Detecting Ambiguity Aversion in Cyberattack Behavior to Inform Cognitive Defense Strategies
Stephan Carney, Soham Hans, Sofia Hirschmann, Stacey Marsella, Yvonne Fonken, Peggy Wu, and Nikolos Gurney

TL;DR
This paper presents a novel framework for detecting ambiguity aversion in cyberattack behavior using multi-modal data, LLM parsing, and real-time inference to enhance adaptive defense strategies.
Contribution
It introduces a new computational model and methodology to identify ambiguity aversion in adversaries, leveraging multi-modal data and LLMs for real-time analysis.
Findings
Successful inference of ambiguity aversion levels in simulated attacks
Demonstrated near-real-time detection capability
Enhanced understanding of adversary decision-making processes
Abstract
Adversaries (hackers) attempting to infiltrate networks frequently face uncertainty in their operational environments. This research explores the ability to model and detect when they exhibit ambiguity aversion, a cognitive bias reflecting a preference for known (versus unknown) probabilities. We introduce a novel methodological framework that (1) leverages rich, multi-modal data from human-subjects red-team experiments, (2) employs a large language model (LLM) pipeline to parse unstructured logs into MITRE ATT&CK-mapped action sequences, and (3) applies a new computational model to infer an attacker's ambiguity aversion level in near-real time. By operationalizing this cognitive trait, our work provides a foundational component for developing adaptive cognitive defense strategies.
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Deception detection and forensic psychology
