HeAT PATRL: Network-Agnostic Cyber Attack Campaign Triage With Pseudo-Active Transfer Learning

SOC (Security Operation Center) analysts historically struggled to keep up with the growing sophistication and daily prevalence of cyber attackers. To aid in the detection of cyber threats, many tools like IDS’s (Intrusion Detection Systems) are utilized to monitor cyber threats on a network. However, a common problem with these tools is the volume of the logs generated is extreme and does not stop, further increasing the chance for an adversary to go unnoticed until it’s too late. Typically, the initial evidence of an attack is not an isolated event but a part of a larger attack campaign describing prior events that the attacker took to reach their final goal. If an analyst can quickly identify each step of an attack campaign, a timely response can be made to limit the impact of the attack or future attacks. In this work, we ask the question “Given IDS alerts, can we extract out the cyber-attack kill chain for an observed threat that is meaningful to the analyst?” We present HeAT-PATRL, an IDS attack campaign extractor that leverages multiple deep machine learning techniques, network-agnostic feature engineering, and the analyst’s knowledge of potential threats to extract out cyber-attack campaigns from IDS alert logs. HeAT-PATRL is the culmination of two works. Our first work “PATRL” (Pseudo-Active Transfer Learning), translates the complex alert signature description to the Action-Intent Framework (AIF), a customized set of attack stages. PATRL employs a deep language model with cyber security texts (CVE’s, C-Sec Blogs, etc.) and then uses transfer learning to classify alert descriptions. To further leverage the cyber-context learned in the language model, we develop Pseudo-Active learning to self-label unknown unlabeled alerts to use as additional training data. We show PATRL classifying the entire Suricata database (~70k signatures) with a top-1 of 87\% and top-3 of 99\% with less than 1,200 manually labeled signatures. The final work, HeAT (Heated Alert Triage), captures the analyst’s domain knowledge and opinion of the contribution of IDS events to an attack campaign given a critical IoC (indicator of compromise). We developed network-agnostic features to characterize and generalize attack campaign contributions so that prior triages can aid in identifying attack campaigns for other attack types, new attackers, or network infrastructures. With the use of cyber-attack competition data (CPTC) and data from a real SOC operation, we demonstrate that the HeAT process can identify campaigns reflective of the analysts thinking while greatly reducing the number of actions to be assessed by the analyst. HeAT has the unique ability to uncover attack campaigns meaningful to the analyst across drastically different network structures while maintaining the important attack campaign relationships defined by the analyst

Knowledge-based Decision Making for Simulating Cyber Attack Behaviors

Computer networks are becoming more complex as the reliance on these network increases in this era of exponential technological growth. This makes the potential gains for criminal activity on these networks extremely serious and can not only devastate organizations or enterprises but also the general population. As complexity of the network increases so does the difficulty to protect the networks as more potential vulnerabilities are introduced. Despite best efforts, traditional defenses like Intrusion Detection Systems and penetration tests are rendered ineffective to even amateur cyber adversaries. Networks now need to be analyzed at all times to preemptively detect weaknesses which harbored a new research field called Cyber Threat Analytics. However, current techniques for cyber threat analytics typically perform static analysis on the network and system vulnerabilities but few address the most variable and most critical piece of the puzzle -- the attacker themselves. This work focuses on defining a baseline framework for modeling a wide variety of cyber attack behaviors which can be used in conjunction with a cyber attack simulator to analyze the effects of individual or multiple attackers on a network. To model a cyber attacker\u27s behaviors with reasonable accuracy and flexibility, the model must be based on aspects of an attacker that are used in real scenarios. Real cyber attackers base their decisions on what they know and learn about the network, vulnerabilities, and targets. This attacker behavior model introduces the aspect of knowledge-based decision making to cyber attack behavior modeling with the goal of providing user configurable options. This behavior model employs Cyber Attack Kill Chain along with an ensemble of the attacker capabilities, opportunities, intent, and preferences. The proposed knowledge-based decision making model is implemented to enable the simulation of a variety of network attack behaviors and their effects. This thesis will show a number of simulated attack scenarios to demonstrate the capabilities and limitations of the proposed model

HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns

With growing sophistication and volume of cyber attacks combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidences to identify multistage campaigns on their network. This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), e.g., a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event. We define the concept of "Alert Episode Heat" to represent the analysts opinion of how much an event contributes to the attack campaign of the critical IoC given their knowledge of the network and security expertise. Leveraging a network-agnostic feature set, HeAT learns the essence of analyst's assessment of "HeAT" for a small set of IoC's, and applies the learned model to extract insightful attack campaigns for IoC's not seen before, even across networks by transferring what have been learned. We demonstrate the capabilities of HeAT with data collected in Collegiate Penetration Testing Competition (CPTC) and through collaboration with a real-world SOC. We developed HeAT-Gain metrics to demonstrate how analysts may assess and benefit from the extracted attack campaigns in comparison to common practices where IP addresses are used to corroborate evidences. Our results demonstrates the practical uses of HeAT by finding campaigns that span across diverse attack stages, remove a significant volume of irrelevant alerts, and achieve coherency to the analyst's original assessments

Eastern European Young People in Brexit Britain : Racism, Anxiety and a Precarious Future [Research and Policy Briefing No.1]

Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what are their feelings of identity and belonging in the UK. The study is important because it presents the first analysis since the Brexit Referendum on how current plans for Britain to leave the European Union are impacting on young Eastern Europeans’ lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, well-being and plans for future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences on the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences

Eastern European Young People's Political and Community Engagement in the UK

Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what are their feelings of identity and belonging in the UK. The study is important because it presents the first analysis since the Brexit Referendum on how current plans for Britain to leave the European Union are impacting on young Eastern Europeans’ lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, well-being and plans for future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences on the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences

SoK: Contemporary Issues and Challenges to Enable Cyber Situational Awareness for Network Security

Cyber situational awareness is an essential part of cyber defense that allows the cybersecurity operators to cope with the complexity of today's networks and threat landscape. Perceiving and comprehending the situation allow the operator to project upcoming events and make strategic decisions. In this paper, we recapitulate the fundamentals of cyber situational awareness and highlight its unique characteristics in comparison to generic situational awareness known from other fields. Subsequently, we provide an overview of existing research and trends in publishing on the topic, introduce front research groups, and highlight the impact of cyber situational awareness research. Further, we propose an updated taxonomy and enumeration of the components used for achieving cyber situational awareness. The updated taxonomy conforms to the widely-accepted three-level definition of cyber situational awareness and newly includes the projection level. Finally, we identify and discuss contemporary research and operational challenges, such as the need to cope with rising volume, velocity, and variety of cybersecurity data and the need to provide cybersecurity operators with the right data at the right time and increase their value through visualization