A fictitious play‐based response strategy for multistage intrusion defense systems

The recent developments of advanced intrusion detection systems in the cyber security field provide opportunities to proactively protect the computer network systems and minimize the impacts of attackers on network operations. This paper is intended to assist the network defender find its best actions to defend against multistage attacks. The possible sequences of interactions between the attackers and the network defender are modeled as a two‐player non‐zero‐sum non‐cooperative dynamic multistage game with incomplete information. The players are assumed to be rational. They take turns in making decisions by considering previous and possible future interactions with the opponent and use Bayesian analysis after each interaction to update their knowledge about the opponents. We propose a Dynamic game tree‐based Fictitious Play (DFP) approach to describe the repeated interactive decisions of the players. Each player finds its best moves at its decision nodes of the game tree by using multi‐objective analysis. All possibilities are considered with their uncertain future interactions, which are based on learning of the opponent's decision process (including risk attitude and objectives). Instead of searching the entire game tree, appropriate future time horizons are dynamically determined for both players. In the DFP approach, the defender keeps tracking the opponent's actions, predicts the probabilities of future possible attacks, and then chooses its best moves. Thus, a new defense algorithm, called Response by DFP (RDFP), is developed. Numerical experiments show that this approach significantly reduces the damage caused by multistage attacks and it is also more efficient than other related algorithms. Copyright © 2013 John Wiley & Sons, Ltd. In the cybersecurity field, the possible sequences of interactions between the attackers and the network defender are modeled as a two‐player non‐zero‐sum non‐cooperative dynamic multi‐stage game with incomplete information. Based on the recent developments of advanced intrusion detection systems, a new defense algorithm, called Response by Dynamic game tree‐based Fictitious Play (RDFP), is developed for the defender to consider previous and possible future interactions with the attackers, update his/her knowledge about the opponents, and find the best defending strategies quickly.Peer Reviewedhttp://deepblue.lib.umich.edu/bitstream/2027.42/106062/1/sec730.pd

Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study

Sharing Threat Intelligence is now one of the biggest trends in cyber security industry. Today, no one can deny the necessity for information sharing to fight the cyber battle. The massive production of raw and redundant data coupled with the increasingly innovative attack vectors of the perpetrators demands an ecosystem to scrutinize the information, detect and react to take a defensive stance. Having enough sources for threat intelligence or having too many security tools are the least of our problems. The main challenge lies in threat knowledge management, interoperability between different security tools and then converting these filtered data into actionable items across multiple devices. Large datasets may help filtering the massive information gathering, open standards may somewhat facilitate the interoperability issues, and machine learning may partly aid the learning of malicious traits and features of attack, but how do we coordinate the actionable responses across devices, networks, and other ecosystems to be proactive rather than reactive? This paper presents a study of current threat intelligence landscape (Tactic), information sources, basic Indicators of Compromise (IOCs) (Technique) and STIX and TAXII standard as open source frameworks (Procedure) to augment Cyber Threat Intelligence (CTI) sharing

Modeling Cyber Situational Awareness through Data Fusion

Cyber attacks are compromising networks faster than administrators can respond. Network defenders are unable to become oriented with these attacks, determine the potential impacts, and assess the damages in a timely manner. Since the observations of network sensors are normally disjointed, analysis of the data is overwhelming and time is not spent efficiently. Automation in defending cyber networks requires a level of reasoning for adequate response. Current automated systems are mostly limited to scripted responses. Better defense tools are required. This research develops a framework that aggregates data from heterogeneous network sensors. The collected data is correlated into a single model that is easily interpreted by decision-making entities. This research proposes and tests an impact rating system that estimates the feasibility of an attack and its potential level of impact against the targeted network host as well the other hosts that reside on the network. The impact assessments would allow decision makers to prioritize attacks in real-time and attempt to mitigate the attacks in order of their estimated impact to the network. The ultimate goal of this system is to provide computer network defense tools the situational awareness required to make the right decisions to mitigate cyber attacks in real-time

Improving intrusion detection systems using data mining techniques

Recent surveys and studies have shown that cyber-attacks have caused a lot of damage to organisations, governments, and individuals around the world. Although developments are constantly occurring in the computer security field, cyber-attacks still cause damage as they are developed and evolved by hackers. This research looked at some industrial challenges in the intrusion detection area. The research identified two main challenges; the first one is that signature-based intrusion detection systems such as SNORT lack the capability of detecting attacks with new signatures without human intervention. The other challenge is related to multi-stage attack detection, it has been found that signature-based is not efficient in this area. The novelty in this research is presented through developing methodologies tackling the mentioned challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on decision tree, while the second layer is a hybrid module that uses two data mining techniques; neural network, and fuzzy logic. The second layer will try to detect new attacks in case the first one fails to detect. This system detects attacks with new signatures, and then updates the SNORT signature holder automatically, without any human intervention. The obtained results have shown that a high detection rate has been obtained with attacks having new signatures. However, it has been found that the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of participants in the traffic, rather than the sequence and contents of the traffic. The results have shown that this approach can help in predicting attacks at very early stages in some scenarios. However, it has been found that combining this approach with a different approach that looks at the sequence and contents of the traffic, such as event- correlation, will achieve a better performance than each approach individually

