cloudy with a chance of breach forecasting cyber security
play

Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents - PowerPoint PPT Presentation

Feb 18, 2023 •334 likes •842 views

Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents Yang Liu , Armin Sarabi , Jing Zhang , Parinaz Naghizadeh Manish Karir , Michael Bailey , Mingyan Liu , EECS Department, University of Michigan, Ann

  1. Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents Yang Liu § , Armin Sarabi § , Jing Zhang § , Parinaz Naghizadeh § Manish Karir ♯ , Michael Bailey ∗ , Mingyan Liu § ,♯ § EECS Department, University of Michigan, Ann Arbor ♯ QuadMetrics, Inc. ∗ ECE Department, University of Illinois, Urbana-Champaign http://grs.eecs.umich.edu Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 1 / 28

  2. Intro Introduction Motivation Increasingly frequent and high-impact data breaches ◮ Target, JP Morgan Chase, Home Depot, to name a few ◮ Increasing social and economic impact of such cyber incidents Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 2 / 28

  3. Intro Introduction Limitation of current approaches ◮ Heavily detection based ◮ Fail to detect, or too late by the time a breach is detected ◮ Not suited for cost/damage control ◮ Urgent need for more proactive measures Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 3 / 28

  4. Intro Introduction Prediction Detection ◮ predicting whether a presently ◮ analogous to diagnosing a healthy person may become ill patient who may already be ill based on a variety of relevant (e.g., by using biopsy). factors. ◮ [Qian et al. NDSS14, Wang ◮ [Soska & Christin, USENIX et al. USENIX Sec14] Sec14] Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 4 / 28

  5. Intro Introduction Prediction Detection ◮ predicting whether a presently ◮ analogous to diagnosing a healthy person may become ill patient who may already be ill based on a variety of relevant (e.g., by using biopsy). factors. ◮ [Qian et al. NDSS14, Wang ◮ [Soska & Christin, USENIX et al. USENIX Sec14] Sec14] Our goal: ◮ Understand the extent to which one can forecast incidents on an organizational level. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 4 / 28

  6. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  7. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. ◮ Robustness: we do not have control over or direct knowledge of the error embedded in the data. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  8. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. ◮ Robustness: we do not have control over or direct knowledge of the error embedded in the data. Key idea: ◮ tap into a diverse set of data that captures different aspects of a network’s security posture, ranging from the explicit to latent . Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  9. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  10. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  11. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  12. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes ◮ Internal to an org.: more informed decisions on resource allocation. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  13. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes ◮ Internal to an org.: more informed decisions on resource allocation. ◮ External to an org.: incentive mechanisms such as cyber insurance. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  14. Intro Introduction Outline of the talk ◮ Data and Preliminaries - Description of the data - Data pre-processing ◮ Forecasting methods - Construction of the predictor ◮ Forecasting results - Main prediction results & analysis Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 7 / 28

  15. Data Methodology Datasets at a glance Category Collection period Datasets Mismanagement Feb’13 - Jul’13 Open Recursive Resolvers, DNS Source Port, symptoms BGP misconfiguration, Untrusted HTTPS, Open SMTP Mail Relays Malicious May’13 - Dec’14 CBL, SBL, SpamCop, UCEPROTECT, activities WPBL, SURBL, PhishTank, hpHosts, Darknet scanners list, Dshield, OpenBL Incident Aug’13 - Dec’14 VERIS Community Database, reports Hackmageddon, Web Hacking Incidents ◮ Mismanagement and malicious activities used to extract features. ◮ Incident reports used to generate labels for training and testing. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 8 / 28

  16. Data Methodology Security posture data Mismanagement symptoms ◮ Deviation from known best practices; indicators of lack of policy or expertise: - Misconfigured- HTTPS cert, DNS (resolver+source port), mail server, BGP. ◮ Collected around mid-2013 (pre-incidnts). Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 9 / 28

  17. Data Methodology Security posture data Mismanagement symptoms ◮ Deviation from known best practices; indicators of lack of policy or expertise: - Misconfigured- HTTPS cert, DNS (resolver+source port), mail server, BGP. ◮ Collected around mid-2013 (pre-incidnts). Malicious Activity Data: a set of 11 reputation blacklists (RBLs) ◮ Daily collections of IPs seen engaged in some malicious activity. ◮ Three malicious activity types: spam, phishing, scan. ◮ Use data between May 2013 and December 2014. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 9 / 28

  18. Data Methodology Security incident Data Three incident datasets ◮ Hackmageddon ◮ Web Hacking Incidents Database (WHID) ◮ VERIS Community Database (VCDB) Incident type SQLi Hijacking Defacement DDoS Hackmageddon 38 9 97 59 WHID 12 5 16 45 Incident type Crimeware Cyber Esp. Web app. Else VCDB 59 16 368 213 Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 10 / 28

