Spatiotemporal Patterns and Predictability of Cyberattacks

Y.C.L. was supported by Air Force Office of Scientific Research (AFOSR) under grant no. FA9550-10-1-0083 and Army Research Office (ARO) under grant no. W911NF-14-1-0504. S.X. was supported by Army Research Office (ARO) under grant no. W911NF-13-1-0141. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.Peer reviewedPublisher PD

Super-resolution community detection for layer-aggregated multilayer networks

Applied network science often involves preprocessing network data before applying a network-analysis method, and there is typically a theoretical disconnect between these steps. For example, it is common to aggregate time-varying network data into windows prior to analysis, and the tradeoffs of this preprocessing are not well understood. Focusing on the problem of detecting small communities in multilayer networks, we study the effects of layer aggregation by developing random-matrix theory for modularity matrices associated with layer-aggregated networks with $N$ nodes and $L$ layers, which are drawn from an ensemble of Erd\H{o}s-R\'enyi networks. We study phase transitions in which eigenvectors localize onto communities (allowing their detection) and which occur for a given community provided its size surpasses a detectability limit $K^*$. When layers are aggregated via a summation, we obtain $K^*\varpropto \mathcal{O}(\sqrt{NL}/T)$, where $T$ is the number of layers across which the community persists. Interestingly, if $T$ is allowed to vary with $L$ then summation-based layer aggregation enhances small-community detection even if the community persists across a vanishing fraction of layers, provided that $T/L$ decays more slowly than $\mathcal{O}(L^{-1/2})$. Moreover, we find that thresholding the summation can in some cases cause $K^*$ to decay exponentially, decreasing by orders of magnitude in a phenomenon we call super-resolution community detection. That is, layer aggregation with thresholding is a nonlinear data filter enabling detection of communities that are otherwise too small to detect. Importantly, different thresholds generally enhance the detectability of communities having different properties, illustrating that community detection can be obscured if one analyzes network data using a single threshold.Comment: 11 pages, 8 figure

Spatiotemporal patterns and predictability of cyberattacks

A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns of cyberattacks. Conventional wisdom favors absence of such patterns due to the overwhelming complexity of the modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we successfully uncover intrinsic spatiotemporal patterns underlying cyberattacks, where the term "spatio" refers to the IP address space. In particular, we focus on analyzing {\em macroscopic} properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, there are very few sets of major attackers committing almost all the attacks, since their attack "fingerprints" and target selection scheme can be unequivocally identified according to the very limited number of unique spatiotemporal characteristics, each of which only exists on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns in a comprehensive manner. A general finding is that the attack patterns possess high degrees of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches

Hidden Markov Model Based Intrusion Alert Prediction

Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks. Most of the existing intrusion prediction methods mainly focus on prediction of either intrusion type or intrusion category. Also, most of them are built based on domain knowledge and specific scenario knowledge. This thesis proposes an alert prediction framework which provides more detailed information than just the intrusion type or category to initiate possible defensive measures. The proposed algorithm is based on hidden Markov model and it does not depend on specific domain knowledge. Instead, it depends on a training process. Hence the proposed algorithm is adaptable to different conditions. Also, it is based on prediction of the next alert cluster, which contains source IP address, destination IP range, alert type and alert category. Hence, prediction of next alert cluster provides more information about future strategies of the attacker. Experiments were conducted using a public data set generated over 2500 alert predictions. Proposed alert prediction framework achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved 5% prediction accuracy improvement for alert category over variable length Markov based alert prediction method, while providing more information for a possible defense

A Markov-Based Intrusion Tolerance Finite Automaton

It is inevitable for networks to be invaded during operation. The intrusion tolerance technology comes into being to enable invaded networks to provide the necessary network services. This paper introduces an automatic learning mechanism of the intrusion tolerance system to update network security strategy, and derives an intrusion tolerance finite automaton model from an existing intrusion tolerance model. The proposed model was quantified by the Markov theory to compute the stable probability of each state. The calculated stable probabilities provide the theoretical guidance and basis for administrators to better safeguard network security. Verification results show that it is feasible, effective, and convenient to integrate the Markov model to the intrusion tolerance finite automaton