Attack graph approach to dynamic network vulnerability analysis and countermeasures

A thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements for the degree of Doctor of PhilosophyIt is widely accepted that modern computer networks (often presented as a heterogeneous collection of functioning organisations, applications, software, and hardware) contain vulnerabilities. This research proposes a new methodology to compute a dynamic severity cost for each state. Here a state refers to the behaviour of a system during an attack; an example of a state is where an attacker could influence the information on an application to alter the credentials. This is performed by utilising a modified variant of the Common Vulnerability Scoring System (CVSS), referred to as a Dynamic Vulnerability Scoring System (DVSS). This calculates scores of intrinsic, time-based, and ecological metrics by combining related sub-scores and modelling the problem’s parameters into a mathematical framework to develop a unique severity cost. The individual static nature of CVSS affects the scoring value, so the author has adapted a novel model to produce a DVSS metric that is more precise and efficient. In this approach, different parameters are used to compute the final scores determined from a number of parameters including network architecture, device setting, and the impact of vulnerability interactions. An attack graph (AG) is a security model representing the chains of vulnerability exploits in a network. A number of researchers have acknowledged the attack graph visual complexity and a lack of in-depth understanding. Current attack graph tools are constrained to only limited attributes or even rely on hand-generated input. The automatic formation of vulnerability information has been troublesome and vulnerability descriptions are frequently created by hand, or based on limited data. The network architectures and configurations along with the interactions between the individual vulnerabilities are considered in the method of computing the Cost using the DVSS and a dynamic cost-centric framework. A new methodology was built up to present an attack graph with a dynamic cost metric based on DVSS and also a novel methodology to estimate and represent the cost-centric approach for each host’ states was followed out. A framework is carried out on a test network, using the Nessus scanner to detect known vulnerabilities, implement these results and to build and represent the dynamic cost centric attack graph using ranking algorithms (in a standardised fashion to Mehta et al. 2006 and Kijsanayothin, 2010). However, instead of using vulnerabilities for each host, a CostRank Markov Model has developed utilising a novel cost-centric approach, thereby reducing the complexity in the attack graph and reducing the problem of visibility. An analogous parallel algorithm is developed to implement CostRank. The reason for developing a parallel CostRank Algorithm is to expedite the states ranking calculations for the increasing number of hosts and/or vulnerabilities. In the same way, the author intends to secure large scale networks that require fast and reliable computing to calculate the ranking of enormous graphs with thousands of vertices (states) and millions of arcs (representing an action to move from one state to another). In this proposed approach, the focus on a parallel CostRank computational architecture to appraise the enhancement in CostRank calculations and scalability of of the algorithm. In particular, a partitioning of input data, graph files and ranking vectors with a load balancing technique can enhance the performance and scalability of CostRank computations in parallel. A practical model of analogous CostRank parallel calculation is undertaken, resulting in a substantial decrease in calculations communication levels and in iteration time. The results are presented in an analytical approach in terms of scalability, efficiency, memory usage, speed up and input/output rates. Finally, a countermeasures model is developed to protect against network attacks by using a Dynamic Countermeasures Attack Tree (DCAT). The following scheme is used to build DCAT tree (i) using scalable parallel CostRank Algorithm to determine the critical asset, that system administrators need to protect; (ii) Track the Nessus scanner to determine the vulnerabilities associated with the asset using the dynamic cost centric framework and DVSS; (iii) Check out all published mitigations for all vulnerabilities. (iv) Assess how well the security solution mitigates those risks; (v) Assess DCAT algorithm in terms of effective security cost, probability and cost/benefit analysis to reduce the total impact of a specific vulnerability

Improving resilience to cyber-attacks by analysing system output impacts and costs

Cyber-attacks cost businesses millions of dollars every year, a key component of which is the cost of business disruption from system downtime. As cyber-attacks cannot all be prevented, there is a need to consider the cyber resilience of systems, i.e. the ability to withstand cyber-attacks and recover from them. Previous works discussing system cyber resilience typically either offer generic high-level guidance on best practices, provide limited attack modelling, or apply to systems with special characteristics. There is a lack of an approach to system cyber resilience evaluation that is generally applicable yet provides a detailed consideration for the system-level impacts of cyber-attacks and defences. We propose a methodology for evaluating the effectiveness of actions intended to improve resilience to cyber-attacks, considering their impacts on system output performance, and monetary costs. It is intended for analysing attacks that can disrupt the system function, and involves modelling attack progression, system output production, response to attacks, and costs from cyber-attacks and defensive actions. Studies of three use cases demonstrate the implementation and usefulness of our methodology. First, in our redundancy planning study, we considered the effect of redundancy additions on mitigating the impacts of cyber-attacks on system output performance. We found that redundancy with diversity can be effective in increasing resilience, although the reduction in attack-related costs must be balanced against added maintenance costs. Second, our work on attack countermeasure selection shows that by considering system output impacts across the duration of an attack, one can find more cost-effective attack responses than without such considerations. Third, we propose an approach to mission viability analysis for multi-UAV deployments facing cyber-attacks, which can aid resource planning and determining if the mission can conclude successfully despite an attack. We provide different implementations of our model components, based on use case requirements.Open Acces

