Operational Model
Operations with the Cyber CRA are modeled as state progression structures for reasoning about cyber-maneuvers and security goals and strategies [7]. Operations are broken into subtasks that progress temporally to a final operation success end-state. Each subtask is defined by a set of security requirements, security outcomes (the change in security state consequent of the subtask completion), risks, costs, and payouts. At the technical level, we formalize the operational model as discrete-time, finite-horizon Markov Decision Processes (MDP) [3][4]. This model enables us to obtain multiple maneuver sequences, to evaluate the cost associated with each sequence, and to make optimal choice of a maneuver sequence that accomplishes the operation under various attacks. In this, we adapt established control theory systems to Cyber-decision making. The operation model represents a formal specification of a cyber-scenario, e.g., the actions needed to complete an online task as described in the preceding section. We model an operation as a directed graph where the nodes are the states of the operation, and the edges are the state transitions needed to complete the mission. Each transition can represent atomic actions, abstractions for sub-operations or discrete time intervals [32]. However, based on the scenario, a choice of several maneuvers is possible. One cannot predict with certainty the consequence of these maneuvers given the current system state, but may model it as a stochastic event with many possible outcomes.
Consider a vastly simplified view of the example vehicle image transmission operation outlined in the preceding section. A model of that Cyber-mission (called an operation in this context) would proceed to (a) establish communication over local and global communication links, (b) transmit that data over the network and (c) terminate the communication. Note that this mission appears superficially to be a linear progression of states, but actually each step can be carried out in many different ways and may require mitigating attacks, using alternate methods when media is either not secure or too costly. Hence each of these steps can be represented by a complex flow of alternative approaches to implementing that higher level goal. The operational model is used to navigate these states and continuously select the approach with the highest probability of reaching a successful end state within a cost budget (e.g., the optimal control result). In this way, the Cyber system is adaptive to changing environmental states, resources, and resilient in the presence of adversary action.
Highlighted throughout, the operational model is built upon three interdependent inputs; detection state, risk metrics, and agility maneuvers. The detection state is the collection of all inputs from sensors and inferred states of the system (i.e., the situational awareness derived from the environment). The risk metrics is an assessment of the set of possible outcomes, their impacts on the operation and the environment, both as weighted by the probability of their occurrence. The set of maneuvers is the set of actions that will enable mission progress. The output is the best maneuver that has the best probability of moving the state towards the best mission goal (end-state).
Note that the end-state of the operation or operation strategy must change as the environment changes. For example, if it is found that an attacker has launched an attack that may prevent completion of the operation, other means to ensure success must be found. If success is no longer possible, other operation goals (with lower payout) and subtasks (with different security apparatus and configuration) may be defined or the operation aborted entirely. For example, in the event that an attacker successfully prevents the delivery of the high-resolution image (e.g. via DoS attack), the system may choose to send an image to another location (such as a local HQ) or may send a lower resolution image. In both cases a favorable outcome is achieved whereas the original goal could not be. This ability to find alternate strategies and outcomes is the key to fighting through adversarial action.