PREFACE

This book seeks to present a summary of recent research advances in cyber situation awareness. A multidisciplinary group of leading researchers from the areas of cybersecurity, cognitive science, and decision science offer their viewpoints on recent advances in cyber situation awareness. Today, when a security incident happens, the top three questions a cyber operation center would ask are: What has happened? Why did it happen? What should I do? Answers to the first two questions form the core of cyber situation awareness (SA). Whether the last question can be satisfactorily addressed is largely dependent on the cyber SA capability of an enterprise. From the perspective of “data to decisions,” cyber SA can be viewed as a main output of a particular data triaging system. Since there are a large variety of sensors monitoring an enterprise network, the cyber operation center will gather a large amount of data coming from these different types of data sources. The data typically represent normal operation status. Stealthy attack-related information could be deeply embedded among the large volume of normal operation data. Thus the signal-to-noise ratio of attack data is normally extremely low. Answering the first two questions through data triaging could be as hard as finding a needle in a haystack. Although numerous tools have been developed to help security analysts gain a better SA, existing tools are not yet adequate to provide cyber operation centers with highly desirable cyber SA capabilities listed as follows: