49 research outputs found

    HeAT PATRL: Network-Agnostic Cyber Attack Campaign Triage With Pseudo-Active Transfer Learning

    SOC (Security Operations Center) analysts have historically struggled to keep up with the growing sophistication and daily prevalence of cyber attackers. To aid in the detection of cyber threats, many tools such as IDSs (Intrusion Detection Systems) are used to monitor threats on a network. A common problem with these tools, however, is that the volume of logs generated is extreme and never stops, further increasing the chance that an adversary goes unnoticed until it is too late. Typically, the initial evidence of an attack is not an isolated event but part of a larger attack campaign describing the prior steps the attacker took to reach their final goal. If an analyst can quickly identify each step of an attack campaign, a timely response can be made to limit the impact of the attack or of future attacks. In this work, we ask the question "Given IDS alerts, can we extract the cyber-attack kill chain for an observed threat in a form that is meaningful to the analyst?" We present HeAT-PATRL, an IDS attack campaign extractor that leverages multiple deep machine learning techniques, network-agnostic feature engineering, and the analyst's knowledge of potential threats to extract cyber-attack campaigns from IDS alert logs. HeAT-PATRL is the culmination of two works. Our first work, PATRL (Pseudo-Active Transfer Learning), translates complex alert signature descriptions to the Action-Intent Framework (AIF), a customized set of attack stages. PATRL pre-trains a deep language model on cyber security texts (CVEs, security blogs, etc.) and then uses transfer learning to classify alert descriptions. To further leverage the cyber context learned by the language model, we develop Pseudo-Active learning to self-label unknown, unlabeled alerts for use as additional training data. We show PATRL classifying the entire Suricata database (~70k signatures) with a top-1 accuracy of 87% and a top-3 accuracy of 99% using fewer than 1,200 manually labeled signatures.
The final work, HeAT (Heated Alert Triage), captures the analyst's domain knowledge and opinion of how much each IDS event contributes to an attack campaign given a critical IoC (indicator of compromise). We developed network-agnostic features to characterize and generalize attack campaign contributions so that prior triages can aid in identifying attack campaigns for other attack types, new attackers, or different network infrastructures. Using cyber-attack competition data (CPTC) and data from a real SOC operation, we demonstrate that the HeAT process can identify campaigns reflective of the analyst's thinking while greatly reducing the number of actions the analyst must assess. HeAT has the unique ability to uncover attack campaigns meaningful to the analyst across drastically different network structures while maintaining the important attack campaign relationships defined by the analyst.

    Knowledge-based Decision Making for Simulating Cyber Attack Behaviors

    Computer networks are becoming more complex as reliance on these networks increases in this era of exponential technological growth. This makes the potential gains from criminal activity on these networks extremely serious, with consequences that can devastate not only organizations or enterprises but also the general population. As the complexity of a network increases, so does the difficulty of protecting it, since more potential vulnerabilities are introduced. Despite best efforts, traditional defenses like Intrusion Detection Systems and penetration tests are rendered ineffective against even amateur cyber adversaries. Networks now need to be analyzed at all times to preemptively detect weaknesses, which has given rise to a new research field called Cyber Threat Analytics. However, current techniques for cyber threat analytics typically perform static analysis of network and system vulnerabilities, and few address the most variable and most critical piece of the puzzle: the attackers themselves. This work focuses on defining a baseline framework for modeling a wide variety of cyber attack behaviors, which can be used in conjunction with a cyber attack simulator to analyze the effects of individual or multiple attackers on a network. To model a cyber attacker's behaviors with reasonable accuracy and flexibility, the model must be based on aspects of an attacker that are used in real scenarios. Real cyber attackers base their decisions on what they know and learn about the network, its vulnerabilities, and their targets. This attacker behavior model introduces knowledge-based decision making to cyber attack behavior modeling, with the goal of providing user-configurable options. The behavior model employs the Cyber Attack Kill Chain along with an ensemble of the attacker's capabilities, opportunities, intent, and preferences. The proposed knowledge-based decision making model is implemented to enable the simulation of a variety of network attack behaviors and their effects.
This thesis presents a number of simulated attack scenarios to demonstrate the capabilities and limitations of the proposed model.

    HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns

    With the growing sophistication and volume of cyber attacks, combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidence and identify multistage campaigns on their networks. This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), e.g., a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event. We define the concept of "Alert Episode Heat" to represent the analyst's opinion of how much an event contributes to the attack campaign of the critical IoC, given their knowledge of the network and their security expertise. Leveraging a network-agnostic feature set, HeAT learns the essence of an analyst's assessment of "HeAT" for a small set of IoCs, and applies the learned model to extract insightful attack campaigns for IoCs not seen before, even across networks, by transferring what has been learned. We demonstrate the capabilities of HeAT with data collected in the Collegiate Penetration Testing Competition (CPTC) and through collaboration with a real-world SOC. We developed HeAT-Gain metrics to show how analysts may assess and benefit from the extracted attack campaigns in comparison to the common practice of using IP addresses to corroborate evidence. Our results demonstrate the practical uses of HeAT: it finds campaigns that span diverse attack stages, removes a significant volume of irrelevant alerts, and achieves coherency with the analyst's original assessments.

    Evolving Code with A Large Language Model

    Algorithms that use Large Language Models (LLMs) to evolve code arrived on the Genetic Programming (GP) scene very recently. We present LLM GP, a formalized LLM-based evolutionary algorithm designed to evolve code. Like GP, it uses evolutionary operators, but its designs and implementations of those operators differ radically from GP's because they enlist an LLM, using prompting and the LLM's pre-trained pattern matching and sequence completion capability. We also present a demonstration-level variant of LLM GP and share its code. By addressing algorithms that range from the formal to the hands-on, we cover design and LLM-usage considerations as well as the scientific challenges that arise when using an LLM for genetic programming.
    Comment: 34 pages, 9 figures, 6 tables

    Eastern European Young People in Brexit Britain : Racism, Anxiety and a Precarious Future [Research and Policy Briefing No.1]

    Here to Stay? is a research project which explores the lives of young people who arrived in the UK as migrant children from Central and Eastern Europe (CEE). It focuses on young people aged 12-18 who migrated after the EU enlargement in 2004 and have lived in the UK for at least 3 years. The project explores how migration and current immigration policies are impacting their lives, how satisfied they are with local services, the quality of their relationships, and what their feelings of identity and belonging in the UK are. The study is important because it presents the first analysis since the Brexit Referendum of how current plans for Britain to leave the European Union are impacting young Eastern Europeans' lives. We have gathered the opinions and experiences of over 1,100 young people on a range of issues, including Brexit, their participation in communities and access to services, their experiences of racism and exclusion, their relationships, their well-being, and their plans for the future now that the UK is planning to leave the EU. These Briefings aim to inform a wide range of audiences about the experiences of young Eastern Europeans living in contemporary Britain. The Briefings should also help local authorities and other organisations develop policies and improve services for young people, taking into account their needs and experiences.

    ILLiad and Resource Sharing in the University System of Maryland and Affiliated Institutions Consortium of Libraries

    A presentation at the OCLC ILLiad International Conference, Dublin, OH, USA, March 16, 2006.
    The mission of the USMAI (University System of Maryland and Affiliated Institutions) consortium is to support effective access to library resources by providing and promoting a range of resource sharing services which support the objectives and maximize the resources of the individual libraries of the member institutions. The consortium has a long-established service through which patrons can request that books be sent from one campus to another via a patron-placed hold function, most recently within the Aleph OPAC. Beginning in 2004 the consortium's Council of Library Directors (CLD) established a Resource Sharing Task Group (RSTG) to "address issues relating to USMAI resource sharing activities, including patron placed holds, direct borrowing, ILL, and delivery systems." This group was established particularly to ensure the continuity of ILL services as Passport and the ILL Microenhancer were 'sunsetted.' As part of its charge the RSTG undertook an analysis of applications available to enhance member ILL services, and also to enhance article delivery between consortium members. At the time of the analysis, the consortium had 6 separate live or planned ILLiad implementations. In 2005 the RSTG recommended to the CLD that ILLiad be implemented consortium-wide during the fall of 2005. A panel of USMAI librarians and staff will present our vision for resource sharing, how the combination of ILLiad, Odyssey and Aleph is being used to request materials between our campuses, the various approaches to authentication used across the consortium, and how support is provided for a consortium in which 7 members have separate ILLiad installations and the remainder are supported from a newer central site.

    Eastern European Young People's Use of Services in the UK


    Eastern European Young People's Political and Community Engagement in the UK
