Abstract
Having dedicated the previous chapter to the second level of SA, we now proceed to the third level. The highest level of SA—projection—involves envisioning how the current situation may evolve into a future situation and anticipating the future elements of that situation. In the context of CSA, the projection of future cyber attacks, or of future phases of an ongoing cyber attack, is particularly important. Attacks often unfold over a long period and involve many reconnaissance, exploitation, and obfuscation activities before they achieve their goal of cyber espionage or sabotage. The anticipation of future attack actions is generally derived from the malicious activities observed so far. This chapter reviews the existing state-of-the-art techniques for network attack projection, and then explains how estimates of ongoing attack strategies can be used to predict likely upcoming threats to the critical assets of the network.
Notes
1. A discussion of how to assess the similarity/difference between attack models will be presented in Sect. 3.1.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this chapter
Yang, S.J., Du, H., Holsopple, J., Sudit, M. (2014). Attack Projection. In: Kott, A., Wang, C., Erbacher, R. (eds) Cyber Defense and Situational Awareness. Advances in Information Security, vol 62. Springer, Cham. https://doi.org/10.1007/978-3-319-11391-3_12
DOI: https://doi.org/10.1007/978-3-319-11391-3_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11390-6
Online ISBN: 978-3-319-11391-3
eBook Packages: Computer Science (R0)