Real-time fusion and projection of network intrusion activity

Intrusion Detection Systems (IDS) warn of suspicious or malicious network activity and are a fundamental, yet passive, defense-in-depth layer for modern networks. Prior research has applied information fusion techniques to correlate the alerts of multiple IDSs and group those belonging to the same multi-stage attack into attack tracks. Projecting the next likely step in these tracks potentially enhances an analyst’s situational awareness; however, the reliance on attack plans, complicated algorithms, or expert knowledge of the respective network is prohibitive and prone to obsolescence with the continual deployment of new technology and evolution of hacker tradecraft. This thesis presents a real-time continually learning system capable of projecting attack tracks that does not require a priori knowledge about network architecture or rely on static attack templates. Prediction correctness over time and other metrics are used to assess the system’s performance. The system demonstrates the successful real-time adaptation of the model, including enhancements such as the prediction that a never before observed event is about to occur. The intrusion projection system is framed as part of a larger information fusion and impact assessment architecture for cyber security

Developing Cyberspace Data Understanding: Using CRISP-DM for Host-based IDS Feature Mining

Current intrusion detection systems generate a large number of specific alerts, but do not provide actionable information. Many times, these alerts must be analyzed by a network defender, a time consuming and tedious task which can occur hours or days after an attack occurs. Improved understanding of the cyberspace domain can lead to great advancements in Cyberspace situational awareness research and development. This thesis applies the Cross Industry Standard Process for Data Mining (CRISP-DM) to develop an understanding about a host system under attack. Data is generated by launching scans and exploits at a machine outfitted with a set of host-based data collectors. Through knowledge discovery, features are identified within the data collected which can be used to enhance host-based intrusion detection. By discovering relationships between the data collected and the events, human understanding of the activity is shown. This method of searching for hidden relationships between sensors greatly enhances understanding of new attacks and vulnerabilities, bolstering our ability to defend the cyberspace domain

Error analysis of sequence modeling for projecting cyber attacks

Intrusion Detection System (IDS) has become an integral component in the field of network security. Prior research has focused on developing efficient IDSs and correlating attacks as Attack Tracks. To enhance the network analyst\u27s situational awareness, sequence modeling techniques like Variable Length Markov Models (VLMM) have been used to project likely future attacks. However, such projections are made assuming that the IDSs detect each and every attack action, which is not viable in reality. An IDS could miss an attack due to loss of packets or improper traffic analysis, or when an attacker evades detection by employing obfuscation techniques. Such missed detections, could negatively affect the prediction model, resulting in erroneous estimations. This thesis investigates the prediction performance as an error analysis of VLMM when used for projecting cyber attacks. This analysis is based on the impact of missed alerts, representing undetected attack actions. The analysis begins with an analytical study of a state-based Markov model, called Causal-State Splitting Reconstruction (CSSR), to contrast the context-based VLMM. Simulation results show that VLMM and CSSR perform comparably, with VLMM being a simpler model without the need to maintain and train the state space. A thorough design of experiments studies the effects of missing IDS alerts, by having missed alerts at different locations of the attack sequence with different rates. The experimental results suggested that the change in prediction accuracy is low when there are missed alerts in one part of the sequence and higher if they are throughout the entire sequence. Also, the prediction accuracy increases when there are rare alerts missing, and it decreases when there are common alerts missing. In addition, change in the prediction accuracy is relatively less for sequences with smaller symbol space compared to sequences with larger symbol space. Overall, the results demonstrate the robustness and limitations of VLMM when used for cyber attack prediction. The insights derived in this analysis will be beneficial to the security analyst in assessing the model in terms of its predictive performance when there are missed alerts

A Modelling approach for evaluating the ranking capability of Situational Awareness System in real time operation. Modelling, evaluating and quantifying different situational assessment in real time operation, using an analytical approach for measuring the ranking capability of SWA system

