III. Methodology
3.5 System Performance Metrics
3.5.1 System Parameters
The system parameters for each block diagram can be seen at the top of the diagram. The 18 parameters considered for the SUT are local policy, trusted neighbor status, threat status, protected resource status, threat risk assessment, available resources, the operational environment and the local decision-maker’s confidence in the IDPS performance levels. Each parameter is described below.
1. Local Decision-Support Profiles: Decision-Support profiles are preprocessed during the training phase (Section 3.6). Once selected, the link weights of each desired response are maintained throughout the experiments. The more neighbors that report a locally defined threat severity match, the higher the contribution for the reported PPL recommendation.
2. IDPS Threat reporting rates: The rates of locally detected threats are workload inputs. Each Local Area has independent arrival rate distributions of normal, Poisson or exponential traffic patterns.
3. Trusted Neighbors: If neighbors are trusted, then the threat reports that match locally defined threat severity are considered for the recommended PPL output. If neighbors are not trusted, then the Local Area’s desired responses do not consider any neighbor participation of reported threats. In that case, the PPL recommended is only the result of the individual decision-support profile.
4. Seed Value: The seed is the value used by NetLogo to maintain reproducible results during runtime. The input-nodes represent the Level-1 and Level-2 SA element cues. There are 20 input-nodes used throughout the performance tests.
5. Output-Nodes: The output nodes hold the encoded representation of the recommended PPL. In the pilot study, the choice is 1 output node per area, and Scenarios II and III use five output nodes for each area to interpret the encoded global event vector.
6. Activation Function: The activation function is the unipolar sigmoid (i.e., the logistic function). The sigmoid activation function can be used with or without a threshold and provides a continuous output value between 0 and 1.
7. Threshold: The threshold is set at 0.5.
8. Local Policy: Local Policy, Tactics, Techniques and Procedures: These parameters were chosen because they are critical elements in decision-making to support the organizational goals, guidance and specified directives that local decision-makers follow. Restrictive local policy constraints may lead to undesirable Global Policy generalizations and may provide undesirable recommendations to the local decision-maker.
9. Threat Status: This factor was chosen because it reflects Level-1 SA about what the threat element is doing in the operational environment, which is a critical factor for IDP. The IDPS and ANN detect the occurrence pattern of threats to make recommendations on the status of reported events.
10. Protected Inventory/Resource Status: Status of Protected Resource(s): This factor provides Level-I SA about where the threat event is occurring to local decision-makers.
11. Risk Assessment: Depending on the local area’s residual risk factor, the desired response is affected to receive a higher recommendation or increased protective posture, if a global threat matches the local threat severity level.
12. Mitigation Resources Status: Local decision-makers may consider the time it takes to employ quick reaction forces to implement their highest level of threat mitigation and avoidance resources. Early warning responses can be recommended by desiring more responses for this particular threat despite the number of neighbors reporting.
13. The Operational Environment: The operational environment provides context and overall SA. Local decision-makers cannot make decisions based on things that they do not know; perhaps interconnecting network boundaries will reduce uncertainty.
14. IDPS performance/Confidence: Performance statistics of the reporting IDPS: Poor accuracy of the reporting IDPS will lead to a lack of trust in the system, and a loss of credibility for all participants in the global collaboration pool. These values are modeled, but not modified during this research.
16. Examples per epoch: Each training sample is presented from the set of DSP to the ANN to learn how best to classify the desired response. The ANN has a greater chance of learning the correct classification of a sample when the sample is presented multiple times. This desirable effect has an unintended consequence of reducing the generalized accuracy, so a balance must be found to reduce overfitting. A lower level can increase the generalization capability of the ANN and approximate the classification of unseen samples when placed in the online performance mode. Cross validation is commonly used to find this balance.
17. Learning Rate: The learning rate for the ANN is used to adjust the step size when distributing the error across the system and tune the link weights so that the desired response matches the actual response with an acceptable level of accuracy. A high learning rate tends to allow faster runtimes due to larger increments (step size) in link weight adjustments. A lower learning rate takes more time because link weights are adjusted in smaller increments.
18. Momentum: Momentum was not used as a parameter in this research. It is used to help gradient descent avoid settling on link weight values for the ANN that represent a local minimum of the error.
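The interaction of items 6, 7, 17 and 18 can be seen in a small trainer that uses the unipolar sigmoid, the 0.5 threshold, a configurable learning rate and no momentum. This is an added Python illustration, not the NetLogo model used in this research; the single-layer topology, the zero initial weights, the training samples and all function names are constructed assumptions.

```python
import math

N_INPUTS = 20    # input-nodes (item 4)
N_OUTPUTS = 5    # output nodes per area in Scenarios II and III (item 5)
THRESHOLD = 0.5  # item 7

def sigmoid(net):
    """Unipolar sigmoid (logistic) activation: continuous output in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-net))

def forward(weights, x):
    """Continuous activation of every output node for one input vector."""
    return [sigmoid(sum(w * xi for w, xi in zip(row, x))) for row in weights]

def encode(outputs):
    """Apply the threshold to obtain the encoded (binary) recommendation."""
    return [1 if y > THRESHOLD else 0 for y in outputs]

def make_samples():
    """Constructed training set: sample k sets cues 4k..4k+3, target is one-hot k."""
    samples = []
    for k in range(N_OUTPUTS):
        x = [1 if 4 * k <= i < 4 * k + 4 else 0 for i in range(N_INPUTS)]
        t = [1 if j == k else 0 for j in range(N_OUTPUTS)]
        samples.append((x, t))
    return samples

def train(samples, learning_rate, epochs):
    """Delta-rule gradient descent, no momentum; returns (weights, final MSE)."""
    weights = [[0.0] * N_INPUTS for _ in range(N_OUTPUTS)]  # assumed zero start
    for _ in range(epochs):
        for x, t in samples:
            y = forward(weights, x)
            for j in range(N_OUTPUTS):
                # Output error scaled by the sigmoid derivative y * (1 - y).
                delta = (t[j] - y[j]) * y[j] * (1.0 - y[j])
                for i in range(N_INPUTS):
                    weights[j][i] += learning_rate * delta * x[i]
    sq = [(tj - yj) ** 2 for x, t in samples for tj, yj in zip(t, forward(weights, x))]
    return weights, sum(sq) / len(sq)

if __name__ == "__main__":
    data = make_samples()
    for rate in (0.05, 0.5):
        w, mse = train(data, rate, epochs=50)
        print(f"learning rate {rate}: MSE after 50 epochs = {mse:.4f}")
```

For the same number of epochs, the higher learning rate leaves a smaller residual error, while both rates already produce the correct thresholded encoding on these constructed samples.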