  19. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  20. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Data diversity presents challenge in alignment in time and space. ◮ Security posture records information at the host IP-address level. ◮ Cyber incident reports associated with an organization. ◮ Such alignment is not travial: reallocation makes boundary unclear. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  21. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Data diversity presents challenge in alignment in time and space. ◮ Security posture records information at the host IP-address level. ◮ Cyber incident reports associated with an organization. ◮ Such alignment is not travial: reallocation makes boundary unclear. A mapping process: ◮ Summarizing owner IDs from RIR databases. ◮ 4.4 million prefixes listed under 2.6 million owner IDs: finer degree compared to routing table. ◮ Sample IP from organization + search in above table. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  22. Forecast Outline of the talk ◮ Data and Preliminaries - Description of the data - Data pre-processing ◮ Forecasting methods - Construction of the predictor ◮ Forecasting results - Main prediction results & analysis Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 12 / 28

  23. Forecast Methodology Approach at a glance Feature extraction ◮ 258 features extracted from the datasets: Primary + Secondary features. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 13 / 28

  24. Forecast Methodology Approach at a glance Feature extraction ◮ 258 features extracted from the datasets: Primary + Secondary features. Label generation ◮ 1,000+ incident reports from the three incident sets Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 13 / 28

Recommend

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel Consulting Kaz Khumush Sr. Sales Engineer, Trend Micro Keys for Cloud Infrastructure Virtual Infrastructure Stable, Predictable, &

267 views • 13 slides
CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an event in which an individuals name plus personal information such as an address, phone number and/or financial record such as a social security

307 views • 16 slides
Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Prentice Wealth Management Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape Verizon VBIR 2015 Report Cyber Breach Trending Outsider v Insider Threat Personal Identity Protection

819 views • 12 slides
NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the

NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the

miller nash llp | Fall 2011 brought to you by the tax law practice team NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the resource provider to scale can use computer resources (e.g., server a

499 views • 6 slides
Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright Australia April 2018 Purpose This presentation has been commissioned by CyberHound Pty Ltd (part of the Superloop Group) to assist schools that are

646 views • 26 slides
CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi Group, C h a i r m a n ( @ ) M L i G r p ( d o t ) c o m 1 WHAT IS A POLI-CYBER ? CYBER ATTACKS PERPETRATED OR INSPIRED BY EXTREMIST

520 views • 17 slides
Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some context Daily Mail online, April 2017 52 % the number of small businesses that had a security breach in 2016 UK Government Cyber Security

619 views • 39 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach Response Services March 20 th , 2012 Brian Cole, Managing Director Professional Liability Specialty Practice Overview of Topics Cyber Security

611 views • 21 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

LAW Best Practices for Protecting Electronic Business Data Companies are under attack from cyber-criminals, hackers and spies. Is your data at risk? C OMPILED BY M ILES Z. E PSTEIN E DITOR , COMMERCE W ITH THE DATA BREACH AT information for

290 views • 3 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT ENT CyberSecurity Chicago September 2018 Security In The News Frequency and severity of cyber security news on the rise 2 PROPRIETARY AND

449 views • 21 slides
CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY

CYBER SECURITY PROTECTING AGAINST CYBER FRAUD IN SCALEUP COMPANIES AND WHAT TO DO SHOULD THEY HAPPEN London June 2019 INTRODUCTION Cyber Security The activity or process, ability or capability, or state whereby information and

735 views • 24 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
Cloudy With a Chance of Misconceptions Dominik Wermke* Nicolas Huaman Christian Stransky

Cloudy With a Chance of Misconceptions Dominik Wermke* Nicolas Huaman Christian Stransky

Cloudy With a Chance of Misconceptions Dominik Wermke* Nicolas Huaman Christian Stransky Leibniz University Hannover Leibniz University Hannover Leibniz University Hannover Niklas Busch Yasemin Acar Sascha Fahl Leibniz University Hannover

363 views • 24 slides
Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state

Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state

Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state government. It is a growing and pervasive problem From January 1, 2009 to May 31, 2012, there have been 268 breach incidents in government agencies with more

330 views • 4 slides
Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford

16 Oct 2012 Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities Bradford Willke Cyber Security Advisor, MidAtlantic Region National Cyber Security Division (NCSD) Office of Cybersecurity and Communications

443 views • 20 slides
Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs !

Cyber security Current challenges Ludovic M, septembre 2019 Cyber security ? Three triptychs ! 3 properties ... Confidentiality (including personal data) Integrity Availability 2 -Sminaire LIRIMA: Cyber security: current

876 views • 64 slides
2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor,

2018 Legislative Ag Chairs Summit Cyber Security Geoff Jenista, CISSP Cyber Security Advisor, Region VII Office of Cybersecurity and Communications (CS&C) National Protection and Programs Directorate (NPPD) FOUO / UNCLASS Cyber Security

333 views • 12 slides
QUANTIFYING THE COST OF DATA BREACH UNDERSTANDING (AND AVOIDING) FUTURE PITFALLS Prepared by

QUANTIFYING THE COST OF DATA BREACH UNDERSTANDING (AND AVOIDING) FUTURE PITFALLS Prepared by

QUANTIFYING THE COST OF DATA BREACH UNDERSTANDING (AND AVOIDING) FUTURE PITFALLS Prepared by Castlebridge and TechPolis for Verimatrix Source: Cisco 2017 Annual Cyber Security Report

606 views • 16 slides

More recommend