How Multi-Criteria Decision Making can help quickly choose an accurate mitigation for a cyberattack
When a cyberattack targets critical infrastructures, for instance Energy Infrastructures in the PHOENIX project, the attack must be handled correctly and quickly to avoid disasters. In this setting, Multi-Criteria Decision Making (MCDM) tools can help make good decisions in a very short timeframe.
Beyond preventive measures, cybersecurity is also concerned with how to respond to attacks when they happen. In such cases, there may be many possible responses and only a very short time to mitigate the ongoing attack. Even experienced operators may not be quick enough to provide a good countermeasure in such a tight timeframe. Machines can respond that quickly, but the lack of cases and the very rapid changes in the domain may prevent machine learning algorithms from responding correctly to the threats, whereas the choices of a human operator, based on their subject matter expertise, may yield a more relevant response. When the cyberattack targets critical infrastructures, for instance Energy Infrastructures in the PHOENIX project, the attack must be handled correctly and quickly to avoid disasters. This is where Multi-Criteria Decision Making (MCDM) can be of great help.
The principles of MCDM are the following. Offline, the knowledge of the subject matter expert is captured using a specific method. It is then used to design a model that takes into account a set of relevant criteria and can be easily interpreted by a machine. Online, the model is queried with the values of the criteria at that moment, and it reproduces the reasoning of the expert. The result can then be used either to make a decision (Multi-Criteria Decision Making) or to aid the decision maker (Multi-Criteria Decision Aid). Moreover, depending on the kind of model generated, the model can be analyzed to better understand why one decision was made rather than another.
At Thales, and in particular for the PHOENIX project, we use MYRIAD, an MCDM framework we have been working on in several past projects for attack and natural disaster mitigations. The models produced by the tool are decision trees where each internal node is a Choquet integral of its children. This hierarchical model makes it possible to define a rich global model by taking into account the interactions between criteria of the same branch of the tree. The suite relies on a tool that lets the expert define their preferences simply, by using comparisons. This tool is based on a widely used theoretical framework called MACBETH and extends it. Using this framework, we ask the user for their preference between predetermined situations and for the strength of this preference. We then use Operational Research algorithms to find the model parameters that best fit their preferences. Beyond the properties of the model and its capacity to take into account the interactions between criteria, this model also makes it possible to produce accurate explanations of the decisions, for instance by producing the importance index (called the Shapley index) of each criterion. This explanation can be used either to quickly understand what is going on by focusing on the most relevant criteria, or to efficiently improve the mitigations according to the most important criterion.
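To make the two notions above concrete, the following added example (not MYRIAD code and not from the PHOENIX project) evaluates a single Choquet-integral node and the Shapley importance index of its criteria using the standard textbook formulas. The criteria names, the capacity values and the two candidate mitigations are constructed assumptions; a hierarchical model would apply the same aggregation at every internal node of the tree.

```python
from itertools import combinations
from math import factorial

CRITERIA = ("effectiveness", "speed", "continuity")  # hypothetical criteria

# Constructed capacity: weight given to each coalition of criteria.
# effectiveness and speed interact: together (0.7) they are worth more
# than the sum of their individual weights (0.2 + 0.2).
MU = {
    frozenset(): 0.0,
    frozenset({"effectiveness"}): 0.2,
    frozenset({"speed"}): 0.2,
    frozenset({"continuity"}): 0.3,
    frozenset({"effectiveness", "speed"}): 0.7,
    frozenset({"effectiveness", "continuity"}): 0.5,
    frozenset({"speed", "continuity"}): 0.5,
    frozenset(CRITERIA): 1.0,
}

# Constructed candidate mitigations, each criterion scored in [0, 1].
CANDIDATES = {
    "isolate_segment": {"effectiveness": 0.9, "speed": 0.9, "continuity": 0.2},
    "throttle_traffic": {"effectiveness": 0.9, "speed": 0.3, "continuity": 0.8},
}

def choquet(scores, mu=MU):
    """Discrete Choquet integral of the criterion scores w.r.t. capacity mu."""
    order = sorted(scores, key=scores.get)  # criteria by ascending score
    total, prev = 0.0, 0.0
    for k, name in enumerate(order):
        # Each score increment is weighted by the coalition still "at or above" it.
        total += (scores[name] - prev) * mu[frozenset(order[k:])]
        prev = scores[name]
    return total

def shapley(mu=MU, criteria=CRITERIA):
    """Shapley importance index of each criterion; the indices sum to 1."""
    n = len(criteria)
    phi = {}
    for c in criteria:
        others = [x for x in criteria if x != c]
        phi[c] = sum(
            factorial(len(s)) * factorial(n - len(s) - 1) / factorial(n)
            * (mu[frozenset(s) | {c}] - mu[frozenset(s)])
            for r in range(n) for s in combinations(others, r))
    return phi

def rank(candidates=CANDIDATES):
    """Candidate names ordered from best to worst aggregated score."""
    return sorted(candidates, key=lambda m: choquet(candidates[m]), reverse=True)
```

With these constructed values, a plain weighted sum using the Shapley indices as weights would score `throttle_traffic` at 0.66, while the Choquet integral gives 0.57: the interaction between effectiveness and speed penalizes a mitigation that is effective but slow.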