asymmetric threat response and analysis program
play

Asymmetric Threat Response and Analysis Program Michael L. - PowerPoint PPT Presentation

Nov 13, 2023 •374 likes •817 views

Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit 11/10/2013 1 Overview What is the Asymmetric Threat Response and Analysis Program (ATRAP)? Data Ingestion Structured vs. unstructured

  1. Asymmetric Threat Response and Analysis Program Michael L. Valenzuela Jerzy W. Rozenblit 11/10/2013 1

  2. Overview • What is the Asymmetric Threat Response and Analysis Program (ATRAP)? • Data Ingestion – Structured vs. unstructured • Link Charts • Game Theoretic Decision Support Tool 11/10/2013 2

  3. Note • We apologize in advance – The original security data has ITAR restrictions – Thus we cannot show this data publically • Instead we have medical data – Statically correct, but sanitized – Can still be used to show ATRAP’s features 11/10/2013 3

  4. Asymmetric Threat Response and Analysis Program 11/10/2013 4

  5. ATRAP • Originally a tool for military intelligence analysts • Built upon a “human -in-the- loop” philosophy – Avoids a fully automated tool making mistakes – Provides transparency and introspection into data processing • Much like a toolbox of individual tools – Like Matlab, except for security – Due to the number of tools, we will only show a few tools • Now encompasses many security domains 11/10/2013 5

  6. ATRAP – Motivation • Think about this – Inside jobs cause the majority of damage – This tool helps an analyst/detective trace from evidence back to the insider(s) • Suppose – Network traffic is available and events have already been detected via some other tool – Some connections between individuals, computers, and events are known 11/10/2013 6

  7. Data Ingestion • ATRAP operates on databases (Microsoft or Oracle) • Data can be structured (xml, csv, html, etc.) • Data can be unstructured (free text) – Free text data can be structured with a text- processing tool which includes some basic natural language processing 11/10/2013 7

  8. Data Ingestion • Structured data can be directly imported as any user defined types. – E.g., provided a user defined meta-protocol, each field can be imported from the structured data – Nonstandard protocols can be user defined or subtyped 11/10/2013 8

  9. Data Ingestion – free text • Entities (structured information) can be extracted from free text – ATRAP provides some natural language processing – Still requires the use of a person to create a structured piece of information from the text 11/10/2013 9

  10. Entities (structured data) • Entities (any structured data) may have – Meta-data – Data-time information – Attributes – Associated files (multimedia, reports, etc.) – Relationships with other entities • ATRAP has tools to perform queries on any of these properties 11/10/2013 10

  11. Link Charts 11/10/2013 11

  12. Link Charts • Link charts are used to display and explore relationships between entities – Color represents a type of entity • Icons are used to distinguish between subtypes – Relationships are directional and typed – Many common graph tools including • Clustering • Searching by connection patterns • Displaying central and broker nodes • Extracting subgraphs 11/10/2013 12

  13. Link Charts – Several Tools 11/10/2013 13

  14. Link Charts – Showing Brokers and Betweenness Centrality 11/10/2013 14

  15. Link Charts • No limits on the size of the link charts – Except those that storage and memory impose • Sometimes it is better to work with smaller groups of entities • ATRAP allows this through extracting clusters • Entities can be organized neatly through the use of spring embedders 11/10/2013 15

  16. Link Charts – Data Reduction by Clusters 11/10/2013 16

  17. Link Charts – Growing New Connections • Suppose the investigator has a hunch as to how entities may be related • Assuming this can be codified based on the – Entities, – Types of entities, – Types of relationships, and – A relationship pattern • New suspected connections can be made 11/10/2013 17

  18. Link Charts – Growing New Connections 11/10/2013 18

  19. Link Charts – Growing New Connections • Suppose a network administrator want to generate a list of insider suspects • The administrator could create suspect-links using: AttackEvent  Computers  Users  Coworkers • The results could be further processed with additional filters and queries 11/10/2013 19

  20. Game Theoretic Decision Support • Game theory has been applied to cyber- security to – Resource allocation [1-4] – Countermeasures or responses to an attack [5-11] • We present a tool for determining optimal responses to an attacker – Grounded in stochastic game theoretic context 11/10/2013 20

  21. Game Theoretic Decision Support 11/10/2013 21

  22. Game Theoretic Decision Support – Stochastic Context • A play may not take the optimal action, only probabilistically • This results in outcome/payoff distributions – Need a certainty equivalent to recover a payoff – A second-order model takes the expected value and variance into account – The relative importance of the variance is determined by the player’s risk aversion 11/10/2013 22

  23. Game Theoretic Decision Support – The Components • Two players – Initial state, payoff function, and risk aversion • State – Defined by user-defined model ( e.g. , ASCOPE) • Area, structures, capabilities, organizations, people, events • Actions • Rules – Determines when actions are valid and for whom 11/10/2013 23

