Operators need situational awareness (SA) of their organisation’s computer networks and Information Systems in order to identify threats, estimate impact of attacks, evaluate risks, understand situations, and make sound decisions swiftly and accurately on what to protect against, and how to address incidents that may impact valued assets. Enterprise computer networks are often huge and complex, spanning across several WANs and supporting a number of distributed services. Understanding situations in such dynamic and complex networks is time-consuming and challenging. Operators SA are enhanced through a number of ways, one of which is through the use of situation-aware systems and technology. Designing situation-aware systems for computer network defence (CND) is difficult without understanding basic situational awareness design requirements of network applications and systems. Thus, this chapter investigates pertinent features that are foundation, essential, and beneficial for designing situation-aware systems, software, and network applications for CND.
TopIntroduction
In the last fifteen years the application of situational awareness has been revolutionary, particularly in Air Traffic Control (ATC), and Defence and Military operation where SA has been extensively researched. ATC operation, for instance, can be compared to CND operation; unfortunately, while the application of situational awareness to computer network defence is still in its embryonic stage, its application to ATC is mainstream (Onwubiko C., 2009).
One of the primary purposes of CND is to ensure that systems and networks are secure, reliable and operational. This includes actions taken via computer networks to protect, monitor, analyse, detect and respond to cyber-attacks, intrusions, disruptions or other perceived unauthorised actions that could compromise or impact defence information systems and networks. CND is achieved through a collective effort by personnel who monitor, manage and maintain defence systems, networks and infrastructures, such as network operators, security analysts, systems administrators and network engineers. This group of personnel are referred to, in this chapter, as operators, (‘human’ operators). These personnel are faced with the onerous tasks of coordinating, maintaining, monitoring and ensuring the necessary actions required in keeping defence systems and network infrastructures operational, whilst ensuring that appropriate protection from cyber-attacks is provided on a daily basis.
Cyber-attacks to computer networks are growing and evolving. For example, code-driven attacks, deliberate malicious software attacks, espionage, distributed denial of service attacks, phishing and the recent computer electronics attacks (E.g. Stuxnet). All these contribute in demonstrating the complexity and challenges faced in a CND environment.
Situational awareness is the process of perceiving the elements in the environment, understanding the elements in the environment, and the projection of their status into the near future (Endsley M. R., 2000). SA underscores situation assessment in order to make accurate forecast in dynamic and complex environments. Thus, the underpinning of situational awareness in computer networks is to assist operators to identify adversaries, estimate impact of attacks, evaluate risks, understand situations and make sound decisions on how best to protect valued assets swiftly and accurately (Onwubiko C., 2009). Hence, we believe that the application of SA in CND will yield unprecedented benefits akin to SA for safety and security in aircraft, flight operation and safety controls.
In this chapter we investigate task and system requirements that support situational awareness in CND. Task requirements are human operator-specific tasks such as risk assessment, protective monitoring and decision making. System requirements are automated system-specific tasks completed by computer systems and network appliances. The elicitation of task and system requirements for CND is the foundation for building CND systems and applications that are situation-aware; and the use of situation-aware systems and applications in a CND environment certainly enhances operator situational awareness.
Situational awareness as a human mental process is enhanced by the use of technology to access, analyse, and present information to have greater understanding of existing situations and how they may change over time (ESRI, 2008). Thus, the aim of this chapter is to investigate situational awareness in computer network security, and to evaluate task and system design requirements (functional and non-functional) that CND systems should possess to enhance operator situational awareness. According to Endsley M. R., and Garland D. J., (2000), the enhancement of operator situation awareness has become a major design goal for those developing operator interfaces, automation concepts and training programs in a wide variety of fields, such as, air traffic control, power plants and advanced manufacturing systems. It is equally important to extend this design assessment to CND infrastructure, systems and applications.
The remainder of this chapter is organised as follows. The first section describes situational awareness in network security. The second section discusses our design requirements framework for developing situation-aware CND systems and applications. Design requirements discussed comprises both functional and non-functional requirements. The third section elaborates on our contribution and outlines benefits of the work, which strengthens the usefulness of the contribution. Finally, the chapter is summarised with a conclusion.