Research article. DOI: 10.1145/3339252.3340509

Automated Cyber Threat Sensing and Responding: Integrating Threat Intelligence into Security-Policy-Controlled Systems

Published: 26 August 2019

ABSTRACT

Cyber security management requires fast and cost-efficient responses to threat alerts. Automating cyber threat sensing and responding is one way to achieve immediate reactions to imminent threats. Tools for extensive automation of threat sensing already exist, e.g. threat intelligence sharing platforms. Methods, techniques and tools for reacting to menacing states and events, e.g. security-policy-controlled systems, have also been explored and published for some time. What is still missing, however, is the integration of these two approaches. This paper describes first steps towards integrating threat intelligence sharing platforms with security-policy-controlled systems. We present a conceptual design covering threat reaction strategies, security architectures and mechanisms, and information representation requirements, and we use two exemplary threat scenarios to demonstrate our proposals.


Published in: ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security, August 2019, 979 pages. ISBN: 9781450371643. DOI: 10.1145/3339252

          Copyright © 2019 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article; Research; Refereed limited. Overall acceptance rate: 228 of 451 submissions (51%).
