HeAT PATRL: Network-Agnostic Cyber Attack Campaign Triage With Pseudo-Active Transfer Learning
SOC (Security Operation Center) analysts have historically struggled to keep up with the growing sophistication and daily prevalence of cyber attackers. To aid in the detection of cyber threats, tools such as IDSs (Intrusion Detection Systems) are used to monitor threats on a network. A common problem with these tools, however, is that the volume of logs they generate is extreme and never stops, further increasing the chance that an adversary goes unnoticed until it is too late. Typically, the initial evidence of an attack is not an isolated event but part of a larger attack campaign comprising the prior steps the attacker took to reach their final goal. If an analyst can quickly identify each step of an attack campaign, a timely response can be made to limit the impact of the attack or of future attacks. In this work, we ask the question "Given IDS alerts, can we extract the cyber-attack kill chain for an observed threat in a form that is meaningful to the analyst?" We present HeAT-PATRL, an IDS attack campaign extractor that leverages multiple deep machine learning techniques, network-agnostic feature engineering, and the analyst's knowledge of potential threats to extract cyber-attack campaigns from IDS alert logs. HeAT-PATRL is the culmination of two works. Our first work, PATRL (Pseudo-Active Transfer Learning), translates the complex alert signature description to the Action-Intent Framework (AIF), a customized set of attack stages. PATRL pre-trains a deep language model on cyber security texts (CVEs, security blogs, etc.) and then uses transfer learning to classify alert descriptions. To further leverage the cyber context learned by the language model, we develop pseudo-active learning to self-label unknown, unlabeled alerts and use them as additional training data. We show PATRL classifying the entire Suricata signature database (~70k signatures) with a top-1 accuracy of 87% and a top-3 accuracy of 99% using fewer than 1,200 manually labeled signatures.
The second work, HeAT (Heated Alert Triage), captures the analyst's domain knowledge and opinion of how much each IDS event contributes to an attack campaign given a critical IoC (indicator of compromise). We developed network-agnostic features to characterize and generalize attack campaign contributions so that prior triages can aid in identifying attack campaigns for other attack types, new attackers, or different network infrastructures. Using cyber-attack competition data (CPTC) and data from a real SOC operation, we demonstrate that the HeAT process can identify campaigns reflective of the analyst's thinking while greatly reducing the number of actions the analyst has to assess. HeAT has the unique ability to uncover attack campaigns meaningful to the analyst across drastically different network structures while maintaining the important attack campaign relationships defined by the analyst.
Knowledge-based Decision Making for Simulating Cyber Attack Behaviors
Computer networks are becoming more complex as reliance on them increases in this era of exponential technological growth. This makes the potential gains from criminal activity on these networks extremely serious: such activity can devastate not only organizations or enterprises but also the general population. As the complexity of a network increases, so does the difficulty of protecting it, since more potential vulnerabilities are introduced. Despite best efforts, traditional defenses like Intrusion Detection Systems and penetration tests are rendered ineffective against even amateur cyber adversaries. Networks now need to be analyzed at all times to preemptively detect weaknesses, which has given rise to a new research field called Cyber Threat Analytics. However, current techniques for cyber threat analytics typically perform static analysis of network and system vulnerabilities, and few address the most variable and most critical piece of the puzzle: the attacker themselves.
This work focuses on defining a baseline framework for modeling a wide variety of cyber attack behaviors, which can be used in conjunction with a cyber attack simulator to analyze the effects of individual or multiple attackers on a network. To model a cyber attacker's behaviors with reasonable accuracy and flexibility, the model must be based on aspects of an attacker that are used in real scenarios. Real cyber attackers base their decisions on what they know and learn about the network, its vulnerabilities, and their targets. This attacker behavior model introduces knowledge-based decision making to cyber attack behavior modeling, with the goal of providing user-configurable options. The behavior model employs the Cyber Attack Kill Chain along with an ensemble of the attacker's capabilities, opportunities, intent, and preferences. The proposed knowledge-based decision making model is implemented to enable the simulation of a variety of network attack behaviors and their effects. This thesis shows a number of simulated attack scenarios to demonstrate the capabilities and limitations of the proposed model.
HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns
With the growing sophistication and volume of cyber attacks combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidence to identify multistage campaigns on their network. This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), e.g., a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event. We define the concept of "Alert Episode Heat" to represent the analyst's opinion of how much an event contributes to the attack campaign of the critical IoC, given their knowledge of the network and their security expertise. Leveraging a network-agnostic feature set, HeAT learns the essence of the analyst's assessment of "HeAT" for a small set of IoCs and applies the learned model to extract insightful attack campaigns for IoCs not seen before, even across networks, by transferring what has been learned. We demonstrate the capabilities of HeAT with data collected in the Collegiate Penetration Testing Competition (CPTC) and through collaboration with a real-world SOC. We developed HeAT-Gain metrics to demonstrate how analysts may assess and benefit from the extracted attack campaigns in comparison to common practice, where IP addresses are used to corroborate evidence. Our results demonstrate the practical use of HeAT: it finds campaigns that span diverse attack stages, removes a significant volume of irrelevant alerts, and achieves coherency with the analyst's original assessments.
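The triage idea shared by the two HeAT abstracts above (classify each IDS alert into an attack stage, score how much it contributes to the campaign of a critical IoC using only network-agnostic relations, then compare the result against plain IP-based corroboration) as a small added Python example. This is illustrative code written for this page, not HeAT's or PATRL's implementation: the stage list, the keyword table (a stand-in for the language-model classifier PATRL trains), the heat weights, the threshold and the alert log are all constructed assumptions.

```python
"""Toy alert triage around a critical IoC (constructed example, not HeAT's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered attack stages: a hypothetical, simplified stand-in for the AIF stages.
STAGES = ["recon", "exploit", "privesc", "lateral", "exfil"]

# Hypothetical signature-keyword -> stage table. PATRL learns this mapping with a
# language model; the rule table here only makes the example run offline.
STAGE_KEYWORDS = [
    ("scan", "recon"), ("probe", "recon"),
    ("exploit", "exploit"), ("webshell", "exploit"),
    ("privilege", "privesc"), ("sudo", "privesc"),
    ("smb", "lateral"), ("psexec", "lateral"),
    ("large outbound", "exfil"), ("dns tunnel", "exfil"),
]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    signature: str


def classify_stage(signature):
    """Map an IDS signature description to an attack stage (None if unknown)."""
    text = signature.lower()
    for keyword, stage in STAGE_KEYWORDS:
        if keyword in text:
            return stage
    return None


def heat(alert, ioc):
    """Toy 'alert episode heat' in [0, 1] for an alert relative to the critical IoC.

    Only network-agnostic relations are used (stage distance, time gap, whether the
    alert shares a host with the IoC), never the literal addresses, so the same
    scoring transfers to another network. The weights are hand-set assumptions;
    HeAT learns them from a small set of analyst-triaged IoCs.
    """
    stage, ioc_stage = classify_stage(alert.signature), classify_stage(ioc.signature)
    if stage is None or alert.ts > ioc.ts:
        return 0.0                      # unknown stage, or it happened after the IoC
    gap = STAGES.index(ioc_stage) - STAGES.index(stage)
    if gap < 0:
        return 0.0                      # a later stage cannot have led up to the IoC
    stage_score = 1.0 - 0.1 * gap       # earlier stages still count, slightly less
    hours_before = (ioc.ts - alert.ts).total_seconds() / 3600
    time_score = max(0.0, 1.0 - hours_before / 24)   # linear decay over one day
    link_score = 1.0 if {alert.src, alert.dst} & {ioc.src, ioc.dst} else 0.0
    return round(0.4 * stage_score + 0.3 * time_score + 0.3 * link_score, 3)


def extract_campaign(alerts, ioc, threshold=0.5):
    """Return (alert, heat) pairs hot enough to belong to the IoC's campaign, oldest first."""
    scored = [(a, heat(a, ioc)) for a in alerts]
    return sorted([(a, h) for a, h in scored if h >= threshold], key=lambda p: p[0].ts)


def ip_corroboration(alerts, ioc):
    """Baseline practice: keep every alert that shares an IP address with the IoC."""
    hosts = {ioc.src, ioc.dst}
    return [a for a in alerts if {a.src, a.dst} & hosts]


# Constructed alert log (timestamps relative to the IoC; documentation/private addresses).
T0 = datetime(2024, 3, 1, 12, 0)
IOC = Alert(T0, "10.0.0.50", "203.0.113.9", "MALWARE large outbound transfer to rare host")
ALERTS = [
    Alert(T0 - timedelta(hours=20), "198.51.100.7", "10.0.0.50", "SCAN Nmap probe"),
    Alert(T0 - timedelta(hours=18), "198.51.100.7", "10.0.0.50", "EXPLOIT webshell upload attempt"),
    Alert(T0 - timedelta(hours=8), "198.51.100.7", "10.0.0.77", "SCAN Nmap probe"),            # unrelated host
    Alert(T0 - timedelta(hours=6), "10.0.0.50", "10.0.0.50", "POLICY sudo privilege escalation attempt"),
    Alert(T0 - timedelta(hours=4), "10.0.0.50", "10.0.0.51", "LATERAL SMB psexec service created"),
    Alert(T0 - timedelta(hours=2), "10.0.0.50", "10.0.0.60", "INFO generic TLS handshake"),    # no stage
    Alert(T0 + timedelta(hours=2), "198.51.100.99", "10.0.0.50", "SCAN Nmap probe"),           # after the IoC
]


def campaign_stages(alerts=ALERTS, ioc=IOC):
    """Stage sequence of the extracted campaign for the constructed log."""
    return [classify_stage(a.signature) for a, _ in extract_campaign(alerts, ioc)]


def alerts_removed(alerts=ALERTS, ioc=IOC):
    """How many alerts the IP baseline hands the analyst that heat-based triage drops."""
    return len(ip_corroboration(alerts, ioc)) - len(extract_campaign(alerts, ioc))


if __name__ == "__main__":
    for alert, h in extract_campaign(ALERTS, IOC):
        print(f"{alert.ts:%H:%M} {classify_stage(alert.signature):8} heat={h:.3f} {alert.signature}")
    print("IP-corroboration candidates:", len(ip_corroboration(ALERTS, IOC)),
          "| campaign alerts:", len(extract_campaign(ALERTS, IOC)))
```

On the constructed log the heat-based campaign comes out as recon, exploit, privesc and lateral movement leading up to the exfiltration IoC, while the IP-corroboration baseline also hands the analyst the stage-less TLS alert and the scan that arrived after the IoC, and misses nothing the heat approach keeps. The difference between the two candidate counts is the kind of reduction a HeAT-Gain style metric would measure; note that the unrelated scan of 10.0.0.77 scores below threshold purely from its relations to the IoC, without any per-address rule.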
Evolving Code with A Large Language Model
Algorithms that use Large Language Models (LLMs) to evolve code arrived on the Genetic Programming (GP) scene very recently. We present LLM GP, a formalized LLM-based evolutionary algorithm designed to evolve code. Like GP, it uses evolutionary operators, but its designs and implementations of those operators differ radically from GP's because they enlist an LLM, using prompting and the LLM's pre-trained pattern matching and sequence completion capability. We also present a demonstration-level variant of LLM GP and share its code. By addressing algorithms that range from the formal to the hands-on, we cover design and LLM-usage considerations as well as the scientific challenges that arise when using an LLM for genetic programming.
Comment: 34 pages, 9 figures, 6 tables
Eastern European Young People in Brexit Britain : Racism, Anxiety and a Precarious Future [Research and Policy Briefing No.1]
Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what are their feelings of identity and belonging in the UK. The study is important because it presents the first analysis since the Brexit Referendum on how current plans for Britain to leave the European Union are impacting on young Eastern Europeans' lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, well-being and plans for the future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences on the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences.
ILLiad and Resource Sharing in the University System of Maryland and Affiliated Institutions Consortium of Libraries
A presentation at the OCLC ILLiad International Conference, Dublin, OH, USA, March 16, 2006. The mission of the USMAI (University System of Maryland and Affiliated Institutions) consortium is to support effective access to library resources by providing and promoting a range of resource sharing services which support the objectives and maximize the resources of the individual libraries of the member institutions. The consortium has a long-established service through which patrons can request that books be sent from one campus to another via a patron-placed hold function, most recently within the Aleph OPAC. Beginning in 2004 the consortium's Council of Library Directors (CLD) established a Resource Sharing Task Group (RSTG) to "address issues relating to USMAI resource sharing activities, including patron placed holds, direct borrowing, ILL, and delivery systems." This group was established particularly to ensure the continuity of ILL services as Passport and the ILL Microenhancer were "sunsetted." As part of its charge the RSTG undertook an analysis of applications available to enhance member ILL services, and also to enhance article delivery between consortium members. At the time of the analysis, the consortium had 6 separate live or planned ILLiad implementations. In 2005 the RSTG recommended to the CLD that ILLiad be implemented consortium-wide during the fall of 2005. A panel of USMAI librarians and staff will present our vision for resource sharing, how the combination of ILLiad, Odyssey and Aleph is being used to request materials between our campuses, the various approaches to authentication used across the consortium, and how support is provided for a consortium in which 7 members have separate ILLiad installations and the remainder are supported from a newer central site.
Eastern European Young People's Use of Services in the UK
Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what are their feelings of identity and belonging in the UK. The study is important because it presents the first analysis since the Brexit Referendum on how current plans for Britain to leave the European Union are impacting on young Eastern Europeans' lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, well-being and plans for the future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences on the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences.
Eastern European Young People's Political and Community Engagement in the UK
Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what are their feelings of identity and belonging in the UK. The study is important because it presents the first analysis since the Brexit Referendum on how current plans for Britain to leave the European Union are impacting on young Eastern Europeans' lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, well-being and plans for the future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences on the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences.