Cognitive Agents for Adaptive Training in Cyber Operations

Abstract

To support training for offensive and defensive cyber operations, we focus on giving the trainee a realistic ecosystem to train in. This ecosystem includes models of attackers, defenders, and users. The high-level goals for adaptation in this ecosystem are of two types: realism in behavior and tailoring of training. In terms of realism, real-world cyber operations are highly adaptive. Attackers constantly innovate new attack techniques and adapt existing techniques to take advantage of emerging vulnerabilities. Defenders must adapt to ever-changing attack tactics and vulnerabilities. Users continuously adapt to rapidly changing technology. A realistic training ecosystem requires those adaptations to be reflected in the models of the synthetic actors. In terms of tailoring, training systems often require ecosystem actors to step outside of what would “realistically” happen and instead create artifices to focus the trainee’s experience on particular learning objectives. In support of these high-level adaptation goals, the CyCog (CYber COGnitive) framework currently supports three types of adaptivity. These include adaptation of tactics and techniques (for example, innovating a new attack or defense), adaptation of level of sophistication (for example, to make an attacker more or less aggressive, or to limit or expand a defender’s awareness to focus training), and adaptation of personality parameters (for example, to tune the preferences of various types of users in the ecosystem). To maintain maximum training flexibility, we use a mixed-autonomy approach that allows all forms of adaptation to be controlled on a spectrum from automated tuning to manual manipulation by human instructors.