Table of Contents
Fetching ...

A Case Study on the Use of Representativeness Bias as a Defense Against Adversarial Cyber Threats

Briland Hitaj, Grit Denker, Laura Tinnel, Michael McAnally, Bruce DeBruhl, Nathan Bunting, Alex Fafard, Daniel Aaron, Richard D. Roberts, Joshua Lawson, Greg McCain, Dylan Starink

TL;DR

The paper investigates whether representativeness bias in attackers can be exploited to enhance cyber defense. It introduces bias triggers within capture-the-flag events (Rep1a and Rep1b) and uses a within-subject design at HITB and ECSC to measure effects on attacker decisions and time allocation. Results show no significant effect on initial path choices but reveal significant differences in time spent on non-vulnerable versus vulnerable paths in Rep1b, with mixed patterns across conferences; linear mixed-effects modeling confirms substantive effects of event, challenge, and condition. The work demonstrates the feasibility of psychology-informed active defenses and outlines a path toward bias sensors and broader bias repertoire to improve cyber resilience.

Abstract

Cyberspace is an ever-evolving battleground involving adversaries seeking to circumvent existing safeguards and defenders aiming to stay one step ahead by predicting and mitigating the next threat. Existing mitigation strategies have focused primarily on solutions that consider software or hardware aspects, often ignoring the human factor. This paper takes a first step towards psychology-informed, active defense strategies, where we target biases that human beings are susceptible to under conditions of uncertainty. Using capture-the-flag events, we create realistic challenges that tap into a particular cognitive bias: representativeness. This study finds that this bias can be triggered to thwart hacking attempts and divert hackers into non-vulnerable attack paths. Participants were exposed to two different challenges designed to exploit representativeness biases. One of the representativeness challenges significantly thwarted attackers away from vulnerable attack vectors and onto non-vulnerable paths, signifying an effective bias-based defense mechanism. This work paves the way towards cyber defense strategies that leverage additional human biases to thwart future, sophisticated adversarial attacks.

A Case Study on the Use of Representativeness Bias as a Defense Against Adversarial Cyber Threats

TL;DR

The paper investigates whether representativeness bias in attackers can be exploited to enhance cyber defense. It introduces bias triggers within capture-the-flag events (Rep1a and Rep1b) and uses a within-subject design at HITB and ECSC to measure effects on attacker decisions and time allocation. Results show no significant effect on initial path choices but reveal significant differences in time spent on non-vulnerable versus vulnerable paths in Rep1b, with mixed patterns across conferences; linear mixed-effects modeling confirms substantive effects of event, challenge, and condition. The work demonstrates the feasibility of psychology-informed active defenses and outlines a path toward bias sensors and broader bias repertoire to improve cyber resilience.

Abstract

Cyberspace is an ever-evolving battleground involving adversaries seeking to circumvent existing safeguards and defenders aiming to stay one step ahead by predicting and mitigating the next threat. Existing mitigation strategies have focused primarily on solutions that consider software or hardware aspects, often ignoring the human factor. This paper takes a first step towards psychology-informed, active defense strategies, where we target biases that human beings are susceptible to under conditions of uncertainty. Using capture-the-flag events, we create realistic challenges that tap into a particular cognitive bias: representativeness. This study finds that this bias can be triggered to thwart hacking attempts and divert hackers into non-vulnerable attack paths. Participants were exposed to two different challenges designed to exploit representativeness biases. One of the representativeness challenges significantly thwarted attackers away from vulnerable attack vectors and onto non-vulnerable paths, signifying an effective bias-based defense mechanism. This work paves the way towards cyber defense strategies that leverage additional human biases to thwart future, sophisticated adversarial attacks.
Paper Structure (13 sections, 7 figures, 3 tables)

This paper contains 13 sections, 7 figures, 3 tables.

Figures (7)

  • Figure 1: Content of logs shown in the treatment version of Rep1a. In this challenge, the control group did not have any logs.
  • Figure 2: SaikoCTF index page for Rep1a challenge
  • Figure 3: Content of logs shown in CTF challenge Rep1b in the control (left) and the treatment version (right).
  • Figure 4: Rep1a results for ECSC (left) and HITB (right) events. Effect size ($E$) and respective P-values ($P$) are shown for each plot.
  • Figure 5: Rep1b results for ECSC (left) and HITB (right) events. Effect size ($E$) and respective P-values ($P$) are shown for each plot.
  • ...and 2 more figures