  24. Game Theoretic Decision Support 11/10/2013 24

  25. Game Theoretic Decision Support – The Action Set • The most costly part of game theoretic analysis comes from the construction of the actions in a game • ATRAP allows the user to recycle actions from other games and to create new actions • Each action invokes an affine transformation on the game state – For an n -dimensional model, each action has an 2n x 2n + 1 transformation matrix. 11/10/2013 25

  26. Game Theoretic Decision Support – The Action Set 11/10/2013 26

  27. Game Theoretic Decision Support – The Rule Set • Not all actions are always valid – An action maybe replaced with a more/less effective action provided certain circumstances have been met • Each action may trigger a rule – Allowing/disallowing/replacing one set of actions with another set of actions – These may last for any number of turns – May affect either player 11/10/2013 27

  28. Game Theoretic Decision Support – The Rule Set 11/10/2013 28

  29. Game Theoretic Decision Support – Running the Game • The user may optionally enter a look-ahead amount for the game – Otherwise the system takes its best guess at how far it can look ahead without exhausting memory. 11/10/2013 29

  30. Game Theoretic Decision Support – Running the Game 11/10/2013 30

  31. Game Theoretic Decision Support – Running the Game • Our game avoids artifacts by technically having no end – Even the last move shown is still looking as far ahead as the look-ahead permits – Actions remain valid until a rule disallows them • The light (dark) gray boxes represent the first (second) player’s actions • The resulting path through the game tree is the one each player thinks is optimal under uncertainty 11/10/2013 31

  32. Game Theoretic Decision Support – Introspection 11/10/2013 32

  33. Game Theoretic Decision Support – Introspection • Each action can be expanded to show alternatives at that point in time • Each alternative can have its state inspected • When inspecting an action or its alternative, a description of the rules that triggered are also provided – Much like code, complex games may require debugging 11/10/2013 33

  34. Game Theoretic Decision Support – Introspection 11/10/2013 34

  35. Game Theoretic Decision Support – Converting to a Query 11/10/2013 35

  36. Game Theoretic Decision Support – Converting to a Query • In the top right corner there is an option to send the resulting path through the game tree to another tool • This query model builder allows the game to be instantiated as a series of queries – Allows for the search of empirical evidence supporting such an outcome 11/10/2013 36

  37. Game Theoretic Decision Support – Converting to a Query 11/10/2013 37

  38. Game Theoretic Decision Support – Converting to a Query • Queries have an input and output type • Queries can search any entity data • Queries may be chained together • Queries may be modified by soft-factors (skillfulness or organization size) – Allows for better sorting of suspects 11/10/2013 38

  39. Conclusions • ATRAP is a toolbox full of human-in-the-loop data analysis tools – Analysis of relationships between entities – Game Theory to help predict potential outcomes and how to best respond • Geared toward security data mining 11/10/2013 39

  40. References • [1] Hausken, K.: Strategic defense and attack of series systems when agents move sequentially. IIE Trans. 43(7), 483 – 504 (2011). DOI 10.1080/0740817X.2010. 541178. URL http://www.tandfonline.com/doi/ abs/10.1080/0740817X.2010.541178 • [2] Hausken, K., Bier, V.M., Azaiez, M.N.: Defending against terrorism, natural disaster, and all hazards. In: Bier, V.M., Azaiez, M.N. (eds.) Game Theoretic Risk Analysis of Security Threats, International Series in Operations Research & Management Science, vol. 128, chap. 4, pp. 1 – 33. Springer, New York (2009). DOI 10. 1007/978-0-387-87767-9_4. URL http://dx.doi. org/10.1007/978-0-387-87767-9_4 11/10/2013 40

Recommend

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be

Active Threat on Campus Prevention & Response Active threat defined An active threat can be defined as: A person whose immediate activity can cause death and/or serious injury An active threat can involve a firearm or another

395 views • 15 slides
ACTIVE THREAT RESPONSE TRAINING PROGRAM JAMES LEE FOSTER, SHERIFF JIM SUBER, SUPERINTENDANT

ACTIVE THREAT RESPONSE TRAINING PROGRAM JAMES LEE FOSTER, SHERIFF JIM SUBER, SUPERINTENDANT

ACTIVE THREAT RESPONSE TRAINING PROGRAM JAMES LEE FOSTER, SHERIFF JIM SUBER, SUPERINTENDANT PROTECTING AND TEACHING OUR CHILDREN PARTNERSHIPS ARE THE KEY TO SUCCESS BEGAN WITH A COMPREHENSIVE PLAN BETWEEN SCHOOL DISTRICT AND SHERIFFS

326 views • 21 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017 www.lookingglasscyber.com PRESENTER: Allan Thomson, CTO Dr Jamison Day, Principal Data Scientist 2017 LookingGlass Cyber Solutions Inc. 1 What threats are

344 views • 21 slides
a.k.a. Flight or Fight Response: Is a physiological reaction that occurs in response to a perceived

a.k.a. Flight or Fight Response: Is a physiological reaction that occurs in response to a perceived

