Characterization of cyber attacks through variable length Markov models

The increase in bandwidth, the emergence of wireless technologies, and the spread of the Internet throughout the world have created new forms of communication with effects on areas such as business, entertainment, and education. This pervasion of computer networks into human activity has amplified the importance of cyber security. Network security relies heavily on Intrusion Detection Systems (IDS), whose objective is to detect malicious network traffic and computer usage. IDS data can be correlated into cyber attack tracks, which consist of ordered collections of alerts triggered during a single multi-stage attack. The objective of this research is to enhance the current knowledge of attack behavior by developing a model that captures the sequential properties of attack tracks. Two sequence characterization models are discussed: Variable Length Markov Models (VLMMs), which are a type of finite-context models, and Hidden Markov Models (HMMs), which are also known as finite-state models. A VLMM is implemented based on attack sequences s = {x1, x2, ...xn} where xi 2 and is a set of possible values of one or more fields in an alert message. This work shows how the proposed model can be used to predict future attack actions (xj+1) belonging to a newly observed and unfolding attack sequence s = {x1, x2, ..., xj}. It also presents a metric that measures the variability in attack actions based on information entropy and a method for classifying attack tracks as sophisticated or simple based on average log-loss. In addition, insights into the analysis of attack target machines are discussed

Masquerade detection using Singular Value Decomposition

Information systems and networks are highly susceptible to attacks in the form of intrusions. One such attack is by the masqueraders who impersonate legitimate users. Masqueraders can be detected in anomaly based intrusion detection by identifying the abnormalities in user behavior. This user behavior is logged in log files of different types. In our research we use the score based technique of Singular Value Decomposition to address the problem of masquerade detection on a unix based system. We have data collected in the form of sequential unix commands ran by 50 users. SVD is a linear algebraic technique, which has been previously used for applications like facial recognition. We present experimental results and we analyze the effectiveness and efficiency of this SVD-based masquerade detection

From Intrusion Detection to Attacker Attribution: A Comprehensive Survey of Unsupervised Methods

Over the last five years there has been an increase in the frequency and diversity of network attacks. This holds true, as more and more organisations admit compromises on a daily basis. Many misuse and anomaly based Intrusion Detection Systems (IDSs) that rely on either signatures, supervised or statistical methods have been proposed in the literature, but their trustworthiness is debatable. Moreover, as this work uncovers, the current IDSs are based on obsolete attack classes that do not reflect the current attack trends. For these reasons, this paper provides a comprehensive overview of unsupervised and hybrid methods for intrusion detection, discussing their potential in the domain. We also present and highlight the importance of feature engineering techniques that have been proposed for intrusion detection. Furthermore, we discuss that current IDSs should evolve from simple detection to correlation and attribution. We descant how IDS data could be used to reconstruct and correlate attacks to identify attackers, with the use of advanced data analytics techniques. Finally, we argue how the present IDS attack classes can be extended to match the modern attacks and propose three new classes regarding the outgoing network communicatio

Survey of Attack Projection, Prediction, and Forecasting in Cyber Security

This paper provides a survey of prediction, and forecasting methods used in cyber security. Four main tasks are discussed first, attack projection and intention recognition, in which there is a need to predict the next move or the intentions of the attacker, intrusion prediction, in which there is a need to predict upcoming cyber attacks, and network security situation forecasting, in which we project cybersecurity situation in the whole network. Methods and approaches for addressing these tasks often share the theoretical background and are often complementary. In this survey, both methods based on discrete models, such as attack graphs, Bayesian networks, and Markov models, and continuous models, such as time series and grey models, are surveyed, compared, and contrasted. We further discuss machine learning and data mining approaches, that have gained a lot of attention recently and appears promising for such a constantly changing environment, which is cyber security. The survey also focuses on the practical usability of the methods and problems related to their evaluation

Combining security and reliability of critical infrastructures: The concept of securability

