From cognitive skills to automated cyber security response
Abstract: Organizations face cyber security attacks that can seriously affect their operations, their image and the security of critical information. Establishing security mechanisms helps to reduce the weaknesses an attacker could exploit; however, these mechanisms are not always sufficient, and an attack may succeed. Organizations therefore need plans or processes for dealing with security incidents, and many set up an incident response team, a CSIRT. Because attacks take different forms and the volume of data keeps growing, handling cyber security incidents requires new security management strategies. In this sense, the application of big data, artificial intelligence and data analytics to cyber security, defined as cognitive security, is a viable alternative. It must be considered, however, that a technical solution is ineffective if the security experts are not adequately trained or do not apply their technical and non-technical skills. Establishing a close relationship between the skills of the staff and the technical solutions helps to design adequate and effective detection and automation processes, and thus improves the handling of security incidents. This study analyzes the relationship between cognitive security technology solutions and the skills of cyber security experts, and proposes a framework for automated incident response in which decisions are taken on the basis of situational awareness.

I. Introduction

Because technology has spread into fields such as financial services, health care, public services and critical infrastructure such as water, electricity and telecommunications, computer security has become a basic element of society. According to the Massachusetts Institute of Technology (MIT), the main risks security teams will face are attacks on Internet of Things (IoT) devices, blockchains and critical infrastructure [1]; MIT also mentioned that in 2019 attackers would mainly rely on artificial intelligence and quantum technology. This situation calls for well-prepared organizations and security professionals able to face these new challenges. At the international level, some organizations have defined a strategy for responding quickly to security risks through teams of experts and researchers called Computer Security Incident Response Teams (CSIRTs). A CSIRT is made up of experts in cyber security, law, psychology and data analysis. Following pre-established procedures and strategies, a CSIRT can respond quickly and effectively to cyber security incidents and reduce the risk posed by attacks.

Security analysts in CSIRTs must process large amounts of data in order to i) find the patterns or anomalies that trigger an alert about a possible attack and ii) carry out detection more quickly and effectively. CSIRT members are therefore looking for new strategies based on technical solutions such as big data, machine learning and data science [3]. To accelerate research on data analysis methods [4], the National Institute of Standards and Technology (NIST) and other international organizations launched the Data Science Research Program (DSRP). In cyber security, applying cognitive science to the information security process has given rise to the concept of cognitive security [5]; it allows predictive and descriptive analytics to provide a view of the possible impact of security attacks. Another key factor in the success of CSIRTs is teamwork and the ability to adapt to different environments. In the 21st century [7], security professionals need teamwork, critical thinking and communication skills. In September 2015 the Association for Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Security (AIS SIGSEC) and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) came together and put forward a curriculum guide for cyber security education; it states that non-technical, or soft, skills are very important for security professionals, with emphasis on teamwork, communication, building situational awareness and operating within different organizational cultures [8].

The ability to generate cyber security situational awareness in an organization makes it possible to define proactive strategies against ongoing and upcoming attacks or threats. Situational awareness arises from three cognitive processes: perception, comprehension and projection. Cognitive processes are inherent in human behavior and are affected by factors such as stress, fatigue, distraction and physical or environmental conditions. Some researchers have therefore studied task performance and the influence of these factors. For example, Robert Karasek proposed the demand-control model [9], which studies the cognitive, emotional and physiological demands placed on computer personnel in different fields of work and finds that the psychological demands on them are high. In this context, cognitive strategies must be developed at every level of information processing; it is also necessary to analyze how the executive functions integrate information processing across those levels, through inhibitory control and the optimization of working memory [10], so that cyber security professionals can work efficiently and have sufficient reaction time.

In this study we propose a model that integrates cognitive skills, teamwork and data analysis in the field of cyber security, as shown in Figure 1. Cognitive security can take the characteristics of the security analysts' cognitive abilities and transfer that knowledge and information to computer systems; the systems can then carry out immediate response actions, or notify the security team so that it can take decisions against security attacks, as shown in Figure 1.

The rest of the study is organized as follows. Section II reviews related work on automated cyber security response. Section III presents the background on the importance of psychology in cyber security. Section IV proposes an automated cyber security framework based on cognitive processes. Section V discusses the proposal. Finally, Section VI summarizes the conclusions of this paper and outlines future work.

II. Related work

According to the analysis in MIT Technology Review [11], by 2018 cities were installing multi-layer sensor networks to monitor air quality, waste levels or traffic volume; this forecast, together with Gartner's prediction of 20.4 billion connected devices by 2020 [12], describes the new security scenario. Organizations must face drastic changes in the scale and complexity of the networks and computing platforms on which they rely to deliver services and connect devices. In this new context, the capacity of traditional security solutions, and the ability of humans to detect and respond to security incidents, are limited. Another way for organizations and researchers to approach cyber security is to use cognitive models as a means of strengthening the security of the computing environment and extending human analytical capacity.

In [13], the authors propose combining machine-learning-based detection with temporal-logic-based analysis, which makes it possible to distinguish anomalies and to implement a dynamic network response. In [14], cognitive security is applied to personal devices, allowing a device to recognize its owner and to protect itself autonomously, that is, to take its own security decisions. In [15], knowledge of functions and dependencies is used to automate diagnosis. The survey of autonomic computing approaches in digital service ecosystems [16] presents 25 different digital ecosystems that apply the concept of autonomic computing. In [13] it is also proposed how to establish "good anomalies" that define the normal operating parameters, and how any change can trigger an automatic reconfiguration of network devices to control data flows.

III. Cognitive skills and cyber security

A. Situational awareness

From the perspective of psychology, situational awareness is defined as the ability to understand one's situation on the basis of one's own experience [17]. The concept has been carried over to computer systems; for example, Lewis defines the self-awareness of a computing system as its ability to acquire knowledge about itself from internal and external events [18]. In [19], self-awareness is defined as the ability of a computer system to generate knowledge about itself and its environment and to decide, on the basis of that knowledge, the actions to perform.

1) Cyber security situational awareness (CSA): The concept of situational awareness (SA) describes the threats and attacks an organization is currently facing, the possible impact of the attacks, the identity of the attackers and the behavior of users [20]. Analysts must understand the security situation and determine the likelihood of impact. To generate situational awareness we can use the OODA loop. The cognitive OODA loop proposed in [21] is a cognitive process based on perception, comprehension and projection. Table 1 shows the relationship between the cognitive stages, the cognitive processes and the products generated, following the proposal in [21].

2) Cyber cognitive situational awareness (CCSA):

To build an organization's awareness of its cyber security we can rely on cognition to support the decision-making process. Adapting the cognitive processes of perception, comprehension and projection to cyberspace gives the relationships shown in Table 2.

B. Non-technical skills

Organizations such as the Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA) jointly launched National Cyber Security Awareness Month, whose 15th edition was held in 2018 [22], to help the community understand the risks and threats of the digital environment. In such initiatives, security professionals need non-technical skills in order to convey knowledge clearly and consistently to people without a technical background. For the cyber security of an organization, the defense strategy is based on risk management and is divided into the four phases of the cyber security risk management life cycle shown in Figure 2.

The cyber security risk management life cycle requires at least the following roles:

- Team leader or coordinator;

- System and information security officer;

- Communications or public relations team;

- Triage or classification;

- Incident handling team (level 2);

- Legal team.

This emphasizes the need to develop collaboration skills in an environment where professionals from different disciplines work together, so teamwork is a very important skill for cyber security experts. Newstrom notes that 21st-century organizations and companies are more flexible, adapt quickly to change and have more effective horizontal relationships; today's organizations therefore pay more attention to flexible structures and horizontal communication. Tasks and roles are defined more openly, the environment is more dynamic, and the creation of teams is what makes these aspects possible. Morin holds that complexity and multidisciplinary work are part of the 21st century, and that future education must attend to the human condition and the diverse relationships among human beings. Another important aspect Morin raises for 21st-century education is preparing students to face the uncertainty brought by the different events of daily life.

Regarding Morin's first concern, the human condition of students, it may be important to begin with training that emphasizes the strengthening of skills. Mountford divides skills into four categories [25]:

1) Cognitive skills;

2) Interpersonal skills;

3) Business skills;

4) Strategic skills.

In general, university programs in cyber security concentrate on developing cognitive, business and strategic skills and pay less attention to non-technical skills. In Mountford's classification, teamwork, collaboration, communication and networking all belong to the interpersonal category. Future cyber security professionals are being trained at universities, so engineering education needs to encourage the development of non-technical skills. Kyllonen lists the skills needed in the 21st century as follows [7]:

- Critical thinking;

- Oral and written communication;

- Work ethic;

- Teamwork;

- Collaboration;

- Professionalism;

- Problem solving.

The NICE cybersecurity workforce framework [26] establishes a set of non-technical knowledge, skills and abilities for security professionals, such as:

- Ability to take part in planning groups, coordination groups and task forces;

- Ability to use collaborative skills and strategies;

- Ability to apply critical reading and thinking skills;

- Ability to work effectively with others.

Regarding Morin's second concern, uncertainty, authors such as [27] and [28] note that uncertainty in software development can stem from human participation, concurrency and uncertainty in the problem domain. In a software environment there can be uncertainty between the product being developed and changes in the users' initial requirements. In cyber security, uncertainty can relate to other aspects, such as the time, type and target of a cyber attack.

Teamwork also produces uncertainty. In [29], the authors note that uncertainty can arise from people's roles and their working environment, depending on variables such as foresight, altruistic intelligence, expected outcomes and unexpected outcomes. In [30], the authors hold that uncertainty depends on the structure of the team and the interaction between its members.

As shown in Figure 3, in the context of 21st-century education, the education of computer science and engineering students in cyber security must concentrate on four aspects.

IV. Automated cyber security response based on cognitive skills

Our proposal for incident response automation rests on the importance of establishing situational awareness and taking the right decisions on the basis of an understanding of the strengths and weaknesses of the organization's security. We propose collaborative methods for generating self-awareness and decisions, grounded in the cognitive processes of the security analysts, so that among many events a security event can be singled out, identified as anomalous behavior and used to warn of an attack. One aspect we suggest is to strengthen the cognitive processes. At RSA Conference 2017, IBM [31] presented the cognitive tasks a security analyst must perform when investigating an incident. In Table 3 we propose the relationship between those cognitive tasks and the cognitive processes of cyber security.

For the process of automatically responding to security events we propose the layered architecture shown in Figure 4. Our proposal emphasizes the analysis layer, in which data obtained from different sources such as sensors, logs or security blogs are understood. In this layer the experience and effective communication of the security analysts are fundamental, because it is here that events are predicted and fully evaluated, classified as incidents, and the most appropriate decisions are taken to reduce the impact of an attack. Specifically, at this level we propose two subcomponents for establishing situational awareness: i) a machine learning subcomponent and ii) a teamwork subcomponent. The two subcomponents share a direct channel of communication, whose purpose is to generate labels for training supervised learning algorithms from the knowledge the analysts build through interaction and exchange of ideas. In the other direction, unsupervised learning algorithms can detect patterns or anomalies that are not easy to see and alert the security analysts, who determine whether they correspond to a real security attack.

The framework is designed around a data management process that ensures the integrity and quality of the data at every level. It comprises:

- Collection;

- Preparation;

- Analysis;

- Visualization;

- Access.

Figure 4 shows the layers that make up the proposed framework; they are described in detail below.

A) Collection layer: covers the information sources used to build cyber security situational awareness. The following data sources can be considered:

- Network simulation platforms;

- Sensors;

- Intrusion detection systems;

- Vulnerability analysis;

- Security portals, blogs or feeds;

- NetFlow;

- Server and network device logs.

B) Infrastructure layer: the infrastructure layer includes the following components:

- Data collection servers, which obtain information from the different sources. Consider at least three servers for load balancing and high availability.

- Index servers, which index the data and, on that basis, define attributes and clean and process the data to generate the information for the visualization layer. Consider at least two servers for load balancing and high availability.

- A queue management server, which manages the processing resources of the big data solution and serves multiple concurrent requests for information, together with a reporting and visualization server, which hosts the data visualization tools and lets analysts run interactive queries.

- An intrusion detection server, on which the rules for detecting patterns associated with security attacks are defined; this server has access to the security sensors.

- An alert management server, on which alert management is defined as notifying the analysts when an anomalous pattern is detected; it includes an incident management system and controls the escalation process that follows the detection of a security incident.

C) Index layer: defines the search dictionary.

D) Situational awareness layer: this layer is the core of our proposal. Its goal is to establish a baseline security state for the organization. For this we consider two parts. The first is the machine learning algorithms, which identify patterns or anomalies in the preprocessed data from the different data sources. The second, called teamwork, builds self-awareness from the collaboration of the CSIRT security analysts. The knowledge generated by the team can be used to train the learning algorithms and improve their accuracy.

E) Classification layer: defines the alerts generated for the security analysts, the CSIRT or the other participants in the incident management process. Following good practice, it is advisable to define a classification of alert levels.

F) Automatic response layer: defines the automatic response actions, which requires a security incident management plan to have been established.
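As an added example (not code from the paper or from any project it cites), the following Python script walks the pipeline through the layers above on constructed data: a handful of sshd log lines stand in for the collection layer, a regular expression is the preparation step, the situational awareness layer combines an unsupervised z-score against a baseline with a one-feature supervised rule trained from analyst-supplied labels (the teamwork subcomponent described for the analysis layer), and the classification and automatic response layers map the result to an alert level and to playbook actions. The log lines, baseline counts, labels, thresholds and playbook are all assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Collection layer: constructed sshd log lines standing in for the server logs the
# framework would ingest (sample data made up for this example, not from the paper).
RAW_LOGS = [
    "2019-03-01T10:00:01 srv1 sshd[2101]: Failed password for root from 10.0.0.5 port 50110 ssh2",
    "2019-03-01T10:00:02 srv1 sshd[2102]: Failed password for root from 10.0.0.5 port 50111 ssh2",
    "2019-03-01T10:00:03 srv1 sshd[2103]: Failed password for admin from 10.0.0.5 port 50112 ssh2",
    "2019-03-01T10:00:04 srv1 sshd[2104]: Failed password for admin from 10.0.0.5 port 50113 ssh2",
    "2019-03-01T10:00:05 srv1 sshd[2105]: Failed password for oracle from 10.0.0.5 port 50114 ssh2",
    "2019-03-01T10:00:06 srv1 sshd[2106]: Failed password for oracle from 10.0.0.5 port 50115 ssh2",
    "2019-03-01T10:00:07 srv1 sshd[2107]: Failed password for alice from 10.0.0.7 port 50200 ssh2",
    "2019-03-01T10:00:08 srv1 sshd[2108]: Accepted password for alice from 10.0.0.7 port 50201 ssh2",
    "2019-03-01T10:00:09 srv1 sshd[2109]: Accepted password for bob from 10.0.0.9 port 50300 ssh2",
    "corrupted record that the preparation step must reject, not guess at",
]

# Baseline (constructed): failed logins per source in earlier windows the team judged
# normal; the unsupervised subcomponent measures the current window against it.
BASELINE_COUNTS = [0, 1, 0, 2, 1, 0, 1, 1]

# Teamwork subcomponent (constructed): (failed-login count, verdict) pairs labelled by
# analysts on earlier alerts; they train the supervised rule below.
ANALYST_LABELS = [(1, "benign"), (2, "benign"), (3, "benign"), (8, "incident"), (12, "incident")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def prepare(lines):
    """Preparation layer: normalise raw lines into events and count what was rejected,
    so data-quality problems are visible instead of silently skewing the analysis."""
    events, rejected = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            rejected += 1
    return events, rejected


def learn_threshold(labelled):
    """Supervised subcomponent: a one-feature classifier trained on analyst labels.
    The boundary is the midpoint between the largest benign count and the smallest
    incident count; new labels from the team move it without any code change."""
    benign = [c for c, v in labelled if v == "benign"]
    incidents = [c for c, v in labelled if v == "incident"]
    return (max(benign) + min(incidents)) / 2


def anomaly_score(count, baseline):
    """Unsupervised subcomponent: z-score of a count against the baseline windows."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline) or 1.0  # flat baseline: avoid division by zero
    return (count - mean) / spread


def classify(verdict, z, z_limit=3.0):
    """Classification layer: alert level from the two views of the same source."""
    if verdict == "incident" and z >= z_limit:
        return "critical"  # both subcomponents agree: automation may act at once
    if verdict == "incident" or z >= z_limit:
        return "high"  # they disagree: escalate to the analysts and ask for a label
    return "info"


# Automatic response layer: actions per level, as an incident management plan would define.
PLAYBOOK = {
    "critical": ["block_source", "open_incident", "page_on_call"],
    "high": ["open_ticket", "request_analyst_label"],
    "info": ["log_only"],
}


def run_pipeline(lines, baseline=BASELINE_COUNTS, labelled=ANALYST_LABELS):
    """Collect -> prepare -> analyse -> classify -> respond; one alert per source."""
    events, rejected = prepare(lines)
    threshold = learn_threshold(labelled)
    failed = Counter(e["src"] for e in events if e["result"] == "Failed")
    alerts = []
    for src in sorted({e["src"] for e in events}):
        count = failed.get(src, 0)
        z = anomaly_score(count, baseline)
        verdict = "incident" if count > threshold else "benign"
        level = classify(verdict, z)
        alerts.append({"src": src, "failed": count, "z": round(z, 2),
                       "verdict": verdict, "level": level, "actions": PLAYBOOK[level]})
    return {"rejected": rejected, "threshold": threshold, "alerts": alerts}


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS)["alerts"]:
        print(alert)
```

Running the script prints one alert per source. The source with six failed logins is both above the learned threshold and far outside the baseline, so it is classified critical and the blocking actions fire; a disagreement between the two subcomponents only opens a ticket and asks an analyst for a label, which is how the labelled set, and with it the supervised rule, grows over time. The rejected-line counter is the data quality control the framework's preparation stage needs: malformed input is counted, never guessed at.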

V. Discussion

In psychological research, job performance is a topic that seeks to improve the performance of work by considering personal and environmental variables. The variable analyzed in this study is the cognitive skills of the professionals who carry out incident management in cyber security. We believe that the stronger the cognitive processes related to executive function, the better the performance of the security analysts on the tasks they solve, given the high demand for rapid response to reduce the impact of an attack. It is therefore very important to strengthen cognitive flexibility in order to i) broaden the analysis of incident data, ii) visualize the possibility of facing further cyber attacks and iii) develop inhibitory control to improve the accuracy and effectiveness of decisions. Working memory, in turn, plays an important role in storing experience and later making use of that information, so this cognitive process also helps to form awareness of the risks and threats the organization faces. Another key variable is stress management in the work of incident management professionals, so that strategies can be devised that allow them to cope with the demands of the job.

In a cyber security management model based on situational awareness, analyzing whether the executive functions integrate the processes of perception, comprehension and projection can improve task performance and strengthen decision-making. Non-technical skills play a vital role in many respects, because without sufficient ability to communicate and share knowledge a cyber security team cannot reach the efficiency needed to deal with attacks. For example, when faced with new incidents or problems, handling the complexity should not be left to a single analyst's reasoning; the team should be able to build mental models that represent that complexity and work on them together. Such understanding can be complex, so proposals such as maintaining shared mental maps may be of great value. Another fact is that multidisciplinary work requires the participation of experts from different fields; however, limited knowledge of the partners' domains, different technical vocabularies and heterogeneous working methods create interaction problems. Finally, there is the uncertainty of the outcome of activities and of the interaction with other team members to deal with.

The proposed big data model covers the different components that must be considered in generating knowledge about the cyber security state (cyber security situational awareness). Simply implementing a big data architecture is not enough to solve the problem of handling massive data; effort must go into finding reliable information sources, establishing data quality control processes, generating indicators of compromise and defining when the data are refreshed.

To establish situational awareness from the information the security analysts can handle, we propose a framework of four modules, shown in Figure 5: sources, cognitive processes, collaborative security tasks and soft skills. Teamwork underpins all four modules. In [23], the authors note that the goal of a team is to encourage its members to analyze the way they cooperate, find their weaknesses and develop new forms of cooperation; for this, the learning process must be task-centered. Following Newstrom's team building model [23], we propose the following for the cyber security field:

- Well-trained experts identify the problem;

- Data collection;

- Formulation of a feedback-based action plan;

- Generation of situational awareness;

- Solution experience;

- Continuous improvement.

VI. Conclusion and future work

Changes in technology and society have produced a dynamic and complex environment and a large amount of data. This brings new challenges for security analysts, who must process the data to find the patterns or anomalies that identify threats or attacks. Cognitive security provides the ability to process large volumes of data in different formats in a short time, improving the effectiveness of security operations. In cyber security, big data is used mainly for monitoring and anomaly detection. These actions are part of a reactive security strategy, but other security activities, such as threat hunting or cyber deception, can be strengthened by big data analytics and used in a proactive strategy.

The cyber security task of incident management includes identifying data about incidents in order to determine the scope of the attack scenario. Accumulating experience from data about threats and attacks strengthens cyber security awareness. Establishing cyber security situational awareness requires cognitive and emotional skills, among which the cognitive processes are essential: perception and attention are the first filters through which the security analyst gathers information from the external environment, and the higher cognitive processes related to working memory, cognitive flexibility and inhibitory control take part in the externalized behavior in decision-making and incident management tasks.

The cognitive processes of security analysts can be continuously improved through two skills:

1) Process consultation. Process consultation is an important skill for team members because it helps them to perceive, understand and react constructively to what is happening in the team.

2) Feedback. Feedback provides data that support decision-making and allows members to correct themselves on the basis of how the other team members perceive them.

Regarding the application of big data and machine learning in the security field, there are different proposals in industry and academia; however, they have not been widely implemented. We believe a possible future task is to analyze the causes of this, which in general may be insufficient budget, staff experience and technical support. In addition, a review through focus groups could be an important contribution to complement this study.