Counter Unmanned Aircraft Systems Technologies and Operations

As the quarter-century mark in the 21st Century nears, new aviation-related equipment has come to the forefront, both to help us and to haunt us. (Coutu, 2020) This is particularly the case with unmanned aerial vehicles (UAVs). These vehicles have grown in popularity and accessible to everyone. Of different shapes and sizes, they are widely available for purchase at relatively low prices. They have moved from the backyard recreation status to important tools for the military, intelligence agencies, and corporate organizations. New practical applications such as military equipment and weaponry are announced on a regular basis – globally. (Coutu, 2020) Every country seems to be announcing steps forward in this bludgeoning field. In our successful 2nd edition of Unmanned Aircraft Systems in the Cyber Domain: Protecting USA’s Advanced Air Assets (Nichols, et al., 2019), the authors addressed three factors influencing UAS phenomena. First, unmanned aircraft technology has seen an economic explosion in production, sales, testing, specialized designs, and friendly / hostile usages of deployed UAS / UAVs / Drones. There is a huge global growing market and entrepreneurs know it. Second, hostile use of UAS is on the forefront of DoD defense and offensive planners. They are especially concerned with SWARM behavior. Movies like “Angel has Fallen,” where drones in a SWARM use facial recognition technology to kill USSS agents protecting POTUS, have built the lore of UAS and brought the problem forefront to DHS. Third, UAS technology was exploding. UAS and Counter- UAS developments in navigation, weapons, surveillance, data transfer, fuel cells, stealth, weight distribution, tactics, GPS / GNSS elements, SCADA protections, privacy invasions, terrorist uses, specialized software, and security protocols has exploded. (Nichols, et al., 2019) Our team has followed / tracked joint ventures between military and corporate entities and specialized labs to build UAS countermeasures. As authors, we felt compelled to address at least the edge of some of the new C-UAS developments. It was clear that we would be lucky if we could cover a few of – the more interesting and priority technology updates – all in the UNCLASSIFIED and OPEN sphere. Counter Unmanned Aircraft Systems: Technologies and Operations is the companion textbook to our 2nd edition. The civilian market is interesting and entrepreneurial, but the military and intelligence markets are of concern because the US does NOT lead the pack in C-UAS technologies. China does. China continues to execute its UAS proliferation along the New Silk Road Sea / Land routes (NSRL). It has maintained a 7% growth in military spending each year to support its buildup. (Nichols, et al., 2019) [Chapter 21]. They continue to innovate and have recently improved a solution for UAS flight endurance issues with the development of advanced hydrogen fuel cell. (Nichols, et al., 2019) Reed and Trubetskoy presented a terrifying map of countries in the Middle East with armed drones and their manufacturing origin. Guess who? China. (A.B. Tabriski & Justin, 2018, December) Our C-UAS textbook has as its primary mission to educate and train resources who will enter the UAS / C-UAS field and trust it will act as a call to arms for military and DHS planners.https://newprairiepress.org/ebooks/1031/thumbnail.jp

A GENERAL FRAMEWORK FOR CHARACTERIZING AND EVALUATING ATTACKER MODELS FOR CPS SECURITY ASSESSMENT

Characterizing the attacker’s perspective is essential to assessing the security posture and resilience of cyber-physical systems. The attacker’s perspective is most often achieved by cyber-security experts (e.g., red teams) who critically challenge and analyze the system from an adversarial stance. Unfortunately, the knowledge and experience of cyber-security experts can be inconsistent leading to situations where there are gaps in the security assessment of a given system. Structured security review processes (such as TAM, Mission Aware, STPA-SEC, and STPA-SafeSec) attempt to standardize the review processes to impart consistency across an organization or application domain. However, with most security review processes, the attackers’ perspectives are ad hoc and often lack structure. Attacker modeling is a potential solution but there is a lack of uniformity in published literature and a lack of structured methods to integrate the attacker perspective into established security review processes. This dissertation proposes a generalized framework for characterizing and evaluating attacker models for CPS security assessment. We developed this framework from a structured literature survey on attacker model characteristics which we used to create an ontology of attacker models from a context of security assessment. This generalized framework facilitates the characterization and functional representation of attacker models, leveraged in a novel scalable integration workflow. This workflow leverages an intermediate functional representation module to integrate attacker models into a security review process. In conclusion, we demonstrate the efficacy of our attacker modeling framework through a use case in which we integrate an attacker model into an established security review process

