




\subsection{Piecewise constant parameters}

In a first extension of the SDE model, we assume that malware and bonware have an activity rate of 0 until they activate at time points $t^{m}$ and $t^{b}$, respectively. After activation, both activity rates are constant.  Additionally, both efficiency parameters are assumed to be constant in time. Specifically,  $\theta^{\malwareSuper}(t) = \theta^{m} u\!\left(t-t^{m}\right)$, $\theta^{\bonwareSuper}(t) = \theta^{b} u\!\left(t-t^{b}\right)$, ${{\gamma}^{\malwareSuper}}(t) = \gamma^{m}$, and ${{\gamma}^{\bonwareSuper}}(t) = \gamma^{b}$.
Here $u(\cdot)$ is the unit step function.

The piecewise constant formulation here is particularly apposite for our experiments, in which the timing of malware attacks is known.  The analyst can then choose between considering $t^{m}$ and $t^{b}$ as known, and retain the parsimony of a four-parameter model, or considering them unknown and estimate them from data in a six-parameter model.  The difference between the known onset time of an attack and the estimated $t^m$ may then be interpreted as the time it takes for an attack to take effect. Similarly, the difference between that onset time and the estimated $t^b$ may be interpreted as the delay until bonware begins to restore functionality after an attack.


\section{Prior work}\label{sec:prior-work}

A growing body of literature explores quantification of resilience in general and cyber resilience in particular. Very approximately, the literature can be divided into two categories: 
(1) qualitative assessments of a system (actually existing or its design) by subject matter experts (SMEs) \cite{alexeev}, \cite{henshel} and 
(2) quantitative measurements based on empirical or experimental observations of how a system (or its high-fidelity model; \cite{kott2017assessing}) responds to a cyber compromise \cite{kott2019cyber,ligo2021how}.
In the first category, a well-cited example is the approach called the cyber-resilience matrix \cite{linkov2013resilience}. In this approach, a system is considered as spanning four domains: (1) physical (i.e., the physical resources of the system, and the design, capabilities, features and characteristics of those resources); (2) informational (i.e., the system's availability, storage, and use of information); (3) cognitive (i.e., the ways in which informational and physical resources are used to comprehend the situation and make pertinent decisions); and (4) social (i.e., structure, relations, and communications of social nature within and around the system). For each of these domains of the system, SMEs are asked to assess, and to express in metrics, the extent to which the system exhibits the ability to (1) plan and prepare for an adverse cyber incident; (2) absorb the impact of the adverse cyber incident; (3) recover from the effects of the adverse cyber incident; and (4) adapt to the ramifications of the adverse cyber incident. In this way, the approach defines a 4-by-4 matrix that serves as a framework for structured assessments by SMEs.     

Another example within the same category (i.e., qualitative assessments of a system by SMEs) is a recent, elaborate approach proposed by \cite{beling2021developmental}. The approach is called Framework for Operational Resilience in Engineering and System Test (FOREST), and a key methodology within FOREST is called Testable Resilience Efficacy Elements (TREE). For a given system or subsystem, the methodology requires SMEs to assess, among others, how well the resilience solution is able to (1) sense or discover a successful cyber-attack; (2) identify the part of the system that has been successfully attacked; (3) reconfigure the system in order to mitigate and contain the consequences of the attack. Assessment may include tests of the system, although the methodology does not prescribe the tests. 

Undoubtedly, such methodologies can be very valuable in finding opportunities in improvements of cyber-resilience in a system that is either at the design stage or is already constructed. Still, these are essentially qualitative assessments, not quantitative measurements derived from an experiment. 

In the second category (i.e., quantitative measurements based on empirical or experimental observations of how a system, or its high-fidelity model, responds to a cyber compromise), most approaches tend to revolve around a common idea we call here the area under the curve (AUC) method \cite{hosseini2016review,kott2021to}. The general idea is depicted in Figure~\ref{fig:auc}. In an experiment/test, a system is engaged into a performance of a representative mission, and then is subjected to an ensemble or sequence of representative cyber attacks. A mission-relevant quantitative functionality of the system is observed and recorded. The resulting average functionality, divided by normal functionality, can be used as a measure of resilience.  

\begin{figure}[t]
  \centering
 
  \aaa{attacks_and_defenses.pdf}
  \caption{Resilience can be measured by subjecting a system to cyber attacks and measuring the fraction of functionality lost due to cyber attack, as compared to normal functionality.}
  \label{fig:auc}
\end{figure}

Brtis \cite{brtis2016how} performed a structured evaluation and comparison of multiple resilience metrics and concluded that the AUC-based approaches are superior to others. He wrote, ``We evaluated 23 candidate metrics against 19 evaluation criteria. From this analysis we conclude that the best single metric for resiliency is the expected availability of the required capability.'' Parenthetically, our research did not find a reason to disagree with Brtis's position. 

However, AUC-based resilience measures are inherently cumulative, aggregate measures, and do not tell us much about the underlying processes. For example, is it possible to quantify the resilience \impact{} of the bonware of the given system? Similarly, is it possible to quantify the \impact{} of malware? In addition, is it possible to gain insights into how these values of \impact{fulness} vary over time during an incident? We offer steps toward answering such questions.  
\subsection{Accomplishment and functionality}

Every mission has a goal, and we postulate that for a given mission, there exists a function $\ma(t)$ that represents accomplishment and is cumulative from the mission start time up until the present time $t$.  We define functionality, ${{F}}(t)$, to be the time derivative of mission accomplishment.  Thus,
\begin{equation}
  \label{eq:ma}
  {{F}}(t) = \frac{d \ma }{dt}, \quad \ma(t) = \int_{t_0}^t {{F}}(\tau) \, d\tau.
\end{equation}
The normal functionality, when the system performs normally and does not experience effects of a cyber attack, may, in general, vary with time. For simplicity, throughout this paper, we assume the normal functionality to be constant in time, $\Fnominal(t)=\Fnominal$. Thus, the functionality of our system prior to an attack or other malfunction is normal at the start time:
${{F}}(t_0)=\Fnominal$.


\section{An application of the model}
\subsection{Obtaining model parameters}
\label{sec:parameters}
Given notional data that represents a typical curve of functionality
over the course of an incident where malware and bonware are active,
we develop a fast method to estimate the continuous model parameters
for a curve that approximates the data, and use these parameters to
generate further realizations based on this model.  In Figure
\ref{fig:notional} an example of such notional data is plotted (in
light blue).  In this section, we illustrate our method to
extract the model parameters from this curve.



The set $P=\{t_0, \hdots, t_K\}$ partitions the mission timeline and
malware and bonware are constant in each interval $(t_{i-1},t_i), \,\,
i=1, \hdots, K. \,\,$  In each interval,
$\Qware_i=\malware_i+\bonware_i$ and the differential equation
governing Continuous Model I is $\frac{dF(t)}{dt}+\Qware_i F(t) =
\Fnominal (t) \bonware_i.$  Thus, in each interval $(t_{i-1},t_i),$
the solution is 
\begin{equation*}
  {{F}}(t)     =
  \left[{{F}}(t_{i-1}) - \frac{\Fnominal \bonware_i}{
      \Qware_i } \right]  e^{-\Qware_i (t-t_{i-1})} + \frac{\Fnominal \bonware_i}{\Qware_i}.
\end{equation*}
We compute the effectiveness, ${\effectiveness}^{\malwareSuper}$, and activity, ${\activity}^{\malwareSuper}$, of malware
and of bonware (${\effectiveness}^{\bonwareSuper}, {\activity}^{\bonwareSuper}$), in each interval:
$\malware_i = {\effectiveness}^{\malwareSuper}_i {\activity}^{\malwareSuper}_i$, $\bonware_i = {\effectiveness}^{\bonwareSuper}_i {\activity}^{\bonwareSuper}_i$.

We observe that there is a unique switching time $\tchange$ where the
functionality's trend reverses, and thus we take $K=2.$ Before the
switch, the impact of malware is greater than that of bonware. From
the time of the switch until the end of the mission, bonware is
stronger.  To estimate the switching time $\tchange$, we find the
minimum of the data to occur over the interval from 64 s to 75 s.
There, the minimum value of the data curve is $m=0.27$.  Taking the
midpoint, our estimate for $\tchange$ is 69.5 s.  We estimate the
activity of malware before switching to be the number of times the
data curve decreases divided by the switching time.  Similarly, our
estimate of bonware activity is the number of times the data curve
increases prior to the switching time.  We thus have
${\activity}^{\malwareSuper}_1~\approx~\sfrac{7}{69.5}~\approx 0.101$ and
${\activity}^{\bonwareSuper}_1 \approx \sfrac{2}{69.5} \approx 0.014$.


To determine the remaining parameters, we numerically solve this
system of equations:
\begin{align*}
    \alpha m  &= \Fnominal \bonQone,\\
    m  &= {{F}}(0)  -\Fnominal \bonQone e^{-\Qware_1 \tchange}+\Fnominal \bonQone.
\end{align*}
The first equation says that where the curve meets the minimum of the data, it has experienced exponential decay of $\alpha$ toward the asymptotic minimum.  We take $\alpha$ to be $\alpha=1-\sfrac{1}{e}$. The second equation says that the minimum occurs at the switching time (the time when the model switches from malware dominating bonware, to bonware dominating malware.  Solving this system of equations yields (with $\malware_1=\Qware_1-\bonware_1$), $\malware_1 \approx  0.025$ and $\bonware_1 \approx 0.005$, so that ${\effectiveness}^{\malwareSuper}_1 = \sfrac{\malware_1}{{\activity}^{\malwareSuper}_1} \approx 0.503$ and ${\effectiveness}^{\bonwareSuper}_1 = \sfrac{\bonware_1}{{\activity}^{\bonwareSuper}_1}\approx 0.362$.

To the right of $t^\star$, we fit an exponentially increasing function.  Similar to before the switching time, we compute the activities of the malware and bonware: ${\activity}^{\malwareSuper}_2 \approx \frac{1}{100-69.5} \approx 0.033$ and ${\activity}^{\bonwareSuper}_2 \approx \frac{4}{100-69.5} \approx 0.131$.

\newcommand\FBonQtwo[1]{\frac{#1 \bonware_2}{\Qware_2}}
To determine the remaining parameters, we numerically solve this system of equations:
  \begin{align*}
    \zeta &= \FBonQtwo{F(0)},\\
    \tilde{\alpha} \zeta &= \left(m- \FBonQtwo{\Fnominal}\right)
    \!\! \left(e^{-\Qware_2 (125-t^\star)}+\FBonQtwo{\Fnominal}\right).
  \end{align*}
  
We have found that $\tilde{\alpha}=1-e^{-4}$ and $\zeta=0.95$ are
satisfactory values to use for these hyperparameters.

We compute $\malware_2 \approx 0.005$ and $\bonware_2 \approx 0.088$,
so that
${\effectiveness}^{\malwareSuper}_1 =
\sfrac{\malware_1}{{\activity}^{\malwareSuper}_1} \approx 0.201$ and
${\effectiveness}^{\bonwareSuper}_1 =
\sfrac{\bonware_1}{{\activity}^{\bonwareSuper}_1}\approx 0.957$.

\subsection{Generating stochastic realizations}

Using the parameters found in Section~\ref{sec:parameters}, we can now
generate stochastic realizations.  In Section~\ref{sec:proposition},
we showed that for large sample sizes, the average of our ensemble
will approach the solution to the continuous ODE model.  We show
empirically that this is indeed the case.  To illustrate, we generated
five realizations (Figure \ref{fig:five:realizations}) of the
stochastic model with parameters found from the notional data of
Section~\ref{sec:parameters}. 
By averaging $n$ curves when
$n \in \{5,50,500,5000\}$ we see how the ensemble average approaches
the solution of the corresponding differential equation as predicted
in the Theorem of Section~\ref{sec:proposition}.


\begin{figure}[t]
\begin{center}
  \pppp{five_realizations_reduced.pdf}
 
  \ppp{stochastic_averaging_reduced.pdf}
 \caption{ (Top) Five realizations of the stochastic model generated with the
   parameters obtained by fitting the notional data shown in Figure
   \ref{fig:notional}.  Each realization is different but each roughly follows
   an exponential decay when $t<t^\star=69.5$ s and an
   exponential recovery for $t\ge t^\star$. (Bottom) Averages of $n$ stochastic runs for $n\in \{5,50,500,5000\}.$  As $n$ increases, the average of the ensemble approaches the fitted curve as predicted in the theorem of Section \ref{sec:proposition}.}
   \label{fig:five:realizations}
   \label{fig:average}
 \end{center}
 \end{figure}


\section{Prior work}\label{sec:prior-work}

A growing body of literature explores quantification of resilience in general and cyber resilience in particular. Very approximately, the literature can be divided into two categories: 
(1) qualitative assessments of a system (actually existing or its design) by subject matter experts (SMEs) \cite{alexeev}, \cite{henshel} and 
(2) quantitative measurements based on empirical or experimental observations of how a system (or its high-fidelity model; \cite{kott2017assessing}) responds to a cyber compromise \cite{kott2019cyber,ligo2021how}.
In the first category, a well-cited example is the approach called the cyber-resilience matrix \cite{linkov2013resilience}. In this approach, a system is considered as spanning four domains: (1) physical (i.e., the physical resources of the system, and the design, capabilities, features and characteristics of those resources); (2) informational (i.e., the system's availability, storage, and use of information); (3) cognitive (i.e., the ways in which informational and physical resources are used to comprehend the situation and make pertinent decisions); and (4) social (i.e., structure, relations, and communications of social nature within and around the system). For each of these domains of the system, SMEs are asked to assess, and to express in metrics, the extent to which the system exhibits the ability to (1) plan and prepare for an adverse cyber incident; (2) absorb the impact of the adverse cyber incident; (3) recover from the effects of the adverse cyber incident; and (4) adapt to the ramifications of the adverse cyber incident. In this way, the approach defines a 4-by-4 matrix that serves as a framework for structured assessments by SMEs.     

Another example within the same category (i.e., qualitative assessments of a system by SMEs) is a recent, elaborate approach proposed by \cite{beling2021developmental}. The approach is called Framework for Operational Resilience in Engineering and System Test (FOREST), and a key methodology within FOREST is called Testable Resilience Efficacy Elements (TREE). For a given system or subsystem, the methodology requires SMEs to assess, among others, how well the resilience solution is able to (1) sense or discover a successful cyber-attack; (2) identify the part of the system that has been successfully attacked; (3) reconfigure the system in order to mitigate and contain the consequences of the attack. Assessment may include tests of the system, although the methodology does not prescribe the tests. 

Undoubtedly, such methodologies can be very valuable in finding opportunities in improvements of cyber-resilience in a system that is either at the design stage or is already constructed. Still, these are essentially qualitative assessments, not quantitative measurements derived from an experiment. 

