When actions speak louder than words: Using changes in operator behavior and system efficiency measures to detect the presence of a cyber attack

Author(s):  
Kelly Satterfield ◽  
Vincent F. Mancuso ◽  
Adam Strang ◽  
Eric Greenlee ◽  
Brent Miller ◽  
...  

Increases in cyber incidents have required substantial investments in cyber defense for national security. However, adversaries have begun moving away from traditional cyber tactics in order to escape detection by network defenders. The aim of some of these new types of attacks is not to steal information, but rather to create subtle inefficiencies that, when aggregated across a whole system, result in decreased system effectiveness. The aim of such attacks is to evade detection for long durations, allowing them to cause as much harm as possible. As a result, such attacks are sometimes referred to as “low and slow” (e.g., Mancuso et al., 2013). It is unknown how effective operators are likely to be at detecting and correctly diagnosing the symptoms of low and slow cyber attacks. Recent research by Hirshfield and colleagues (2015) suggests that the symptoms of the attack may need to be extreme in order to gain operator recognition. This calls into question the utility of relying on operators for detection altogether. Therefore, one goal for this research was to provide an initial exploration of attack deception and magnitude on operator behavior, performance, and potential detection of the attack. Operators in these systems are not passive observers, however, but active agents attempting to further their task goals. As a result, operators may alter their behavior in response to degraded system capabilities. This suggests that changes in the pattern and frequency of operator behavior following the inception of a cyber attack could potentially be used to detect its onset, even without the operator being fully aware of those changes (Mancuso et al., 2014). Similarly, since low and slow attacks are designed to degrade overall system effectiveness, performance measures of system efficiency, such as frequency and duration of tasks completed, may provide additional means to detect an ongoing cyber attack. 
As such, a second goal for the present research was to determine whether changes in operator behavior and system efficiency metrics could act as indicators of an active low and slow cyber attack. Participants in this experiment performed a multi-unmanned aerial vehicle (UAV) supervisory control task. During the task, participant control over their UAVs was disrupted by a simulated cyber attack that caused affected UAVs to stop flying toward participant-selected destinations and enter an idle state. Aside from halting along their designated flight path, idled UAVs displayed no other indication of the cyber attack. The frequency of cyber attacks increased with time-on-task, such that attacks were relatively infrequent at the beginning of the task, occurring once in every five destination assignments made, and were ubiquitous by the end of the task, occurring after each destination assignment. Attack deception was manipulated with regard to participants’ approximate screen gaze location at the time of a cyber attack. In the overt condition, UAVs entered the idle state near the participant’s current focal area (indexed by the location of operator mouse interactions with the simulation), thereby providing some opportunity for operators to directly observe the effects of the cyber attack. In the covert condition, the attack occurred outside the operator’s current focal area, forcing them to rely on memory to detect the cyber attack. In the control condition, no cyber attacks occurred during the experiment. Following the UAV supervisory control task, participants were asked a series of debriefing questions to determine if they had noticed the UAV manipulation during the task. Most participants (approximately 64%) reported noticing the manipulation, but only after a series of questions prompting them to think of any problems they encountered during the task. The remaining participants reported noticing no errors during the task. 
Results regarding measures of performance and system efficiency indicated that performance decreased as the magnitude of the cyber attack increased. Measures of efficiency were calculated using fan-out (Olsen & Goodrich, 2003) which provided information regarding how many UAVs operators were able to control and how long UAVs were in an idle state during the trial. Operators controlled fewer vehicles, and vehicles sat idle for longer durations, as the magnitude of the cyber attack increased. However, these differences in efficiency were not statistically significantly different until relatively late in the trial. Overall, operators seemed insensitive to the presence of the cyber attack, only disclosing the problem after being prompted several times through guided questions by the experimenter. However, significant changes in operator behavior and system efficiency were observed as the magnitude of the cyber attack increased. These results demonstrate that subtle cyber attacks designed to slowly degrade human performance were measurable, but these changes were not apparent until late in the experiment when the attack was at its midpoint in magnitude. This experiment suggests that even though measurable changes in operator behavior may not occur until late in an attack, these metrics are more effective than reliance on operator detection.

