43 research outputs found

    Pro-active visualization of cyber security on a National Level : a South African case study

    The need for increased national cyber security situational awareness is evident from the growing number of published national cyber security strategies. Governments are progressively seen as responsible for cyber security, but at the same time are increasingly constrained by legal, privacy and resource considerations. Infrastructure and services that form part of the national cyber domain are often not under the control of government, necessitating information sharing between governments and commercial partners. While sharing of security information is necessary, it typically requires considerable time to be implemented effectively. In an effort to decrease the time and effort required for cyber security situational awareness, this study considered commercially available data sources relating to a national cyber domain. Open source information is typically used by attackers to gather information with great success. An understanding of the data provided by these sources can also afford decision makers the opportunity to set priorities more effectively. Through the use of an adapted Joint Directors of Laboratories (JDL) fusion model, an experimental system was implemented that visualised the potential that open source intelligence could have for cyber situational awareness. Datasets used in the validation of the model contained information obtained from eight different data sources over a two year period, with a focus on the South African .co.za sub domain. Over a million infrastructure devices were examined in this study, along with information pertaining to a potential 88 million vulnerabilities on these devices. During the examination of data sources, a severe lack of information regarding the human aspect of cyber security was identified, which led to the creation of a novel Personally Identifiable Information (PII) detection sensor. The resultant two million records pertaining to PII in the South African domain were incorporated into the data fusion experiment for processing. The results of this processing are discussed in three case studies. The results offered in this study aim to highlight how data fusion and effective visualisation can serve to move national cyber security from a primarily reactive undertaking to a more pro-active model.

    Real-time fusion and projection of network intrusion activity

    Intrusion Detection Systems (IDS) warn of suspicious or malicious network activity and are a fundamental, yet passive, defense-in-depth layer for modern networks. Prior research has applied information fusion techniques to correlate the alerts of multiple IDSs and group those belonging to the same multi-stage attack into attack tracks. Projecting the next likely step in these tracks potentially enhances an analyst's situational awareness; however, the reliance on attack plans, complicated algorithms, or expert knowledge of the respective network is prohibitive and prone to obsolescence with the continual deployment of new technology and the evolution of hacker tradecraft. This thesis presents a real-time, continually learning system capable of projecting attack tracks that does not require a priori knowledge about network architecture or rely on static attack templates. Prediction correctness over time and other metrics are used to assess the system's performance. The system demonstrates successful real-time adaptation of the model, including enhancements such as predicting that a never-before-observed event is about to occur. The intrusion projection system is framed as part of a larger information fusion and impact assessment architecture for cyber security.

    READUP BUILDUP. Thync - instant α-readings


    Situation Assessment for Mobile Robots


    Resilient and Trustworthy Dynamic Data-driven Application Systems (DDDAS) Services for Crisis Management Environments

    Future crisis management systems need resilient and trustworthy infrastructures to quickly develop reliable applications and processes, and to ensure end-to-end security, trust, and privacy. Due to the multiplicity and diversity of involved actors, the volumes of data, and the heterogeneity of shared information, crisis management systems tend to be highly vulnerable and subject to unforeseen incidents. As a result, the dependability of crisis management systems can be at risk. This paper presents a cloud-based resilient and trustworthy infrastructure (known as rDaaS) to quickly develop secure crisis management systems. The rDaaS integrates the Dynamic Data-Driven Application Systems (DDDAS) paradigm into a service-oriented architecture over cloud technology and provides a set of resilient DDDAS-As-A-Service (rDaaS) components to build secure and trusted adaptable crisis processes. The rDaaS also ensures resilience and security by obfuscating the execution environment and applying Behavior Software Encryption and Moving Technique Defense. A simulation environment for a nuclear plant crisis management case study is illustrated to build resilient and trusted crisis response processes.

    Data-driven Approach to Information Sharing using Data Fusion and Machine Learning

    The number of security incidents worldwide is increasing, and the capabilities to detect and react are of utmost importance. Intrusion Detection Systems (IDSs) are employed at various locations in networks to identify malicious activity. These sensors produce large amounts of data, which are fused and reduced. It is necessary to determine how to perform such fusion and reduction of data from heterogeneous sources. IDSs are known to produce a high number of false positives, which create a high workload for human analysts at a Security Operation Center (SOC). To ensure scalability, systems for reducing and streamlining the detection process are critical. The application of Threat Intelligence (TI) in information security for detection and prevention is widespread. When sharing TI, it must be ensured that the data is reliable and trustworthy. Further, it must be guaranteed that the sharing process does not leak sensitive data. This thesis proposes a process model describing the fusion and reduction of heterogeneous sensor data and TI in intrusion detection. Our work is based on a literature study and qualitative research interviews with security experts from law enforcement and public and private organisations. Further, an identification of reliable and trustworthy features in such fused and reduced data for use in Machine Learning (ML) is given. We have applied data-driven methods to a real-world dataset from a SOC for this identification, and evaluate our results using well-known performance measures. Our results show that ML can be used for prediction and decision support in the operation of a SOC. We also provide an identification of sensitive features among the features selected by our data-driven experiments.