In the second category (i.e., quantitative measurements based on empirical or experimental observations of how a system, or its high-fidelity model, responds to a cyber compromise), most approaches tend to revolve around a common idea we call here the area under the curve (AUC) method \cite{hosseini2016review,kott2021to}.
In an experiment/test, a system is engaged into a performance of a representative mission, and then is subjected to an ensemble or sequence of representative cyber attacks. A mission-relevant quantitative functionality of the system is observed and recorded. The resulting average functionality, divided by normal functionality, can be used as a measure of resilience.  


Brtis \cite{brtis2016how} performed a structured evaluation and comparison of multiple resilience metrics and concluded that the AUC-based approaches are superior to others. He wrote, ``We evaluated 23 candidate metrics against 19 evaluation criteria. From this analysis we conclude that the best single metric for resiliency is the expected availability of the required capability.'' Parenthetically, our research did not find a reason to disagree with Brtis's position. 

However, AUC-based resilience measures are inherently cumulative, aggregate measures, and do not tell us much about the underlying processes. For example, is it possible to quantify the resilience \impact{} of the bonware of the given system? Similarly, is it possible to quantify the \impact{} of malware? In addition, is it possible to gain insights into how these values of \impact{fulness} vary over time during an incident? We offer steps toward answering such questions.  
\subsection{Constant model}

Assuming $\malware, \bonware,$ and $\Qware$ are constant, we have
\begin{equation}  \label{eq:1}
   \frac{d{{F}}}{dt} + \Qware {{F}}(t) =  \Fnominal \bonware.
\end{equation}
   
   
\subsubsection{No bonware}

If $\bonware=0$, then Equation~\ref{eq:1} reduces to $\frac{d{{F}}}{dt} + \malware {{F}}(t) =  0$ and ${{F}}(t) = {{F}}(0) e^{-\malware t}$. If also $\malware=0$ (no bonware and no malware), then $\frac{d{{F}}}{dt}=0$ and ${{F}}(t)={{F}}(0)$.
 
 
\subsubsection{Bonware}\label{sec:4.2}

With bonware present,
the solution is 
\begin{equation} \label{eq:3}
    {{F}}(t) = \left[{{F}}(0) - \frac{\Fnominal \bonware}{ \Qware } \right] e^{-\Qware t} + \frac{\Fnominal \bonware}{\Qware}.
\end{equation}

\begin{figure}[th]
  \centering
  \aaa{figure_2_rescaled.pdf}
 
 
 
    \caption{Normalized functionality, ${{F}}(t)/\Fnominal$, is shown for various values of $\malware$ (malware attacking) and $\bonware$ (bonware defending) and at initial conditions ${{F}}(0)/\Fnominal \in\{0.0, 0.5, 1.0 \}$.  The functionality over time depends on the relative strengths of bonware and malware and on the intial condition.  When the system initially is at normal functionality and when malware overpowers bonware, functionality exhibits exponential decay.  When functionality initially is low, and when bonware overpowers malware, the system recovers (via Eq.~\ref{eq:3}) to $\frac{\Fnominal \bonware}{\malware+\bonware}$.}
    \label{fig:2}
\end{figure}

If ${{F}}(0)>\sfrac{\Fnominal\bonware}{\Qware},$ then ${{F}}(t)$ will initially, at time $t=0$, be at ${{F}}(0)$ and decrease to $\sfrac{\Fnominal\bonware}{\Qware}$.  If  ${{F}}(0)>\sfrac{\Fnominal\bonware}{\Qware},$ then the function ${{F}}(t) = {{F}}(0)$ will be constant.  If ${{F}}(0)<\sfrac{\Fnominal \bonware}{\Qware},$ the function will start at ${{F}}={{F}}(0)$ and increase to $\sfrac{\Fnominal \bonware}{\Qware}.$ Examples of these situations are shown in Figure~\ref{fig:2}.  The plot of $(\malware>0)$ in Figure~\ref{fig:2} shows that even in the presence of bonware, malware will still have an impact on the system.  \blue{The steady-state of the system is obtained either by setting $\frac{d{{F}}}{dt}=0$ in Equation~\ref{eq:1} or letting $t\to\infty:$}
\begin{equation} \label{eq:5}
  {{F}}_\infty=  \lim_{t\to\infty} {{F}}(t)  =\Fnominal\frac{\bonware}{\malware+\bonware}
\end{equation}
so that the antidote to malware is to overwhelm it with bonware.  \blue{The exponent, $-\Qware t = (-\malware-\bonware)t$ in the solution given by Equation $\ref{eq:3}$ indicates that increasing the \impact{} of either malware or bonware will cause the system to more quickly approach steady-state.}{}  At steady-state,
\begin{equation}\label{eq:5a}
  \begin{aligned}
    \frac{ \Fnominal -{{F}}_\infty}{{{F}}_\infty}  =  \frac{\malware}{\malware+\bonware}.
  \end{aligned}
\end{equation}
Equation~\ref{eq:5a} gives us further insight into the trade-off between impacts of both malware and bonware.  The relative decrease of the function from normal functionality is equal to the ratio of malware \impact{} to the sum of malware and bonware \impact{}s.
\subsection{Linear model}  \label{sec:linear}

\newcommand{\Omega(t)}{\Omega(t)}
\newcommand{\Lambda}{\Lambda}

The \impact{}s of malware and bonware may also be linear functions of $t$, so that $\malware(t) = \nu - \mu t$,    $\bonware(t) = \alpha-\beta t$, and  $\Qware(t)   =  \lambda - \omega t$, where $\lambda = \alpha + \nu$ and $\omega  = \beta + \mu$.  Under this linear model, Equation~\ref{eq:00} becomes
\begin{equation}
  \frac{d{{F}}}{dt} + (\lambda - \omega t) {{F}}(t) = \Fnominal (\alpha - \beta t)
\label{eq:linear:model}
\end{equation}
The solution can be expressed in terms of the error function
$\blue{\erf(z)=\frac{2}{\sqrt{\pi }}\int_0^z e^{-\tau^2}\,d\tau}$:
\begin{equation}
  \label{eq:6}
  \begin{aligned}
    \frac{{{F}}(t)}{\Fnominal} &= \frac{1}{\Omega(t)} \left\{
      \frac{{{F}}(0)}{\Fnominal}
      -\frac{\beta}{\omega}\left(1-{\Omega(t)}\right) +(\alpha \omega
      -\beta \lambda )
    \right.\\
    \times&\left.  \frac{\sqrt{\frac{\pi }{2}} e^{\Lambda^2} }{\omega
        ^{3/2}}\left[\erf\left(\Lambda\right)+\erf\left(\frac{\omega
            t}{\sqrt{2 \omega }}-\Lambda\right)\right] \right\}
\end{aligned}
\end{equation}
\normalsize
where $\Omega(t) = e^{\lambda  t-\frac{1}{2}\omega t^2}$, and $\Lambda = \sfrac{\lambda}{\sqrt{2 \omega }}$.


\section{Continuous model}\label{sec:continuous}

For the first set of models, we make the assumption that mission accomplishment is twice continuously differentiable: $\ma\in C^2$, and thus ${{F}} \in C^1$. 

As a first approximation, we let the \impact{} of malware on the
derivative of functionality be linear.
The \impact{} of bonware is similarly defined and proportional to the
level of functionality below normal.
Malware degrades the system while bonware aims to increase
functionality over time.  Malware \impact{} and bonware \impact{} are
assumed to be continuous functions of time,
$\malware, \bonware \in C^0.$ The \impact{} on functionality is the sum
of the \impact{s} of malware and bonware, and
\begin{equation}
  \frac{d{{F}}}{dt} + \Qware(t) {{F}}(t) = \Fnominal \bonware (t),
\label{eq:00}
\end{equation}
where $\Qware(t)=\malware(t)+\bonware(t).$
Since we expect bonware to help (or at least not harm) and malware to
not help, we assume $\bonware(t) \ge 0$ and $\malware(t) \ge 0$.  We also assume normal
functionality is positive, ${{F}}_0 > 0,$ and functionality
is always nonnegative and less than or equal to normal functionality,
$0 \le {{F}}(t) \le \Fnominal.$ 
This first-order linear differential equation has the following solution: 
\small
\begin{equation}
  F(t)  = e^{-\int_0^t \Qware(p) \, dp } \left( F(0) + \bintegral \right).
\end{equation}
\normalsize
To help us understand how the model works, we find explicit solutions for a number of examples. 




