11 research outputs found

    Predictive Methods in Cyber Defense: Current Experience and Research Challenges

    Predictive analysis allows next-generation cyber defense that is more proactive than current approaches based on intrusion detection. In this paper, we discuss various aspects of predictive methods in cyber defense and illustrate them on three examples of recent approaches. The first approach uses data mining to extract frequent attack scenarios and uses them to project ongoing cyberattacks. The second approach uses a dynamic network entity reputation score to predict malicious actors. The third approach uses time series analysis to forecast attack rates in the network. This paper presents a unique evaluation of the three distinct methods in a common environment of an intrusion detection alert sharing platform, which allows for a comparison of the approaches and illustrates the capabilities of predictive analysis for current and future research and cybersecurity operations. Our experiments show that all three methods achieved a sufficient technology readiness level for experimental deployment in an operational setting with promising accuracy and usability. Namely, prediction and projection methods, despite their differences, are highly usable for predictive blacklisting; the first provides a more detailed output, and the second is more extensible. Network security situation forecasting is lightweight and displays very high accuracy, but does not provide details on predicted events.

    Analysis of the Infection and the Injection Phases of the Telnet Botnets

    As the number of Internet of Things devices increases, so does the number of vulnerable devices connected to the Internet. These devices can become part of botnets and cause damage to the Internet infrastructure. In this paper we study telnet botnets and their behaviour in the first two stages of their lifecycle - initial infection and secondary infection. The main objective of this paper is to determine specific attributes of their behavior during these stages and design a model for profiling threat agents into telnet botnet groups. We implemented a telnet honeynet and analyzed the collected data. Also, we applied clustering methods for security incident profiling. We consider K-modes and PAM clustering algorithms. We found out that the number of sessions and credential guessing are easily collected and usable attributes for threat agent profiling.

    Honeypots and honeynets: issues of privacy

    Honeypots and honeynets are popular tools in the area of network security and network forensics. The deployment and usage of these tools are influenced by a number of technical and legal issues, which need to be carefully considered. In this paper, we outline the privacy issues of honeypots and honeynets with respect to their technical aspects. The paper discusses the legal framework of privacy and the legal grounds for data processing. We also discuss the IP address, because under EU law it is considered personal data. The analysis of legal issues is based on EU law and is supported by discussions on privacy and related issues.

    Lessons Learned from Honeypots - Statistical Analysis of Logins and Passwords

    Part 3: Security and Privacy Issues
    Honeypots are unconventional tools to study the methods, tools and goals of attackers. In addition to IP addresses, timestamps and counts of attacks, these tools collect combinations of login and password. Therefore, analysis of data collected by honeypots can bring a different view of logins and passwords. In this paper, advanced statistical methods and correlations with spatially-oriented data were applied to find out more detailed information about the logins and passwords. We also used the Chi-square test of independence to study the difference between login and password. In addition, we study the agreement of the structure of password and login using kappa statistics.

    Evaluation of Attackers’ Skill Levels in Multi-Stage Attacks

    The rapid move to digitalization and usage of online information systems brings new and evolving threats that organizations must protect themselves from and respond to. Monitoring an organization’s network for malicious activity has become a standard practice together with event and log collection from network hosts. Security operation centers deal with a growing number of alerts raised by intrusion detection systems that process the collected data and monitor networks. The alerts must be processed so that the relevant stakeholders can make informed decisions when responding to situations. Correlation of alerts into more expressive intrusion scenarios is an important tool in reducing false-positive and noisy alerts. In this paper, we propose correlation rules for identifying multi-stage attacks. Another contribution of this paper is a methodology for inferring from an alert the values needed to evaluate the attack in terms of the attacker’s skill level. We present our results on the CSE-CIC-IDS2018 data set.

    Early-Stage Detection of Cyber Attacks

    Nowadays, systems around the world face many cyber attacks every day. These attacks consist of numerous steps that may occur over an extended period of time. We can learn from them and use this knowledge to create tools to predict and prevent the attacks. In this paper, we introduce a way to sort cyber attacks into stages, which can help with the detection of each stage of a cyber attack. In this way, we can detect the earlier stages of the attack. We propose a solution using Bayesian network algorithms to predict how the attacks proceed. We can use this information for more effective defense against cyber threats.

    Network Intrusion Detection with Threat Agent Profiling

    With the increase in usage of computer systems and computer networks, the problem of intrusion detection in network security has become an important issue. In this paper, we discuss approaches that simplify a network administrator’s work. We applied clustering methods for security incident profiling. We consider K-means, PAM, and CLARA clustering algorithms. For this purpose, we used data collected in the Warden system from various security tools. We do not aim to differentiate between normal and abnormal network traffic, but we focus on grouping similar threat agents based on attributes of security events. We suggest a case of fine classification and a case of coarse classification and discuss the advantages of both cases.

    Recent Advances in ASIC Development for Enhanced Performance M-Sequence UWB Systems

    Short-range ultra-wideband (UWB) radar sensors belong to the very promising sensing techniques that have received vast attention recently. The M-sequence UWB sensing techniques for radio detection and ranging feature several advantages over other short-range radars, inter alia superior integration capabilities. The prerequisite to investigate their capabilities in real scenarios is the existence of physically available hardware, i.e., particular functional system blocks. In this paper, we present three novel blocks of M-sequence UWB radars exploiting application-specific integrated circuit (ASIC) technology. These are the integrated 15th-order M-sequence radar transceiver on one chip, an experimental active Electronic Communication Committee (ECC) bandpass filter, and a miniature transmitting UWB antenna with an integrated amplifier. All of these are custom designs intended for the enhancement of the capabilities of an M-sequence-based system family for new UWB short-range sensing applications. The design approaches and the verification of the manufactured prototypes by measurements of the realized circuits are presented in this paper. The fine balance of technology capabilities (Fc of roughly 120 GHz) and the thoughtful design process of the proposed blocks is the first step toward remarkably miniaturized devices, e.g., as System on Chip designs, which apparently allow broadening the range of new applications.

    A Functional Assay for the Determination of Heparin-Induced Thrombocytopenia via Flow Cytometry

    Heparin-induced thrombocytopenia (HIT) is a life-threatening complication of heparin therapy (both unfractionated heparin and low-molecular-weight heparin). In our study, we examined a group of 122 patients with suspected HIT. The samples of all patients were analyzed in the first step using an immunoassay (ID-PaGIA Heparin/PF4, Hemos1L-Acustar HIT IgG, ZYMUTEST HIA Monostrip IgG) to detect the presence of antibodies against heparin–PF4 complexes (platelet factor 4). When the immunoassay was positive, the sample was subsequently analyzed for HIT with a functional flow cytometry assay, the HITAlert kit, the purpose of which was to demonstrate the ability of the antibodies present to activate platelets. A diagnosis of HIT can be made only after a positive functional test result. In this article, we present an overview of our practical experience with the use of the new functional method of HIT analysis with flow cytometry. In this work, we compared the mutual sensitivity of two functional tests, SRA and the flow cytometry HITAlert kit, in patients perceived as being at risk for HIT. This work aims to delineate the principle, procedure, advantages, pitfalls, and possibilities of the application of the functional test HITAlert using flow cytometry.