Fair, Equitable, and Just: A Socio-technical Approach to Online Safety

Socio-technical systems have been revolutionary in reshaping how people maintain relationships, learn about new opportunities, engage in meaningful discourse, and even express grief and frustrations. At the same time, these systems have been central in the proliferation of harmful behaviors online as internet users are confronted with serious and pervasive threats at alarming rates. Although researchers and companies have attempted to develop tools to mitigate threats, the perception of dominant (often Western) frameworks as the standard for the implementation of safety mechanisms fails to account for imbalances, inequalities, and injustices in non-Western civilizations like the Caribbean. Therefore, in this dissertation I adopt a holistic approach to online safety that acknowledges the complexities of harms for understudied populations specifically focusing on the Caribbean. In this dissertation, I conduct three studies that take steps towards (1) filling in the gap of missing empirical understanding around users’ perceptions of safety threats and how that is associated with their intentions to engage with supportive countermeasures, (2) understanding the gaps in current approaches to justice, and (3) developing an understanding towards the development of equitable and inclusive countermeasures. In the first study, I conduct a region-wide survey which reveals Caribbean citizens experience high rates of exposure to online threats. Moreover, I show that by conceptually defining protective behaviors based on the threats that they address, it exposes how the perceptions of threats influences the adoption of online safety countermeasures while uncovering distinctions in perceptions depending on the type of harm. The second study utilizes a multi-disciplinary approach to understand the state of legislative protections. Through a reflective legislative and media analysis, the study uncovered major discrepancies in the region’s approach towards justice in online spaces. Lastly, the final study incorporates the findings of these works by conducting an online experiment to test the design of justice-oriented safety countermeasures. The results provide support for the development of countermeasures that people perceive to be fair, equitable, and just

Cyber-security Risk Assessment

Cyber-security domain is inherently dynamic. Not only does system configuration changes frequently (with new releases and patches), but also new attacks and vulnerabilities are regularly discovered. The threat in cyber-security is human, and hence intelligent in nature. The attacker adapts to the situation, target environment, and countermeasures. Attack actions are also driven by attacker's exploratory nature, thought process, motivation, strategy, and preferences. Current security risk assessment is driven by cyber-security expert's theories about this attacker behavior. The goal of this dissertation is to automatically generate the cyber-security risk scenarios by: * Capturing diverse and dispersed cyber-security knowledge * Assuming that there are unknowns in the cyber-security domain, and new knowledge is available frequently * Emulating the attacker's exploratory nature, thought process, motivation, strategy, preferences and his/her interaction with the target environment * Using the cyber-security expert's theories about attacker behavior The proposed framework is designed by using the unique cyber-security domain requirements identified in this dissertation and by overcoming the limitations of current risk scenario generation frameworks. The proposed framework automates the risk scenario generation by using the knowledge as it becomes available (or changes). It supports observing, encoding, validating, and calibrating cyber-security expert's theories. It can also be used for assisting the red-teaming process. The proposed framework generates ranked attack trees and encodes the attacker behavior theories. These can be used for prioritizing vulnerability remediation. The proposed framework is currently being extended for developing an automated threat response framework that can be used to analyze and recommend countermeasures. This framework contains behavior driven countermeasures that uses the attacker behavior theories to lead the attacker away from the system to be protected