\subsection{Piecewise linear model}

\newcommand{\Omega_j(t)}{\Omega_j(t)}
\newcommand{\Lambda}{\Lambda}

Both malware and bonware \impact{}s may initially be linear, but if
the situation changes and a different linear model holds after a time,
the model should be able to account for it.  In particular, if malware
\impact{} is decreasing over time, at some point we will reach
$\malware=0$ and the model switches to a new linear model.
Equation~\ref{eq:linear:model} can be written
\begin{equation*}
  \frac{d{{F}}}{dt} = \sum_{j=0}^{N-1}  \left[ (\lambda_j - \omega_j t) {{F}}(t) -  \Fnominal (\alpha_j - \beta_j t) \right]. \label{eq:piecewise:linear}
\end{equation*}
The solution follows from Equation~\ref{eq:6}.
Example realizations of the piecewise linear models are shown in
Figure~\ref{fig:piecewise:linear}.  The shapes of the curves resemble experimental data discussed in \cite{ellis2022experimental}.

\begin{figure}[t]
  \centering
    \aaa{figure_3_simplified.pdf}
    \caption{Normalized functionality, ${{F}}(t)/\Fnominal$,
      for piecewise linear models. \Impact{}s of malware and bonware
      are linear functions of time.}
    \label{fig:piecewise:linear}
\end{figure}
\subsection{Interaction between bonware and malware}

In all previous models, bonware and malware have acted independently from one another, increasing and decreasing functionality respectively.  In the next version of the model, we additionally allow bonware to act on malware rather than only on functionality directly.  This requires the introduction of an interaction term $\blue{I(t)}$ incorporated in the generic model of Equation~\ref{eq:sde:generic}:
$$\frac{d {{F}}}{d t} 
  =  \left(1-{{F}}(t)\right) {\activity}^{\bonwareSuper}(t) {\effectiveness}^{\bonwareSuper}(t)\nonumber-{{F}}(t) {\activity}^{\malwareSuper}(t) {\effectiveness}^{\malwareSuper}(t) \blue{I(t)}.$$

To complete the interaction model, we may specify that $\blue{I(t)} = u\!\left(\blue{t^{\text{i}}}-t\right)$, so that the malware has its regular effect until some time $\blue{t^{\text{i}}}$, when the malware retreats or is disabled by the bonware. Figure~\ref{fig:psdel} (left) shows simulated data from this model with $\theta^{\bonwareSuper}=0.12$, ${{\gamma}^{\bonwareSuper}}=0.71$, $\theta^{\malwareSuper}=0.08$, and ${{\gamma}^{\malwareSuper}}=0.34$.

\section{Introduction}

Resilience continues to gain attention as a key property of cyber and cyber-physical systems, for the purposes of cyber defense. Although definitions vary, it is generally agreed that cyber resilience refers to the ability of a system to resist and recover from a cyber compromise that degrades the mission-relevant performance of the system \cite{kott2019cyber}.  Resilience should not be conflated with risk or security \cite{linkov2018risk}.

To make the discussion more concrete, consider the example of a military ground logistics vehicle, possibly unmanned, which performs a mission of delivering heavy supplies along a difficult route. The adversary's malware successfully gains access to the Controller Area Network (CAN bus) of the vehicle \cite{bozdal2018august}. Then, the malware executes cyber attacks by sending a combination of messages intended to degrade the vehicle's performance and diminish its ability to complete its delivery mission. We assume that the malware is at least partly successful, and the vehicle indeed begins to experience a degradation of its mission-relevant performance.

At this point, we expect the vehicle's resilience-relevant elements to  resist the degradation and then to recover its performance to a satisfactory level, within an acceptably short time period. These ``resilience-relevant elements'' might be of several kinds. First, because the vehicle is a cyber-physical system, certain physical characteristics of the vehicles mechanisms will provide a degree of resilience. For example, the cooling system of the vehicle will exhibit a significant resistance to overheating even if the malware succeeds in misrepresenting the temperature sensors data. Second, appropriate defensive software residing on the vehicle continually monitors and analyzes the information passing through the CAN bus \cite{kott2018}.  When the situation appears suspicious, it may take actions such as blocking or correcting potentially malicious messages. Third, it is possible that a remote monitoring center, staffed with experienced human cyber defenders, will detect a cyber compromise and will provide corrective actions remotely \cite{kott2021cyber}.

For the purposes of this paper, we assume that the remote monitoring and resilience via external intervention is impossible \cite{kott2020doers}. This may be the case if the vehicle must maintain radio silence for survivability purposes, or if the malware spoofs or blocks communication channels of the vehicle. Therefore, in this paper we assume that resilience is provided by the first two classes of resilience-relevant elements. Here, by analogy with malware, we call these ``bonware'' -- a combination of physical and cyber features of the vehicle that serve to resist and recover from a cyber compromise.

A key challenge in the field of cyber resilience is quantifying or measuring resilience. Indeed, no engineering discipline achieved significant maturity without being able to measure the properties of phenomena relevant to the discipline \cite{kott2021cyber}. Developers of systems like the notional vehicle in our example must be able to  quantify the resilience of the vehicle under development in order to know whether the features they introduce in the vehicle improve its cyber resilience, or make it worse.
Similarly, buyers of the vehicle need to know how to quantitatively specify and test resilience in order to determine whether the product meets their specifications.  

In this paper, we report some of the results of a project called \textit{Quantitative Measurement of Cyber Resilience} (QMoCR) in which our research team seeks to identify quantitative characteristics of systems' responses to cyber compromises that can be derived from repeatable, systematic experiments. Briefly, we have constructed a test-bed in which a surrogate vehicle is subjected to controlled cyber attacks produced by malware. The vehicle is equipped with an autonomous cyber-defense system \cite{kott2020doers,kott2018} and also has some inherent physical resilience features. This ensemble of cyber-physical features (i.e., ``bonware'') strives to resist and recover from the performance degradation caused by the malware's attack. The test bed is instrumented in such a way that we can measure observable manifestations of this battle between the malware and bonware, especially the mission-relevant performance parameters of the vehicle. 

The details of the test bed and the experiment are given in a companion paper \cite{ellis2022experimental}. The focus of this paper is different -– here we concentrate on constructing mathematical models that can be used to describe the dynamics of the malware-bonware battle. We seek models that are parsimonious in the number of empirical parameters and allow us to easily derive parameters of the model from experimental data.

