quantitative cybersecurity breach prediction and
play

Quantitative Cybersecurity: Breach Prediction and Incentive Design - PowerPoint PPT Presentation

Feb 02, 2024 •44 likes •654 views

Intro Data Forecast Info sharing Insurance Conclusion Quantitative Cybersecurity: Breach Prediction and Incentive Design Mingyan Liu Joint work with Yang Liu, Armin Sarabi, Parinaz Naghizadeh, Michael Bailey, Manish Karir M. Liu (U.

  1. Intro Data Forecast Info sharing Insurance Conclusion Quantitative Cybersecurity: Breach Prediction and Incentive Design Mingyan Liu Joint work with Yang Liu, Armin Sarabi, Parinaz Naghizadeh, Michael Bailey, Manish Karir M. Liu (U. Michigan) Quantitative Cybersecurity 1 / 44

  2. Intro Data Forecast Info sharing Insurance Conclusion Threats to Internet security and availability From unintentional to intentional, random to financially driven: • misconfiguration • mismanagement • botnets, worms, SPAM, DoS attacks, . . . Typical countermeasures are host based: • blacklisting malicious hosts; used for filtering/blocking • installing solutions on individual hosts, e.g., intrusion detection Also heavily detection based: • Even when successful, could be too late • Damage control post breach M. Liu (U. Michigan) Quantitative Cybersecurity 2 / 44

  3. Intro Data Forecast Info sharing Insurance Conclusion Our vision To assess networks as a whole, not individual hosts • a network is typically governed by consistent policies • changes in system administration on a larger time scale • changes in resource and expertise on a larger time scale • consistency (though dynamic) leads to predictability From a policy perspective: • leads to proactive security policies and enables incentive mechanisms , • many of which can only be applied at a network/org level. M. Liu (U. Michigan) Quantitative Cybersecurity 3 / 44

  4. Intro Data Forecast Info sharing Insurance Conclusion More specifically To what extent can we quantify and assess the security posture of a network/organization? • Enterprise risk management • Prioritize resources and take proactive actions • Third-party/Vendor validation To what extent can we utilize such assessment to design better incentive mechanisms • Incentives properly tied to actual security posture and security interdependence M. Liu (U. Michigan) Quantitative Cybersecurity 4 / 44

  5. Intro Data Forecast Info sharing Insurance Conclusion Outline of the talk • A incident forecasting framework and results • As a way to quantify security posture and security risks • Data sources and processing • A supervised learning approach • Risk assessment as a form of “public monitoring” • Enables inter-temporal incentives in enforcing long-term security information sharing agreements • Risk assessment as a form of “pre-screening” • Enables judicious premium discrimination in cyber insurance to mitigate moral hazard M. Liu (U. Michigan) Quantitative Cybersecurity 5 / 44

  6. Intro Data Forecast Info sharing Insurance Conclusion An incident forecasting framework Desirable features: • Scalability: we rely solely on externally observed data. • Robustness: data will be noisy, incomplete, not all of which is under our control. M. Liu (U. Michigan) Quantitative Cybersecurity 6 / 44

  7. Intro Data Forecast Info sharing Insurance Conclusion An incident forecasting framework Desirable features: • Scalability: we rely solely on externally observed data. • Robustness: data will be noisy, incomplete, not all of which is under our control. Key steps: • Tap into a diverse set of data that captures different aspects of a network’s security posture: source, type ( explicit vs. latent ). • Follow a supervised learning framework. M. Liu (U. Michigan) Quantitative Cybersecurity 6 / 44

  8. Intro Data Forecast Info sharing Insurance Conclusion Security posture data Malicious Activity Data: a set of 11 reputation blacklists (RBLs) • Daily collections of IPs seen engaged in some malicious activity. • Three malicious activity types: spam, phishing, scan. M. Liu (U. Michigan) Quantitative Cybersecurity 7 / 44

