16,909 research outputs found

    Reinforcement learning for efficient network penetration testing

    Get PDF
    Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite and resource-consuming despite the use of evolving tools. In this paper, we propose and evaluate an AI-based pentesting system which makes use of machine learning techniques, namely reinforcement learning (RL) to learn and reproduce average and complex pentesting activities. The proposed system is named Intelligent Automated Penetration Testing System (IAPTS) consisting of a module that integrates with industrial PT frameworks to enable them to capture information, learn from experience, and reproduce tests in future similar testing cases. IAPTS aims to save human resources while producing much-enhanced results in terms of time consumption, reliability and frequency of testing. IAPTS takes the approach of modeling PT environments and tasks as a partially observed Markov decision process (POMDP) problem which is solved by POMDP-solver. Although the scope of this paper is limited to network infrastructures PT planning and not the entire practice, the obtained results support the hypothesis that RL can enhance PT beyond the capabilities of any human PT expert in terms of time consumed, covered attacking vectors, accuracy and reliability of the outputs. In addition, this work tackles the complex problem of expertise capturing and re-use by allowing the IAPTS learning module to store and re-use PT policies in the same way that a human PT expert would learn but in a more efficient way

    Improving the Relevance of Cyber Incident Notification for Mission Assurance

    Get PDF
    Military organizations have embedded Information and Communication Technology (ICT) into their core mission processes as a means to increase operational efficiency, improve decision making quality, and shorten the kill chain. This dependence can place the mission at risk when the loss, corruption, or degradation of the confidentiality, integrity, and/or availability of a critical information resource occurs. Since the accuracy, conciseness, and timeliness of the information used in decision making processes dramatically impacts the quality of command decisions, and hence, the operational mission outcome; the recognition, quantification, and documentation of critical mission-information resource dependencies is essential for the organization to gain a true appreciation of its operational risk. This research identifies existing decision support systems and evaluates their capabilities as a means for capturing, maintaining and communicating mission-to-information resource dependency information in a timely and relevant manner to assure mission operations. This thesis answers the following research question: Which decision support technology is the best candidate for use in a cyber incident notification system to overcome limitations identified in the existing United States Air Force cyber incident notification process

    ESASCF: Expertise Extraction, Generalization and Reply Framework for an Optimized Automation of Network Security Compliance

    Full text link
    The Cyber threats exposure has created worldwide pressure on organizations to comply with cyber security standards and policies for protecting their digital assets. Vulnerability assessment (VA) and Penetration Testing (PT) are widely adopted Security Compliance (SC) methods to identify security gaps and anticipate security breaches. In the computer networks context and despite the use of autonomous tools and systems, security compliance remains highly repetitive and resources consuming. In this paper, we proposed a novel method to tackle the ever-growing problem of efficiency and effectiveness in network infrastructures security auditing by formally introducing, designing, and developing an Expert-System Automated Security Compliance Framework (ESASCF) that enables industrial and open-source VA and PT tools and systems to extract, process, store and re-use the expertise in a human-expert way to allow direct application in similar scenarios or during the periodic re-testing. The implemented model was then integrated within the ESASCF and tested on different size networks and proved efficient in terms of time-efficiency and testing effectiveness allowing ESASCF to take over autonomously the SC in Re-testing and offloading Expert by automating repeated segments SC and thus enabling Experts to prioritize important tasks in Ad-Hoc compliance tests. The obtained results validate the performance enhancement notably by cutting the time required for an expert to 50% in the context of typical corporate networks first SC and 20% in re-testing, representing a significant cost-cutting. In addition, the framework allows a long-term impact illustrated in the knowledge extraction, generalization, and re-utilization, which enables better SC confidence independent of the human expert skills, coverage, and wrong decisions resulting in impactful false negatives