The remainder of the paper is organized as follows. In the next section, we briefly describe prior work related to quantification of cyber resilience.  We provide formal definitions of accomplishment and functionality.  We propose a class of parsimonious models in which effects of both malware and bonware are approximated as deterministic, continuous differentiable variables, and we explore several variations of such models. In the following section we propose a different class of models – stochastic models, and we show how this class is related to the previously proposed class of deterministic models. Then we show how these models are used to approximate experimental data obtained with our surrogate vehicle. We show how to determine the parameters of the models from experimental data.  We discuss whether these parameters might be considered quantitative characteristics (i.e., measurements) of the bonware's cyber resilience.    
\subsection{Applying the SDE model}
\subsection{Parameter expansion of the SDE model}

The SDE model can be conveniently stated as a hidden Markov model and implemented as a directed acyclic graph \cite{griffiths2008bayesian} for efficient parameter estimation with a general-purpose Bayesian inference engine (e.g., JAGS; \cite{plummer2003jags}).  Our implementation relied on a sequential definition for the likelihood function:
$\left({{F}}(t+1) \mid {{F}}(t), \ldots\right) \sim  \dunif{L(t)}{U(t)}$, with $L(t) = {{F}}(t)-{\activity}^{\malwareSuper}(t){\effectiveness}^{\malwareSuper}(t){{F}}(t)$ and $U(t) = {{F}}(t)+{\activity}^{\bonwareSuper}(t){\effectiveness}^{\bonwareSuper}(t)\left(1-{{F}}(t)\right)$.

Since this likelihood function depends on the unknown stochastic parameters ${\activity}^{\malwareSuper}(t)$, ${\activity}^{\bonwareSuper}(t)$, ${\effectiveness}^{\malwareSuper}(t)$, and ${\effectiveness}^{\bonwareSuper}(t)$, we applied a parameter expansion approach \cite{liu1998parameter,gelman2004parameterization} using Equations~\ref{eq:sde:mwa}--\ref{eq:sde:bwe}. 


\section{Quantitative measures of cyber resilience}\label{sec:qmocr}



\section{Continuous model}\label{sec:continuous}

For the first set of models, we make the assumption that mission accomplishment is twice continuously differentiable: $\ma\in C^2$, and thus ${{F}} \in C^1$. 

As a first approximation, we let the \impact{} of malware on the
derivative of functionality be linear:
$\frac{d{{F}}_m(t)}{dt} = - {{F}}(t) \malware(t)$.
The \impact{} of bonware is similarly defined and proportional to the
level of functionality below normal.
$\frac{d{{F}}_b(t) } {dt} = (\Fnominal-F(t)) \bonware(t)$.
Malware degrades the system while bonware aims to increase
functionality over time.  Malware \impact{} and bonware \impact{} are
assumed to be continuous functions of time,
$\malware, \bonware \in C^0.$ The \impact{} on functionality is the sum
of the \impact{s} of malware and bonware:
$\frac{d{{F}}(t)}{dt} = \frac{d{{F}}_m(t)}{dt} +
\frac{d{{F}}_b(t)}{dt}$. Then
\begin{equation}
  \frac{d{{F}}}{dt} = (\Fnominal-{{F}}(t)) \bonware(t) - {{F}}(t) \malware(t).
\label{eq:0}
\end{equation}
Since we expect bonware to help (or at least not harm) and malware to
not help, we assume $\bonware(t) \ge 0$ and $\malware(t) \ge 0$ and we
let $\Qware(t)=\malware(t)+\bonware(t).$ We also assume normal
functionality is positive, ${{F}}_0 > 0,$ and functionality
is always nonnegative and less than or equal to normal functionality,
$0 \le {{F}}(t) \le \Fnominal.$ Equation~\ref{eq:0} can be
written as
\begin{equation}
  \frac{d{{F}}}{dt} + \Qware(t) {{F}}(t) = \Fnominal \bonware (t).
\label{eq:00}
\end{equation}
This first-order linear differential equation has the following solution: 
\begin{equation}
  F(t)  = e^{-\int_0^t \Qware(p) \, dp } \left( F(0) + \bintegral \right).
\end{equation}
To help us understand how the model works, we find explicit solutions for a number of examples.  We start with a piecewise constant malware \impact{}, piecewise constant bonware \impact{}, and also look at a piecewise linear model.  



\section{An application of the model}
\subsection{Obtaining model parameters}
\label{sec:parameters}
Given notional data that represents a typical curve of functionality
over the course of an incident where malware and bonware are active,
we develop a fast method to estimate the continuous model parameters
for a curve that approximates the data, and use these parameters to
generate further realizations based on this model.  In Figure
\ref{fig:notional} an example of such notional data is plotted (in
light blue/gray).  In this section, we illustrate our method to
extract the model parameters from this curve.



The set $P=\{t_0, \hdots, t_K\}$ partitions the mission timeline and
malware and bonware are constant in each interval $(t_{i-1},t_i), \,\,
i=1, \hdots, K. \,\,$  In each interval,
$\Qware_i=\malware_i+\bonware_i$ and the differential equation
governing Continuous Model I is $\frac{dF(t)}{dt}+\Qware_i F(t) =
\Fnominal (t) \bonware_i.$  Thus, in each interval $(t_{i-1},t_i),$
the solution is 
\begin{equation*}
  {{F}}(t)     =
  \left[{{F}}(t_{i-1}) - \frac{\Fnominal \bonware_i}{
      \Qware_i } \right]  e^{-\Qware_i (t-t_{i-1})} + \frac{\Fnominal \bonware_i}{\Qware_i}.
\end{equation*}
We compute the effectiveness, ${\effectiveness}^{\malwareSuper}$, and activity, ${\activity}^{\malwareSuper}$, of malware
and of bonware (${\effectiveness}^{\bonwareSuper}, {\activity}^{\bonwareSuper}$), in each interval:
$\malware_i = {\effectiveness}^{\malwareSuper}_i {\activity}^{\malwareSuper}_i$, $\bonware_i = {\effectiveness}^{\bonwareSuper}_i {\activity}^{\bonwareSuper}_i$.

We observe that there is a unique switching time $\tchange$ where the
functionality's trend reverses, and thus we take $K=2.$ Before the
switch, the impact of malware is greater than that of bonware. From
the time of the switch until the end of the mission, bonware is
stronger.  To estimate the switching time $\tchange$, we find the
minimum of the data to occur over the interval from 64 s to 75 s.
There, the minimum value of the data curve is $m=0.27$.  Taking the
midpoint, our estimate for $\tchange$ is 69.5 s.  We estimate the
activity of malware before switching to be the number of times the
data curve decreases divided by the switching time.  Similarly, our
estimate of bonware activity is the number of times the data curve
increases prior to the switching time.  We thus have
${\activity}^{\malwareSuper}_1~\approx~\sfrac{7}{69.5}~\approx 0.101$ and
${\activity}^{\bonwareSuper}_1 \approx \sfrac{2}{69.5} \approx 0.014$.


To determine the remaining parameters, we numerically solve this system of equations:
\begin{align*}
    \alpha m & = \Fnominal \bonQone,\\
    m & = {{F}}(0)  -\Fnominal \bonQone e^{-\Qware_1 \tchange}+\Fnominal \bonQone.
\end{align*}
The first equation says that where the curve meets the minimum of the data, it has experienced exponential decay of $\alpha$ toward the asymptotic minimum.  We take $\alpha$ to be $\alpha=1-\sfrac{1}{e}$. The second equation says that the minimum occurs at the switching time (the time when the model switches from malware dominating bonware, to bonware dominating malware.  Solving this system of equations yields (with $\malware_1=\Qware_1-\bonware_1$), $\malware_1 \approx  0.025$ and $\bonware_1 \approx 0.005$, so that ${\effectiveness}^{\malwareSuper}_1 = \sfrac{\malware_1}{{\activity}^{\malwareSuper}_1} \approx 0.503$ and ${\effectiveness}^{\bonwareSuper}_1 = \sfrac{\bonware_1}{{\activity}^{\bonwareSuper}_1}\approx 0.362$.

