situation awareness
in journals of the Electrical Engineering group -
The highest level in Endsley's situation awareness model is called projection when the status of elements in the environment is shortly predicted. In cybersecurity situation awareness, the projection for an Advanced Persistent Threat (APT) requires predicting the next step of the APT. The threats are constantly changing and becoming more complex. As supervised and unsupervised learning methods require APT datasets for projecting the next step of APTs, they cannot identify unknown APT threats. In reinforcement learning methods, the agent interacts with the environment, which might project the next step of known and unknown APTs. So far, reinforcement learning has not been used to project the next step of APTs. In reinforcement learning, the agent uses the previous states and actions to approximate the best action of the current state. When the number of states and actions is abundant, the agent employs a neural network to approximate the best action of each state. This paper presents a deep reinforcement learning system to project the next step of APTs. As there exists some relation between attack steps, we employ the Long Short Term Memory method to approximate the best action of each state. In our proposed system, based on the current situation, we project the next steps of APT threats. We have evaluated our proposed system on the DAPT2020 dataset. Based on the evaluations performed on the mentioned dataset, six criteria F1, accuracy, precision, recall, loss, and average time were obtained, which are 0.9533, 0.9736, 0.9352, 0.97, 0.0143, and 0.05749 (seconds), respectively.
Keywords: Situation Awareness, Advanced Persistent Threats, Projection, Deep Reinforcement Learning, LSTM, DAPT2020, SCVIC-APT-202
-
In the rapidly evolving landscape of modern organizations, maintaining robust situation awareness is crucial for agility, informed decision-making, and sustained competitive advantage. Traditional approaches often rely on documented processes, which, while useful, may fail to capture the dynamic and complex nature of actual workflows. Enter process mining—a powerful analytical tool that delves into real-time data, uncovering the true flow of tasks, identifying bottlenecks, and predicting future process behaviors. By transforming raw data into actionable insights, process mining offers an unparalleled level of transparency, enabling organizations to anticipate disruptions, optimize resource allocation, and enhance operational efficiency. This review explores the intersection of situation awareness and process mining, providing a comprehensive analysis of how these methodologies converge to offer a clearer understanding of organizational processes. We begin by examining the theoretical foundations of situation awareness and process mining. The paper then reviews existing research on the application of process mining in enhancing situation awareness, highlighting key advancements, use cases, and the transformative impact on decision-making processes. Despite its numerous benefits, the integration of process mining into situation awareness is not without challenges. This review identifies several open issues, including data quality concerns, the complexity of real-world processes, and the need for more sophisticated analytical techniques. To address these gaps, we propose future research directions, particularly in the context of cyber situation awareness. By advancing the state of the art in process mining, we aim to pave the way for more resilient, adaptable, and aware organizations in the digital age.
Keywords: Situation Awareness, Process Mining, Cyber Situation Awareness, Context Awareness, Discovery, Conformance Checking, Enhancement -
Cyber security situation awareness is important for the analysis of cyberspace, and detection of ever-changing threats. As computer networks and systems continue to increase in complexity and sophistication, the requirements on a cybersecurity operator increase as well. In this paper, we propose a simulation system to assess the impacts of attacks on cyber assets and identify critical assets. Our proposed system helps to have better situation awareness. For this purpose, we first generate the business process model of the organization. This business process model not only contains information about the mission activities but also contains features of the process itself and the context in which the system operates. Then, we determine the dependency between the processes and the cyber assets of an enterprise. Finally, we simulate some attacks on cyber assets. We evaluate the impacts of attacks on the cyber assets and asset-dependent processes by comparing the Measure of Effectiveness before and after the attack simulation.
Keywords: Cyber Security, Situation Awareness, Business Process Model, Simulation, Cyber Attack, Measure of Effectiveness, Impact Assessment
- Results are sorted by publication date.
- Your keyword was searched only in the keywords field of the articles. To exclude irrelevant results, the search was run only on articles from journals that share the subject of the source journal.