    Modeling Cyber Situational Awareness through Data Fusion

    Get PDF
    Cyber attacks are compromising networks faster than administrators can respond. Network defenders are unable to become oriented with these attacks, determine the potential impacts, and assess the damages in a timely manner. Since the observations of network sensors are normally disjointed, analysis of the data is overwhelming and time is not spent efficiently. Automation in defending cyber networks requires a level of reasoning for adequate response. Current automated systems are mostly limited to scripted responses. Better defense tools are required. This research develops a framework that aggregates data from heterogeneous network sensors. The collected data is correlated into a single model that is easily interpreted by decision-making entities. This research proposes and tests an impact rating system that estimates the feasibility of an attack and its potential level of impact against the targeted network host as well the other hosts that reside on the network. The impact assessments would allow decision makers to prioritize attacks in real-time and attempt to mitigate the attacks in order of their estimated impact to the network. The ultimate goal of this system is to provide computer network defense tools the situational awareness required to make the right decisions to mitigate cyber attacks in real-time

    A comparative study on cyber power : the United Kingdom, France, and Germany

    Get PDF
    This thesis aims to shed light on the concept of cyber power. Cyber power is a concept that has gained relevance with geopolitical dynamics reaching cyberspace and the increasing intertwining between the physical and digital. In this regard, this concept has been treated through three theoretical lenses: realism, liberalism, and constructivism. Still, constructivist approaches to the concept are sparse and deserve some attention. Thus, the thesis was based on a constructivist perspective, tackling the following research problem: How do states’ perceptions of cybersecurity shape the form of their power projection? Does that confer a new form of power relations, therefore, cyber power as a phenomenon? To answer these questions, the research was developed to be a qualitative comparative study with a case center design. The selection of cases took a regional focus and encompassed conventional geopolitical European powers: the United Kingdom, France, and Germany. As auxiliary methods, the research used qualitative document analysis, practice tracing, and interviews to ensure robust findings. Specifically, the thesis was divided into seven chapters. The first chapter presents the research design and briefly contextualizes the debate over cyber power. The second chapter recalls what power means, going back to Political Sciences' influences on International Relations and the generational development of cyber power theories and indexes. The third, fourth, and fifth chapters focus on the case studies of the United Kingdom, France, and Germany, highlighting their digital mentalities (i.e., self and threat perceptions). The sixth chapter presents the comparison within the cases, pointing to similarities and differences in the concept of cyber power and how perspectives shaped the countries' international positions. The final chapter concludes the research findings and points out that strategic cybersecurity culture plays a relevant role in countries' cyber power perspectives. Even though cyber power was a term only used explicitly by the United Kingdom, it translated into the term sovereignty for France and Germany. In this regard, the idea of power in cyberspace presented itself as broader than just offensive and defensive capabilities, encompassing governance/diplomatic and economic/domestic affairs aspects. Besides, there is an influencing aspect, exposing that cyber power projection would be visible through diplomacy/cyber diplomacy.Esta tese tem como objetivo lançar luz sobre o conceito de poder cibernĂ©tico. O poder cibernĂ©tico Ă© um conceito que ganhou relevĂąncia com a dinĂąmica geopolĂ­tica que atinge o ciberespaço e o crescente entrelaçamento entre o fĂ­sico e o digital. Nesse sentido, esse conceito foi tratado por meio de trĂȘs lentes teĂłricas: realismo, liberalismo e construtivismo. Ainda assim, as abordagens construtivistas do conceito sĂŁo escassas e merecem alguma atenção. Dessa forma, a tese se baseou em uma perspectiva construtivista, abordando o seguinte problema: Como as percepçÔes dos Estados sobre segurança cibernĂ©tica moldam a forma de sua projeção de poder? Isso confere uma nova forma de relaçÔes de poder, portanto o poder cibernĂ©tico como fenĂŽmeno? Para responder a estas questĂ”es, a pesquisa foi desenvolvida para ser um estudo qualitativo comparativo com um desenho centrado em casos. A seleção dos casos teve um enfoque regional e abrangeu potĂȘncias geopolĂ­ticas europeias convencionais: Reino Unido, França e Alemanha. Como mĂ©todos auxiliares, a pesquisa utilizou anĂĄlise qualitativa de documentos, rastreamento de prĂĄticas e entrevistas para garantir resultados robustos. Especificamente, a tese foi dividida em sete capĂ­tulos. O primeiro capĂ­tulo apresenta o desenho da pesquisa e contextualiza brevemente o debate sobre o poder cibernĂ©tico. O segundo capĂ­tulo relembra o que significa poder, remontando Ă s influĂȘncias das CiĂȘncias PolĂ­ticas nas RelaçÔes Internacionais e ao desenvolvimento geracional de teorias e Ă­ndices de poder cibernĂ©tico. O terceiro, quarto e quinto capĂ­tulos se concentram nos estudos de caso, do Reino Unido, França e Alemanha, destacando suas mentalidades digitais (ou seja, percepçÔes de si mesmo e de ameaças). O sexto capĂ­tulo apresenta a comparação dentro dos casos, apontando semelhanças e diferenças no conceito de poder cibernĂ©tico e como perspectivas moldaram as posiçÔes internacionais dos paĂ­ses. O capĂ­tulo final conclui os achados da pesquisa e aponta que a cultura de segurança estratĂ©gica desempenha um papel relevante nas perspectivas do poder cibernĂ©tico dos paĂ­ses. Embora o poder cibernĂ©tico seja um termo usado apenas explicitamente pelo Reino Unido, ele se traduziu no termo soberania para a França e a Alemanha. Nesse sentido, a ideia de poder no ciberespaço apresentou-se como mais ampla do que apenas capacidades ofensivas e defensivas, englobando aspectos de governança/diplomacia e econĂŽmico/ domĂ©sticos. AlĂ©m disso, hĂĄ um aspecto de influĂȘncia no conceito, expondo que a projeção do poder cibernĂ©tico seria visĂ­vel por meio da diplomacia/ciberdiplomacia

