Sensor Configuration Oriented to Attack Plans (SCOAP) is a novel system for supporting focused intrusion detection by deploying, generating, and placing sensors to detect the most likely or most damaging cyber attacks. The motivation is to improve network situation awareness by providing information on enterprise-level attacks, rather than sensor-level alarms.
Using techniques adapted from AI planning (demonstrated on Adventium's earlier ARDA-funded Insider Threat program) and discrete variable optimization, the system employs models of an adversary’s objectives, resources, and capabilities. From these models it derives a controlling function that actively determines how best to configure, deploy, and combine the output of existing sensor and detection technologies into a broader attack recognition and diagnosis system for complex, large-scale computer networks. SCOAP can be used as a stand-alone system or integrated with adaptive defense mechanisms in a more comprehensive computer network defense (CND) system. SCOAP is funded by AFRL under the Closing the Loop on Network Centric Defense project.