  9. Intro Data Forecast Info sharing Insurance Conclusion Security posture data Malicious Activity Data: a set of 11 reputation blacklists (RBLs) • Daily collections of IPs seen engaged in some malicious activity. • Three malicious activity types: spam, phishing, scan. Mismanagement symptoms • Deviation from known best practices; indicators of lack of policy or expertise: • Misconfigured HTTPS cert, DNS (resolver+source port), mail server, BGP. M. Liu (U. Michigan) Quantitative Cybersecurity 7 / 44

  10. Intro Data Forecast Info sharing Insurance Conclusion Cyber incident Data Three incident datasets • Hackmageddon • Web Hacking Incidents Database (WHID) • VERIS Community Database (VCDB) SQLi Hijacking Defacement DDoS Incident type Hackmageddon 38 9 97 59 WHID 12 5 16 45 Incident type Crimeware Cyber Esp. Web app. Else VCDB 59 16 368 213 M. Liu (U. Michigan) Quantitative Cybersecurity 8 / 44

  11. Intro Data Forecast Info sharing Insurance Conclusion Datasets at a glance Category Collection period Datasets Mismanagement Feb’13 - Jul’13 Open Recursive Resolvers, DNS Source Port, symptoms BGP misconfiguration, Untrusted HTTPS, Open SMTP Mail Relays Malicious May’13 - Dec’14 CBL, SBL, SpamCop, UCEPROTECT, activities WPBL, SURBL, PhishTank, hpHosts, Darknet scanners list, Dshield, OpenBL Incident Aug’13 - Dec’14 VERIS Community Database, reports Hackmageddon, Web Hacking Incidents • Mismanagement and malicious activities used to extract features. • Incident reports used to generate labels for training and testing. M. Liu (U. Michigan) Quantitative Cybersecurity 9 / 44

  12. Intro Data Forecast Info sharing Insurance Conclusion Data pre-processing Conservative processing of incident reports: • Remove irrelevant or ambiguous cases, e.g., robbery at liquor store, ”something happened”, etc. M. Liu (U. Michigan) Quantitative Cybersecurity 10 / 44

  13. Intro Data Forecast Info sharing Insurance Conclusion Data pre-processing Conservative processing of incident reports: • Remove irrelevant or ambiguous cases, e.g., robbery at liquor store, ”something happened”, etc. Challenge in data alignment, both in time and in space: • Security posture records information at the host IP-address level. • Cyber incident reports associated with an organization. • Alignment non-trivial: address reallocation, hosting services, etc. M. Liu (U. Michigan) Quantitative Cybersecurity 10 / 44

  14. Intro Data Forecast Info sharing Insurance Conclusion Primary and secondary features Mismanagement symptoms. • Five symptoms; each measured as a fraction • Predictive power of these symptoms. 1 1 CDF CDF 0.5 0.5 Victim org. Non−victim org. Victim org. Non−victim org. 0 0 0 0.5 1 0 0.2 0.4 % Untrusted HTTPS % openresolver M. Liu (U. Michigan) Quantitative Cybersecurity 11 / 44

  15. Intro Data Forecast Info sharing Insurance Conclusion Malicious activity time series. • Three time series over a period: spam, phishing, scan. • Recent 60 v.s. Recent 14. 4 1k 10k 3 8k 800 2 6k 600 1 4k 400 0 2k 10 20 30 40 50 60 10 20 30 40 50 60 10 20 30 40 50 60 Days Days Days M. Liu (U. Michigan) Quantitative Cybersecurity 12 / 44

  16. Intro Data Forecast Info sharing Insurance Conclusion Malicious activity time series. • Three time series over a period: spam, phishing, scan. • Recent 60 v.s. Recent 14. 4 1k 10k 3 8k 800 2 6k 600 1 4k 400 0 2k 10 20 30 40 50 60 10 20 30 40 50 60 10 20 30 40 50 60 Days Days Days Secondary features • Measuring persistence and responsiveness. M. Liu (U. Michigan) Quantitative Cybersecurity 12 / 44

  17. Intro Data Forecast Info sharing Insurance Conclusion A look at their predictive power: 1 1 CDF CDF 0.5 0.5 Victim org. Victim org. Non−victim org. Non−victim org. 0 0 0 0.5 1 0 10 20 30 Normalized "good" magnitude "Bad" duration M. Liu (U. Michigan) Quantitative Cybersecurity 13 / 44

