CMF training is inherently complex. The abundance of data produced during cyber training exercises poses both challenges and opportunities. The rapid rate of change in both CMF procedures and big data analytics technology necessitates studying CMF workflow, uncovering gaps in the current tool set, and identifying technologies to leverage. The first step during Phase I is to determine what capabilities are needed and what data is available to drive the functionality. The second step during Phase I is to define the technologies and their associated technical risk for STACK. While the specific visualization needs and data availability will not be known until requirements are elicited, certain assumptions can be made based on the description of the problem and the characteristics of the domain. STACK will leverage the Velox computing framework as necessary. We foresee Velox being beneficial at both the domain analysis and cyber agent levels. Velox is a knowledge-based technology that can be combined with machine learning algorithms to create a hybrid approach that demonstrates the best aspects of both technologies. Hybrid Velox machine learning systems can take multiple forms. A machine learning algorithm can be embedded within a knowledge base to solve a specific problem, such as assessing the likelihood that various Intrusion Detection System (IDS) alerts indicate an actionable situation. Velox knowledge bases can also be used to apply focused machine learning algorithms and/or models at the appropriate time, for example by using a NetFlow classifier trained on networks undergoing a botnet attack once a botnet attack has been detected. STACK will fully adhere to open architecture technology standards and requirements.