YOU ARE THE WEAKEST LINK: ADDRESSING CYBER SECURITY CONCERNS WITHIN THE FIRE DEPARTMENT OF NEW YORK

The evolving cyber threat landscape consistently challenges organizational cybersecurity defenses. Cyberattacks, which were once rare, have become alarmingly frequent. In response, organizations have traditionally focused on technological solutions; however, human error remains a leading cause of network data breaches. The lack of effective security measures aimed at mitigating human error leaves organizations, such as the Fire Department of New York (FDNY), vulnerable to cyber intrusions. The FDNY’s dependence on digital networks for day-to-day operations underscores the need for security measures that address both technological and human vulnerabilities. This research combines descriptive, evaluative, and prescriptive methods, including a red-team exercise simulating a social engineering attack, to assess how the current cyber threat environment affects the FDNY. The study uncovers significant vulnerabilities, particularly among frontline personnel, who are often overlooked in traditional cybersecurity practices. Based on the findings, the research proposes strategic recommendations to strengthen the FDNY’s cyber defenses. The study promotes a comprehensive “all-hands-on-deck” approach that highlights the importance of making cybersecurity a shared responsibility, encompassing everyone from frontline personnel to senior leadership. This approach offers insights and methods applicable to other organizations seeking to strengthen their cybersecurity posture.Distribution Statement A. Approved for public release: Distribution is unlimited.Civilian, Fire Department of New Yor

Game theory with learning for cyber security monitoring

Carefully crafted computer worms such as Stuxnet and recent data breaches on retail organizations (e.g., Target, Home Depot) are very sophisticated security attacks on critical cyber infrastructures. Such attacks are referred to as advanced persistent threat (APT), and are on constant rise with severe implications. In all these attacks, the presence of an attacker itself is difficult to detect as they log-in as legitimate users. Hence, these attacks comprising multiple actions are challenging to differentiate from benign and therefore common detection techniques have to deal with high false positive rates. While machine learning and game theoretic models have been applied for intrusion detection, machine learning techniques lack the ability to model the rationality of the players, while the game theoretic approaches rely on the strict assumption of full rationality and complete information. This thesis discusses an approach that proposes Q-Learning to model the decision process of a security administrator which addresses the joint limitations of using game theory and machine learning techniques for this problem. This work compares variations of Q-Learning with a traditional stochastic game model by performing a simulation under different pair of profiles for attackers and defenders using parameters derived from real incident data of a large computer organization. Analysis on the strengths and weaknesses of the algorithms, and how the parameters in the algorithms affect the performance are studied. Simulation results show that Naive Q-Learning, despite the restricted information on the opponent, better reduces the impact of an attacker compared to Minmax Q-Learning against all attackers, or Stochastic Games players against less rational opponents

Information Security Risk Assessment Methods in Cloud Computing: Comprehensive Review

Cloud computing faces more security threats, requiring better security measures. This paper examines the various classification and categorization schemes for cloud computing security issues, including the widely known CIA trinity (confidentiality, integrity, and availability), by considering critical aspects of the cloud, such as service models, deployment models, and involved parties. A comprehensive comparison of cloud security classifications constructs an exhaustive taxonomy. ISO27005, NIST SP 800–30, CRAMM, CORAS, OCTAVE Allegro, and COBIT 5 are rigorously compared based on their applicability, adaptability, and suitability within a cloud-based hosting methodology. The findings of this research recommend OCTAVE Allegro as the preferred cloud hosting paradigm. With many security models available in management studies, it is imperative to identify those suitable for the rapidly expanding and dynamically evolving cloud environment. This study underscores the significant methods for securing data on cloud-hosting platforms, thereby contributing to establishing a robust cloud security taxonomy and hosting methodology

Information Security Risk Assessment Methods in Cloud Computing: Comprehensive Review

Cloud computing faces more security threats, requiring better security measures. This paper examines the various classification and categorization schemes for cloud computing security issues, including the widely known CIA trinity (confidentiality, integrity, and availability), by considering critical aspects of the cloud, such as service models, deployment models, and involved parties. A comprehensive comparison of cloud security classifications constructs an exhaustive taxonomy. ISO27005, NIST SP 800–30, CRAMM, CORAS, OCTAVE Allegro, and COBIT 5 are rigorously compared based on their applicability, adaptability, and suitability within a cloud-based hosting methodology. The findings of this research recommend OCTAVE Allegro as the preferred cloud hosting paradigm. With many security models available in management studies, it is imperative to identify those suitable for the rapidly expanding and dynamically evolving cloud environment. This study underscores the significant methods for securing data on cloud-hosting platforms, thereby contributing to establishing a robust cloud security taxonomy and hosting methodology

How Physicality Enables Trust: A New Era of Trust-Centered Cyberphysical Systems

Multi-agent cyberphysical systems enable new capabilities in efficiency, resilience, and security. The unique characteristics of these systems prompt a reevaluation of their security concepts, including their vulnerabilities, and mechanisms to mitigate these vulnerabilities. This survey paper examines how advancement in wireless networking, coupled with the sensing and computing in cyberphysical systems, can foster novel security capabilities. This study delves into three main themes related to securing multi-agent cyberphysical systems. First, we discuss the threats that are particularly relevant to multi-agent cyberphysical systems given the potential lack of trust between agents. Second, we present prospects for sensing, contextual awareness, and authentication, enabling the inference and measurement of ``inter-agent trust" for these systems. Third, we elaborate on the application of quantifiable trust notions to enable ``resilient coordination," where ``resilient" signifies sustained functionality amid attacks on multiagent cyberphysical systems. We refer to the capability of cyberphysical systems to self-organize, and coordinate to achieve a task as autonomy. This survey unveils the cyberphysical character of future interconnected systems as a pivotal catalyst for realizing robust, trust-centered autonomy in tomorrow's world