Applications of Machine Learning to Threat Intelligence, Intrusion Detection and Malware
Artificial Intelligence (AI) and Machine Learning (ML) are emerging technologies with applications to many fields. This paper is a survey of use cases of ML for threat intelligence, intrusion detection, and malware analysis and detection. Threat intelligence, especially attack attribution, can benefit from the use of ML classification. False positives from rule-based intrusion detection systems can be reduced with the use of ML models. Malware analysis and classification can be made easier by developing ML frameworks to distill similarities between the malicious programs. Adversarial machine learning will also be discussed, because while ML can be used to solve problems or reduce analyst workload, it also introduces new attack surfaces.
MITRE ATT&CK-driven cyber risk assessment
Assessing the risk posed by Advanced Persistent Threats (APTs) is challenging without understanding the methods and tactics adversaries use to attack an organisation. MITRE ATT&CK provides information on the motivation, capabilities, interests and tactics, techniques and procedures (TTPs) used by threat actors. In this paper, we leverage these characteristics of threat actors to support informed cyber risk characterisation and assessment. In particular, we utilise the MITRE repository of known adversarial TTPs along with attack graphs to determine the attack probability as well as the likelihood of success of an attack. We further identify attack paths with the highest likelihood of success considering the techniques and procedures of a threat actor. The assessment is supported by a case study of a health care organisation to identify the level of risk against two adversary groups: Lazarus and menuPass.
Improving the coastal hazard management in Indonesia: Lesson learned from other countries
The management of coastal development in hazard areas has become a serious issue due to the increasing trend for people to live at the coast, including in Indonesia. Unfortunately, coastal hazards often go unaddressed until they happen and bring severe damage to coastal areas. The objectives of this study are to assess and review the quality of the coastal hazard mitigation and management plans that have been implemented in several countries. On that basis, appropriate advance setbacks, based on the need to avoid or reduce risk and on acceptance of the uncertainties, can be established and translated into planning systems and management actions in a pragmatic and effective way. A further objective is to be able to transfer knowledge, technologies and expertise, and to share research findings, lessons learned and best practices, so as to enhance the capability to arrange optimal coastal hazard management. Such successful experience and knowledge about hazard mitigation actions should be shared while taking the local conditions in Indonesia into consideration. Community preparations, such as education and awareness when planning for coastal protection and development, are also very important and must be considered carefully.
Implication of FORCEnet on coalition forces
The coalition navies of Australia, Canada, New Zealand, the United Kingdom and the United States (AUSCANNZUKUS) are in a period of transformation. They are stepping out of the Industrial Age of warfare and into the Information Age of warfare. Network Centric Warfare (NCW) is the emerging theory to accomplish this undertaking. NCW describes "the combination of strategies, emerging tactics, techniques, and procedures, and organizations that a fully or even partially networked force can employ to create a decisive war fighting advantage." This theory is turned into a concept through Network Centric Operations (NCO) and implemented through the FORCEnet operational construct and architectural framework. The coalition navies are moving in a direction to develop and leverage information more effectively and efficiently. This will lead to an informational advantage that can be used as a combat multiplier to shape and control the environment, so as to dissuade, deter, and decisively defeat any enemy. This analysis consisted of defining three TTCP AG-6 provided vignettes in an ARENA model that captured Coalition ESG configurations at various FORCEnet levels. The results of the analysis demonstrated that enhanced FORCEnet capabilities such as FORCEnet Levels 2 and 4 would satisfy the capability gap for a needed network-centric ESG force that can effectively counter insurgency operations in maritime warfare. Furthermore, the participating allied navies in the Coalition ESG should pursue acquisition strategies to upgrade their ship platforms in accordance with our recommendation, which indicates that FORCEnet Level 2 is the best value.
http://archive.org/details/implicationoffor109456926N
Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments
Decentralized systems are a subset of distributed systems where multiple
authorities control different components and no authority is fully trusted by
all. This implies that any component in a decentralized system is potentially
adversarial. We revise fifteen years of research on decentralization and
privacy, and provide an overview of key systems, as well as key insights for
designers of future systems. We show that decentralized designs can enhance
privacy, integrity, and availability but also require careful trade-offs in
terms of system complexity, properties provided, and degree of
decentralization. These trade-offs need to be understood and navigated by
designers. We argue that a combination of insights from cryptography,
distributed systems, and mechanism design, aligned with the development of
adequate incentives, are necessary to build scalable and successful
privacy-preserving decentralized systems
Knowledge visualizations: a tool to achieve optimized operational decision making and data integration
The overabundance of data created by modern information systems (IS) has led to a breakdown in cognitive decision-making. Without authoritative source data, commanders' decision-making processes are hindered as they attempt to paint an accurate shared operational picture (SOP). Further impeding the decision-making process is the lack of proper interface interaction to provide a visualization that aids in the extraction of the most relevant and accurate data. Utilizing the DSS to present visualizations based on OLAP cube integrated data allows decision-makers to rapidly glean information and build their situation awareness (SA). This yields a competitive advantage to the organization while in garrison or in combat. Additionally, OLAP cube data integration enables analysis to be performed on an organization's data flows. This analysis is used to identify the critical path of data throughout the organization. Linking a decision-maker to the authoritative data along this critical path eliminates the many decision layers in a hierarchical command structure that can introduce latency or error into the decision-making process. Furthermore, the organization has an integrated SOP from which to rapidly build SA and make effective and efficient decisions.
http://archive.org/details/knowledgevisuali1094545877
Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents
The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRTs). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats and provides relevant information about alerts to the analysts. This information could be used to generate CTI reports that help others better protect themselves from similar attacks. Because manually creating high-level CTI reports for multi-host incidents is demanding work, automating this process has become increasingly important. In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, as well as manual analysis and validation of the reports created. The proposed approach is evaluated by comparing generated reports with existing CTI and validating any additional TTPs found. The evaluation shows that the approach was not only able to match existing reports, but also able to improve the knowledge about these threats.
Cybersecurity Risk in U.S. Critical Infrastructure: An Analysis of Publicly Available U.S. Government Alerts and Advisories
As threat actor operations become increasingly sophisticated and emphasize the targeting of critical infrastructure and services, the need for cybersecurity information sharing will continue to grow. Escalating demand for cyber threat intelligence and information sharing across the cybersecurity community has resulted in the need to better understand the information produced by reputable sources such as U.S. CISA Alerts and ICS-CERT advisories. The text analysis program Profiler Plus is used to extract information from 1,574 U.S. government alerts and advisories to develop visualizations and generate enhanced insights into different cyber threat actor types, the tactics which can be used for cyber operations, and the sectors of critical infrastructure at risk of an attack. The findings of this study enhance cyber threat intelligence activities by enabling an understanding of the trends in public information sharing, as well as by identifying gaps in open-source reporting on cyber threat information.