To the right of $t^\star$, we fit an exponentially increasing function.  Similar to before the switching time, we compute the activities of the malware and bonware: ${\activity}^{\malwareSuper}_2 \approx \frac{1}{100-69.5} \approx 0.033$ and ${\activity}^{\bonwareSuper}_2 \approx \frac{4}{100-69.5} \approx 0.131$.

To determine the remaining parameters, we numerically solve this system of equations:
  \begin{align*}
    \zeta & = F(0)   \bonQtwo,\\
    \tilde{\alpha} \zeta & = \left(m-\Fnominal
    \bonQtwo\right)\left(e^{-\Qware_2 (125-t^\star)}+\Fnominal \bonQtwo\right).
  \end{align*}
  
We have found that $\tilde{\alpha}=1-e^{-4}$ and $\zeta=0.95$ are
satisfactory values to use for these hyperparameters.

We compute $\malware_2 \approx  0.005$ and $\bonware_2 \approx 0.088$, so that ${\effectiveness}^{\malwareSuper}_1 = \sfrac{\malware_1}{{\activity}^{\malwareSuper}_1} \approx 0.201$ and ${\effectiveness}^{\bonwareSuper}_1 = \sfrac{\bonware_1}{{\activity}^{\bonwareSuper}_1}\approx 0.957$.

  



\subsection{Generating stochastic realizations}

Using the parameters found in Section~\ref{sec:parameters}, we can now
generate stochastic realizations.  In Section~\ref{sec:proposition},
we showed that for large sample sizes, the average of our ensemble
will approach the solution to the continuous ODE model.  We show
empirically that this is indeed the case.  To illustrate, we generated
five realizations (Figure \ref{fig:five:realizations}) of the
stochastic model with parameters found from the notional data of
Section~\ref{sec:parameters}.  We averaged these curves to obtain the
$n=5$ curve in Figure~\ref{fig:average}.  By averaging $n$ curves when
$n \in \{5,50,500,5000\}$ we see how the ensemble average approaches
the solution of the corresponding differential equation as predicted
in the Theorem of Section~\ref{sec:proposition}.

\begin{figure}[ht]
\begin{center}
   \aaa{five_realizations_reduced.pdf}
 \caption{Five realizations of the stochastic model generated with the
   parameters obtained by fitting the notional data shown in Figure
   \ref{fig:notional}.  Each realization is different but each roughly follows
   an exponential decay when $t<t^\star=69.5$ s and an
   exponential recovery for $t\ge t^\star$. }
   \label{fig:five:realizations}
 \end{center}
 \end{figure}

\begin{figure}[ht]
  \centering
 
  \aaa{stochastic_averaging_reduced.pdf}
  \caption{Averages of $n$ stochastic runs for $n\in \{5,50,500,5000\}.$  As $n$ increases, the average of the ensemble approaches the fitted curve as predicted in the theorem of Section \ref{sec:proposition}. }
  \label{fig:average}
\end{figure}

\subsection{Relationship between continuous and SDE model}\label{sec:proposition}

With the parameters of the stochastic model selected appropriately, we show that as the number of stochastic realizations increases, the expectation of the solution to the stochastic differential equation model approaches that of the ODE model.   We show this for the simple constant parameter case.  The general result follows by extension.

\newtheorem*{theorem}{Theorem}

\begin{theorem}
Let $y^m_k \sim \dbern{2\malware}$, $y^b_k \sim
\dbern{2\bonware}$, $z^m_{k} \sim \dunif{0}{{{F}}_{k}}$, $z^b_{k} \sim \dunif{0}{\Fnominal-{{F}}_{k}}$, and 
\begin{equation}  \label{eq:stochastic:diff}
  {{F}}_{k+1}  =  {{F}}_{k} 
     - y^m_{k} z^m_{k}
     + y^b_{k} z^b_{k}, \quad (k=1,\hdots,K). 
\end{equation}
Let ${\mathcal{F}_k}_n=\frac{{{{F}}_k}_j}{n}$, $(j=1,\hdots,n)$, then\\
\blue{$\mathcal{F}_k~=~\mathbb{E} ({{F}}_k)~=~\lim_{n\to\infty}
 {\mathcal{F}_k}_n$ and $\mathcal{F}_k\approx {{F}}(k),$ for
 large $k$, 
 where ${{F}}(t)$ is the solution to the initial value problem
given by Equation~\ref{eq:1} with $F(0)=\mathcal{F}_0.$}
\end{theorem}

\begin{proof}
\blue{Take the expectation of Equation~\ref{eq:stochastic:diff}.  Then
  $\mathcal{F}_k~-~\mathcal{F}_{k-1}+ (\malware+\bonware)
  \mathcal{F}_{k-1}=\Fnominal \bonware$.  With
  ${\mathcal{F}_0}_n=\mathcal{F}_0,$
 
 
 the~solution~is
$\mathcal{F}_k = \left[\mathcal{F}_0 - \frac{\Fnominal
    \bonware}{ \Qware } \right] (1-\Qware)^k + \frac{\Fnominal
  \bonware}{\Qware},$ which approximates Equation~\ref{eq:3} for large
$k$.}
\end{proof}

\subsection{Piecewise linear model}

\newcommand{\Omega_j(t)}{\Omega_j(t)}
\newcommand{\Lambda}{\Lambda}

Both malware and bonware \impact{}s may initially be linear, but if
the situation changes and a different linear model holds after a time,
the model should be able to account for it.  In particular, if malware
\impact{} is decreasing over time, at some point we will reach
$\malware=0$ and the model switches to a new linear model.
Equation~\ref{eq:linear:model} can be written
\begin{equation*}
  \frac{d{{F}}}{dt} = \sum_{j=0}^{N-1}  \left[ (\lambda_j - \omega_j t) {{F}}(t) -  \Fnominal (\alpha_j - \beta_j t) \right]. \label{eq:piecewise:linear}
\end{equation*}
The solution follows from Equation~\ref{eq:6}:
\begin{align*} \label{eq:piecewise:linear:solution}
  \frac{{{F}}(t)}{\Fnominal} &= \frac{1}{\Omega_j(t)} 
  \left\{ 
    \frac{{{F}}(t_j)}{\Fnominal}-\frac{\beta_j}{\omega_j }\left(1-\Omega_j(t)\right) +(\alpha_j  \omega_j -\beta_j  \lambda_j )\right.\\
  \times & \left. \frac{\sqrt{\frac{\pi }{2}} e^{\Lambda_j^2 }}{\omega_j^{3/2}} \left[\text{erf}\left(\Lambda_j\right)+\text{erf}\left(\frac{\omega_j (t-t_j) }{\sqrt{2 \omega_j }}-\Lambda_j\right)\right] \right\},\\
& \quad (t_j \le t < t_{j+1}), \quad (j=0,\cdots, N-1)
\end{align*}
where $\Omega_j(t)=e^{\lambda_j (t-t_j)-\frac{1}{2}\omega_j (t-t_j)^2 }$ and $\Lambda_j=\sfrac{\lambda_j }{\sqrt{2 \omega_j }}$.  

