Papers
Topics
Authors
Recent
Search
2000 character limit reached

CognitiveAttack: Targeting Perception & AI

Updated 7 July 2026
  • CognitiveAttack is a cluster of security strategies that target human perception, memory, and reasoning through manipulation techniques.
  • It encompasses human-targeted assaults and AI-native attacks that exploit cognitive biases and reasoning overload to alter decisions.
  • Defensive paradigms leverage cognitive metrics and game-theoretic models, underscoring the need for standardized, holistic cyber defenses.

CognitiveAttack denotes a family of cyber and AI security concepts organized around cognition as the primary object of attack, inference, or control. In the most established usage, it refers to operations that manipulate perception, belief, judgment, and action in order to alter human decision-making; adjacent work extends the term to defender models that infer attacker traits from behavior, and to AI-native attacks that target reasoning chains, ranking cognition, or semantic scene interpretation. Formal definitions emphasize manipulation of perceptions and beliefs to affect decisions and actions, while broader cognitive-security formulations place the relevant surface in perception, attention, memory, mental operations, and their coupling to cyber and physical processes (Rushing et al., 5 Mar 2026, Rushing et al., 17 Oct 2025, Huang et al., 2023).

1. Conceptual scope

The literature surveyed here suggests that CognitiveAttack is not yet a single standardized term, but a cluster of closely related research programs. What unifies them is the claim that cyber conflict cannot be analyzed solely at the level of software vulnerabilities, packets, or malware artifacts; cognition itself becomes either the target, the observable latent state, or the vulnerable substrate.

Usage suggested by the literature Primary object Representative papers
Human-targeted cognitive attack Perception, attention, memory, beliefs, decisions, action (Huang et al., 2023, Rodriguez et al., 2020, Rushing et al., 17 Oct 2025, Rushing et al., 5 Mar 2026)
Attacker-cognition inference and exploitation Ambiguity aversion, risk propensity, framing resistance, behavioral signatures (Carney et al., 8 Dec 2025, Kim et al., 23 Oct 2025, Hans et al., 23 Oct 2025, Orun et al., 2023)
AI-internal or platform-level cognition attack Reasoning paths, ranking attention, semantic perception graphs (Upadhayay et al., 2024, Zhao et al., 8 Apr 2025, Zhan et al., 11 Feb 2026, Chen et al., 7 Aug 2025)

Traditional cyber attacks, in this framing, target computational or network resources directly. Cognitive attacks instead target the human cognitive process itself, or exploit cognition-like mechanisms in AI systems. Social engineering is therefore treated as a psychological rather than purely technical vector, because it manipulates internal information processing to produce attacker-aligned behavior (Rodriguez et al., 2020). Cognitive security further distinguishes itself from cognitive reliability: reliability focuses on non-adversarial error, ergonomics, and workload, whereas cognitive security explicitly models adaptive adversaries exploiting cognitive weaknesses (Huang et al., 2023).

In the cognitive-warfare formulation, the evaluative center of gravity is not message reach alone but sustained advantage in decision-making under contest. Cognitive attacks are operations targeting human minds in order to manipulate perceptions and beliefs, whereas cognitive warfare is the broader adaptive contest over perception, interpretation, judgment, and action across time horizons (Rushing et al., 5 Mar 2026).

2. Human cognition as the attack surface

Within cognitive-security research on Human-Cyber-Physical Systems, exploitable vulnerabilities are organized around perception, attention, memory, mental operations and biases, trust calibration and habituation, and fatigue. These vulnerabilities act along a feedforward pipeline—perception, attention, working memory and long-term memory, mental operations, behavior—while feedback loops allow behavior and context to recursively reshape subsequent cognition (Huang et al., 2023).

This framing broadens the attack surface well beyond phishing content. Perception can be manipulated through illusions, priming, spoofed identity cues, or deceptive interface overlays. Attention can be overloaded through feints or Informational Denial-of-Service, producing change blindness, attentional blink, or delayed processing. Memory can be exploited through false recall, omission, suggestive cues, or emotional reinforcement. Mental operations can be biased through anchoring, framing, optimism bias, ingroup bias, reciprocity, authority, social proof, liking, scarcity, and consistency. Trust calibration and habituation reduce vigilance under alert-heavy workflows, while fatigue increases response latency and error probability (Huang et al., 2023).

