HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns
With the growing sophistication and volume of cyber attacks, combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidence and identify multistage campaigns on their network. This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), e.g., a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event. We define the concept of "Alert Episode Heat" to represent the analyst's opinion of how much an event contributes to the attack campaign of the critical IoC, given their knowledge of the network and their security expertise. Leveraging a network-agnostic feature set, HeAT learns the essence of the analyst's assessment of "heat" for a small set of IoCs and applies the learned model to extract insightful attack campaigns for IoCs not seen before, even across networks, by transferring what has been learned. We demonstrate the capabilities of HeAT with data collected in the Collegiate Penetration Testing Competition (CPTC) and through collaboration with a real-world SOC. We developed HeAT-Gain metrics to show how analysts may assess and benefit from the extracted attack campaigns in comparison to the common practice of using IP addresses to corroborate evidence. Our results demonstrate the practical use of HeAT: it finds campaigns that span diverse attack stages, removes a significant volume of irrelevant alerts, and stays coherent with the analyst's original assessments.
VTAC: Virtual Terrain Assisted Impact Assessment for Cyber Attacks
Overwhelming intrusion alerts have made timely response to network security breaches a difficult task. Correlating alerts to produce a higher-level view of the intrusion state of a network thus becomes an essential element in network defense. This work proposes to analyze correlated or grouped alerts and determine their ‘impact’ on the services and users of the network. A network is modeled as ‘virtual terrain’ on which cyber attacks maneuver. Overlaying correlated attack tracks on the virtual terrain exhibits the vulnerabilities exploited by each track and the relationships between the tracks and different network entities. The proposed impact assessment algorithm utilizes the graph-based virtual terrain model and combines assessments of the damage caused by the attacks. The combined impact scores allow analysts to identify severely damaged network services and affected users. Several scenarios are examined to demonstrate the uses of the proposed Virtual Terrain Assisted Impact Assessment for Cyber Attacks (VTAC).
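The roll-up the abstract describes, as an added illustration that is not VTAC's own code or scoring model: a small host/service/user graph plays the role of the virtual terrain, two correlated attack tracks are overlaid on it, and per-host damage is combined upward to rank services and users. Everything about the combination rules is an assumption made here: damage from several tracks hitting one host combines as noisy-OR, a service's impact is the mean damage over the hosts providing it (so redundant hosts dilute impact), and a user's impact is the mean impact of the services they depend on. The terrain, the track steps and the vulnerability names are constructed.

```python
"""Toy virtual-terrain impact roll-up in the spirit of VTAC.

Added example, not VTAC's own code. Assumptions (not from the paper):
hosts run services and users depend on services; each correlated attack
track is an ordered list of (host, exploited vulnerability, damage in [0,1]);
per-host damage combines as noisy-OR; service impact is the mean damage over
the hosts providing the service; user impact is the mean over the services
the user depends on.
"""
from collections import defaultdict

# Constructed terrain: host -> services it provides, user -> services relied on.
TERRAIN = {
    "hosts": {"web1": ["http"], "web2": ["http"], "db1": ["sql"], "mail1": ["smtp"]},
    "users": {"alice": ["http", "smtp"], "bob": ["sql"], "carol": ["smtp"]},
}

# Constructed correlated attack tracks: steps of (host, vulnerability, damage).
TRACKS = {
    "track-A": [("web1", "web_upload_rce", 0.6), ("db1", "sql_priv_esc", 0.5)],
    "track-B": [("web1", "web_upload_rce", 0.5), ("mail1", "smtp_relay_abuse", 0.3)],
}


def noisy_or(values):
    """Combine independent damage estimates on one entity: 1 - prod(1 - v)."""
    p = 1.0
    for v in values:
        p *= 1.0 - v
    return 1.0 - p


def mean(values):
    return sum(values) / len(values) if values else 0.0


def exploited_by_host(tracks):
    """Overlay of the tracks on the terrain: which vulnerabilities each host had exploited."""
    seen = defaultdict(set)
    for steps in tracks.values():
        for host, vuln, _ in steps:
            seen[host].add(vuln)
    return dict(seen)


def host_damage(tracks):
    """Noisy-OR of every track step that landed on the host."""
    per_host = defaultdict(list)
    for steps in tracks.values():
        for host, _, dmg in steps:
            per_host[host].append(dmg)
    return {h: noisy_or(v) for h, v in per_host.items()}


def service_impact(terrain, tracks):
    """Mean host damage over the hosts that provide each service (untouched hosts count as 0)."""
    dmg = host_damage(tracks)
    per_service = defaultdict(list)
    for host, services in terrain["hosts"].items():
        for s in services:
            per_service[s].append(dmg.get(host, 0.0))
    return {s: mean(v) for s, v in per_service.items()}


def user_impact(terrain, tracks):
    """Mean impact of the services each user depends on."""
    svc = service_impact(terrain, tracks)
    return {u: mean([svc.get(s, 0.0) for s in deps]) for u, deps in terrain["users"].items()}


def ranked(scores):
    """Entity names, most affected first."""
    return sorted(scores, key=lambda k: scores[k], reverse=True)


if __name__ == "__main__":
    print("exploited per host:", exploited_by_host(TRACKS))
    print("services by impact:", ranked(service_impact(TERRAIN, TRACKS)))
    print("users by impact:   ", ranked(user_impact(TERRAIN, TRACKS)))
```

Note that web1 is hit by both tracks and ends up the most damaged host, yet the http service ranks below sql because web2 still serves it undamaged; that is the kind of conclusion a per-alert or per-host view cannot reach.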
Intrusion Signature Creation via Clustering Anomalies
Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to detect and block multistage attacks. Because of the speed and impact of new types of cyber attacks, current IDSs are limited in providing accurate detection while reliably adapting to new attacks. In signature-based IDSs, this limitation is made apparent by the latency from day zero of an attack to the creation of an appropriate signature. This work hypothesizes that this latency can be shortened by creating signatures via anomaly-based algorithms. A hybrid supervised and unsupervised clustering algorithm is proposed for new signature creation. New signatures created in real time would take effect immediately, ideally detecting new attacks. This work first investigates a modified density-based clustering algorithm as an IDS, with its strengths and weaknesses identified. A signature creation algorithm leveraging the summarizing ability of clustering is then investigated. Lessons learned from supervised signature creation are then leveraged for the development of unsupervised real-time signature classification. Automating signature creation and classification via clustering is demonstrated to be satisfactory, but with limitations.
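To make the "summarizing ability of clustering" concrete, here is an added example (not the paper's algorithm) of the plain pipeline it alludes to: density-based clustering over per-connection feature vectors, each dense cluster summarized into per-feature bounds that act as a signature, and new records matched against those bounds. The three features (packets per second, bytes per packet, distinct destination ports), the sample records, the DBSCAN parameters and the min/max-with-slack signature form are all assumptions made for the illustration.

```python
"""Signature creation from density-based clustering (illustrative).

Added example, not the paper's own algorithm. Assumed features per connection
record: (packets_per_sec, bytes_per_packet, distinct_dst_ports). A plain DBSCAN
finds dense groups; each group is summarised as per-feature [min, max] bounds
and used as a signature. Noise points get no signature.
"""
from math import sqrt

# Constructed records: rows 0-4 look like ordinary web browsing, rows 5-9 like a
# port-scan burst, row 10 is an isolated one-off that should end up as noise.
SAMPLE = [
    (12.0, 800.0, 1.0), (15.0, 760.0, 1.0), (11.0, 820.0, 2.0),
    (14.0, 790.0, 1.0), (13.0, 810.0, 1.0),
    (950.0, 60.0, 400.0), (980.0, 58.0, 420.0), (960.0, 62.0, 410.0),
    (970.0, 61.0, 405.0), (955.0, 59.0, 415.0),
    (500.0, 300.0, 50.0),
]


def scale(rows):
    """Min-max scale each feature to [0, 1] so Euclidean distance is meaningful."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi))
            for r in rows]


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def dbscan(points, eps, min_pts):
    """Textbook DBSCAN; returns one label per point, -1 for noise."""
    n = len(points)
    labels = [None] * n
    cluster = 0
    neighbours = lambda i: [j for j in range(n) if dist(points[i], points[j]) <= eps]
    for i in range(n):
        if labels[i] is not None:
            continue
        nbrs = neighbours(i)
        if len(nbrs) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        queue = [j for j in nbrs if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nbrs_j = neighbours(j)
            if len(nbrs_j) >= min_pts:  # j is itself core: keep expanding
                queue.extend(k for k in nbrs_j if labels[k] is None or labels[k] == -1)
        cluster += 1
    return labels


def cluster_signatures(rows, labels):
    """Summarise each cluster as per-feature [min, max] bounds in original units."""
    sigs = {}
    for r, lab in zip(rows, labels):
        if lab == -1:
            continue
        bounds = sigs.setdefault(lab, [[v, v] for v in r])
        for b, v in zip(bounds, r):
            b[0], b[1] = min(b[0], v), max(b[1], v)
    return sigs


def matches(sig, row, slack=0.10):
    """True if every feature lies within the signature's bounds widened by `slack`."""
    for (lo, hi), v in zip(sig, row):
        pad = (hi - lo) * slack
        if v < lo - pad or v > hi + pad:
            return False
    return True


def build_signatures(rows, eps=0.15, min_pts=3):
    labels = dbscan(scale(rows), eps, min_pts)
    return labels, cluster_signatures(rows, labels)


if __name__ == "__main__":
    labels, sigs = build_signatures(SAMPLE)
    print("labels:", labels)
    for lab, sig in sigs.items():
        print(f"signature {lab}: {sig}")
```

The weakness the abstract hints at is visible here: the signature is only as tight as the cluster, and the `slack` choice decides whether a record just outside the training burst is caught or missed, so an analyst still has to look at what each cluster summarizes before promoting it to a blocking rule.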
The Effect of Collision Avoidance for Autonomous Robot Team Formation
As technology and research advance into the era of cooperative robots, many autonomous robot team algorithms have emerged. Shape formation is a common and critical task in many cooperative robot applications. While theoretical studies of robot team formation have shown success, it is unclear whether such algorithms will perform well in a real-world environment. This work examines the effect of collision avoidance schemes on an ideal circle formation algorithm; the algorithm behaves similarly if robot-to-robot communications are in place. Our findings reveal that robots with basic collision avoidance capabilities are still able to form into a circle under most conditions. Moreover, the robot sizes, sensing ranges, and other critical physical parameters are examined to determine their effects on the algorithm’s performance.
On the Evaluation of Sequential Machine Learning for Network Intrusion Detection
Recent advances in deep learning have renewed research interest in machine learning for Network Intrusion Detection Systems (NIDS). Specifically, attention has been given to sequential learning models, due to their ability to extract the temporal characteristics of Network traffic Flows (NetFlows) and use them for NIDS tasks. However, applications of these sequential models often consist of transferring and adapting methodologies directly from other fields, without an in-depth investigation of how to leverage the specific circumstances of cybersecurity scenarios; moreover, there is a lack of comprehensive studies on sequential models that rely on NetFlow data, which presents significant advantages over traditional full packet captures. We tackle this problem in this paper. We propose a detailed methodology to extract temporal sequences of NetFlows that denote patterns of malicious activities. Then, we apply this methodology to compare the efficacy of sequential learning models against traditional static learning models. In particular, we perform a fair comparison of a 'sequential' Long Short-Term Memory (LSTM) network against a 'static' Feedforward Neural Network (FNN) in distinct environments represented by two well-known NIDS datasets: CICIDS2017 and CTU13. Our results highlight that the LSTM achieves performance comparable to the FNN on CICIDS2017, with over 99.5% F1-score, while obtaining superior performance on CTU13, with 95.7% F1-score against 91.5%. This paper thus paves the way for future applications of sequential learning models for NIDS.
TANDI: Threat Assessment of Network Data and Information
Current practice for combating cyber attacks typically uses Intrusion Detection Sensors (IDSs) to passively detect and block multi-stage attacks. This work leverages Level-2 fusion that correlates IDS alerts belonging to the same attacker, and proposes a threat assessment algorithm to predict potential future attacker actions. The algorithm, TANDI, reduces the problem complexity by separating the models of the attacker's capability and opportunity, and fuses the two to determine the attacker's intent. Unlike traditional Bayesian approaches, which require assigning a large number of edge probabilities, the proposed Level-3 fusion procedure uses only four parameters. TANDI has been implemented and tested with randomly created attack sequences. The results demonstrate that TANDI predicts future attack actions accurately as long as the attack is not part of a coordinated attack and contains no insider threats. In the presence of abnormal attack events, TANDI alerts the network analyst for further analysis. This attempt to evaluate a threat assessment algorithm via simulation is the first in the literature, and should open up a new avenue in the area of high-level fusion.