In a dynamically monitored environment the analyst team need timely and accurate information to conduct proactive action over complex situations. Typically, there are thousands of reported activities in a real time operation, therefore steps are taken to direct the analyst’s attention to the most important activity. The data fusion community have introduced the information fusion model, with multiple situational assessments. Each process lends itself to ranking the most important activities into a predetermined order. Unfortunately, the capability of a real time system can be hindered by the knowledge limitation problem, particularly when the underlying system is processing multiple sensor information. Consequently, the situational awareness domains may not rank the identified situation as perfect, as desired by the decision-making resources. This thesis presents advanced research carried out to evaluate the ranking capability of information from the situational awareness domains: perception, comprehension and projection. The Ranking Capability Score (RCS) has been designed for evaluating the prioritisation process. The enhanced (RCS) has been designed for addressing the knowledge representation problem in the user system relation under a situational assessment where the proposed number of tracking activities are dynamically shifted. Finally, the Scheduling Capability Score was designed for evaluating the scheduling capability of the situational awareness system. The proposed performance metrics have been successful in fulfilling their objectives. Furthermore, they have been validated and evaluated using an analytical approach, through conducting a rigorous analysis of the prioritisation and scheduling processes, despite any constraints related to a domain-specific configuration

Information Pooling Bias in Collaborative Cyber Forensics

abstract: Cyber threats are growing in number and sophistication making it important to continually study and improve all dimensions of cyber defense. Human teamwork in cyber defense analysis has been overlooked even though it has been identified as an important predictor of cyber defense performance. Also, to detect advanced forms of threats effective information sharing and collaboration between the cyber defense analysts becomes imperative. Therefore, through this dissertation work, I took a cognitive engineering approach to investigate and improve cyber defense teamwork. The approach involved investigating a plausible team-level bias called the information pooling bias in cyber defense analyst teams conducting the detection task that is part of forensics analysis through human-in-the-loop experimentation. The approach also involved developing agent-based models based on the experimental results to explore the cognitive underpinnings of this bias in human analysts. A prototype collaborative visualization tool was developed by considering the plausible cognitive limitations contributing to the bias to investigate whether a cognitive engineering-driven visualization tool can help mitigate the bias in comparison to off-the-shelf tools. It was found that participant teams conducting the collaborative detection tasks as part of forensics analysis, experience the information pooling bias affecting their performance. Results indicate that cognitive friendly visualizations can help mitigate the effect of this bias in cyber defense analysts. Agent-based modeling produced insights on internal cognitive processes that might be contributing to this bias which could be leveraged in building future visualizations. This work has multiple implications including the development of new knowledge about the science of cyber defense teamwork, a demonstration of the advantage of developing tools using a cognitive engineering approach, a demonstration of the advantage of using a hybrid cognitive engineering methodology to study teams in general and finally, a demonstration of the effect of effective teamwork on cyber defense performance.Dissertation/ThesisDoctoral Dissertation Applied Psychology 201

Knowledge-based Decision Making for Simulating Cyber Attack Behaviors

Computer networks are becoming more complex as the reliance on these network increases in this era of exponential technological growth. This makes the potential gains for criminal activity on these networks extremely serious and can not only devastate organizations or enterprises but also the general population. As complexity of the network increases so does the difficulty to protect the networks as more potential vulnerabilities are introduced. Despite best efforts, traditional defenses like Intrusion Detection Systems and penetration tests are rendered ineffective to even amateur cyber adversaries. Networks now need to be analyzed at all times to preemptively detect weaknesses which harbored a new research field called Cyber Threat Analytics. However, current techniques for cyber threat analytics typically perform static analysis on the network and system vulnerabilities but few address the most variable and most critical piece of the puzzle -- the attacker themselves. This work focuses on defining a baseline framework for modeling a wide variety of cyber attack behaviors which can be used in conjunction with a cyber attack simulator to analyze the effects of individual or multiple attackers on a network. To model a cyber attacker\u27s behaviors with reasonable accuracy and flexibility, the model must be based on aspects of an attacker that are used in real scenarios. Real cyber attackers base their decisions on what they know and learn about the network, vulnerabilities, and targets. This attacker behavior model introduces the aspect of knowledge-based decision making to cyber attack behavior modeling with the goal of providing user configurable options. This behavior model employs Cyber Attack Kill Chain along with an ensemble of the attacker capabilities, opportunities, intent, and preferences. The proposed knowledge-based decision making model is implemented to enable the simulation of a variety of network attack behaviors and their effects. This thesis will show a number of simulated attack scenarios to demonstrate the capabilities and limitations of the proposed model

