Abstract
Many defense problems are time-dominant: attacks progress at speeds that outpace human-centric systems designed for
monitoring and response. Despite this shortcoming, these well-honed and ostensibly reliable systems pervade most
domains, including cyberspace. The argument that often prevails when considering the automation of defense is that
while technological systems are suitable for simple, well-defined tasks, only humans possess sufficiently nuanced
understanding of problems to act appropriately under complicated circumstances. While this perspective is founded in
verifiable truths, it does not account for a middle ground in which human-managed technological capabilities extend
well into the territory of complex reasoning, thereby automating more nuanced sense-making and dramatically
increasing the speed at which it can be applied. Snort1 and platforms like it enable humans to build, refine, and deploy
sense-making tools for network defense. Shortcomings of these platforms include a reliance on rule-based logic, which
confounds analyst knowledge of how bad actors behave with the means by which bad behaviors can be detected, and a
lack of feedback-informed automation of sensor deployment. We propose an approach in which human-specified
computational models hypothesize bad behaviors independent of indicators and then allocate sensors to estimate and
forecast the state of an intrusion. State estimates and forecasts inform the proactive deployment of additional sensors
and detection logic, thereby closing the sense-making loop. All the while, humans are on the loop, rather than in it,
permitting nuanced management of fast-acting automated measurement, detection, and inference engines. This paper
motivates and conceptualizes analytics to facilitate this human-machine partnership.
