Terrain and behavior modeling for projecting multistage cyber attacks

Contributions from the information fusion community have enabled comprehensible traces of intrusion alerts occurring on computer networks. Traced or tracked cyber attacks are the basis for threat projection in this work. Because threat projection is complex, we separate it into two sub-tasks: predicting likely next targets and predicting attacker behavior. A virtual cyber terrain is proposed for identifying likely targets. Overlaying traced alerts onto the cyber terrain reveals the vulnerabilities, services, and hosts that are exposed to the attacker's current position. Meanwhile, a novel attempt to extract cyber attack behavior is discussed. Leveraging traditional work on prediction and compression, this work identifies behavior patterns from traced cyber attack data. The extracted behavior patterns are expected to further refine the projections deduced from the cyber terrain.
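The two sub-tasks in the abstract can be illustrated with a small model. The following is an added example, not code from the paper: a constructed cyber terrain (hosts, services, exposed vulnerabilities, reachability edges) is overlaid with the set of already-compromised hosts to list candidate next targets, and a PPM-style variable-order Markov predictor trained on a constructed sequence of attack stages ranks the attacker's likely next action. The terrain, the reachability rules, the stage labels and the escape scheme (PPM method C without exclusions) are assumptions made for this illustration.

```python
"""Toy threat projection: terrain overlay for target candidates plus a
variable-order Markov (PPM-style) predictor for the next attack stage.
Constructed illustration; the terrain, trace and escape rule are assumptions."""
from collections import defaultdict

# Constructed cyber terrain: host -> {service: [exposed vulnerabilities]}
TERRAIN = {
    "web01": {"http": ["vuln-A"], "ssh": []},
    "db01": {"mysql": ["vuln-B"]},
    "fs01": {"smb": ["vuln-C"], "ssh": []},
    "mgmt01": {"ssh": []},          # reachable, but nothing exposed
}
# Constructed reachability (firewall/VLAN view): source host -> hosts it can reach
REACH = {
    "web01": ["db01", "fs01"],
    "db01": ["fs01", "mgmt01"],
    "fs01": ["mgmt01"],
    "mgmt01": [],
}
# Constructed attack trace: stage labels of one tracked multistage intrusion
ATTACK_TRACE = ["scan", "probe", "exploit", "escalate", "lateral",
                "scan", "probe", "exploit", "escalate", "lateral",
                "scan", "probe", "exploit", "exfil"]


def exposed_targets(compromised):
    """Overlay step: hosts reachable from a compromised host that expose a
    service with a known vulnerability. Returns {host: [(service, vuln)]}."""
    out = {}
    for src in compromised:
        for dst in REACH.get(src, []):
            if dst in compromised:
                continue
            exposed = [(svc, v) for svc, vulns in TERRAIN.get(dst, {}).items()
                       for v in vulns]
            if exposed:
                out[dst] = exposed
    return out


class VomPredictor:
    """Variable-order Markov model: counts successors of every context up to
    max_order, blends orders with PPM method C escapes (no exclusions)."""

    def __init__(self, max_order=2):
        self.max_order = max_order
        self.counts = defaultdict(lambda: defaultdict(int))  # ctx -> sym -> n
        self.alphabet = set()

    def train(self, seq):
        seq = list(seq)
        self.alphabet.update(seq)
        for i, sym in enumerate(seq):
            for k in range(min(i, self.max_order) + 1):
                self.counts[tuple(seq[i - k:i])][sym] += 1

    def prob(self, sym, history):
        """P(sym | history): start at the longest seen context and pass the
        escape mass down to shorter contexts; order -1 is uniform."""
        history = tuple(history)[-self.max_order:] if self.max_order else ()
        p, escape = 0.0, 1.0
        for k in range(len(history), -1, -1):
            ctx = history[len(history) - k:] if k else ()
            table = self.counts.get(ctx)
            if not table:            # unseen context: escape with full mass
                continue
            total, distinct = sum(table.values()), len(table)
            p += escape * table.get(sym, 0) / (total + distinct)
            escape *= distinct / (total + distinct)
        return p + escape / len(self.alphabet)

    def predict(self, history):
        return max(sorted(self.alphabet), key=lambda s: self.prob(s, history))


def build_model():
    model = VomPredictor(max_order=2)
    model.train(ATTACK_TRACE)
    return model


def project(model, history, compromised):
    """Projection: likely next stage from behavior, candidate targets from terrain."""
    return model.predict(history), exposed_targets(compromised)


if __name__ == "__main__":
    m = build_model()
    print(project(m, ["probe", "exploit"], {"web01"}))
```

With the constructed trace, the context (probe, exploit) has been followed by escalate twice and exfil once, so the blended estimate favors escalate; an unseen context such as (lateral, exfil) escapes all the way to the order-0 stage frequencies. The terrain overlay drops mgmt01 from the candidate list because it is reachable but exposes no vulnerable service, which is the kind of filtering the behavior model is then expected to refine.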
