131 research outputs found
Emergent Behavior in Cybersecurity
We argue that emergent behavior is inherent to cybersecurity.
Comment: 2 pages, HotSoS'2014 (2014 Symposium and Bootcamp on the Science of Security
A Characterization of Cybersecurity Posture from Network Telescope Data
Data-driven understanding of cybersecurity posture is an important problem
that has not been adequately explored. In this paper, we analyze some real data
collected by CAIDA's network telescope during the month of March 2013. We
propose to formalize the concept of cybersecurity posture from the perspectives
of three kinds of time series: the number of victims (i.e., telescope IP
addresses that are attacked), the number of attackers that are observed by the
telescope, and the number of attacks that are observed by the telescope.
Characterizing cybersecurity posture therefore becomes investigating the
phenomena and statistical properties exhibited by these time series, and
explaining their cybersecurity meanings. For example, we propose the concept of
sweep-time, and show that sweep-time should be modeled by a stochastic
process rather than by a random variable. We report that the number of attackers
(and attacks) from a certain country dominates the total number of attackers
(and attacks) that are observed by the telescope. We also show that
substantially smaller network telescopes might not be as useful as a large
telescope
A Stochastic Model of Active Cyber Defense Dynamics
The concept of active cyber defense has been proposed for years. However,
there are no mathematical models for characterizing the effectiveness of active
cyber defense. In this paper, we fill the void by proposing a novel Markov
process model that is native to the interaction between cyber attack and active
cyber defense. Unfortunately, the native Markov process model cannot be tackled
by the techniques we are aware of. We therefore simplify, via mean-field
approximation, the Markov process model as a Dynamic System model that is
amenable to analysis. This allows us to derive a set of valuable analytical
results that characterize the effectiveness of four types of active cyber
defense dynamics. Simulations show that the analytical results are inherent to
the native Markov process model, and therefore justify the validity of the
Dynamic System model. We also discuss the side-effect of the mean-field
approximation and its implications
Characterizing the Power of Moving Target Defense via Cyber Epidemic Dynamics
Moving Target Defense (MTD) can enhance the resilience of cyber systems
against attacks. Although there have been many MTD techniques, there is no
systematic understanding and quantitative characterization of the power
of MTD. In this paper, we propose to use a cyber epidemic dynamics approach to
characterize the power of MTD. We define and investigate two complementary
measures that are applicable when the defender aims to deploy MTD to achieve a
certain security goal. One measure emphasizes the maximum portion of time
during which the system can afford to stay in an undesired configuration (or
posture), without considering the cost of deploying MTD. The other measure
emphasizes the minimum cost of deploying MTD, while accommodating that the
system has to stay in an undesired configuration (or posture) for a given
portion of time. Our analytic studies lead to algorithms for optimally
deploying MTD.
Comment: 12 pages; 4 figures; Hotsos 14, 201
Adaptive Epidemic Dynamics in Networks: Thresholds and Control
Theoretical modeling of computer virus/worm epidemic dynamics is an important
problem that has attracted many studies. However, most existing models are
adapted from biological epidemic ones. Although biological epidemic models can
certainly be adapted to capture some computer virus spreading scenarios
(especially when the so-called homogeneity assumption holds), the problem of
computer virus spreading is not well understood because it has many important
perspectives that are not necessarily accommodated in the biological epidemic
models. In this paper we initiate the study of such a perspective, namely that
of adaptive defense against epidemic spreading in arbitrary networks. More
specifically, we investigate a non-homogeneous
Susceptible-Infectious-Susceptible (SIS) model where the model parameters may
vary with respect to time. In particular, we focus on two scenarios we call
semi-adaptive defense and fully-adaptive defense, which accommodate implicit
and explicit dependency relationships between the model parameters,
respectively. In the semi-adaptive defense scenario, the model's input
parameters are given; the defense is semi-adaptive because the adjustment is
implicitly dependent upon the outcome of virus spreading. For this scenario, we
present a set of sufficient conditions (some are more general or succinct than
others) under which the virus spreading will die out; such sufficient
conditions are also known as epidemic thresholds in the literature. In the
fully-adaptive defense scenario, some input parameters are not known (i.e., the
aforementioned sufficient conditions are not applicable) but the defender can
observe the outcome of virus spreading. For this scenario, we present adaptive
control strategies under which the virus spreading will die out or will be
contained to a desired level.
Comment: 20 pages, 8 figures. This paper was submitted in March 2009, revised
in August 2009, and accepted in December 2009. However, the paper was not
officially published until 2014 due to non-technical reason
- …