The Stress Response a.k.a. Flight or Fight Response: Is a physiological reaction that occurs in response to a perceived harmful event, attack or threat to survival (or ego, or happiness invested thought) 114 EGO: I - Any thing that I think

543 views • 41 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background

Response to Cyber Security Threat NIEs Approach to Information Security Background NTU / NIE is corporatized in April 2006 (Not requires to comply with IM8) Mission - To provide effective ICT resources, services and

841 views • 6 slides
Town of Midland Policing Services Analysis Town of Midland Policing Service Analysis About

Town of Midland Policing Services Analysis Town of Midland Policing Service Analysis About

Town of Midland Policing Services Analysis Town of Midland Policing Service Analysis About Asymmetric and Pomax Asymmetric Consulting and Rudy Gheysen provides a very personal service based on 37 years law enforcement experience in

457 views • 20 slides
Preparing Your System for the Pandemic Responding to the COVID19 threat Presented by the Ohio

Preparing Your System for the Pandemic Responding to the COVID19 threat Presented by the Ohio

Preparing Your System for the Pandemic Responding to the COVID19 threat Presented by the Ohio RCAP Preparedness & Emergency Response Team Presented By: Rural Community Assistance Program Great Lakes Community Action Partnership 127 S.

752 views • 34 slides
Clare Civil Defence The Civil Defence was established in 1950 in response to the threat of

Clare Civil Defence The Civil Defence was established in 1950 in response to the threat of

Clare Civil Defence The Civil Defence was established in 1950 in response to the threat of nuclear disaster posed by the atomic bomb following world war II. Its purpose was to provide aid, assistance and disaster relief to citizens in time

405 views • 12 slides
Spill Prevention, Preparedness and Response Program Prevention Section Vessel Inspections

Spill Prevention, Preparedness and Response Program Prevention Section Vessel Inspections

Spill Prevention, Preparedness and Response Program Prevention Section Vessel Inspections Oil Transfer Inspections Risk Analysis Preparedness Section Contingency Plan Approval Industry Drill Program Response Contractor

563 views • 54 slides
Azure Advanced Threat Protection

Azure Advanced Threat Protection

SecOps and Incident Response with Azure Advanced Threat Protection THE DAILY NEWS Attack shuts down xxxxxx organization for 2 days Investigation determined Wrecking ball

264 views • 10 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic

Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic

Step Response Analysis. Frequency Response, Relation Between Model Descriptions Automatic Control, Basic Course, Lecture 3 Gustav Nilsson 17 November 2016 Lund University, Department of Automatic Control Content 1. Step Response Analysis 2.

617 views • 57 slides
Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key

Symmetric and Asymmetric Key Cryptography(Part 2) By Radhika B S Contents Asymmetric Key Cryptography Security Requirements Advantages Modes of Use Diffie-Hellman Key Exchange RSA Cryptosystem ElGamal

584 views • 32 slides
Analysis of the Binary Asymmetric Joint Sparse Form Clemens Heuberger * Sara Kropf

Analysis of the Binary Asymmetric Joint Sparse Form Clemens Heuberger * Sara Kropf

Analysis of the Binary Asymmetric Joint Sparse Form Clemens Heuberger * Sara Kropf Alpen-Adria-Universit at Klagenfurt and TU Graz Supported by the Austrian Science Fund: W1230 Menorca, 2013-05-29 1 Digital Expansions and Scalar

1.14k views • 66 slides
Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France

Using Contextual Security Policies for Threat Response Yohann THOMAS - Herv DEBAR France Tlcom R&D - Caen, France Frdric CUPPENS - Nora CUPPENS-BOULAHIA ENST Bretagne - Rennes, France Research & Development DIMVA06 - July

570 views • 27 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter,

Human Resources Interaction With An Insider Threat Program 1 INTRODUCTION Davita N. Carpenter, SHRM-SCP Novetta Inc. Vice President, Human Resources/Employee Care Ethics/Compliance Officer Insider Threat Group Member 25+ years in Human

520 views • 16 slides
A Threat Analysis on UOCAVA Voting Systems Overview Lynne S. Rosenthal lynne.rosenthal@nist.gov

A Threat Analysis on UOCAVA Voting Systems Overview Lynne S. Rosenthal lynne.rosenthal@nist.gov

A Threat Analysis on UOCAVA Voting Systems Overview Lynne S. Rosenthal lynne.rosenthal@nist.gov NIST Voting Program National Institute of Standards and Technology EAC Standards Board Meeting February 26-27, 2009 Todays Topics EAC/NIST

333 views • 12 slides
BPA Demand Response Program Agenda Introductions Demand Response Program details

BPA Demand Response Program Agenda Introductions Demand Response Program details

BPA Demand Response Program Agenda Introductions Demand Response Program details Program update Program benefits EnerNOC experience 2 Proprietary & Confidential Demand Response Proprietary & Confidential Demand

646 views • 20 slides

More recommend