Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling

Cyber-attacks targeting individuals and enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated and prevalent on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitate the inauguration of new methods and research for better understanding the cyber kill chain, particularly with the rise of advanced and novel malware and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices. Mathematical modeling could be used to represent real-world cyber-attack situations. Such models play a beneficial role when it comes to the secure design and evaluation of systems/infrastructures by providing a better understanding of the threat itself and the attacker\u27s conduct during the lifetime of a cyber attack. Therefore, the main goal of this dissertation is to construct a proper theoretical framework to be able to model and thus evaluate the defensive strategies/technologies\u27 effectiveness from a security standpoint. To this end, we first present a Markov-based general framework to model the interactions between the two famous players of (network) security games, i.e., a system defender and an attacker taking actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objective(s) by translating attacker-defender interactions into well-defined games and providing rigorous cryptographic security guarantees for a system given both players\u27 tactics and strategies. We study various attack-defense scenarios, including Moving Target Defense (MTD) strategies, multi-stage attacks, and Advanced Persistent Threats (APT). We provide general theorems about how the probability of a successful adversary defeating a defender’s strategy is related to the amount of time (or any measure of cost) spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general game of consequences meaning that each player\u27s chances of making a progressive move in the game depend on its previous actions. Finally, we walk through a malware propagation and botnet construction game in which we investigate the importance of defense systems\u27 learning rates to fight against the self-propagating class of malware such as worms and bots. We introduce a new propagation modeling and containment strategy called the learning-based model and study the containment criterion for the propagation of the malware based on theoretical and simulation analysis

Zero day exploits and national readiness for cyber-warfare

A zero day vulnerability is an unknown exploit that divulges security flaws in software before such a flaw is publicly reported or announced. But how should a nation react to a zero day? This question is a concern for most national governments, and one that requires a systematic approach for its resolution. The securities of critical infrastructure of nations and states have been severally violated by cybercriminals. Nation-state espionage and the possible disruption and circumvention of the security of critical networks has been on the increase. Most of these violations are possible through detectable operational bypasses, which are rather ignored by security administrators. One common instance of a detectable operational bypass is the non-application of periodic security updates and upgrades from software and hardware vendors. Every software is not necessarily in its final state, and the application of periodic updates allow for the patching of vulnerable systems, making them to be secure enough to withstand an exploit. To have control over the security of critical national assets, a nation must be “cyber-ready” through the proper management of vulnerabilities and the deployment of the rightful technology in the cyberspace for hunting, detecting and preventing cyber-attacks and espionage. To this effect, this paper discusses the implications of zero day exploits and highlights the dangers posed by this cankerworm for an unprepared nation. The paper also adopts the defence-in-depth strategy for national readiness and a foolproof system that enforces the security of critical national infrastructure at all levels.Keywords: exploits, zero day, vulnerability, cyberspace, cyber-warfar

Techniques for Processing TCP/IP Flow Content in Network Switches at Gigabit Line Rates

The growth of the Internet has enabled it to become a critical component used by businesses, governments and individuals. While most of the traffic on the Internet is legitimate, a proportion of the traffic includes worms, computer viruses, network intrusions, computer espionage, security breaches and illegal behavior. This rogue traffic causes computer and network outages, reduces network throughput, and costs governments and companies billions of dollars each year. This dissertation investigates the problems associated with TCP stream processing in high-speed networks. It describes an architecture that simplifies the processing of TCP data streams in these environments and presents a hardware circuit capable of TCP stream processing on multi-gigabit networks for millions of simultaneous network connections. Live Internet traffic is analyzed using this new TCP processing circuit

The InfoSec Handbook

Computer scienc

Topology-Aware Vulnerability Mitigation Worms

In very dynamic Information and Communication Technology (ICT) infrastructures, with rapidly growing applications, malicious intrusions have become very sophisticated, effective, and fast. Industries have suffered billions of US dollars losses due only to malicious worm outbreaks. Several calls have been issued by governments and industries to the research community to propose innovative solutions that would help prevent malicious breaches, especially with enterprise networks becoming more complex, large, and volatile. In this thesis we approach self-replicating, self-propagating, and self-contained network programs (i.e. worms) as vulnerability mitigation mechanisms to eliminate threats to networks. These programs provide distinctive features, including: Short distance communication with network nodes, intermittent network node vulnerability probing, and network topology discovery. Such features become necessary, especially for networks with frequent node association and disassociation, dynamically connected links, and where hosts concurrently run multiple operating systems. We propose -- to the best of our knowledge -- the first computer worm that utilize the second layer of the OSI model (Data Link Layer) as its main propagation medium. We name our defensive worm Seawave, a controlled interactive, self-replicating, self-propagating, and self-contained vulnerability mitigation mechanism. We develop, experiment, and evaluate Seawave under different simulation environments that mimic to a large extent enterprise networks. We also propose a threat analysis model to help identify weaknesses, strengths, and threats within and towards our vulnerability mitigation mechanism, followed by a mathematical propagation model to observe Seawave's performance under large scale enterprise networks. We also preliminary propose another vulnerability mitigation worm that utilizes the Link Layer Discovery Protocol (LLDP) for its propagation, along with an evaluation of its performance. In addition, we describe a preliminary taxonomy that rediscovers the relationship between different types of self-replicating programs (i.e. viruses, worms, and botnets) and redefines these programs based on their properties. The taxonomy provides a classification that can be easily applied within the industry and the research community and paves the way for a promising research direction that would consider the defensive side of self-replicating programs

Maintenance of complex I and its supercomplexes by NDUF-11 is essential for mitochondrial structure, function and health

Mitochondrial supercomplexes form around a conserved core of monomeric complex I and dimeric complex III; wherein a subunit of the former, NDUFA11, is conspicuously situated at the interface. We identified nduf-11 (B0491.5) as encoding the Caenorhabditis elegans homologue of NDUFA11. Animals homozygous for a CRISPR-Cas9-generated knockout allele of nduf-11 arrested at the second larval (L2) development stage. Reducing (but not eliminating) expression using RNAi allowed development to adulthood, enabling characterisation of the consequences: destabilisation of complex I and its supercomplexes and perturbation of respiratory function. The loss of NADH dehydrogenase activity was compensated by enhanced complex II activity, with the potential for detrimental reactive oxygen species (ROS) production. Cryo-electron tomography highlighted aberrant morphology of cristae and widening of both cristae junctions and the intermembrane space. The requirement of NDUF-11 for balanced respiration, mitochondrial morphology and development presumably arises due to its involvement in complex I and supercomplex maintenance. This highlights the importance of respiratory complex integrity for health and the potential for its perturbation to cause mitochondrial disease. This article has an associated First Person interview with Amber Knapp-Wilson, joint first author of the paper

The InfoSec Handbook

Computer scienc