it. The JDL Data Fusion Process Model is an excellent guide to the types of algorithmic processes, inputs and outputs that are required to develop situational awareness and project possible future outcomes, to better inform the analyst of what to do next. This work will take the sensors from the project above and apply a variety of algorithms at Levels 1 (Entity Extraction), 2 (Awareness) and 3 (Projection) of the JDL process.
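To make the two sections above concrete, here is an added example (written for this page, not code from the research project or from any of the products named) that treats four siloed systems as sensors: it parses constructed anti-virus, authentication, patch-management and IDS records, maps them onto a common host entity (Level 1), and combines each host's evidence into a single situation picture (Level 2). The record formats, host names, IP addresses and the asset inventory are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample records, one list per silo. The key=value formats are
# assumptions for this example, not the real output of any named product.
AV_LOG = ['2024-03-01T08:02:11 host=ws-17 event=DETECTION signature=Trojan.Generic action=QUARANTINED']
AUTH_LOG = ['2024-03-01T08:01:40 host=ws-17 user=jdoe result=FAILURE',
            '2024-03-01T08:01:52 host=ws-17 user=jdoe result=FAILURE',
            '2024-03-01T08:03:05 host=ws-17 user=jdoe result=SUCCESS',
            '2024-03-01T08:10:00 host=ws-22 user=asmith result=SUCCESS']
PATCH_LOG = ['host=ws-17 missing=SAMPLE-PATCH-01 severity=critical',
             'host=ws-22 missing=none']
IDS_LOG = ['2024-03-01T08:04:30 src=10.0.5.17 dst=203.0.113.9 sig="Outbound beacon" priority=1']
HOST_BY_IP = {'10.0.5.17': 'ws-17', '10.0.5.22': 'ws-22'}  # assumed asset inventory

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Turn one 'k=v k="v v"' record into a dict (fields without '=' are ignored)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def extract_entities(av, auth, patch, ids, host_by_ip):
    """JDL Level 1 (entity extraction): map every silo's records onto one host entity."""
    hosts = defaultdict(lambda: {'av': [], 'auth_fail': 0, 'auth_ok': 0,
                                 'missing_patch': [], 'ids': []})
    for rec in map(parse_kv, av):
        hosts[rec['host']]['av'].append(rec['signature'])
    for rec in map(parse_kv, auth):
        hosts[rec['host']]['auth_fail' if rec['result'] == 'FAILURE' else 'auth_ok'] += 1
    for rec in map(parse_kv, patch):
        if rec['missing'] != 'none':
            hosts[rec['host']]['missing_patch'].append(rec['missing'])
    for rec in map(parse_kv, ids):
        host = host_by_ip.get(rec['src'])  # the IDS only sees IPs; the inventory resolves the entity
        if host:
            hosts[host]['ids'].append(rec['sig'])
    return dict(hosts)

def assess(hosts):
    """JDL Level 2 (awareness): combine one host's evidence from every silo into a picture."""
    picture = {}
    for host, ev in hosts.items():
        ind = [label for cond, label in (
            (ev['av'], 'malware detected'),
            (ev['auth_fail'] >= 2 and ev['auth_ok'], 'failed logons followed by success'),
            (ev['missing_patch'], 'unpatched'),
            (ev['ids'], 'suspicious outbound traffic')) if cond]
        picture[host] = {'indicators': ind, 'score': len(ind)}
    return picture
```

Seen on its own, the quarantined detection looks handled and the logon failures look like a mistyped password; `assess(extract_entities(AV_LOG, AUTH_LOG, PATCH_LOG, IDS_LOG, HOST_BY_IP))` shows all four indicators landing on `ws-17` while `ws-22` scores zero.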

User Interfaces in Cyber Security Systems

User interfaces of cyber security systems are terrible! We need to do a better job of understanding the cognitive capabilities of analysts. The split-attention effect decreases learning, yet many systems are rife with multiple panels and screens that draw the analyst’s attention away. Sonification may be helpful, but the sound must reinforce what is displayed on screen to take advantage of the modality effect. Current analysts face hundreds of thousands of lines of alert data; this data overload must be addressed. It’s possible that the design guidance of “Overview, Zoom/Filter, Details on Demand” could provide us with better user interfaces.

Using Humans as Soft Sensors in Extreme Events / Personal Experiences

In a different arena, I have also been working on understanding how best to utilize humans as soft sensors in extreme events. This work is based on my experience in the 2009 DARPA Network Challenge, where I helped lead the iSchools Caucus Team to 10th place in the Challenge, finding 6 of the 10 balloon locations. When using humans as sensors, there are issues in terms of motivation, recruiting, validating responses and deception. In my professional capacity in the Department of Kinesiology, I am also involved in helping to collect Experience Data, where the individual provides self-reported data in terms of mood, feelings, physical findings, daily experiences and other personal data. Both of these kinds of projects interest me in terms of data collection on handheld devices (PDAs/smartphones), motivation of research subjects/human sensors, and data fusion.

Cognitive Concerns in IT Security Policies

I am also interested in studying the security advice that system administrators impose on end-users. The cognitive capabilities of an individual are often ignored when requiring passwords to be changed frequently and with additional character complexity. Generally, system administrators provide either poor or no advice for how to select and remember good passwords. Working memory, long-term memory schema development and leveraging existing schemas all play a potential role in password selection.