Publications

23 Results

Regex-based linkography abstraction refinement for information security

IWSPA 2018 - Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics, Co-located with CODASPY 2018

Kothapalli, Abhiram; Mitchell, Robert

Linkographs have been used in the past to model behavioral patterns for creative professionals. Recently, linkographs have been applied to the context of cyber security to study the behavioral patterns of remote attackers of cyber systems. We propose a human supervised algorithm that refines abstractions to be used for linkographic analysis of common attack patterns. The refinement algorithm attempts to maximize the accuracy of computer-derived linkographs by optimally merging and splitting abstraction classes, represented as regular expressions (regexes). We first describe an algorithm to select and perform a globally optimal merge of two abstraction classes. We then describe a counterpart algorithm to select and split a single abstraction class into two separate ones. We cast a regex as a conjunction of disjunctions and refine it by adding and removing conjunctive and disjunctive elements. We also show how to use the Stoer-Wagner algorithm, normally used for least cost cuts of graphs, to create two optimal subsets of a set of elements.

A game theoretic model of computer network exploitation campaigns

2018 IEEE 8th Annual Computing and Communication Workshop and Conference, CCWC 2018

Mitchell, Robert; Healy, Brian

Increasingly, cyberspace is the battlefield of choice for twenty-first century criminal activity and foreign conflict. This suggests that traditional modeling and simulation approaches have stalled in the information security domain. We propose a game theoretic model based on a multistage model of computer network exploitation (CNE) campaigns comprising reconnaissance, tooling, implant, lateral movement, exfiltration and cleanup stages. In each round of the game, the attacker chooses whether to proceed with the next stage of the campaign, nature decides whether the defender is cognizant of the campaign's progression, and the defender chooses to respond in an active or passive fashion. We propose a dynamic, asymmetric, complete-information, general-sum game to model CNE campaigns and techniques to estimate this game's parameters. Researchers can extend this work to other threat models, and practitioners can use this work for decision support.

Further refinements to the foundations of cyber zone defense

Proceedings - IEEE Military Communications Conference MILCOM

Mitchell, Robert; Walkup, Elizabeth W.

Sophisticated cyber attacks by state-sponsored and criminal actors continue to plague government and industrial infrastructure. Intuitively, partitioning cyber systems into survivable, intrusion tolerant compartments is a good idea. This prevents witting and unwitting insiders from moving laterally and reaching back to their command and control (C2) servers. However, there is a lack of artifacts that can predict the effectiveness of this approach in a realistic setting. We extend earlier work by relaxing simplifying assumptions and providing a new attacker-facing metric. In this article, we propose new closed-form mathematical models and a discrete time simulation to predict three critical statistics: probability of compromise, probability of external host compromise and probability of reachback. The results of our new artifacts agree with one another and with previous work, which suggests they are internally valid and a viable method to evaluate the effectiveness of cyber zone defense.

A zoning algorithm for dynamic cyber zone defense

2017 IEEE 7th Annual Computing and Communication Workshop and Conference, CCWC 2017

McBride, Marci; Mitchell, Robert

Attacks on cyber systems continue to plague public and private sector enterprises. While cyber zone defense is an appealing strategy to prevent, disrupt and tolerate these attacks, existing approaches assign hosts to zones based on their function (for example, printer zones and sensor zones) or place in the architecture (for example, corporate zones and demilitarized zones). This leaves the large number of human-operated commodity workstations within an enterprise unaddressed. We propose a dynamic zoning algorithm which periodically or asynchronously assigns hosts to zones based on peer requests made by their human operators. The proposed algorithm runs quickly on basic hardware for a large enterprise, and the zone statistics converge to values that match what simple mathematical models predict. We conclude that dynamic cyber zone defense calls for additional research and is a candidate for technology transfer.