The digital revolution has made people more dependent on ICT technology to perform everyday tasks, whether at home or at work. The systems that support critical aspects of this smart way of living are characterized as critical, and the security level of such systems is higher as compared to others. The definition of the criticality of a system is a rather difficult exercise, and for that reason, we have seen novel cybersecurity regulations to introduce the idea of digital managed services, which include security monitoring, managed network services, or the outsourcing of business processes that are are critical to the functioning, reliability, and availability of Critical National Infrastructures (CNIs). Moreover, ENISA recently issued a new report that deals with supply chain attacks. Those attacks target any chain of the ecosystem of processes, people, organizations, and distributors involved in the creation and delivery of a final solution or product that can be used or incorporated into a CNI, thus further extending the scope of the security posture of a system

A machine learning approach for smart computer security audit

This thesis presents a novel application of machine learning technology to automate network security audit and penetration testing processes in particular. A model-free reinforcement learning approach is presented. It is characterized by the absence of the environmental model. The model is derived autonomously by the audit system while acting in the tested computer network. The penetration testing process is specified as a Markov decision process (MDP) without definition of reward and transition functions for every state/action pair. The presented approach includes application of traditional and modified Q-learning algorithms. A traditional Q-learning algorithm learns the action-value function stored in the table, which gives the expected utility of executing a particular action in a particular state of the penetration testing process. The modified Q-learning algorithm differs by incorporation of the state space approximator and representation of the action-value function as a linear combination of features. Two deep architectures of the approximator are presented: autoencoder joint with artificial neural network (ANN) and autoencoder joint with recurrent neural network (RNN). The autoencoder is used to derive the feature set defining audited hosts. ANN is intended to approximate the state space of the audit process based on derived features. RNN is a more advanced version of the approximator and differs by the existence of the additional loop connections from hidden to input layers of the neural network. Such architecture incorporates previously executed actions into new inputs. It gives the opportunity to audit system learn sequences of actions leading to the goal of the audit, which is defined as receiving administrator rights on the host. The model-free reinforcement learning approach based on traditional Q-learning algorithms was also applied to reveal new vulnerabilities, buffer overflow in particular. The penetration testing system showed the ability to discover a string, exploiting potential vulnerability, by learning its formation process on the go. In order to prove the concept and to test the efficiency of an approach, audit tool was developed. Presented results are intended to demonstrate the adaptivity of the approach, performance of the algorithms and deep machine learning architectures. Different sets of hyperparameters are compared graphically to test the ability of convergence to the optimal action policy. An action policy is a sequence of actions, leading to the audit goal (getting admin rights on the remote host). The testing environment is also presented. It consists of 80+ virtual machines based on a vSphere virtualization platform. This combination of hosts represents a typical corporate network with Users segment, Demilitarized zone (DMZ) and external segment (Internet). The network has typical corporate services available: web server, mail server, file server, SSH, SQL server. During the testing process, the audit system acts as an attacker from the Internet

Advanced Topics in Systems Safety and Security

This book presents valuable research results in the challenging field of systems (cyber)security. It is a reprint of the Information (MDPI, Basel) - Special Issue (SI) on Advanced Topics in Systems Safety and Security. The competitive review process of MDPI journals guarantees the quality of the presented concepts and results. The SI comprises high-quality papers focused on cutting-edge research topics in cybersecurity of computer networks and industrial control systems. The contributions presented in this book are mainly the extended versions of selected papers presented at the 7th and the 8th editions of the International Workshop on Systems Safety and Security—IWSSS. These two editions took place in Romania in 2019 and respectively in 2020. In addition to the selected papers from IWSSS, the special issue includes other valuable and relevant contributions. The papers included in this reprint discuss various subjects ranging from cyberattack or criminal activities detection, evaluation of the attacker skills, modeling of the cyber-attacks, and mobile application security evaluation. Given this diversity of topics and the scientific level of papers, we consider this book a valuable reference for researchers in the security and safety of systems