    Defense against Insider Threat: a Framework for Gathering Goal-based Requirements

    Get PDF
    Insider threat is becoming comparable to outsider threat in frequency of security events. This is a worrying situation, since insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. Despite their importance, insider threats are still not properly addressed by organizations. We contribute to reverse this situation by introducing a framework composed of a method for identification and assessment of insider threat risks and of two supporting deliverables for awareness of insider threat. The deliverables are: (i) attack strategies structured in four decomposition trees, and (ii) a matrix which correlates defense strategies, attack strategies and control principles. The method output consists of goal-based requirements for the defense against insiders

    Automating Security Risk and Requirements Management for Cyber-Physical Systems

    Get PDF
    Cyber-physische Systeme ermöglichen zahlreiche moderne AnwendungsfĂ€lle und GeschĂ€ftsmodelle wie vernetzte Fahrzeuge, das intelligente Stromnetz (Smart Grid) oder das industrielle Internet der Dinge. Ihre SchlĂŒsselmerkmale KomplexitĂ€t, HeterogenitĂ€t und Langlebigkeit machen den langfristigen Schutz dieser Systeme zu einer anspruchsvollen, aber unverzichtbaren Aufgabe. In der physischen Welt stellen die Gesetze der Physik einen festen Rahmen fĂŒr Risiken und deren Behandlung dar. Im Cyberspace gibt es dagegen keine vergleichbare Konstante, die der Erosion von Sicherheitsmerkmalen entgegenwirkt. Hierdurch können sich bestehende Sicherheitsrisiken laufend Ă€ndern und neue entstehen. Um SchĂ€den durch böswillige Handlungen zu verhindern, ist es notwendig, hohe und unbekannte Risiken frĂŒhzeitig zu erkennen und ihnen angemessen zu begegnen. Die BerĂŒcksichtigung der zahlreichen dynamischen sicherheitsrelevanten Faktoren erfordert einen neuen Automatisierungsgrad im Management von Sicherheitsrisiken und -anforderungen, der ĂŒber den aktuellen Stand der Wissenschaft und Technik hinausgeht. Nur so kann langfristig ein angemessenes, umfassendes und konsistentes Sicherheitsniveau erreicht werden. Diese Arbeit adressiert den dringenden Bedarf an einer Automatisierungsmethodik bei der Analyse von Sicherheitsrisiken sowie der Erzeugung und dem Management von Sicherheitsanforderungen fĂŒr Cyber-physische Systeme. Das dazu vorgestellte Rahmenwerk umfasst drei Komponenten: (1) eine modelbasierte Methodik zur Ermittlung und Bewertung von Sicherheitsrisiken; (2) Methoden zur Vereinheitlichung, Ableitung und Verwaltung von Sicherheitsanforderungen sowie (3) eine Reihe von Werkzeugen und Verfahren zur Erkennung und Reaktion auf sicherheitsrelevante Situationen. Der Schutzbedarf und die angemessene Stringenz werden durch die Sicherheitsrisikobewertung mit Hilfe von Graphen und einer sicherheitsspezifischen Modellierung ermittelt und bewertet. Basierend auf dem Modell und den bewerteten Risiken werden anschließend fundierte Sicherheitsanforderungen zum Schutz des Gesamtsystems und seiner FunktionalitĂ€t systematisch abgeleitet und in einer einheitlichen, maschinenlesbaren Struktur formuliert. Diese maschinenlesbare Struktur ermöglicht es, Sicherheitsanforderungen automatisiert entlang der Lieferkette zu propagieren. Ebenso ermöglicht sie den effizienten Abgleich der vorhandenen FĂ€higkeiten mit externen Sicherheitsanforderungen