  18. Intro Data Forecast Info sharing Insurance Conclusion Training subjects A subset of victim organizations, or incident group. • Training-testing ratio, e.g., 70-30 or 50-50 split . • Split strictly according to time: use past to predict future . Hackmageddon VCDB WHID Training Oct 13 – Dec 13 Aug 13 – Dec 13 Jan 14 – Mar 14 Testing Jan 14 – Feb 14 Jan 14 – Dec 14 Apr 14 – Nov 14 M. Liu (U. Michigan) Quantitative Cybersecurity 14 / 44

  19. Intro Data Forecast Info sharing Insurance Conclusion Training subjects A subset of victim organizations, or incident group. • Training-testing ratio, e.g., 70-30 or 50-50 split . • Split strictly according to time: use past to predict future . Hackmageddon VCDB WHID Training Oct 13 – Dec 13 Aug 13 – Dec 13 Jan 14 – Mar 14 Testing Jan 14 – Feb 14 Jan 14 – Dec 14 Apr 14 – Nov 14 A random subset of non-victims, or non-incident group. • Random sub-sampling necessary to avoid imbalance; procedure is repeated over different random subsets. M. Liu (U. Michigan) Quantitative Cybersecurity 14 / 44

  20. Intro Data Forecast Info sharing Insurance Conclusion Prediction performance 1 0.9 True positive 0.8 VCDB 0.7 Hackmageddon WHID 0.6 ALL 0.5 0.4 0.1 0.2 0.3 0.4 0.5 False positive Example of desirable operating points of the classifier: Accuracy Hackmageddon VCDB WHID All True Positive (TP) 96% 88% 80% 88% False Positive (FP) 10% 10% 5% 4% M. Liu (U. Michigan) Quantitative Cybersecurity 15 / 44

Recommend

Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and

Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and

Security & Surveillance Data Breach Notification and Cybersecurity Standards in the U.S. and E.U. Jonathan P . Armstrong, Eversheds LLP , Leeds and Bruce A. Heiman, Preston Gates Ellis & Rouvelas Meeds LLP , Washington D.C.

181 views • 7 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part I March 20, 2014 Speakers John J. Sullivan, Partner, rejoined Mayer Brown after serving as General Counsel at the US Department of Commerce in 2005 and then,

497 views • 34 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17,

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation Part 2 April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

645 views • 46 slides
Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014

Trends in Data Breach and Cybersecurity Regulation, Legislation and Litigation April 17, 2014 For nearly a decade, weve had major data breaches at companies both large and small. Millions of consumers have suffered the

891 views • 42 slides
Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda

Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda

Advising the C-Suite and Boards of Directors on Cybersecurity February 11, 2015 Agenda Introductions / Administrative Cybersecurity risk legal landscape Cyber threats Legal risks in the aftermath of a breach The role of the

207 views • 19 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
Using Genetic Distance to Infer the Accuracy of Genomic Prediction (for Quantitative Traits)

Using Genetic Distance to Infer the Accuracy of Genomic Prediction (for Quantitative Traits)

Using Genetic Distance to Infer the Accuracy of Genomic Prediction (for Quantitative Traits) Marco Scutari scutari@stats.ox.ac.uk Department of Statistics University of Oxford September 7, 2015 The Problem The extent to which predictive

425 views • 20 slides
S ENS A: Sensitivity Analysis for Quantitative Change-impact Prediction Haipeng Cai Siyuan

S ENS A: Sensitivity Analysis for Quantitative Change-impact Prediction Haipeng Cai Siyuan

S ENS A: Sensitivity Analysis for Quantitative Change-impact Prediction Haipeng Cai Siyuan Jiang Raul Santelices Ying-jie Zhang* Yiji Zhang University of Notre Dame, USA * Tsinghua University, China Supported by ONR Award

365 views • 18 slides
MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH

MANDATORY BREACH REPORTING: REVIEW OF THE REQUIREMENTS UNDER PHIPA OVERVIEW OF BREACH NOTIFICATION AND IPC STATISTICS Fida Hindi, Legal Counsel Office of the Information and Privacy Commissioner of Ontario This presentation is