Example realizations of the piecewise linear models are shown in Figure~\ref{fig:piecewise:linear}.

\begin{figure}[th]
  \centering
    \aaa{figure_3_rescaled.pdf}
    \caption{Normalized functionality, ${{F}}(t)/\Fnominal$, is shown for piecewise linear models. Both malware and bonware \impact{}s are initially linear functions of time.  When malware \impact{} reaches $\malware=0$, then malware \impact{} is zero but bonware \impact{} continues to increase.}
    \label{fig:piecewise:linear}
\end{figure}
\subsection{Piecewise constant model}

If either malware's or bonware's impact diminishes at some point in the incident, the model may switch from one set of constants defining malware and bonware to another set of constants.  The differential equation (Eq.~\ref{eq:0}) may now be expressed as
\begin{equation}
  \frac{d{{F}}}{dt} = \sum_{j=0}^{N-1}(\Fnominal-{{F}}(t)) \bonware_j(t) -  {{F}}(t) \malware_j (t),
  \label{eq:000}
\end{equation}
where the vectors $\boldsymbol{\malware} =( {\malware}_0, {\malware}_1, \cdots {\malware}_{N-1} )$ and $\boldsymbol{\bonware} =( {\bonware}_0,  {\bonware}_1,\cdots, {\bonware}_{N-1})$ contain the malware \impact{} and bonware \impact{}s within time windows whose end points are defined by  $\{t_0, t_1, \cdots, t_N \}$. The solution will be a function which, in each time interval, is the solution found in Equation~\ref{eq:3}:
\begin{align*} \label{eq:piecewise:constant}
    {{F}}(t)     = \left[{{F}}(t_j) - \frac{\Fnominal \bonware_j}{ \Qware_j }
    \right] e^{-\Qware_j\cdot (t-t_j)} + \frac{\Fnominal \bonware_j}{\Qware_j},\\
    \quad (t_j \le t < t_{j+1}), \quad (j=0,\cdots, N-1)
\end{align*}
where $\Qware_j = \malware_j + \bonware_j$.  The smooth line in Figure~\ref{fig:notional} is an example realization of this model.
\begin{figure}[h]
  \centering
 
  \aaa{curves_rescaled.pdf}
  \caption{The smooth line is an example functionality curve with piecewise constant malware and bonware impacts.  The notional data and piecewise constant model fit are described below in Section \ref{sec:parameters}.}
  \label{fig:notional}
\end{figure}

\section{Prior work}\label{sec:prior-work}

A growing body of literature explores quantification of resilience in general and cyber resilience in particular. Very approximately, the literature can be divided into two categories: 
(1) qualitative assessments of a system (actually existing or its design) by subject matter experts (SMEs) \cite{alexeev}, \cite{henshel} and 
(2) quantitative measurements based on empirical or experimental observations of how a system (or its high-fidelity model; \cite{kott2017assessing}) responds to a cyber compromise \cite{kott2019cyber,ligo2021how}.
In the first category, a well-cited example is the approach called the cyber-resilience matrix \cite{linkov2013resilience}. In this approach, a system is considered as spanning four domains: (1) physical (i.e., the physical resources of the system, and the design, capabilities, features and characteristics of those resources); (2) informational (i.e., the system's availability, storage, and use of information); (3) cognitive (i.e., the ways in which informational and physical resources are used to comprehend the situation and make pertinent decisions); and (4) social (i.e., structure, relations, and communications of social nature within and around the system). For each of these domains of the system, SMEs are asked to assess, and to express in metrics, the extent to which the system exhibits the ability to (1) plan and prepare for an adverse cyber incident; (2) absorb the impact of the adverse cyber incident; (3) recover from the effects of the adverse cyber incident; and (4) adapt to the ramifications of the adverse cyber incident. In this way, the approach defines a 4-by-4 matrix that serves as a framework for structured assessments by SMEs.     

Another example within the same category (i.e., qualitative assessments of a system by SMEs) is a recent, elaborate approach proposed by \cite{beling2021developmental}. The approach is called Framework for Operational Resilience in Engineering and System Test (FOREST), and a key methodology within FOREST is called Testable Resilience Efficacy Elements (TREE). For a given system or subsystem, the methodology requires SMEs to assess, among others, how well the resilience solution is able to (1) sense or discover a successful cyber-attack; (2) identify the part of the system that has been successfully attacked; (3) reconfigure the system in order to mitigate and contain the consequences of the attack. Assessment may include tests of the system, although the methodology does not prescribe the tests. 

Undoubtedly, such methodologies can be very valuable in finding opportunities in improvements of cyber-resilience in a system that is either at the design stage or is already constructed. Still, these are essentially qualitative assessments, not quantitative measurements derived from an experiment. 

In the second category (i.e., quantitative measurements based on empirical or experimental observations of how a system, or its high-fidelity model, responds to a cyber compromise), most approaches tend to revolve around a common idea we call here the area under the curve (AUC) method \cite{hosseini2016review,kott2021to}.
In an experiment/test, a system is engaged into a performance of a representative mission, and then is subjected to an ensemble or sequence of representative cyber attacks. A mission-relevant quantitative functionality of the system is observed and recorded. The resulting average functionality, divided by normal functionality, can be used as a measure of resilience.  



However, AUC-based resilience measures are inherently cumulative, aggregate measures, and do not tell us much about the underlying processes. For example, is it possible to quantify the resilience \impact{} of the bonware of the given system? Similarly, is it possible to quantify the \impact{} of malware? In addition, is it possible to gain insights into how these values of \impact{fulness} vary over time during an incident? We offer steps toward answering such questions.  
\subsection{Constant parameters}

In the simplest version of the SDE model, we assume that the rate of malware attacks and their maximum efficiency are constant in time, and that the rate of bonware restoration and its maximum efficiency are both constant in time. Specifically, under this model it is assumed that $\theta^{\malwareSuper}(t) = \theta^{m}$, $\theta^{\bonwareSuper}(t) = \theta^{b}$, ${{\gamma}^{\malwareSuper}}(t) = \gamma^{m}$, and ${{\gamma}^{\bonwareSuper}}(t) = \gamma^{b}$ (cf.\ Eqs.~\ref{eq:sde:mwa}--\ref{eq:sde:bwe}).

This version of the model is parsimonious, with only four free parameters, each with a useful interpretation.





\section{Discussion and conclusion}

We have presented a broadly applicable framework for the analysis of the cyber resilience of military artifacts.  Our framework relies on the construction of a custom differential equation time series model that shows good qualitative correspondence to the functionality of vehicles performing missions.  Seeking to move beyond the use of area-under-the-curve quantifications of cyber resilience, our proposed models have the advantage that their parameters have domain-relevant interpretations such as \textit{the activity of malware} and \textit{the effectiveness of bonware}.  Such interpretable parameters can provide a more nuanced interpretation of cyber resilience data
being experimentally obtained in our lab.

Our formal models come in two families with complementary advantages. A series of continuous models is parsimonious, mathematically convenient, and easy to fit.  A series of discrete, stochastic models shows greater verisimilitude but is slightly less parsimonious and requires more computationally onerous parameter estimation techniques.

Both types of models can be extended to a large variety of custom circumstances, including the case where model parameters change gradually, abruptly, or predictably as a result of experimental manipulation.  Future work will include an extension to the cases of multiple simultaneous objectives and to the case of multiple vehicles to be analyzed jointly.
\subsection{Cyber resilience}

In Section~\ref{sec:prior-work} we discussed a measure of cyber resilience, the area under the functionality curve, which is precisely the mission accomplishment $\ma(T)$ evaluated at the final time of the mission.  To be able to compare measures of cyber resilience for multiple missions, we normalize the measure by dividing by the total mission time.
\begin{equation*}
  R= \frac{1}{T-t_0} \int_{t_0}^T {{F}}(\tau) \, d\tau =
  \frac{\ma(T)}{T-t_0}.
\end{equation*}
Often there are multiple objectives to a mission.  Given a vector of resiliences, $\mathbf{R} =(R_1,R_2, \hdots, R_n),$ we define the overall cyber resilence to be the
root-mean-square resilience of our mission:
\begin{eqnarray*}
  R= ||\mathbf{R}||_2 
 