Empirical work on social engineering connects these mechanisms to observed behavior. Personalization increased responses from 16% to 72% in one university social-phishing setting; a contextualized “benefits/compensation” pretext achieved 15.24% victimization in 22 minutes; a high-quality fraudulent website fooled 90.9% of participants; and users in high-spam environments were 59% less likely to click spam, consistent with learned suspicion under higher perceived prevalence (Rodriguez et al., 2020). The same literature associates higher susceptibility with workload, time pressure, acute stress, low vigilance, low expertise, and strong message appeal, while awareness alone is not consistently protective (Rodriguez et al., 2020).

The HCPS literature also provides an explicit kill-chain view. Cognitive attack progression includes reconnaissance, planning, execution, and exploitation; execution itself includes exploitation of perception, attention, memory, or bias, ongoing monitoring of responses, and reinforcement or propagation once initial influence is achieved. This makes cognitive attack neither a mere synonym for misinformation nor a simple adjunct to social engineering, but a cross-layer process in which manipulated cognition produces cyber or physical effects (Huang et al., 2023).

3. Attacker cognition as an observable latent state

A second major usage treats cognition not as the victim surface but as an attacker-side latent variable that can be inferred from behavior and then exploited by the defender. The most developed example is ambiguity-aversion detection from human red-team experiments. That framework ingests timestamped Operation Notes and Suricata NetFlow logs from GAMBIT experiments on a SimSpace Cyber Force Platform enterprise range, uses an LLM pipeline to convert unstructured records into MITRE ATT&CK-mapped action sequences, and updates a PsychSim defender model of attacker ambiguity aversion in near-real time (Carney et al., 8 Dec 2025).

The ambiguity model uses Subjective Expected Utility as an ambiguity-neutral benchmark and treats deviations under high uncertainty as evidence of ambiguity aversion. Operational cues include novelty of action or target, technique complexity, historical variance in success rates, and hedging behaviors. On 1,583 action observations from 29 participants, ambiguity-aversion probabilities had mean 0.212, standard deviation 0.196, median 0.091, and 237 of 1,583 observations exceeded the paper’s high-confidence threshold of 0.5. Tactic-level averages were highest during Discovery, and a Wilcoxon signed-rank test showed loss-aversion probabilities were higher overall than ambiguity-aversion probabilities (Carney et al., 8 Dec 2025).

Psychometric modeling offers a parallel line of evidence. Using multilevel mixed-effects Poisson regression on 1,964 labeled technique uses from 33 professional red-team participants, one study found significant technique-specific interactions for the Cognitive Reflection Test, the General Risk Propensity Scale, and two Adult Decision-Making Competence resistance-to-framing subscales. Higher CRT scores were associated with lower Reconnaissance, Collection, Credential Access, Initial Access, and Privilege Escalation but higher Lateral Movement; higher GRiPS scores predicted more Initial Access and Collection. Expertise level, treatment condition, and demographics did not significantly predict technique patterns (Kim et al., 23 Oct 2025).

Telemetry-only cognition inference pushes the same idea into operational monitoring. A Suricata-only pipeline segments network events into attacker “actions,” maps those actions through retrieval-augmented LLM prompts to ATT&CK techniques, and then infers traits such as loss aversion, risk tolerance, goal persistence, and ambiguity aversion from tool switching, protocol transitions, and pivot patterns. Performance is strongly visibility-dependent: the reported Suricata-only detection rates were 100% for Collection, 96.8% for Reconnaissance, 90.9% for Execution, 13.6% for Exfiltration, and 0% for Persistence, which reflects the limits of encrypted, network-only observation for host-resident or intent-heavy behaviors (Hans et al., 23 Oct 2025).

A more user-centric variant appears in remote intrusion identification through cognitive-behavioral signals. There, keyboard and mouse events, motion paths, timing, and GUI “cognitive stimuli” are modeled with a Bayesian Network to distinguish legitimate and suspicious behavior. In the reported two-user setting, accuracy was 79% with equal-frequency discretization and 94% with equal-width discretization (Orun et al., 2023). This suggests a broader interpretation of CognitiveAttack in which deviations in cognitive-motor behavior are themselves a security signal.