352 views • 23 slides
CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an event in which an individuals name plus personal information such as an address, phone number and/or financial record such as a social security

307 views • 16 slides
PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess

PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess

Office of the Saskatchewan Information and Privacy Commissioner PRIVACY BREACH GUIDELINES Purpose The Privacy Breach Guidelines may provide to contain, assess and analyze a privacy some guidance to government institutions, breach. The

291 views • 10 slides
Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability &

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability &

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 L6: Probability & Intrusion Detection CSU Cybersecurity Center Computer Science Dep 1 Quantitative Security 1 About this Course CS 559 is a research-oriented

615 views • 35 slides
Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course

Quantitative Cyber-Security Colorado State University Yashwant K Malaiya CS559 Course Introduction CSU Cybersecurity Center Computer Science Dept 1 1 Wish we were there! 2 About the course Quantitative and algorithmic view of

1.03k views • 32 slides
Quantitative prediction of skin sensitisation potency based on structural alert spaces vICGM,

Quantitative prediction of skin sensitisation potency based on structural alert spaces vICGM,

Quantitative prediction of skin sensitisation potency based on structural alert spaces vICGM, April 2016 Martyn Chilton Scientist martyn.chilton@lhasalimited.org Overview Background Lhasa EC3 dataset Data gathering and curation

475 views • 23 slides
Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or

Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or

Auditd for the Masses Philipp Krenn @xeraa Learn about a breach From the press or users Learn about a breach Attackers asking for a ransom Learn about a breach Cloud provider's bill Learn about a breach Yourself after the

942 views • 51 slides
Quantitative Evaluation Adapted in part from:

Quantitative Evaluation Adapted in part from:

Quantitative Evaluation Adapted in part from: http://www.cs.cornell.edu/Courses/cs578/2003fa/performance_measures.pdf Accuracy Target: 0/1, -1/+1, True/False, Prediction = f(inputs) = f(x): 0/1 or Real Threshold: f(x) >

477 views • 22 slides
PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT ENT CyberSecurity Chicago September 2018 Security In The News Frequency and severity of cyber security news on the rise 2 PROPRIETARY AND

449 views • 21 slides
Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state

Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state

Cyber Security Presentation 1. Cybersecurity is a growing priority for federal and state government. It is a growing and pervasive problem From January 1, 2009 to May 31, 2012, there have been 268 breach incidents in government agencies with more

330 views • 4 slides
Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Discovery Models CSU Cybersecurity Center Computer Science Dept 1 1 Modeling Vulnerability Discovery Quantitative Vulnerability Assessment Alhazmi

983 views • 59 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity & why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
Uncertainty in weather prediction Where does it come from and what does it look like? George C.

Uncertainty in weather prediction Where does it come from and what does it look like? George C.

Uncertainty in weather prediction Where does it come from and what does it look like? George C. Craig Meteorologisches Institut Fakutt fr Physik, LMU Mnchen Outline 1. A meteorologist's picture of weather 2. Quantitative forecasting 3.

431 views • 18 slides
SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

Angelo Prado Neal Harris Yoel Gluck SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA Proceed with caution: Review of CRIME Introducing BREACH In the weeds Demo time! Mitigations b r e a c h SSL,

526 views • 40 slides
Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class

Presenting a live 90 minute webinar with interactive Q&A Class Actions on Data Breach Class Actions on Data Breach and Privacy on the Rise Litigating Class Claims, Alleging and Challenging Damages, and Evaluating Insurance Coverage WEDNES

735 views • 55 slides
Compliance Component Simon Bingham Development Unit Manager 4 th December, Golden Lion

Compliance Component Simon Bingham Development Unit Manager 4 th December, Golden Lion

Compliance Component Simon Bingham Development Unit Manager 4 th December, Golden Lion Compliance Assessment Scheme (CAS) No Breaches Minor Significant ELC Breach(es)/ Breach/ >1 Gross Breach or 1 Gross repeated minor Breach breach

1.91k views • 6 slides

More recommend