On Detecting Manifestation of Adversary Characteristics

Adversaries are conducting attack campaigns with increasing levels of sophistication. At the same time, out-of-the-box toolkits that simplify operations at each stage of a campaign have lowered the barrier to entry, and many new adversaries and attack groups have appeared over the past decade. Characterizing the behavior and modus operandi of different adversaries is critical to selecting the appropriate security maneuver for detecting and mitigating the impact of an ongoing attack. To this end, in this paper we study two characteristics of an adversary: risk-averseness and experience level. Risk-averse adversaries are more cautious during their campaign, while fledgling adversaries launch campaigns before developing adequate expertise and knowledge. One manifestation of both characteristics is the adversary's choice and usage of attack tools. To detect these characteristics, we present multi-level machine learning (ML) models that use network data generated while under attack by different attack tools and usage patterns. For risk-averseness, we considered different configurations of scanning tools and trained the models in a testbed environment; the resulting model was used to predict the cautiousness of the red teams that participated in the Cyber Shield ’16 exercise, and the predictions matched the red teams' expected behavior. For experience level, we considered publicly available remote access tools and their usage patterns. We developed a Markov model to simulate the usage patterns of attackers with different levels of expertise and, through experiments on the CyberVAN testbed, showed that the ML model achieves high accuracy.
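As an added illustration (this is not code from the paper, whose Markov model, feature set and ML classifier are not reproduced on this page), the following Python shows the general shape of the experience-level approach: a Markov chain per expertise level generates synthetic remote-access-tool sessions, transition matrices are then fitted to labelled sessions, and an unseen session is classified by which fitted model gives it the higher log-likelihood. The action names, transition probabilities, smoothing constant and sample sizes are all assumptions chosen for illustration; a real deployment would derive the states from observed network events rather than from hand-written profiles.

```python
import math
import random
from collections import defaultdict

# Assumed session actions for an operator driving a remote access tool.
# These names are illustrative, not taken from the paper.
STATES = ["connect", "enumerate", "download", "upload", "execute", "cleanup", "disconnect"]

# Assumed transition probabilities per expertise level (each row sums to 1).
# Novice: loops on enumeration, never cleans up, drops the session abruptly.
# Expert: moves purposefully through collection, execution, cleanup, exit.
PROFILES = {
    "novice": {
        "connect":    {"enumerate": 0.9, "disconnect": 0.1},
        "enumerate":  {"enumerate": 0.5, "download": 0.2, "upload": 0.1, "execute": 0.1, "disconnect": 0.1},
        "download":   {"enumerate": 0.6, "download": 0.2, "disconnect": 0.2},
        "upload":     {"enumerate": 0.5, "execute": 0.3, "disconnect": 0.2},
        "execute":    {"enumerate": 0.6, "execute": 0.2, "disconnect": 0.2},
        "cleanup":    {"disconnect": 1.0},
        "disconnect": {},
    },
    "expert": {
        "connect":    {"enumerate": 1.0},
        "enumerate":  {"download": 0.5, "upload": 0.3, "execute": 0.2},
        "download":   {"download": 0.3, "upload": 0.2, "cleanup": 0.5},
        "upload":     {"execute": 0.9, "cleanup": 0.1},
        "execute":    {"download": 0.3, "cleanup": 0.7},
        "cleanup":    {"disconnect": 1.0},
        "disconnect": {},
    },
}


def simulate_session(profile, rng, max_len=50):
    """Walk the chain from 'connect' until 'disconnect' or max_len actions."""
    trans = PROFILES[profile]
    seq = ["connect"]
    while seq[-1] != "disconnect" and len(seq) < max_len:
        states, probs = zip(*trans[seq[-1]].items())
        seq.append(rng.choices(states, weights=probs, k=1)[0])
    return seq


def fit_markov(sequences, alpha=1.0):
    """Transition estimates from labelled sessions, with add-alpha smoothing
    so that transitions never seen in training keep a small nonzero mass."""
    counts = {s: defaultdict(float) for s in STATES}
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1.0
    model = {}
    for a in STATES:
        total = sum(counts[a].values()) + alpha * len(STATES)
        model[a] = {b: (counts[a][b] + alpha) / total for b in STATES}
    return model


def log_likelihood(model, seq):
    """Log-probability of the observed transitions under a fitted chain."""
    return sum(math.log(model[a][b]) for a, b in zip(seq, seq[1:]))


def classify(models, seq):
    """Assign the expertise level whose chain best explains the session."""
    return max(models, key=lambda name: log_likelihood(models[name], seq))


def train_models(n_train=200, seed=7):
    """Fit one chain per profile from simulated, labelled training sessions."""
    rng = random.Random(seed)
    return {p: fit_markov([simulate_session(p, rng) for _ in range(n_train)])
            for p in PROFILES}


def evaluate(models, n_test=100, seed=11):
    """Accuracy on fresh simulated sessions from every profile."""
    rng = random.Random(seed)
    correct = 0
    for p in PROFILES:
        for _ in range(n_test):
            correct += classify(models, simulate_session(p, rng)) == p
    return correct / (n_test * len(PROFILES))


if __name__ == "__main__":
    fitted = train_models()
    print("accuracy:", evaluate(fitted))
    print(classify(fitted, ["connect", "enumerate", "enumerate", "enumerate", "disconnect"]))
```

Because the two assumed profiles differ in structurally impossible transitions (a novice never reaches "cleanup", an expert never disconnects without it), the likelihood-ratio classifier separates them almost perfectly; with real traffic the profiles overlap and the features derived from the network data matter far more than this toy suggests. The smoothing is what keeps an unseen transition from driving a log-likelihood to minus infinity.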
