Title :
Security Situation Assessment and Response Evaluation (SSARE)
Author :
Ambrosio, Bruce D' ; Takikawa, Masami ; Fitzgerald, Julie ; Upper, Daniel ; Mahoney, Suzanne
Author_Institution :
Information Extraction & Transp. Inc., Corvallis, OR, USA
Abstract :
A response to cyber attack is a decision made in the face of risk and uncertainty. Uncertainty, both in our understanding of the current situation and our capacity to predict exactly the results of alternate responses, requires the ability to entertain multiple hypotheses about the actual state of system security, attacker intent, and response effects. Risk management for catastrophic or near-catastrophic breaches of security or loss of service (either through system compromise or overly aggressive response) requires the evaluation of tradeoffs among competing objectives. Security Situation Assessment and Response Evaluation (SSARE) is a mixed-initiative computer software system for wide-area cyber attack detection, situation assessment, and response evaluation. SSARE is designed to detect a large-scale attack in progress, display an assessment of the situation, and identify effective responses, including automated context and risk-sensitive policy adaptations. The core of our technical approach is (1) development of attack, attacker, mission, systems, and infrastructure element models; (2) application of IET-developed information fusion and dynamic situation assessment technology; and (3) decision-theoretic evaluation of responses.
Keywords :
DP management; decision theory; risk management; security of data; Security Situation Assessment and Response Evaluation; attacker intent; catastrophic security breaches; cyber attack; decision-theoretic response evaluation; dynamic situation assessment technology; information fusion; mixed-initiative computer software system; near-catastrophic security breaches; response effects; risk management; service loss; system security; uncertainty; wide-area cyber attack detection; Bayesian methods; Computer architecture; Computer security; Data mining; Information security; Large-scale systems; Probability distribution; Risk management; Software systems; Uncertainty;
Conference_Title :
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location :
Anaheim, CA
Print_ISBN :
0-7695-1212-7
DOI :
10.1109/DISCEX.2001.932233