248 research outputs found
A Survey of Network Requirements for Enabling Effective Cyber Deception
In the evolving landscape of cybersecurity, the utilization of cyber
deception has gained prominence as a proactive defense strategy against
sophisticated attacks. This paper presents a comprehensive survey that
investigates the crucial network requirements essential for the successful
implementation of effective cyber deception techniques. With a focus on diverse
network architectures and topologies, we delve into the intricate relationship
between network characteristics and the deployment of deception mechanisms.
This survey provides an in-depth analysis of prevailing cyber deception
frameworks, highlighting their strengths and limitations in meeting the
requirements for optimal efficacy. By synthesizing insights from both
theoretical and practical perspectives, we contribute to a comprehensive
understanding of the network prerequisites crucial for enabling robust and
adaptable cyber deception strategies
Draining the Water Hole: Mitigating Social Engineering Attacks with CyberTWEAK
Cyber adversaries have increasingly leveraged social engineering attacks to
breach large organizations and threaten the well-being of today's online users.
One clever technique, the "watering hole" attack, compromises a legitimate
website to execute drive-by download attacks by redirecting users to another
malicious domain. We introduce a game-theoretic model that captures the salient
aspects for an organization protecting itself from a watering hole attack by
altering the environment information in web traffic so as to deceive the
attackers. Our main contributions are (1) a novel Social Engineering Deception
(SED) game model that features a continuous action set for the attacker, (2) an
in-depth analysis of the SED model to identify computationally feasible
real-world cases, and (3) the CyberTWEAK algorithm which solves for the optimal
protection policy. To illustrate the potential use of our framework, we built a
browser extension based on our algorithms which is now publicly available
online. The CyberTWEAK extension will be vital to the continued development and
deployment of countermeasures for social engineering.Comment: IAAI-20, AICS-2020 Worksho
Optimal Timing in Dynamic and Robust Attacker Engagement During Advanced Persistent Threats
Advanced persistent threats (APTs) are stealthy attacks which make use of
social engineering and deception to give adversaries insider access to
networked systems. Against APTs, active defense technologies aim to create and
exploit information asymmetry for defenders. In this paper, we study a scenario
in which a powerful defender uses honeynets for active defense in order to
observe an attacker who has penetrated the network. Rather than immediately
eject the attacker, the defender may elect to gather information. We introduce
an undiscounted, infinite-horizon Markov decision process on a continuous state
space in order to model the defender's problem. We find a threshold of
information that the defender should gather about the attacker before ejecting
him. Then we study the robustness of this policy using a Stackelberg game.
Finally, we simulate the policy for a conceptual network. Our results provide a
quantitative foundation for studying optimal timing for attacker engagement in
network defense.Comment: Submitted to the 2019 Intl. Symp. Modeling and Optimization in
Mobile, Ad Hoc, and Wireless Nets. (WiOpt
Evolving Reinforcement Learning Environment to Minimize Learner's Achievable Reward: An Application on Hardening Active Directory Systems
We study a Stackelberg game between one attacker and one defender in a
configurable environment. The defender picks a specific environment
configuration. The attacker observes the configuration and attacks via
Reinforcement Learning (RL trained against the observed environment). The
defender's goal is to find the environment with minimum achievable reward for
the attacker. We apply Evolutionary Diversity Optimization (EDO) to generate
diverse population of environments for training. Environments with clearly high
rewards are killed off and replaced by new offsprings to avoid wasting training
time. Diversity not only improves training quality but also fits well with our
RL scenario: RL agents tend to improve gradually, so a slightly worse
environment earlier on may become better later. We demonstrate the
effectiveness of our approach by focusing on a specific application, Active
Directory (AD). AD is the default security management system for Windows domain
networks. AD environment describes an attack graph, where nodes represent
computers/accounts/etc., and edges represent accesses. The attacker aims to
find the best attack path to reach the highest-privilege node. The defender can
change the graph by removing a limited number of edges (revoke accesses). Our
approach generates better defensive plans than the existing approach and scales
better
Cyber Defense Remediation in Energy Delivery Systems
The integration of Information Technology (IT) and Operational Technology (OT) in Cyber-Physical Systems (CPS) has resulted in increased efficiency and facilitated real-time information acquisition, processing, and decision making. However, the increase in automation technology and the use of the internet for connecting, remote controlling, and supervising systems and facilities has also increased the likelihood of cybersecurity threats that can impact safety of humans and property. There is a need to assess cybersecurity risks in the power grid, nuclear plants, chemical factories, etc. to gain insight into the likelihood of safety hazards. Quantitative cybersecurity risk assessment will lead to informed cyber defense remediation and will ensure the presence of a mitigation plan to prevent safety hazards. In this dissertation, using Energy Delivery Systems (EDS) as a use case to contextualize a CPS, we address key research challenges in managing cyber risk for cyber defense remediation.
First, we developed a platform for modeling and analyzing the effect of cyber threats and random system faults on EDS\u27s safety that could lead to catastrophic damages. We developed a data-driven attack graph and fault graph-based model to characterize the exploitability and impact of threats in EDS. We created an operational impact assessment to quantify the damages. Finally, we developed a strategic response decision capability that presents optimal mitigation actions and policies that balance the tradeoff between operational resilience (tactical risk) and strategic risk.
Next, we addressed the challenge of management of tactical risk based on a prioritized cyber defense remediation plan. A prioritized cyber defense remediation plan is critical for effective risk management in EDS. Due to EDS\u27s complexity in terms of the heterogeneous nature of blending IT and OT and Industrial Control System (ICS), scale, and critical processes tasks, prioritized remediation should be applied gradually to protect critical assets. We proposed a methodology for prioritizing cyber risk remediation plans by detecting and evaluating critical EDS nodes\u27 paths. We conducted evaluation of critical nodes characteristics based on nodes\u27 architectural positions, measure of centrality based on nodes\u27 connectivity and frequency of network traffic, as well as the controlled amount of electrical power. The model also examines the relationship between cost models of budget allocation for removing vulnerabilities on critical nodes and their impact on gradual readiness. The proposed cost models were empirically validated in an existing network ICS test-bed computing nodes criticality. Two cost models were examined, and although varied, we concluded the lack of correlation between types of cost models to most damageable attack path and critical nodes readiness.
Finally, we proposed a time-varying dynamical model for the cyber defense remediation in EDS. We utilize the stochastic evolutionary game model to simulate the dynamic adversary of cyber-attack-defense. We leveraged the Logit Quantal Response Dynamics (LQRD) model to quantify real-world players\u27 cognitive differences. We proposed the optimal decision making approach by calculating the stable evolutionary equilibrium and balancing defense costs and benefits. Case studies on EDS indicate that the proposed method can help the defender predict possible attack action, select the related optimal defense strategy over time, and gain the maximum defense payoffs. We also leveraged software-defined networking (SDN) in EDS for dynamical cyber defense remediation. We presented an approach to aid the selection security controls dynamically in an SDN-enabled EDS and achieve tradeoffs between providing security and Quality of Service (QoS). We modeled the security costs based on end-to-end packet delay and throughput. We proposed a non-dominated sorting based multi-objective optimization framework which can be implemented within an SDN controller to address the joint problem of optimizing between security and QoS parameters by alleviating time complexity at O(MN2). The M is the number of objective functions, and N is the population for each generation, respectively. We presented simulation results that illustrate how data availability and data integrity can be achieved while maintaining QoS constraints
- …