• DocumentCode
    1906109
  • Title
    Experience-based cyber situation recognition using relaxable logic patterns
  • Author
    Chen, Po-Chun ; Liu, Peng ; Yen, John ; Mullen, Tracy
  • Author_Institution
    Coll. of Inf. Sci. & Technol., Pennsylvania State Univ., University Park, PA, USA
  • fYear
    2012
  • fDate
    6-8 March 2012
  • Firstpage
    243
  • Lastpage
    250
  • Abstract
    Cyber situation awareness is an increasingly important issue as the world becomes more and more connected. Unfortunately, the amount of data produced by existing intrusion detection tools usually far exceeds the cognitive throughput of a human analyst. To reconcile this huge amount of information with the limited human cognitive load, we developed a systematic approach that leverages the experience of security analysts to enhance cyber situation recognition. We used a logic-based approach to efficiently capture and utilize experts' experience, which can be categorized as a kind of knowledge-based intrusion detection. However, knowledge-based intrusion detection relies on a knowledge base built from cyber attack signatures, and building a comprehensive knowledge base that covers all variations of attacks is impractical for large-scale networks, since knowledge engineering is a time-consuming process. Therefore, how to effectively leverage a limited number of human experiences became the second focus of our research. In this paper, we present the logic-based approach within an experience-driven framework, followed by the concept of experience relaxation for mitigating the limitation of knowledge-based intrusion detection. Our experimental results show a significant improvement in knowledge base coverage when experience relaxation is applied.
  • Keywords
    formal logic; knowledge based systems; security of data; comprehensive knowledge base; cyber attack signatures; cyber situation awareness; experience relaxation; experience-based cyber situation recognition; experience-driven framework; intrusion detection tools; knowledge engineering; knowledge-based intrusion detection; large-scale networks; logic-based approach; relaxable logic patterns; security analysts; Computer security; Correlation; Humans; Intrusion detection; Knowledge based systems; Knowledge engineering; Pattern recognition;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), 2012 IEEE International Multi-Disciplinary Conference on
  • Conference_Location
    New Orleans, LA
  • Print_ISBN
    978-1-4673-0343-9
  • Type
    conf
  • DOI
    10.1109/CogSIMA.2012.6188392
  • Filename
    6188392