Automated design of network security metrics

Many abstract security measurements are based on characteristics of a graph that represents the network. These are typically simple and quick to compute but are often of little practical use in making real-world predictions. Practical network security is often measured using simulation or real-world exercises. These approaches better represent realistic outcomes but can be costly and time-consuming. This work aims to combine the strengths of these two approaches, developing efficient heuristics that accurately predict attack success. Hyper-heuristic machine learning techniques, trained on data produced by network attack simulations, are used to produce novel graph-based security metrics. These low-cost metrics serve as an approximation for simulation when measuring network security in real time. The approach is tested and verified using a simulation based on activity from an actual large enterprise network. The results demonstrate the potential of using hyper-heuristic techniques to rapidly evolve and react to emerging cybersecurity threats.
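The abstract contrasts two ways of measuring network security: cheap graph-based metrics and costly attack simulation. The following is an added illustration, not code from the paper or its authors, of what those two quantities look like on a small constructed host graph, i.e. the kind of (metric, simulation outcome) pair a learner such as the paper's hyper-heuristic would be trained on. The host names, edges, and the simple "spread along an edge with probability p" attack model are all assumptions made for the example; the paper's simulation is based on real enterprise activity and is not reproduced here.

```python
"""Cheap graph metrics versus a simulated attack outcome on a constructed host graph.

Added example: the graph, the metrics and the spread model are illustrative
assumptions, not the paper's data or simulator.
"""
from collections import deque
import random

# Constructed sample network (not from the paper): undirected "can reach / can
# authenticate to" edges between hosts. Two components: {A..E} and {F, G, H}.
SAMPLE_EDGES = [
    ("A", "B"), ("B", "C"), ("C", "D"), ("A", "D"), ("D", "E"),
    ("F", "G"), ("G", "H"),
]


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def density(adj):
    """Cheap metric 1: fraction of possible host pairs that are directly connected."""
    n = len(adj)
    m = sum(len(nbrs) for nbrs in adj.values()) // 2
    return 2 * m / (n * (n - 1)) if n > 1 else 0.0


def largest_component_fraction(adj):
    """Cheap metric 2: share of hosts in the largest connected component."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:
            for nb in adj[queue.popleft()]:
                if nb not in comp:
                    comp.add(nb)
                    queue.append(nb)
        seen |= comp
        best = max(best, len(comp))
    return best / len(adj) if adj else 0.0


def simulate_attack(adj, start, p_compromise, rng):
    """One simulated attack: starting from a compromised host, each edge out of a
    compromised host is traversed with probability p_compromise (assumed model).
    Returns the fraction of hosts compromised, the 'attack success' measure."""
    compromised, frontier = {start}, deque([start])
    while frontier:
        host = frontier.popleft()
        for nb in adj[host]:
            if nb not in compromised and rng.random() < p_compromise:
                compromised.add(nb)
                frontier.append(nb)
    return len(compromised) / len(adj)


def expected_attack_success(adj, p_compromise, trials=1, seed=0):
    """Average attack success over every possible starting host and `trials`
    Monte Carlo runs per start. With p_compromise == 1.0 the result is exact
    (sum over components of (size/n)^2) and independent of the seed."""
    rng = random.Random(seed)
    hosts = sorted(adj)
    total = 0.0
    for start in hosts:
        for _ in range(trials):
            total += simulate_attack(adj, start, p_compromise, rng)
    return total / (len(hosts) * trials)


def metric_report(edges, p_compromise=0.5, trials=200):
    """Side-by-side view: the cheap metrics a learner can evaluate instantly,
    and the simulation target they are meant to approximate."""
    adj = build_graph(edges)
    return {
        "density": density(adj),
        "largest_component_fraction": largest_component_fraction(adj),
        "simulated_success_p1": expected_attack_success(adj, 1.0),
        "simulated_success": expected_attack_success(adj, p_compromise, trials),
    }


if __name__ == "__main__":
    for name, value in metric_report(SAMPLE_EDGES).items():
        print(f"{name:28s} {value:.4f}")
```

On the constructed graph the largest component holds 5 of 8 hosts (0.625), yet even with guaranteed spread the average attack compromises only about 53% of hosts, and less as the per-edge probability drops; the cheap metric over-states exposure here and under-states it on other shapes, which is the gap the paper's evolved metrics are meant to close.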