4. AI-native and immersive manifestations

In AI safety, the term is extended to attacks on cognition-like processes inside models. One prominent line models long-context jailbreaking as cognitive overload: total load is decomposed as

CLtotal=CLintrinsic+CLextraneous+CLgermane,CL_{total} = CL_{intrinsic} + CL_{extraneous} + CL_{germane},

and overload occurs when effective load exceeds capacity. In that setting, overload prompts caused statistically significant task degradation, with a paired tt-test of t=3.1248t = 3.1248, p=0.0048p = 0.0048, and achieved attack success rates up to 99.99% on models including GPT-4, Claude-3.5 Sonnet, Claude-3 OPUS, Llama-3-70B-Instruct, Gemini-1.0-Pro, and Gemini-1.5-Pro (Upadhayay et al., 2024). A related black-box line defines cognitive overload through multilingual prompting, veiled expression, and effect-to-cause reasoning, and reports successful jailbreaking across all studied models while existing defenses remained weak (Xu et al., 2023).

Other work moves from overload to internal reasoning control. ShadowCoT backdoors the chain-of-thought process itself by conditioning on internal reasoning states, selectively rewiring attention pathways, and perturbing intermediate representations. It updates only about 0.15% of model parameters—about 10 million parameters on a 7B model—yet reports Attack Success Rate 94.4% and Hijacking Success Rate 88.4% while preserving about 99.6% of benign accuracy (Zhao et al., 8 Apr 2025). A distinct red-teaming framework also labeled CognitiveAttack uses supervised fine-tuning and PPO to generate prompts embedding synergistic combinations of cognitive biases; across 30 LLMs, its average HarmBench ASR was 60.1%, compared with 31.6% for PAP (Yang et al., 30 Jul 2025).

Sequential recommender systems provide another AI-native usage. There, a black-box attack reconstructs a “cognitive distribution” from rank positions via

v(j)=αj1,α(0,1),v(j) = \alpha^{j-1}, \quad \alpha \in (0,1),

and

pb(ijx)=exp(v(j)/τb)t=1kexp(v(t)/τb).p_b(i_j \mid x) = \frac{\exp(v(j)/\tau_b)}{\sum_{t=1}^{k}\exp(v(t)/\tau_b)}.

The distillation objective combines KL alignment with pairwise ranking losses to transfer richer positional information than hard labels alone. On ML-1M with a BERT4Rec surrogate, the reported metrics were N@10=0.571N@10 = 0.571, R@10=0.782R@10 = 0.782, Agr@1=0.409Agr@1 = 0.409, and Agr@10=0.631Agr@10 = 0.631; on Beauty, cognitive alignment improved tt0 by 23% over DFME for NARM (Zhan et al., 11 Feb 2026).

Immersive systems place human semantic perception directly in the attack loop. AI-powered mixed reality can manipulate object appearance, labels, audio cues, avatars, or synthetic voices so that the user’s perceived scene diverges from reality. The threat model includes deceptive overlays, spatial-audio misdirection, and persona or voice impersonation, all intensified by low-latency, context-aware rendering (Chiou et al., 2024). Detection work in AR addresses four attack classes—text modification, visual modification, removal, and addition—by converting multimodal observations into symbolic perception graphs and applying particle-filter reasoning. On the Extended AR-VIM dataset, CADAR reported 80.1% accuracy, 77.6% F1, and 68.0% attack-localization accuracy, with accuracy improvements up to 10.7% over the next-best model (Chen et al., 7 Aug 2025).

5. Defensive paradigms and quantitative models

Cognitive-security research has produced a substantial formal vocabulary for defense. In HCPS, the classical CIA triad is reformulated around cognition: authenticity of incoming cognitive streams can be captured by

tt1

cognitive integrity by divergence from a baseline decision distribution,

tt2

and cognitive availability by the probability that cognitive load remains under a threshold,

tt3

The same framework models cognitive state dynamics with state-space equations, analyzes attack progression through Markov-chain transitions, and formulates detection with likelihood-ratio tests, while mapping defenses to kill-chain stages through prebunking, workload management, UI/UX design, anomaly detection, filtering, and decision support (Huang et al., 2023).

