A framework to facilitate cyber defense situational awareness modeled in an emulated virtual machine testbed

Modern computer networks and the cyber attacks launched against them grow more complex each year. Analyzing network information can be complex and time consuming. Network defenders are routinely unable to orient themselves quickly enough to determine the expected system impact, much less defend the networks' resources. The network operator's time would be better spent finding and executing event responses to minimize damage. Current automated response systems are mostly limited to scripted responses based on data from a single source. Better automation is required. This paper presents a framework that aggregates data from heterogeneous network sensors, including intrusion detection systems and network vulnerability assessment tools. An impact rating system is proposed and tested that estimates the feasibility of an attack and its potential impact. The impact assessments allow decision makers to prioritize attacks in real time and attempt to mitigate the attacks in order of their estimated network impact to the network. Experimental results indicated that when administrators are only concerned with high-level attacks, impact assessments could eliminate a mean 51.21% of irrelevant data. When only concerned with high-and medium-level attacks, a mean of 34.03% of the data was irrelevant. This represents a significant reduction in the information administrators must process.