Cyber reasoning with argumentation: Abstracting from incomplete and contradictory evidence

Information given to system administrators is often incomplete and contradictory. Even worse, administrators are required to adhere to organizational policies, which frequently contain conflicting goals. While prior work in security has sought to alleviate these concerns, much of it strives to identify attacks and intrusions with approaches that require complete knowledge for analysis. In this paper, we present a framework to addresses the challenges facing administrators by using formal argumentation to generate big-picture conclusions regarding the system. Unlike other schemes, argumentation excels in situations where information is incomplete and knowledge is contradictory. To motivate our approach, we detail a scenario inspired by real-world data taken from the U.C. Davis environment.