    The number of security incidents in the world is increasing, and the ability to detect and respond is critical. Intrusion Detection Systems (IDSs) are placed at various locations in networks and systems in order to identify malicious activity. These sensors produce large amounts of data that must be fused and reduced. It is therefore important to define how such data fusion and reduction should be done when there is a large number of heterogeneous sensors. IDSs are known to produce large numbers of false positives, which in turn create large amounts of unnecessary work for security analysts in a Security Operation Center (SOC). To facilitate scaling, systems that can reduce and streamline the detection process are critical. The use of threat intelligence for detection and prevention in the information security community is widespread. When threat intelligence is shared, it is central that the shared information is reliable and that sharing sensitive information is avoided. This thesis proposes a process model that describes the fusion and reduction of data from heterogeneous sensors and threat intelligence sources. Our work is based on a literature study combined with qualitative research interviews with security experts from law enforcement and public and private organisations. Further, we have identified attributes in such fused and reduced data that can be used in machine learning. This was done via a data-driven approach on a dataset from a SOC containing real-world data. Our results were then evaluated with well-known methods for performance measurement. Our results show that the use of machine learning for prediction and decision support in the daily operation of a SOC is possible. Further, we have identified sensitive attributes among the attributes selected by our data-driven experiments.

    Application of data and information fusion

    Ph.D. (Doctor of Philosophy)

    Context-awareness and the smart grid: Requirements and challenges

    New intelligent power grids (smart grids) will be an essential way of improving efficiency in power supply and power consumption, facilitating the use of distributed and renewable resources on the supply side and providing consumers with a range of tailored services on the consumption side. The delivery of efficiencies and advanced services in a smart grid will require both a comprehensive overlay communications network and flexible software platforms that can process data from a variety of sources, especially electronic sensor networks. Parallel developments in autonomic systems, pervasive computing and context-awareness (relating in particular to data fusion, context modelling, and semantic data) could provide key elements in the development of scalable smart grid data management systems and applications that utilise a multi-technology communications network. This paper describes: (1) the communications and data management requirements of the emerging smart grid, (2) state-of-the-art techniques and systems for context-awareness and (3) a future direction towards devising a context-aware middleware platform for the smart grid, as well as the associated requirements and challenges.

    Formal modelling of intrusion detection systems (Modélisation formelle des systèmes de détection d'intrusions)

    The cybersecurity ecosystem is constantly evolving in terms of the number, diversity and complexity of attacks. As a result, detection tools become ineffective against certain attacks. Three types of intrusion detection systems are generally distinguished: anomaly-based detection, signature-based detection and hybrid detection. Anomaly-based detection is founded on characterising the usual behaviour of the system, typically in a statistical manner. It can detect known or unknown attacks, but also generates a very large number of false positives. Signature-based detection detects known attacks by defining rules that describe the known behaviour of an attacker. This requires good knowledge of the attacker's behaviour. Hybrid detection relies on several detection methods, including those mentioned above. It has the advantage of being more precise during detection. Tools such as Snort and Zeek offer low-level languages for expressing attack recognition rules. Since the number of potential attacks is very large, these rule bases quickly become difficult to manage and maintain. Moreover, expressing stateful rules to recognise a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a specification to be represented graphically and modularly, which facilitates the maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks. Then we specify several attacks with the extended notation and execute the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter against industrial tools such as Snort and Zeek. Finally, we implement a compiler to generate executable code from an ASTD specification, capable of efficiently identifying sequences of events.

    Abstract: The cybersecurity ecosystem continuously evolves in the number, diversity, and complexity of cyber attacks. Generally, there are three types of Intrusion Detection System (IDS): anomaly-based detection, signature-based detection, and hybrid detection. Anomaly-based detection is based on a description of the usual behavior of the system, typically in a statistical manner. It enables detecting known or unknown attacks, but also generates a large number of false positives. Signature-based detection enables detecting known attacks by defining rules that describe known attacker behavior. It needs a good knowledge of attacker behavior. Hybrid detection relies on several detection methods, including the previous ones. It has the advantage of being more precise during detection. Tools like Snort and Zeek offer low-level languages to represent rules for detecting attacks. Since the number of potential attacks is large, these rule bases quickly become hard to manage and maintain. Moreover, representing stateful rules to recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular representation of a specification, which facilitates maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks. Next, we specify several attacks with the extended notation and run the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter against industrial tools such as Snort and Zeek. Then, we build a compiler to generate executable code from an ASTD specification, able to efficiently identify sequences of events.