
    A Machine Learning based Empirical Evaluation of Cyber Threat Actors High Level Attack Patterns over Low level Attack Patterns in Attributing Attacks

    Cyber threat attribution is the process of identifying the actor behind an attack incident in cyberspace. Accurate and timely threat attribution plays an important role in deterring future attacks by enabling appropriate and timely defense mechanisms. Manual analysis of attack patterns gathered by honeypot deployments, intrusion detection systems, firewalls, and trace-back procedures is still the preferred method of security analysts for cyber threat attribution. Such attack patterns are low-level Indicators of Compromise (IOC). They represent the Tactics, Techniques, and Procedures (TTP) and software tools used by adversaries in their campaigns. Adversaries rarely re-use them, and they can also be manipulated, resulting in false and unfair attribution. To empirically evaluate and compare the effectiveness of both kinds of IOC, two problems need to be addressed. The first is that recent research has discussed the ineffectiveness of low-level IOC for cyber threat attribution only intuitively; an empirical measure of the effectiveness of low-level IOC based on a real-world dataset is missing. The second is that the available dataset for high-level IOC has a single instance for each predictive class label, which cannot be used directly for training machine learning models. To address these problems, we empirically evaluate the effectiveness of low-level IOC based on a real-world dataset that is specifically built for comparative analysis with high-level IOC. The experimental results show that models trained on high-level IOC attribute cyberattacks with an accuracy of 95%, compared to 40% for models trained on low-level IOC.
    Comment: 20 page

    Cyber Warfare: Explaining the Absence of Physical Force Responses by States

    This essay examines the unwillingness of nation-states to use physical force in response to cyber warfare. Specifically, the paper claims that uncertainties regarding international law, state sovereignty, definitions of the use of force, and the problem of attribution in cyberspace contribute to a state’s decision to forego responding to cyber-attacks with physical force in other domains (i.e., land, air, sea, and space). These concepts are considered within the framework of Neorealist theory and in reference to the literature on cyber warfare. The 2007 series of cyber-attacks on Estonia is used as a case study to further examine the above elements. This paper builds upon the growing body of literature focused on cyber warfare and, in contrast to other research, argues that the international system’s inadequate handling of cyber-war concerns affects states’ responses to cyber-attacks by using physical force.

    Planning for the Future of Cyber Attack Attribution : Hearing Before the H. Subcomm. on Technology and Innovation of the H. Comm. on Science and Technology, 111th Cong., July 15, 2010 (Statement by Adjunct Professor Marc Rotenberg, Geo. U. L. Center)

    Steve Bellovin, another security expert, noted recently that one of the risks of the new White House plan for cyber security is that it places too much emphasis on attribution. As Dr. Bellovin explains: The fundamental premise of the proposed strategy is that our serious Internet security problems are due to lack of sufficient authentication. That is demonstrably false. The biggest problem was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. While I believe the White House, the Cyber Security Advisor, and the various participants in the drafting process have made an important effort to address privacy and security interests, I share Professor Bellovin’s concern that too much emphasis has been placed on promoting identification. I also believe that online identification, promoted by government, will be used for purposes unrelated to cyber security and could ultimately chill political speech and limit the growth of the Internet. Greater public participation in the development of this policy as well as a formal rulemaking on the White House proposal could help address these concerns.

    Revealing the cyber security non-compliance “attribution gulf”

    Non-compliance is a well-known issue in the field of cyber security. Non-compliance usually manifests in an individual’s sins of omission or commission, and it is easy to conclude that the problem is attributable to their personal flawed decision making. However, the individual’s decision not to comply is likely also to be influenced by a range of environmental and contextual factors. Bourdieu, for example, suggests that personal habitus influences decisions. We identified a wide range of possible explanations for non-compliance from the research literature and classified these, finding that a number of the identified factors were indeed habitus related. We then used Q-methodology to determine which of these non-compliance explanations aligned with public attributions of non-compliance causes. We discovered an “attribution gulf”, with popular opinion attributing non-compliance primarily to individual failings or ignorance. The existence of this attribution gap means that those designing cyber security interventions are likely to neglect the influence of habitus on choices and decisions. We need to broaden our focus if non-compliance is to be reduced.

    Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors

    This is the author accepted manuscript. The final version is available from OUP via the DOI in this record.
    Cyber operations pose a set of novel challenges to the generally conservative body of the law of State responsibility. Central among them is the problem of attribution, which lies at the intersection of technology and law. This article reflects the recent developments in States’ technological capacity to identify the sources of cyber attacks from the perspective of international law. It revisits Article 8 of the International Law Commission’s Articles on State Responsibility in order to ‘decode’ its contents vis-à-vis its drafting history and with an eye on its future application to conduct in cyberspace. The article argues that there are three autonomous standards of attribution built into that provision: instructions, direction, and control. It then demonstrates the utility and limitations of each of them against the backdrop of actual and hypothetical cyber operations. The article concludes with suggestions for further development of the law in this area, focussing on the missing potential of the law to regulate instigation of wrongful cyber conduct and on the prohibitively strict test of control applicable de lege lata.
    I would like to gratefully acknowledge the generous support of the Minerva Center for the Rule of Law under Extreme Conditions at the Faculty of Law and Department of Geography and Environmental Studies, University of Haifa, Israel and of the Israeli Ministry of Science, Technology and Space.

