1,142 research outputs found
Malware in the Future? Forecasting of Analyst Detection of Cyber Events
There have been extensive efforts in government, academia, and industry to
anticipate, forecast, and mitigate cyber attacks. A common approach is
time-series forecasting of cyber attacks based on data from network telescopes,
honeypots, and automated intrusion detection/prevention systems. This research
has uncovered key insights such as systematicity in cyber attacks. Here, we
propose an alternate perspective of this problem by performing forecasting of
attacks that are analyst-detected and -verified occurrences of malware. We call
these instances of malware cyber event data. Specifically, our dataset was
analyst-detected incidents from a large operational Computer Security Service
Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on
automated systems. Our data set consists of weekly counts of cyber events over
approximately seven years. Since all cyber events were validated by analysts,
our dataset is unlikely to have false positives which are often endemic in
other sources of data. Further, the higher-quality data could be used for a
number for resource allocation, estimation of security resources, and the
development of effective risk-management strategies. We used a Bayesian State
Space Model for forecasting and found that events one week ahead could be
predicted. To quantify bursts, we used a Markov model. Our findings of
systematicity in analyst-detected cyber attacks are consistent with previous
work using other sources. The advanced information provided by a forecast may
help with threat awareness by providing a probable value and range for future
cyber events one week ahead. Other potential applications for cyber event
forecasting include proactive allocation of resources and capabilities for
cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs.
Enhanced threat awareness may improve cybersecurity.Comment: Revised version resubmitted to journa
Applications of Machine Learning to Threat Intelligence, Intrusion Detection and Malware
Artificial Intelligence (AI) and Machine Learning (ML) are emerging technologies with applications to many fields. This paper is a survey of use cases of ML for threat intelligence, intrusion detection, and malware analysis and detection. Threat intelligence, especially attack attribution, can benefit from the use of ML classification. False positives from rule-based intrusion detection systems can be reduced with the use of ML models. Malware analysis and classification can be made easier by developing ML frameworks to distill similarities between the malicious programs. Adversarial machine learning will also be discussed, because while ML can be used to solve problems or reduce analyst workload, it also introduces new attack surfaces
Survey of Attack Projection, Prediction, and Forecasting in Cyber Security
This paper provides a survey of prediction, and forecasting methods used in cyber security. Four main tasks are discussed first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker, intrusion prediction, in which there is a need to predict upcoming cyber attacks, and network security situation forecasting, in which we project cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, that have gained a lot of attention recently and appears promising for such a constantly changing environment, which is cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation
Cyber Situation Awareness with Active Learning for Intrusion Detection
Intrusion detection has focused primarily on detecting cyberattacks at the
event-level. Since there is such a large volume of network data and attacks are
minimal, machine learning approaches have focused on improving accuracy and
reducing false positives, but this has frequently resulted in overfitting. In
addition, the volume of intrusion detection alerts is large and creates fatigue
in the human analyst who must review them. This research addresses the problems
associated with event-level intrusion detection and the large volumes of
intrusion alerts by applying active learning and cyber situation awareness.
This paper includes the results of two experiments using the UNSW-NB15 dataset.
The first experiment evaluated sampling approaches for querying the oracle, as
part of active learning. It then trained a Random Forest classifier using the
samples and evaluated its results. The second experiment applied cyber
situation awareness by aggregating the detection results of the first
experiment and calculating the probability that a computer system was part of a
cyberattack. This research showed that moving the perspective of event-level
alerts to the probability that a computer system was part of an attack improved
the accuracy of detection and reduced the volume of alerts that a human analyst
would need to review.Comment: McElwee, S. & Cannady, J. (2019). Cyber situation awareness with
active learning for intrusion detection. SoutheastCon 2019. IEEE. Pre-prin
- …