Bayesian Analysis of Competing Cyber Hypotheses

竞争网络假设的贝叶斯分析

• 批准号: EP/L022702/1
• 负责人: Simon Maskell
• 金额: $ 24.17万
• 依托单位: University of Liverpool
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2014
• 资助国家: 英国
• 起止时间: 2014 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FL022702%2F1
• 关键词: Bayesian; Analysis; Competing; Cyber; Hypotheses

Cyber security is recognised as important at the highest levels of international government. President Obama has said that "the Cyber threat is one of the most serious economic and national security challenges [the US] face as a nation". Even the £650M in additional funding that accompanied the UK's Cyber Security Strategy is dwarfed by the >£10B estimated annual cost of cyber-crime to the UK economy. Additionally, we see links to "transnational organised crime" (cyber-crime is lucrative and widespread) as well as "Terrorism" (state-sponsored cyber-warfare is increasing) and "Ideologies and beliefs" (anti-establishment hacktivists, eg Anonymous, are also resorting to cyber-attack to express their views).Companies such as HP help organisations who are subjected to cyber attacks to protect their assets and information from such attacks. These cyber defence companies achieve this using a combination of hardware and software augmented with human effort. Allocating human effort to activity is critical since inappropriate allocation can result in human time being wasted or attacks going unchallenged. Time pressure, the presence of ambiguous information and the high stakes involved can then degrade the human judgement associated with this allocation process.Psychologists understand that such pressures degrade human decision making and similar issues have been found to exist in other domains. Indeed, Pearl Harbour and the Cuban Missile Crisis were each the result of failures in the intelligence process that can be traced back to human analysis errors educating decision making. Motivated by such experiences, in the 1970s, the CIA developed a technique, "Analysis of Competing Hypotheses" which encourages analysts and decision makers to avoid the pitfalls that can be associated with intelligence analysis. This technique involves consideration of multiple candidate explanations for what is being observed. The hypotheses are then assessed (and iteratively refined) using the observations to discriminate between likely and unlikely hypotheses. While the technique has proven its utility, for it to work effectively, it is important that the hypotheses considered include the "possible" not just the "probable" explanations. Unfortunately, "possible" and "probable" aren't precisely defined in this context.However, a recent advance in the statistics literature, "Sequential Monte Carlo Samplers", exhibits many of the same features as Analysis of Competing Hypotheses. Sequential Monte Carlo samplers are typically applied in contexts where a computer (not a person) generates the hypotheses and assesses them. However, just like Analysis of Competing Hypotheses, they consider a population of hypotheses, assessed against data and then iteratively used to spawn a new population of hypotheses. Crucially, the analogous concept to the notion of "possible" and "probable" hypotheses is both well defined and well understood.We propose to adapt Sequential Monte Carlo samplers to become part of Analysis of Competing Hypotheses. We further propose to apply and demonstrate a tool embodying the technique in an operational cyber security context.If successful, this project would develop techniques that would ensure that decisions made in operational cyber security settings were well motivated. Where those decisions relate to the allocation of human analyst resources to activities, this would improve the efficiency of cyber security operations. The technology will position the UK at the forefront of the state-of-the-art in this high priority application domain.

国际政府最高层认为网络安全非常重要。奥巴马总统表示，“网络威胁是[美国]作为一个国家面临的最严重的经济和国家安全挑战之一”。即使是英国网络安全战略附带的 6.5 亿英镑额外资金，与每年网络犯罪给英国经济造成的超过 100 亿英镑的估计成本相比，也显得相形见绌。此外，我们还看到了与“跨国有组织犯罪”（网络犯罪利润丰厚且普遍）以及“恐怖主义”（国家支持的网络战正在增加）和“意识形态和信仰”（反建制黑客活动分子，例如匿名组织，也利用网络攻击来表达他们的观点）的链接。惠普等公司帮助遭受网络攻击的组织 攻击，以保护其资产和信息免受此类攻击。这些网络防御公司通过结合硬件和软件并辅以人力来实现这一目标。将人力分配到活动中至关重要，因为分配不当可能会导致人力时间浪费或攻击无法应对。时间压力、模糊信息的存在以及所涉及的高风险可能会降低与此分配过程相关的人类判断力。心理学家了解到，这种压力会降低人类的决策能力，并且在其他领域也发现了类似的问题。事实上，珍珠港事件和古巴导弹危机都是情报过程失败的结果，这些失败可以追溯到人类分析错误教育决策。受这些经验的启发，中央情报局在 20 世纪 70 年代开发了一种名为“竞争假设分析”的技术，鼓励分析师和决策者避免与情报分析相关的陷阱。该技术涉及对所观察到的现象考虑多种候选解释。然后使用观察结果来评估（并迭代完善）假设，以区分可能的假设和不太可能的假设。虽然该技术已证明其实用性，但要使其有效发挥作用，重要的是所考虑的假设包括“可能”而不仅仅是“可能”的解释。不幸的是，在这种情况下，“可能”和“可能”没有被精确定义。然而，统计文献的最新进展“顺序蒙特卡洛采样器”展示了许多与竞争假设分析相同的特征。顺序蒙特卡罗采样器通常应用于计算机（而不是人）生成假设并对其进行评估的环境。然而，就像竞争假设分析一样，他们考虑一组假设，根据数据进行评估，然后迭代地用于产生一组新的假设。至关重要的是，与“可能”和“可能”假设的概念类似的概念既得到了很好的定义，也得到了很好的理解。我们建议采用顺序蒙特卡罗采样器，使其成为竞争假设分析的一部分。我们进一步建议在运营网络安全环境中应用和演示体现该技术的工具。如果成功，该项目将开发技术，确保在运营网络安全环境中做出的决策具有良好的动机。如果这些决策涉及将人力分析师资源分配给活动，这将提高网络安全运营的效率。该技术将使英国在这一高优先级应用领域处于最先进的前沿。