88 research outputs found
Cyber-Attack Modeling Analysis Techniques: An Overview
YesCyber attack is a sensitive issue in the world
of Internet security. Governments and business organisations
around the world are providing enormous effort to secure their
data. They are using various types of tools and techniques to
keep the business running, while adversaries are trying to breach
security and send malicious software such as botnets, viruses,
trojans etc., to access valuable data. Everyday the situation is
getting worse because of new types of malware emerging to attack
networks. It is important to understand those attacks both before
and after they happen in order to provide better security to
our systems. Understanding attack models provide more insight
into network vulnerability; which in turn can be used to protect
the network from future attacks. In the cyber security world, it
is difficult to predict a potential attack without understanding
the vulnerability of the network. So, it is important to analyse
the network to identify top possible vulnerability list, which will
give an intuitive idea to protect the network. Also, handling an
ongoing attack poses significant risk on the network and valuable
data, where prompt action is necessary. Proper utilisation of
attack modelling techniques provide advance planning, which
can be implemented rapidly during an ongoing attack event. This
paper aims to analyse various types of existing attack modelling
techniques to understand the vulnerability of the network; and
the behaviour and goals of the adversary. The ultimate goal is to
handle cyber attack in efficient manner using attack modelling
techniques
Simulating Windows-Based Cyber Attacks Using Live Virtual Machine Introspection
Static memory analysis has been proven a valuable technique for digital forensics. However, the memory capture technique halts the system causing the loss of important dynamic system data. As a result, live analysis techniques have emerged to complement static analysis. In this paper, a compiled memory analysis tool for virtualization (CMAT-V) is presented as a virtual machine introspection (VMI) utility to conduct live analysis during simulated cyber attacks. CMAT-V leverages static memory dump analysis techniques to provide live system state awareness. CMAT-V parses an arbitrary memory dump from a simulated guest operating system (OS) to extract user information, network usage, active process information and registry files. Unlike some VMI applications, CMAT-V bridges the semantic gap using derivation techniques. This provides increased operating system compatibility for current and future operating systems. This research demonstrates the usefulness of CMAT-V as a situational awareness tool during simulated cyber attacks and measures the overall performance of CMAT-V
Spatiotemporal Patterns and Predictability of Cyberattacks
Y.C.L. was supported by Air Force Office of Scientific Research (AFOSR) under grant no. FA9550-10-1-0083 and Army Research Office (ARO) under grant no. W911NF-14-1-0504. S.X. was supported by Army Research Office (ARO) under grant no. W911NF-13-1-0141. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.Peer reviewedPublisher PD
Predictive Cyber-security Analytics Framework: A non-homogenous Markov model for Security Quantification
Numerous security metrics have been proposed in the past for protecting
computer networks. However we still lack effective techniques to accurately
measure the predictive security risk of an enterprise taking into account the
dynamic attributes associated with vulnerabilities that can change over time.
In this paper we present a stochastic security framework for obtaining
quantitative measures of security using attack graphs. Our model is novel as
existing research in attack graph analysis do not consider the temporal aspects
associated with the vulnerabilities, such as the availability of exploits and
patches which can affect the overall network security based on how the
vulnerabilities are interconnected and leveraged to compromise the system.
Gaining a better understanding of the relationship between vulnerabilities and
their lifecycle events can provide security practitioners a better
understanding of their state of security. In order to have a more realistic
representation of how the security state of the network would vary over time, a
nonhomogeneous model is developed which incorporates a time dependent
covariate, namely the vulnerability age. The daily transition-probability
matrices are estimated using Frei's Vulnerability Lifecycle model. We also
leverage the trusted CVSS metric domain to analyze how the total exploitability
and impact measures evolve over a time period for a given network.Comment: 16 pages, 6 Figures in International Conference of Security, Privacy
and Trust Management 201
Spatiotemporal patterns and predictability of cyberattacks
A relatively unexplored issue in cybersecurity science and engineering is
whether there exist intrinsic patterns of cyberattacks. Conventional wisdom
favors absence of such patterns due to the overwhelming complexity of the
modern cyberspace. Surprisingly, through a detailed analysis of an extensive
data set that records the time-dependent frequencies of attacks over a
relatively wide range of consecutive IP addresses, we successfully uncover
intrinsic spatiotemporal patterns underlying cyberattacks, where the term
"spatio" refers to the IP address space. In particular, we focus on analyzing
{\em macroscopic} properties of the attack traffic flows and identify two main
patterns with distinct spatiotemporal characteristics: deterministic and
stochastic. Strikingly, there are very few sets of major attackers committing
almost all the attacks, since their attack "fingerprints" and target selection
scheme can be unequivocally identified according to the very limited number of
unique spatiotemporal characteristics, each of which only exists on a
consecutive IP region and differs significantly from the others. We utilize a
number of quantitative measures, including the flux-fluctuation law, the Markov
state transition probability matrix, and predictability measures, to
characterize the attack patterns in a comprehensive manner. A general finding
is that the attack patterns possess high degrees of predictability, potentially
paving the way to anticipating and, consequently, mitigating or even preventing
large-scale cyberattacks using macroscopic approaches
- …