    Offensive cyber: What are the possibilities of the use of offensive cyber as an offensive capability within the existing international legal framework?

    Cyber is hot. Although the international community, scientists, the military and NATO primarily focus on how to defend themselves against cyber attacks, this study mainly focuses on the offensive side of cyber. The thesis analyses the possibilities of the use of offensive cyber as a capability within the existing international legal framework. The thesis consists of two parts. The first part discusses what offensive cyber is and what its possibilities and capabilities are. Offensive use of cyber is new within modern warfare; therefore it is important to describe and explain cyber attacks and offensive cyber operations thoroughly. In this part the definitions are set, and the basic characteristics of cyber attacks are discussed. Not only the possibilities of offensive cyber are described, but also the dilemmas for the use of offensive cyber are explained. This first part concludes with possible scenarios for the use of offensive cyber operations. The second part of this thesis is a case study and analyses whether and how offensive cyber fits in with, and complies with, the existing international legal framework. Firstly, the aspects of the existing international legal framework are discussed which are unambiguous for regular war scenarios but seem difficult to interpret when it comes to cyber operations. Secondly, the case study is conducted by analysing the three main principles within the Laws of Armed Conflict (LoAC), proportionality, necessity and distinction, on the four recent cyber cases of Estonia 2007, Georgia 2008, Stuxnet 2010 and Libya 2011. The conclusion of the thesis is that the existing international legal framework is not fully suitable for the use of cyber as an offensive capability. Especially the attribution problem, collateral damage, and the distinction between military and civil objects are problematic. As long as there is no consensus on internationally accepted cyber law that sets the boundaries for the use of offensive cyber, the existing international legal framework is applicable, and the use of offensive cyber will have its challenges and grey areas. A new internationally accepted legal cyber framework should limit, and set boundaries for, the use of offensive cyber. On the other hand, developing a new internationally accepted legal framework in which offensive cyber is addressed is also an opportunity to exploit the optimum use of offensive cyber within that framework.

    A multilabel fuzzy relevance clustering system for malware attack attribution in the edge layer of cyber-physical networks

    The rapid increase in the number of malicious programs has made malware forensics a daunting task and put users’ systems in danger. Timely identification of malware characteristics, including its origin and the malware sample’s family, would significantly limit the potential damage of malware. This is a more profound risk in Cyber-Physical Systems (CPSs), where a malware attack may cause significant physical damage to the infrastructure. Due to the limited on-device memory and processing power of CPS devices, most of the efforts for protecting CPS networks are focused on the edge layer, where the majority of security mechanisms are deployed. Since the majority of advanced and sophisticated malware programs combine features from different families, these malicious programs are not similar enough to any existing malware family and easily evade binary classifier detection. Therefore, in this article, we propose a novel multilabel fuzzy clustering system for malware attack attribution. Our system is deployed on the edge layer to provide insight into the malware threats applicable to the CPS network. We leverage static analysis by using opcode frequencies as the feature space to classify malware families. We observed that a multilabel classifier fails to classify a portion of the samples; we named this the instance coverage problem. To overcome it, we developed an ensemble-based multilabel fuzzy classification method that suggests the relevance of a malware instance to the affected families. This classifier identified samples from VirusShare, RansomwareTracker, and BIG2015 with an accuracy of 94.66%, 94.26%, and 97.56%, respectively.

    FINGERPRINTING MALICIOUS IP TRAFFIC

    In the new global economy, cyber-attacks have become a central issue. The detection, mitigation and attribution of such cyber-attacks require efficient and practical techniques to fingerprint malicious IP traffic. By fingerprinting, we refer to: (1) the detection of malicious network flows and (2) the attribution of the detected flows to the malware families that generate them. In this thesis, we first address the detection problem and solve it using a classification technique. The latter uses features that exploit only high-level properties of traffic flows and therefore does not rely on deep packet inspection. As such, our technique is effective even in the presence of encrypted traffic. Second, whenever a malicious flow is detected, we propose another technique to attribute that flow to the malware family that generated it. The attribution technique is built upon k-means clustering, sequence mining and Pushdown Automata (PDAs) to capture the network behaviors of malware family groups. Indeed, the generated PDAs are in effect network signatures for malware family groups. Our results show that the proposed malicious detection and attribution techniques achieve high accuracy with low false (positive and negative) alerts.

    General Counsel of the FBI, James Baker, in Conversation with Professor Mary DeRosa on the FBI and International Justice

    Mary DeRosa, Georgetown Law Professor, former Deputy Counsel to President Obama for National Security Affairs, former Legal Advisor to the National Security Council under President Obama, and former Deputy Legal Adviser to the National Security Council in the Clinton Administration, interviewed the current General Counsel of the Federal Bureau of Investigation (FBI), James Baker. The two discussed the FBI’s role in international law enforcement and the domestic tension between technological advancement and law enforcement duties.