2018 ◽  
Vol 7 (2.14) ◽  
pp. 145 ◽  
Author(s):  
Qais Saif Qassim ◽  
Norziana Jamil ◽  
Razali Jidin ◽  
Mohd Ezanee Rusli ◽  
Md Nabil Ahmad Zawawi ◽  
...  

The Supervisory Control and Data Acquisition (SCADA) system is the underlying control system of most national critical infrastructures such as power, energy, water, transportation and telecommunication. In order to understand the potential threats to these infrastructures and the mechanisms to protect them, the different types of cyber-attacks applicable to these infrastructures need to be identified. Therefore, there is a significant need for a comprehensive understanding of the various types of cyber-attacks and their classification associated with both Operation Technology (OT) and Information Technology (IT). This paper presents a comprehensive review of existing cyber-attack taxonomies available in the literature and evaluates these taxonomies based on defined criteria.  


2019 ◽  
Vol 13 (4) ◽  
pp. 295-309 ◽  
Author(s):  
Mary Cummings ◽  
Lixiao Huang ◽  
Haibei Zhu ◽  
Daniel Finkelstein ◽  
Ran Wei

A common assumption across many industries is that inserting advanced autonomy can often replace humans for low-level tasks, with cost reduction benefits. However, humans are often only partially replaced and moved into a supervisory capacity with reduced training. It is not clear how this shift from human to automation control and subsequent training reduction influences human performance, errors, and a tendency toward automation bias. To this end, a study was conducted to determine whether adding autonomy and skipping skill-based training could influence performance in a supervisory control task. In the human-in-the-loop experiment, operators performed unmanned aerial vehicle (UAV) search tasks with varying degrees of autonomy and training. At the lowest level of autonomy, operators searched images and, at the highest level, an automated target recognition algorithm presented its best estimate of a possible target, occasionally incorrectly. Results were mixed, with search time not affected by skill-based training. However, novices with skill-based training and automated target search misclassified more targets, suggesting a propensity toward automation bias. More experienced operators had significantly fewer misclassifications when the autonomy erred. A descriptive machine learning model in the form of a hidden Markov model also provided new insights for improved training protocols and interventional technologies.


2012 ◽  
Vol 6 (1) ◽  
pp. 57-87 ◽  
Author(s):  
Dietrich Manzey ◽  
Juliane Reichenbach ◽  
Linda Onnasch

Two experiments are reported that investigate to what extent performance consequences of automated aids are dependent on the distribution of functions between human and automation and on the experience an operator has with an aid. In the first experiment, performance consequences of three automated aids for the support of a supervisory control task were compared. Aids differed in degree of automation (DOA). Compared with a manual control condition, primary and secondary task performance improved and subjective workload decreased with automation support, with effects dependent on DOA. Performance costs include return-to-manual performance issues that emerged for the most highly automated aid and effects of complacency and automation bias, respectively, which emerged independent of DOA. The second experiment specifically addresses how automation bias develops over time and how this development is affected by prior experience with the system. Results show that automation failures entail stronger effects than positive experience (reliably working aid). Furthermore, results suggest that commission errors in interaction with automated aids can depend on three sorts of automation bias effects: (a) withdrawal of attention in terms of incomplete cross-checking of information, (b) active discounting of contradictory system information, and (c) inattentive processing of contradictory information analog to a “looking-but-not-seeing” effect.