Probabilistic Modeling and Inference for Obfuscated Network Attack Sequences

Prevalent computing devices with networking capabilities have become critical network infrastructure for government, industry, academia and every-day life. As their value rises, the motivation driving network attacks on this infrastructure has shifted from the pursuit of notoriety to the pursuit of profit or political gains, leading to network attack on various scales. Facing diverse network attack strategies and overwhelming alters, much work has been devoted to correlate observed malicious events to pre-defined scenarios, attempting to deduce the attack plans based on expert models of how network attacks may transpire. We started the exploration of characterizing network attacks by investigating how temporal and spatial features of attack sequence can be used to describe different types of attack sources in real data set. Attack sequence models were built from real data set to describe different attack strategies. Based on the probabilistic attack sequence model, attack predictions were made to actively predict next possible actions. Experiments through attack predictions have revealed that sophisticated attackers can employ a number of obfuscation techniques to confuse the alert correlation engine or classifier. Unfortunately, most exiting work treats attack obfuscations by developing ad-hoc fixes to specific obfuscation technique. To this end, we developed an attack modeling framework that enables a systematical analysis of obfuscations. The proposed framework represents network attack strategies as general finite order Markov models and integrates it with different attack obfuscation models to form probabilistic graphical model models. A set of algorithms is developed to inference the network attack strategies given the models and the observed sequences, which are likely to be obfuscated. The algorithms enable an efficient analysis of the impact of different obfuscation techniques and attack strategies, by determining the expected classification accuracy of the obfuscated sequences. The algorithms are developed by integrating the recursion concept in dynamic programming and the Monte-Carlo method. The primary contributions of this work include the development of the formal framework and the algorithms to evaluate the impact of attack obfuscations. Several knowledge-driven attack obfuscation models are developed and analyzed to demonstrate the impact of different types of commonly used obfuscation techniques. The framework and algorithms developed in this work can also be applied to other contexts beyond network security. Any behavior sequences that might suffer from noise and require matching to pre-defined models can use this work to recover the most likely original sequence or evaluate quantitatively the expected classification accuracy one can achieve to separate the sequences

A Guidance Template for Attack Sequence Specification in Cyber Attack Simulation

Over the past decade the cost and frequency of cybercrime has skyrocketed and is still increasing year over year. Major targets of cyber attacks are financial organizations, energy and utility companies, governmental agencies, and technology companies. However, almost all businesses are at risk. The increasing threat and cost of cyber crime is caused by many factors, including: the increasing reliance on cyber networks, constantly evolving exploitation and cyber attack methods, and insufficient development of defensive mechanisms to predict and prevent cyber attackers. Promising research in the proactive defense against cyber attacks exists in the field of cyber situational awareness (Cyber SA), but is limited partially due to the limited availability of cyber attack data from desirable attack scenarios. This work improves upon previous development of a cyber attack simulator capable of modeling complex cyber attacks consisting of computer networks, their defenses, and cyber attacker behavior. The main contribution of this work is the introduction of a new model called the Attack Guidance Template (AGT), responsible for the definition of simulated cyber attack sequences and for guiding the attacker to the goal of the attack sequence. The AGT allows the user to define desired cyber attack sequences with flexibility and ranging levels of specificity. This work also introduces an attack sequence analyzer to aid the user in understanding the likelihood of the model attack sequences being accomplished successfully with different attackers across various networks. To ensure the validity of these developments, both the analyzer and the AGT are verified and compared to the previous cyber attack guidance template