1,355 research outputs found
A Cost-effective Shuffling Method against DDoS Attacks using Moving Target Defense
Moving Target Defense (MTD) has emerged as a newcomer into the asymmetric
field of attack and defense, and shuffling-based MTD has been regarded as one
of the most effective ways to mitigate DDoS attacks. However, previous work
does not acknowledge that frequent shuffles would significantly intensify the
overhead. MTD requires a quantitative measure to compare the cost and
effectiveness of available adaptations and explore the best trade-off between
them. In this paper, therefore, we propose a new cost-effective shuffling
method against DDoS attacks using MTD. By exploiting Multi-Objective Markov
Decision Processes to model the interaction between the attacker and the
defender, and designing a cost-effective shuffling algorithm, we study the best
trade-off between the effectiveness and cost of shuffling in a given shuffling
scenario. Finally, simulation and experimentation on an experimental software
defined network (SDN) indicate that our approach imposes an acceptable
shuffling overload and is effective in mitigating DDoS attacks
DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees
This paper presents the current state of the art on attack and defense
modeling approaches that are based on directed acyclic graphs (DAGs). DAGs
allow for a hierarchical decomposition of complex scenarios into simple, easily
understandable and quantifiable actions. Methods based on threat trees and
Bayesian networks are two well-known approaches to security modeling. However
there exist more than 30 DAG-based methodologies, each having different
features and goals. The objective of this survey is to present a complete
overview of graphical attack and defense modeling techniques based on DAGs.
This consists of summarizing the existing methodologies, comparing their
features and proposing a taxonomy of the described formalisms. This article
also supports the selection of an adequate modeling technique depending on user
requirements
Survey of Attack Projection, Prediction, and Forecasting in Cyber Security
This paper provides a survey of prediction, and forecasting methods used in cyber security. Four main tasks are discussed first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker, intrusion prediction, in which there is a need to predict upcoming cyber attacks, and network security situation forecasting, in which we project cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, that have gained a lot of attention recently and appears promising for such a constantly changing environment, which is cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation
Training Automated Defense Strategies Using Graph-based Cyber Attack Simulations
We implemented and evaluated an automated cyber defense agent. The agent
takes security alerts as input and uses reinforcement learning to learn a
policy for executing predefined defensive measures. The defender policies were
trained in an environment intended to simulate a cyber attack. In the
simulation, an attacking agent attempts to capture targets in the environment,
while the defender attempts to protect them by enabling defenses. The
environment was modeled using attack graphs based on the Meta Attack Language
language. We assumed that defensive measures have downtime costs, meaning that
the defender agent was penalized for using them. We also assumed that the
environment was equipped with an imperfect intrusion detection system that
occasionally produces erroneous alerts based on the environment state. To
evaluate the setup, we trained the defensive agent with different volumes of
intrusion detection system noise. We also trained agents with different
attacker strategies and graph sizes. In experiments, the defensive agent using
policies trained with reinforcement learning outperformed agents using
heuristic policies. Experiments also demonstrated that the policies could
generalize across different attacker strategies. However, the performance of
the learned policies decreased as the attack graphs increased in size.Comment: Presented at the Workshop on SOC Operations and Construction (WOSOC)
2023, colocated with NDSS 202
Analysis of Bulk Power System Resilience Using Vulnerability Graph
Critical infrastructure such as a Bulk Power System (BPS) should have some quantifiable measure of resiliency and definite rule-sets to achieve a certain resilience value. Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) networks are integral parts of BPS. BPS or ICS are themselves not vulnerable because of their proprietary technology, but when the control network and the corporate network need to have communications for performance measurements and reporting, the ICS or BPS become vulnerable to cyber-attacks. Thus, a systematic way of quantifying resiliency and identifying crucial nodes in the network is critical for addressing the cyber resiliency measurement process. This can help security analysts and power system operators in the decision-making process. This thesis focuses on the resilience analysis of BPS and proposes a ranking algorithm to identify critical nodes in the network. Although there are some ranking algorithms already in place, but they lack comprehensive inclusion of the factors that are critical in the cyber domain. This thesis has analyzed a range of factors which are critical from the point of view of cyber-attacks and come up with a MADM (Multi-Attribute Decision Making) based ranking method. The node ranking process will not only help improve the resilience but also facilitate hardening the network from vulnerabilities and threats.
The proposed method is called MVNRank which stands for Multiple Vulnerability Node Rank. MVNRank algorithm takes into account the asset value of the hosts, the exploitability and impact scores of vulnerabilities as quantified by CVSS (Common Vulnerability Scoring System). It also considers the total number of vulnerabilities and severity level of each vulnerability, degree centrality of the nodes in vulnerability graph and the attacker’s distance from the target node. We are using a multi-layered directed acyclic graph (DAG) model and ranking the critical nodes in the corporate and control network which falls in the paths to the target ICS. We don\u27t rank the ICS nodes but use them to calculate the potential power loss capability of the control center nodes using the assumed ICS connectivity to BPS. Unlike most of the works, we have considered multiple vulnerabilities for each node in the network while generating the rank by using a weighted average method. The resilience computation is highly time consuming as it considers all the possible attack paths from the source to the target node which increases in a multiplicative manner based on the number of nodes and vulnerabilities. Thus, one of the goals of this thesis is to reduce the simulation time to compute resilience which is achieved as illustrated in the simulation results
- …