
Use of Soar for Modeling Cyber Operations. 36th Soar Workshop, Ann Arbor, Michigan. Denise Nicholson, Ph.D., Director of X; Ryan O’Grady, Software Engineer.

Presentation transcript:

1 Use of Soar for Modeling Cyber Operations. 36th Soar Workshop, Ann Arbor, Michigan. Denise Nicholson, Ph.D., Director of X (denise.nicholson@soartech.com); Ryan O’Grady, Software Engineer (ryan.ogrady@soartech.com)

2 SC2RAM: Simulated Cognitive Cyber Red-team Attacker Model. Phase II SBIR, ONR topic N132-132, POP FY15-17

3 CYSTINE (CYber SecuriTy INstruction Environment). Phase II SBIR, AFRL topic AF141-031, POP FY15-17

4 How Soar links Cyberspace
Potential to represent Doctrinal Templates (Ontologies) of adversary / defense:
- Do not exist / are rudimentary for cyberspace operations
- Useful for action -> counter-action (i.e. maneuver), attribution, and deterrence
- Must address cyberspace layers
Table: Cyberspace Layer; Indicators; Relative Detection Difficulty; Adversary Cost to Change
- Cognitive/Social: Intent/Goals, TTPs, Social Presence; detection difficulty: Hard; adversary cost to change: Medium (harder after foothold is gained)
- Logical: Malware variants, IP addresses/TCP Ports, Configurations/Logs; detection difficulty: Low -> Medium (depending on adversary sophistication); adversary cost to change: Low
- Physical: Infrastructure, Computing devices, Spectrum, Location; detection difficulty: Medium; adversary cost to change: High (lower after foothold is gained)
Slide callouts: “SoarTech expertise”; “Where most resources are spent”

5 SC2RAM Agent Demonstration (video URL)

6 SC2RAM Architecture (diagram)

7 Soar Agent in Brief
- Built using the “Forest of Goals” approach, a variation of NGS
- Goal Hierarchy read into WM from XML files
- Attack-Defense Trees read into WM from XML files
- General tasks and parameters to the output link, translated into network commands via HackerToolkit
- Results of network commands translated via HackerToolkit and written to the input link

8 Overview of Behavior
- The agent’s top-level goal is to access and explore the file system of a particular network space
- Because the target information is on a file system, the agent decides it needs access to the file system
- The agent decides to try to achieve access by mining user credentials for the system
- This leads to recursive subgoals to locate an information source that may contain credentials, search the exfiltrated information for credentials, and then (if found) use those credentials to access the system

9 Under The Hood – Agent Knowledge
- The agent’s knowledge is structured as a set of modular goals that can interleave in multiple ways to support different situations.
- Example: A “Possess information” goal is required to possess files on the target file system. There are many possible ways to “Possess information”, based on the information location, type, medium, etc. One way to gain access to files on a file system is to exfiltrate (again with various potential methods) some user credentials for the system. This in turn generates a different “Possess information” goal, which can again be achieved in multiple possible ways.
- The threading and interleaving of goals for a particular attack generates an “Attack tree” structure, but the underlying goals are more of a graph.
- The specific demo generates a single “Attack tree” trajectory, but the underlying knowledge representation has numerous placeholders ready to be populated with additional choices, representing a variety of Tactics, Techniques, and Procedures.

10 Generated/Composed Attack Tree (diagram)
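The credential-mining trajectory of slides 8–9 written out as a small attack-defense tree, as an added illustration that is not from the SC2RAM project (the XML layout, the goal names and the countermeasures are constructed assumptions, not the agent's real schema). It shows the defender's view of such a tree: which attack scenarios remain open given the deployed defenses, and how cutting one step of an AND branch closes the whole trajectory.

```python
import itertools
import xml.etree.ElementTree as ET

# Constructed sample in an assumed XML layout (not SC2RAM's real schema):
# the credential-mining trajectory from slide 8 as an attack-defense tree.
# op="AND" means every subgoal is needed; op="OR" means any one suffices.
ADT_XML = """
<goal name="Possess target files">
  <goal name="Access file system" op="AND">
    <goal name="Obtain user credentials" op="OR">
      <goal name="Exfiltrate credential source" op="AND">
        <goal name="Locate information source"/>
        <goal name="Search exfiltrated data for credentials"/>
      </goal>
      <goal name="Guess weak password">
        <defense name="Account lockout policy"/>
      </goal>
    </goal>
    <goal name="Log in with credentials"/>
  </goal>
</goal>
"""

def load_tree(xml_text=ADT_XML):
    return ET.fromstring(xml_text)

def open_scenarios(node):
    """Minimal sets of attacker steps that still succeed against the defenses
    present in the tree. A goal with a <defense> child contributes nothing;
    AND nodes combine their children's scenarios, OR nodes offer alternatives."""
    if node.find("defense") is not None:
        return []
    subgoals = node.findall("goal")
    if not subgoals:                       # undefended leaf: one atomic step
        return [(node.get("name"),)]
    per_child = [open_scenarios(g) for g in subgoals]
    if node.get("op", "AND") == "OR":
        return [s for child in per_child for s in child]
    return [sum(combo, ()) for combo in itertools.product(*per_child)]

def countered(node):
    """True when the defender's measures cut every scenario for this goal."""
    return not open_scenarios(node)

def add_defense(root, goal_name, defense_name):
    """Attach a countermeasure to the named goal and return the root."""
    for g in root.iter("goal"):
        if g.get("name") == goal_name:
            ET.SubElement(g, "defense", name=defense_name)
            return root
    raise KeyError(goal_name)

if __name__ == "__main__":
    tree = load_tree()
    print(open_scenarios(tree))   # one three-step scenario remains open
    add_defense(tree, "Log in with credentials", "Multi-factor authentication")
    print(countered(tree))        # True: the AND at "Access file system" is cut
```

With only the lockout policy deployed, the exfiltrate-then-log-in branch is the single open scenario; adding multi-factor authentication to the login step leaves no open scenario at the root.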

11 Under The Hood – Interaction Middleware
Design objectives:
- Use existing, standard cyber operations tools
  - Support realistic attack Tactics, Techniques, and Procedures
  - Support future adaptation and extension as toolkits increase in sophistication
- Generalize agent-tool interactions
  - Allow reuse of agent reasoning across heterogeneous tools that perform similar functions
  - Decouple decision making from details of attack execution
- Support easy integration of new tools
  - Keep toolkit up to date with state of the art at low cost
  - Keep toolkit additions decoupled from agent knowledge enhancements

12 HackerToolkit Middleware Architecture (diagram)

13 Crawl, Walk, Run
- Initial demonstration at the end of the Phase 1 Option in 3 vignettes with IHMC’s KAoS network simulation.
- Demonstrated interoperability with the Michigan Cyber Range (MCR) Alphaville virtualized network.
- Current Phase II efforts expanded cognitive agent capabilities in situations relevant to transition customers’ scenarios, i.e. a capability or tool for a Cyber Exercise

14 What Comes Next
- Moving Goal Hierarchy and Attack-Defense Trees to Semantic Memory
- Plan Recognition to predict adversary actions
- Explore how Episodic Memory could be used

15 Nuggets & Coal
Nuggets:
- A great “wicked problem” to explore learning mechanisms
- Explanation of agent’s decisions is valuable
Coal:
- Resource intensive knowledge acquisition and representation
- Difficult to demonstrate autonomous vs automated for such a complex domain