  =
  \frac{1}{T-t_0}
  \sqrt{
    \sum_{j=1}^n
    \left( \int_{t_0}^T {{F}}_j(\tau) \, d\tau \right)^2}.
\end{eqnarray*}
\normalsize
Because each mission accomplishment may have a different relative importance, we may account for this by weighting the normal functionalities ${\Fnominal}_j$.  To enforce an overall mission resilience in the range $[0,1]$, we renormalize to obtain normalized resilience $\mathcal{R}$.
\begin{equation*}
  \mathcal{R} = \frac{R}{\left( \sum_{j=1}^n {\Fnominal}_j^2\right)^{1/2} }.
\end{equation*}


\subsection{Gradually changing parameters}\label{sec:sde:gradual}

In a final variation of the SDE model, we allow parameters ${\activity}^{\bonwareSuper}(t)$ and ${\activity}^{\malwareSuper}(t)$ to evolve gradually over time.  A possible application of such a model is the scenario in which malware and bonware actively explore weaknesses and their probability of success may increase over time.  A simulated example of a functionality curve in such a scenario is give in Figure~\ref{fig:psdel} (right).  The functionality shows a period of decrease during the initial period of attack, then a period of high variability as both malware and bonware are active, and a period of recovery after the conclusion of the attack.  
Underlying this pattern is the bonware activity that gradually increases, ${\activity}^{\bonwareSuper}(t) = \Phi(at+b)$, and malware activity that gradually increases until it is turned off at time $\blue{t^{\text{i}}}$, ${\activity}^{\malwareSuper}(t) = \Phi(ct+d)u(\blue{t^{\text{i}}}-t)$, where
\blue{$\Phi(z)=\frac{1}{2}+\frac{1}{2} \erf{(\frac{z}{\sqrt{2}})}$}{} is the cumulative density function of the standard normal distribution. 

\begin{figure*}[ht]
\centering
\ppp{figures/piecewise_stochastic_step_with_interaction-sim-small.pdf}
\qqq{figures/piecewise_stochastic_step_linear_parameters-sim-small.pdf}

    \caption{\textbf{Left:} Simulated data from the SDE model with interaction between bonware and malware.  The angular blue-grey line depicts functionality over mission time.  Changes in functionality occur at random intervals and random step sizes.  The red line and downward pointing marker indicate the period during which malware is active.  This period permits downward steps in functionality.  The green line and upward pointing marker indicate period during which bonware is active.  This period permits upward steps in functionality.  The red marker indicates the onset of a cyber attack and the green marker indicates its conclusion. \textbf{Right:} Simulated data from the SDE model with gradually changing parameters.  Here, the probability that an attack will harm functionality is depicted as a smooth orange curve.  The probability increases over mission time until the attack is repelled.  The smooth purple curve indicates the probability that a bonware attempt to restore functionality is successful. As the smooth curves rise, the rate of steps in the functionality curve increases.  Data were simulated from the equations in Section~\ref{sec:sde:gradual} with $a=0.063$, $b=-6.0$, $c=0.025$, $d=-1.5$.}
    \label{fig:psdel}
\end{figure*}
\section{Stochastic differential equation model}

In this section, we extend the previously defined differential equation (DE) model to a \textit{stochastic} differential equation (SDE) model.  The extension is motivated by the discontinuous nature of the notional data in Figure~\ref{fig:notional}.  Whereas the DE model assumed a smooth functionality curve, our stochastic version allows for a more punctuated attack-and-restoration pattern.

In the SDE model, both malware and bonware may be active at random (or a priori unknown) times with random (or a priori unknown) effectiveness. Let malware activity ${\activity}^{\malwareSuper}(t) \in \{0,1\}$ indicate whether malware was successful at time $t$, bonware activity ${\activity}^{\bonwareSuper}(t) \in \{0,1\}$ indicate whether bonware was successful at time $t$, malware effectiveness ${\effectiveness}^{\malwareSuper}(t) \in [0,1)$ express the proportion of functionality reduced by the malware's success at time $t$, and bonware effectiveness ${\effectiveness}^{\bonwareSuper}(t) \in [0,1)$ express the proportion of damage undone by the bonware's success at time $t$. The SDE analog to Equation~\ref{eq:00} is then
\begin{equation}\label{eq:sde:generic}
  \frac{d {{F}}}{d t} 
  =  \left(\Fnominal-{{F}}(t)\right) {\activity}^{\bonwareSuper}(t) {\effectiveness}^{\bonwareSuper}(t) - {{F}}(t) {\activity}^{\malwareSuper}(t) {\effectiveness}^{\malwareSuper}(t).   
\end{equation}

Rather than changing deterministically over time, these model parameters are assumed to vary stochastically according to these distributions: 
\begin{eqnarray}
  {\activity}^{\malwareSuper}(t)      &\sim& \dbern{\theta^{\malwareSuper}(t)}\label{eq:sde:mwa}, \\
  {\activity}^{\bonwareSuper}(t)      &\sim& \dbern{\theta^{\bonwareSuper}(t)}\label{eq:sde:bwa}, \\
  {\effectiveness}^{\malwareSuper}(t) &\sim& \dunif{0}{{{\gamma}^{\malwareSuper}}(t)}\label{eq:sde:mwe},\\
  {\effectiveness}^{\bonwareSuper}(t) &\sim& \dunif{0}{{{\gamma}^{\bonwareSuper}}(t)}\label{eq:sde:bwe},
\end{eqnarray}
where $\dbern{\theta}$ indicates the Bernoulli distribution with rate $\theta$ and $\dunif{0}{\gamma}$ indicates a uniform distribution with lower bound $0$ and upper bound $\gamma$.  Hence, $\theta^{\malwareSuper}(t) \in {[0,1]}$ is the probability that malware is successful at time $t$, $\theta^{\bonwareSuper}(t) \in {[0,1]}$ is the probability that bonware is successful at time $t$, ${{\gamma}^{\malwareSuper}}(t) \in {(0,1]}$ is the maximum fraction of damage inflicted by malware, and ${{\gamma}^{\bonwareSuper}}(t) \in {(0,1]}$ is the maximum fraction of damage undone by bonware.

Like the ordinary differential equation (ODE) model, the SDE model allows for a number of interesting variants.  In the remainder of this section, we introduce some useful simplifications and extensions.


\subsection{Piecewise constant model}

If either malware's or bonware's impact diminishes at some point in the incident, the model may switch from one set of constants defining malware and bonware to another set of constants.  The differential equation (Eq.~\ref{eq:00}) may now be expressed as
\begin{equation}
  \frac{d{{F}}}{dt} = \sum_{j=0}^{N-1}(\Fnominal-{{F}}(t)) \bonware_j(t) -  {{F}}(t) \malware_j (t),
  \label{eq:000}
\end{equation}
where the vectors $\boldsymbol{\malware} =( {\malware}_0,
{\malware}_1, \cdots {\malware}_{N-1} )$ and $\boldsymbol{\bonware} =(
{\bonware}_0,  {\bonware}_1,\cdots, {\bonware}_{N-1})$ contain the
malware \impact{} and bonware \impact{}s within time windows whose end
points are defined by  $\{t_0, t_1, \cdots, t_N \}$. The solution will
be a function which, in each time interval, is the solution found in
Equation~\ref{eq:3}.  The purple curve in Figure \ref{fig:notional} is
a realization of this model.

\begin{figure}[t]
  \centering
 
  \aaa{curves_rescaled.pdf}
  \caption{The smooth line is an example functionality curve with piecewise constant malware and bonware impacts.  The notional data and piecewise constant model fit are described below in Section \ref{sec:parameters}.}
  \label{fig:notional}
\end{figure}