2011 ◽  
Author(s):  
Daniel Gartenberg ◽  
Malcolm McCurry ◽  
Greg Trafton

2019 ◽  
Vol 7 (1) ◽  
pp. 14-26
Author(s):  
Ruti Gafni ◽  
Tal Pavel

Small and Medium Businesses (SMB) use Internet and computer-based tools in their daily processes, sometimes without being aware of the cyber threats, or without knowing how to be prepared in case of a cyber-attack, although they are a major target for cyber-attacks. Specific information about cybersecurity needed by SMBs, in order to cope with cyber threats, is not always available or easily accessible. In this study, a vast search of different types of information about SMBs’ cybersecurity was performed, in order to find whether a hole of accessible information exists in this area. This exploratory research covered general mass communication media channels, technological and professional cybersecurity websites, and academic journals, and found that indeed very few studies, articles and news items had been published on this matter. Leveraging knowledge and awareness, diminishing the shame of reporting cyber-attacks, and increasing mass communication media interest and public attention may be activities that cover this “invisible hole”.


Author(s):  
Silviu-Elian MITRĂ

The objective of this portfolio is to ensure a good understanding of the complex and unique mode of action of cyber attacks, as well as to study the ways in which they occur. The content of this portfolio ranges from the beginning of computer viruses to the specific modern mechanisms of cyber attack undertaken by cybercriminals in order to cause detriment, as well as theft or damage of certain information. Furthermore, this paper also provides essential aspects regarding the protection methods that users must undertake so that they can prevent and at the same time face these dangers specific to our age. In the elaboration of this study, both personal methods were used, by applying my own knowledge accumulated through study, and external sources containing information necessary to complete the insufficiently analyzed problems were accessed. In essence, the elaboration of this study ensured the coverage of all relevant domains and aspects that underlie the structure and conception of cyber attacks, as well as the manner of their action and manifestation.


Author(s):  
Claudia ARAUJO MACEDO ◽  
Jos MENTING

Cybersecurity in industrial control system environments has become a significant concern and is even more relevant in the context of critical infrastructures where control system disruption could have a profound impact on health, safety and the environment. This makes this type of system a major target for malicious activities. Notwithstanding an organization’s interest in protecting its industrial control systems against cyber-attacks, the implementation of security measures, whether technical, organizational or human, still faces resistance and is often seen as a constraint. Using the best technology to protect industrial control systems makes no sense if persons with access do not act attentively and protectively. Technical and human cybersecurity measures are intrinsically linked, and it is essential that all persons with access to these systems are fully aware of the inherent cyber risks. Organizations must also act so that staff receive appropriate training on how to keep systems continuously protected against cyber-attack when carrying out their daily tasks. These educational processes can contribute to building an effective cybersecurity culture fully reflective of management and staff attitudes, so that the availability, integrity and confidentiality of information in industrial control systems can be assured.


2022 ◽  
Vol 14 (1) ◽  
pp. 0-0

In the domain of cyber security, the defence mechanisms of networks have traditionally been placed in a reactionary role. Cyber security professionals are therefore disadvantaged in a cyber-attack situation, since it is vital that they counter such attacks before the network is totally compromised. In this paper, we utilize the Betweenness Centrality network measure (social property) to discover possible cyber-attack paths and then employ computation of similar personality of nodes/users to generate predictions about possible attacks within the network. Our method proposes a social recommender algorithm called socially-aware recommendation of cyber-attack paths (SARCP), as an attack predictor in the cyber security defence domain. In a social network, SARCP exploits and delivers all possible paths which can result in cyber-attacks. Using a real-world dataset and relevant evaluation metrics, experimental results in the paper show that our proposed method is favorable and effective.


2017 ◽  
Vol 7 (3) ◽  
pp. 59-75 ◽  
Author(s):  
Akashdeep Bhardwaj ◽  
Sam Goundar

With the rise in cyber-attacks on cloud environments, such as Brute Force, Malware or Distributed Denial of Service attacks, information security officers and data center administrators have a monumental task on hand. Organizations design data centers and service delivery with the aim of maximizing device provisioning and availability, improving application performance and ensuring better server virtualization, and end up securing data centers using security solutions at the internet edge protection level. These security solutions prove to be largely inadequate in times of a DDoS cyber-attack. In this paper, traditional data center design is reviewed and compared to the proposed three tier data center. The resilience against DDoS attacks is measured for Real User Monitoring parameters, compared for the two infrastructure designs, and the data is validated using a T-Test.