Linkography ontology refinement and cyber security

2017 IEEE 7th Annual Computing and Communication Workshop and Conference, CCWC 2017

Mitchell, Robert; Fisher, Andrew; Watson, Scott; Jarocki, John

The competition between cyber attackers and defenders is fundamentally a game. In this game, the stakes are high, the decisions are difficult and the timescale is very short. To date, most researchers in this area have focused on the strategic level decisions. This focus enables what-if scenarios that hinge on the opening move of the game. However, this approach does not allow for flexibility after the players choose these high-level opening moves. We compare this situation to a turn-based style of play where we hope to end the game quickly, for example, by halting the execution of a software program when we detect a signature that matches some definition of malicious.

Refining the foundations for cyber zone defense

2016 8th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2016

Mitchell, Robert; Sery, Paul

Since our last paper, cyber attacks have shown no evidence of declining in frequency or sophistication. We claim that applying isolation zones is an effective way to defend cyber systems; our team proposes a simulation and mathematical model that provide numerical data that supports this claim. This paper extends our earlier cyber zone defense (CZD) framework in two critical ways. First, we relax our assumption that zones completely isolate nodes and consider interzone boundaries to be porous. Second, we investigate methods to estimate one of the legacy parameters inherited from our earlier work and the new porosity parameter. The extended simulation and model more closely approximate real world cyber systems and have lower residuals than our previous investigation.

Parameterizing moving target defenses

2016 8th IFIP International Conference on New Technologies, Mobility and Security, NTMS 2016

Anderson, Nicholas; Mitchell, Robert; Chen, Ing R.

Moving Target Defense (MTD) is the concept of controlling change across multiple system dimensions, aiming to disrupt the adversary in the attack sequence for intrusion prevention. To date, there is a lack of progress in MTD modeling and evaluation to test the effectiveness of MTD techniques. In this paper we develop two analytical models, based on closed-form solutions and Stochastic Petri Nets, to analyze the effect of a dynamic-platform-technique-based MTD on attack success rate. The numerical results from these two models agree with one another, providing cross validation. Furthermore, the output of these models indicates the existence of parameter settings that decrease the security of the protected resource and settings that make MTD most effective in terms of minimizing the attack success probability.

Foundations for cyber zone defense

2016 25th International Conference on Computer Communications and Networks, ICCCN 2016

Mitchell, Robert; Sery, Paul G.; Klitsner, Tom K.

We introduce a new framework called cyber zone defense (CZD) that treats malware like a black box: a process we can study solely based on its internal and external communication. We can reduce the impact of malware, without regard to its functionality or even existence, by limiting only these connections. In this paper, we propose two metrics for measuring CZD effectiveness, an illustrative simulation, and a closed-form mathematical model that predicts these statistics. The simulation is intuitive; it allows the analyst to provision arbitrary configurations and see how changes in topology affect the efficacy of the CZD. The model provides a mathematical verification for CZD and matches the results of the simulation well. These artifacts test the feasibility of CZD while deferring implementation details.

Final LDRD Report: Using Linkography of Cyber Attack Patterns to Inform Honeytoken Placement

Mitchell, Robert; Jarocki, John C.; Fisher, Andrew N.

The war to establish cyber supremacy continues, and the literature is crowded with strictly technical cyber security measures. We present the results of a three-year LDRD project. Using linkography, a methodology new to the field of cyber security, we establish the foundation necessary to track and profile the microbehavior of humans attacking cyber systems. We also propose ways to leverage this understanding to influence and deceive these attackers. We studied the science of linkography, applied it to the cyber security domain, implemented a software package to manage linkographs, generated the preprocessing blocks necessary to ingest raw data, produced machine learning models, created ontology refinement algorithms and prototyped a web application for researchers and practitioners to apply linkography. Machine learning produced some of our key results: we trained and validated multinomial classifiers with a real world data set and predicted the attacker's next category of action with 86 to 98% accuracy; dimension reduction techniques indicated that the linkography-based features were among the most powerful. We also discovered ontology refinement algorithms that advanced the state of the art in linkography in general and cyber security in particular. We conclude that linkography is a viable tool for cyber security; we look forward to expanding our work to other data sources and using our prediction results to enable adversary deception techniques.