A review of cyber-ranges and test-beds:current and future trends

Cyber situational awareness has been proven to be of value in forming a comprehensive understanding of threats and vulnerabilities within organisations, as the degree of exposure is governed by the prevailing levels of cyber-hygiene and established processes. A more accurate assessment of the security provision informs on the most vulnerable environments that necessitate more diligent management. The rapid proliferation in the automation of cyber-attacks is reducing the gap between information and operational technologies and the need to review the current levels of robustness against new sophisticated cyber-attacks, trends, technologies and mitigation countermeasures has become pressing. A deeper characterisation is also the basis with which to predict future vulnerabilities in turn guiding the most appropriate deployment technologies. Thus, refreshing established practices and the scope of the training to support the decision making of users and operators. The foundation of the training provision is the use of Cyber-Ranges (CRs) and Test-Beds (TBs), platforms/tools that help inculcate a deeper understanding of the evolution of an attack and the methodology to deploy the most impactful countermeasures to arrest breaches. In this paper, an evaluation of documented CR and TB platforms is evaluated. CRs and TBs are segmented by type, technology, threat scenarios, applications and the scope of attainable training. To enrich the analysis of documented CR and TB research and cap the study, a taxonomy is developed to provide a broader comprehension of the future of CRs and TBs. The taxonomy elaborates on the CRs/TBs dimensions, as well as, highlighting a diminishing differentiation between application areas

Evaluating Resilience of Cyber-Physical-Social Systems

Nowadays, protecting the network is not the only security concern. Still, in cyber security, websites and servers are becoming more popular as targets due to the ease with which they can be accessed when compared to communication networks. Another threat in cyber physical social systems with human interactions is that they can be attacked and manipulated not only by technical hacking through networks, but also by manipulating people and stealing users’ credentials. Therefore, systems should be evaluated beyond cy- ber security, which means measuring their resilience as a piece of evidence that a system works properly under cyber-attacks or incidents. In that way, cyber resilience is increas- ingly discussed and described as the capacity of a system to maintain state awareness for detecting cyber-attacks. All the tasks for making a system resilient should proactively maintain a safe level of operational normalcy through rapid system reconfiguration to detect attacks that would impact system performance. In this work, we broadly studied a new paradigm of cyber physical social systems and defined a uniform definition of it. To overcome the complexity of evaluating cyber resilience, especially in these inhomo- geneous systems, we proposed a framework including applying Attack Tree refinements and Hierarchical Timed Coloured Petri Nets to model intruder and defender behaviors and evaluate the impact of each action on the behavior and performance of the system.Hoje em dia, proteger a rede não é a única preocupação de segurança. Ainda assim, na segurança cibernética, sites e servidores estão se tornando mais populares como alvos devido à facilidade com que podem ser acessados quando comparados às redes de comu- nicação. Outra ameaça em sistemas sociais ciberfisicos com interações humanas é que eles podem ser atacados e manipulados não apenas por hackers técnicos através de redes, mas também pela manipulação de pessoas e roubo de credenciais de utilizadores. Portanto, os sistemas devem ser avaliados para além da segurança cibernética, o que significa medir sua resiliência como uma evidência de que um sistema funciona adequadamente sob ataques ou incidentes cibernéticos. Dessa forma, a resiliência cibernética é cada vez mais discutida e descrita como a capacidade de um sistema manter a consciência do estado para detectar ataques cibernéticos. Todas as tarefas para tornar um sistema resiliente devem manter proativamente um nível seguro de normalidade operacional por meio da reconfi- guração rápida do sistema para detectar ataques que afetariam o desempenho do sistema. Neste trabalho, um novo paradigma de sistemas sociais ciberfisicos é amplamente estu- dado e uma definição uniforme é proposta. Para superar a complexidade de avaliar a resiliência cibernética, especialmente nesses sistemas não homogéneos, é proposta uma estrutura que inclui a aplicação de refinamentos de Árvores de Ataque e Redes de Petri Coloridas Temporizadas Hierárquicas para modelar comportamentos de invasores e de- fensores e avaliar o impacto de cada ação no comportamento e desempenho do sistema

Improving Phishing Website Detection with Machine Learning: Revealing Hidden Patterns for Better Accuracy

Phishing attacks remain a significant threat to internet users globally, leading to substantial financial losses and compromising personal information. This research study investigates various machine learning models for detecting phishing websites, with a primary focus on achieving high accuracy. After an extensive analysis, the Random Forest Classifier emerged as the most suitable choice for this task. Our methodology leveraged machine learning techniques to uncover subtle patterns and relationships in the data, going beyond traditional URL and content-based restrictions. By incorporating diverse website features, including URL and derived attributes, Page source code-based features, HTML JavaScript-based features, and Domain-based features, we achieved impressive results. The proposed approach effectively classified the majority of websites, demonstrating the efficiency of machine learning in addressing the phishing website detection challenge with an accuracy of over 98%, recall exceeding 98%, and a false positive rate of less than 4%. This research offers valuable insights to the field of cyber security, providing internet users with improved protection against phishing attempts