Online influence operations are quantified differently. One proposal defines weighted interactions

tt4

and engagement effectiveness

tt5

where the reported weights are 0.1 for views, 0.3 for likes, 0.7 for comments, and 1.0 for shares. The scale is then mapped to grade bands from F to A+, with “viral” tiers above 10,000 (Rushing et al., 17 Oct 2025). A separate proactive-defense framework attempts to forecast future disruptive innovations likely to amplify cognitive attacks. Its linear model,

tt6

implies a cadence of roughly one new disruptive innovation every 4.6 years; a complementary attribute score

tt7

uses threshold tt8 to flag likely disruptive innovations for preemptive defensive planning (Rushing et al., 17 Oct 2025).

Defenses can also be cognition-aware in the narrower sense of modeling the adversary’s own decision biases. In ambiguity-aversion detection, high-confidence estimates can trigger dynamic deception, information shaping, or interface frictions, particularly during Discovery when ambiguity signals concentrate (Carney et al., 8 Dec 2025). In strategic cyber deception, a bi-level game-theoretic model defines an tt9-Window of Belief Superiority and a t=3.1248t = 3.12480-Window of Uncertainty Superiority, and reports at least a 40% improvement in total rewards during execution when deception modes are strategically timed (Yang et al., 5 Sep 2025). In networked control systems, bilateral cognitive security games formalize cognitive hierarchy, cognitive resonance, and cognitive mismatch under stealthy false-data injection; in the reported 10-node example, convergence occurred at CH-17 with t=3.1248t = 3.12481, t=3.1248t = 3.12482, and t=3.1248t = 3.12483 (Nguyen et al., 2 May 2025).

At the broadest scale, cognitive-warfare frameworks shift evaluation from exposure and messaging toward OODA-cycle performance. Cognitive superiority is defined as sustained comparative advantage in achieving cognitive objectives faster and more cost-effectively, and the measurable attributes emphasized are decision degradation or protection, adaptation speed, and efficiency under contest across acute and chronic horizons (Rushing et al., 5 Mar 2026).

6. Limitations and research trajectory

The coexistence of human-targeted, attacker-modeling, and AI-internal usages suggests that CognitiveAttack currently functions more as a family resemblance term than as a fully standardized ontology. That definitional spread is analytically productive, but it also makes cross-paper comparison difficult because “cognition” may refer to human bias, attacker strategy, model reasoning, semantic perception, or ranking attention (Rushing et al., 5 Mar 2026).

Methodological limitations are substantial. The ambiguity-aversion framework does not report the identities of the LLMs used for parsing, the prompts, parsing accuracy, latency measurements, or ablations, and its authors explicitly note the need for larger datasets and interactive validation (Carney et al., 8 Dec 2025). The psychometric technique-selection model reports moderate overdispersion at 3.64 and relies on low counts for several rare techniques, while its ATT&CK labels depend on an LLM-based annotation pipeline (Kim et al., 23 Oct 2025). The weighted engagement metric does not include bot filtering, user deduplication, or platform-specific calibration (Rushing et al., 17 Oct 2025). The disruptive-innovation forecasting method is built on only 11 historical innovations and uses investigator-dependent qualitative scoring (Rushing et al., 17 Oct 2025).

Sensing and deployment raise additional constraints. The immersive-environments paper is explicitly a position statement and presents no datasets, user studies, or quantitative evaluation (Chiou et al., 2024). More generally, cognitive-security work identifies privacy-preserving sensing, consent, governance, cross-domain transferability, and standardization of cognitive CIA metrics as unresolved problems (Huang et al., 2023).

A plausible implication is that mature CognitiveAttack research will require common taxonomies, multimodal telemetry fusion, closed-loop experiments that manipulate cognition and directly measure behavioral change, and defenses that remain robust when the relevant surface is not only code or traffic but also perception, reasoning, uncertainty, and trust.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (18)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CognitiveAttack.