KEYWORDS: Computer security, Data fusion, Sensors, Data modeling, Computing systems, Computer intrusion detection, Network security, Process modeling, Data processing, Data conversion
The Joint Directors of Labs Data Fusion Process Model (JDL Model) provides a framework for how to handle sensor
data to develop higher levels of inference in a complex environment. Beginning from a call to leverage data fusion
techniques in intrusion detection, there have been a number of advances in the use of data fusion algorithms in this subdomain
of cyber security. While it is tempting to jump directly to situation-level or threat-level refinement (levels 2 and
3) for more exciting inferences, a proper fusion process starts with lower levels of fusion in order to provide a basis for
the higher fusion levels. The process begins with first order entity extraction, or the identification of important entities
represented in the sensor data stream. Current cyber security operational tools and their associated data are explored for
potential exploitation, identifying the first order entities that exist in the data and the properties of these entities that are
described by the data. Cyber events that are represented in the data stream are added to the first order entities as their
properties. This work explores typical cyber security data and the inferences that can be made at the lower fusion levels
(0 and 1) with simple metrics. Depending on the types of events that are expected by the analyst, these relatively simple
metrics can provide insight on their own, or could be used in fusion algorithms as a basis for higher levels of inference.
A key challenge for human cybersecurity operators is to develop an understanding of what is happening within, and
to, their network. This understanding, or situation awareness, provides the cognitive basis for human operators to take
action within their environments. Yet developing situation awareness of cyberspace (cyber-SA) is understood to be
extremely difficult given the scope of the operating environment, the highly dynamic nature of the environment and the
absence of physical constraints that serve to bound the cognitive task [23]. As a result, human cybersecurity operators are
often "flying blind" regarding understanding the source, nature, and likely impact of malicious activity on their
networked assets. In recent years, many scholars have dedicated their attention to finding ways to improve cyber-SA in
human operators. In this paper we present our findings from our ongoing research of how cybersecurity analysts develop
and maintain cyber-SA. Drawing from over twenty interviews of analysts working in the military, government,
industrial, and educational domains, we find cyber-SA to be distributed across human operators and technological
artifacts operating in different functional areas.
KEYWORDS: Data modeling, Network security, Process modeling, Cognitive modeling, Situational awareness sensors, Data fusion, Model-based design, Human-machine interfaces, Systems modeling, Data processing
Building on our previous work, we extend sonification techniques to common network security data. In this current
work, we examine packet flow and the creation of socket connections between a requestor's IP address and port number
with the server's IP address and port number. Our goals for the aural rendering are twofold: to make certain conditions
immediately apparent to untrained listeners, and to create a sound model capable of enough nuance that there is the
possibility of unexpected patterns becoming apparent to a seasoned listener. This system could be used to potentially
provide better cognitive refinement capabilities for data fusion systems, especially when multiple sources of data at
various levels of refinement are presented to the human analyst.
KEYWORDS: Computer security, Data fusion, Sensors, Network security, Process modeling, Data processing, Data modeling, Defense systems, Algorithm development, Databases
A number of cyber security technologies have proposed the use of data fusion to enhance the defensive capabilities of
the network and aid in the development of situational awareness for the security analyst. While there have been advances
in fusion technologies and the application of fusion in intrusion detection systems (IDSs), in particular, additional
progress can be made by gaining a better understanding of a variety of data fusion processes and applying them to the
cyber security application domain. This research explores the underlying processes identified in the Joint Directors of
Laboratories (JDL) data fusion process model and further describes them in a cyber security context.