aus Vorschriften, Prozessen und von GeschĂ€ftspartnern. Trotz aller getroffenen Maßnahmen verbleibt immer ein gewisses Restrisiko einer Kompromittierung, worauf angemessen reagiert werden muss. Dieses Restrisiko wird durch Werkzeuge und Prozesse adressiert, die sowohl die lokale und als auch die großrĂ€umige Erkennung, Klassifizierung und Korrelation von VorfĂ€llen verbessern. Die Integration der Erkenntnisse aus solchen VorfĂ€llen in das Modell fĂŒhrt hĂ€ufig zu aktualisierten Bewertungen, neuen Anforderungen und verbessert weitere Analysen. Abschließend wird das vorgestellte Rahmenwerk anhand eines aktuellen Anwendungsfalls aus dem Automobilbereich demonstriert.Cyber-Physical Systems enable various modern use cases and business models such as connected vehicles, the Smart (power) Grid, or the Industrial Internet of Things. Their key characteristics, complexity, heterogeneity, and longevity make the long-term protection of these systems a demanding but indispensable task. In the physical world, the laws of physics provide a constant scope for risks and their treatment. In cyberspace, on the other hand, there is no such constant to counteract the erosion of security features. As a result, existing security risks can constantly change and new ones can arise. To prevent damage caused by malicious acts, it is necessary to identify high and unknown risks early and counter them appropriately. Considering the numerous dynamic security-relevant factors requires a new level of automation in the management of security risks and requirements, which goes beyond the current state of the art. Only in this way can an appropriate, comprehensive, and consistent level of security be achieved in the long term. This work addresses the pressing lack of an automation methodology for the security-risk assessment as well as the generation and management of security requirements for Cyber-Physical Systems. The presented framework accordingly comprises three components: (1) a model-based security risk assessment methodology, (2) methods to unify, deduce and manage security requirements, and (3) a set of tools and procedures to detect and respond to security-relevant situations. The need for protection and the appropriate rigor are determined and evaluated by the security risk assessment using graphs and a security-specific modeling. Based on the model and the assessed risks, well-founded security requirements for protecting the overall system and its functionality are systematically derived and formulated in a uniform, machine-readable structure. This machine-readable structure makes it possible to propagate security requirements automatically along the supply chain. Furthermore, they enable the efficient reconciliation of present capabilities with external security requirements from regulations, processes, and business partners. Despite all measures taken, there is always a slight risk of compromise, which requires an appropriate response. This residual risk is addressed by tools and processes that improve the local and large-scale detection, classification, and correlation of incidents. Integrating the findings from such incidents into the model often leads to updated assessments, new requirements, and improves further analyses. Finally, the presented framework is demonstrated by a recent application example from the automotive domain
    • 

    corecore