towards predicting cyber attacks using information
play

TOWARDS PREDICTING CYBER ATTACKS USING INFORMATION EXCHANGE AND - PowerPoint PPT Presentation

Sep 23, 2022 •233 likes •372 views

TOWARDS PREDICTING CYBER ATTACKS USING INFORMATION EXCHANGE AND DATA MINING Tuesday 26 th June, 2018 Martin Husk Jaroslav Kapar Introduction Information Exchange From collaborative intrusion detection to sharing expertise Numerous alert

  1. TOWARDS PREDICTING CYBER ATTACKS USING INFORMATION EXCHANGE AND DATA MINING Tuesday 26 th June, 2018 Martin Husák Jaroslav Kašpar

  2. Introduction Information Exchange From collaborative intrusion detection to sharing expertise Numerous alert sharing platforms and communities Predictions and Early Warnings Common attackers follow certain patterns Attack progression – from reconnaissance to intrusion Address space patterns – large scans, worm infections, etc. Leveraging such knowledge is a subject of research Collaborative Attack Prediction Page 2 / 12

  3. Approach Data Mining Sequential rule mining TopKRules algorithm implemented in SPMF library Top-10 sequential rules mined every day for one week Research Question? Comparison of mined rules – are they the same of different? How does their support and confidence values evolve? How much time does a prediction rule leave for reaction? Collaborative Attack Prediction Page 3 / 12

  4. Experiment Setup SABU Alert Sharing Platform Originated in academic networks of Czech Republic Contributors from academia, public and private sectors https://sabu.cesnet.cz/en/start Dataset 1,100,000 alerts collected over 1 week from 22 organizations Honeypots and network-based IDS as alert sources 220,000 alerts per day 130,000 attack sequences per day Collaborative Attack Prediction Page 4 / 12

  5. Example of an Alert { "Format": "IDEA0", "ID": "3ad275e3-559a-45c0-8299-6807148ce157", "DetectTime": "2014-03-22T10:12:56Z", "Category": ["Recon.Scanning"], "ConnCount": 633, "Description": "Ping scan", "Source": [ { "IP4": ["93.184.216.119"], "Proto": ["icmp"] } ], "Target": [ { "Proto": ["icmp"], "IP4": ["93.184.216.0/24"], "Anonymised": true } ] } Collaborative Attack Prediction Page 5 / 12

  6. Illustrative Results SSH Brute-forcing in multiple networks Organization_A.kippo:Attempt.Login:22, Organization_B.cowrie:Attempt.Login:22 => Organization_C.kippo:Attempt.Login:22 #SUPP: 0.00367 #CONF: 0.54545 Network scanning followed by exploitation Organization_A.dionaea1:Recon.Scanning:139 => Organization_A.dionaea1:Attempt.Exploit:445 #SUPP: 0.00551 #CONF: 0.9 Organization_A.dionaea2:Recon.Scanning:139 => Organization_A.dionaea2:Attempt.Exploit:445 #SUPP: 0.00613 #CONF: 0.83333 Collaborative Attack Prediction Page 6 / 12

  7. Top-10 sequential rules – support and con fi dence Rule Input Output Support Con fi dence ⇒ 1 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 0.00438 0.88386 Org_A.nemea.hoststats:Recon.Scanning::None ⇒ 2 Org_A.nemea.bruteforce:Attempt.Login:23 Org_A.tarpit:Recon.Scanning:23 0.00824 0.53465 ⇒ 3 Org_A.nemea.hoststats:Recon.Scanning:None Org_A.hoststats:Recon.Scanning:None 0.01987 0.68214 ⇒ 4 Org_A.tarpit:Recon.Scanning:2323 Org_A.tarpit:Recon.Scanning:23 0.06655 0.70099 ⇒ 5 Org_A.tarpit:Recon.Scanning:2222 Org_A.tarpit:Recon.Scanning:22 0.00834 0.58155 ⇒ 6 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 0.00487 0.89071 Org_A.hoststats:Recon.Scanning:None ⇒ 7 Org_A.nemea.hoststats:Recon.Scanning:None, Org_A.hoststats:Recon.Scanning:None 0.00544 0.80088 Org_B.nemea.hoststats:Recon.Scanning:None ⇒ 8 Org_A.hoststats:Recon.Scanning:None, Org_A.tarpit:Recon.Scanning:80 0.00289 0.90000 Org_A.tarpit:Recon.Scanning:443 ⇒ 9 Org_A.hoststats:Recon.Scanning:None, Org_A.nemea.hoststats:Recon.Scanning: 0.00411 0.60284 Org_B.nemea.hoststats:Recon.Scanning:None None ⇒ 10 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 0.00266 0.83962 Org_A.hoststats:Recon.Scanning:None, Org_A.nemea.hoststats:Recon.Scanning:None Collaborative Attack Prediction Page 7 / 12

  8. Support and con fi dence values of Top- 10 sequential rules during the experiment Day 1 (133,785 seq.) Day 2 (129,180 seq.) Day 3 (137,364 seq.) Day 4 (140,093 seq.) Day 5 (140,844 seq.) Rule Supp. Conf. Supp. Conf. Supp. Conf. Supp. Conf. Supp. Conf. 1 0.00438 0.88386 0.00544 0.89453 0.00468 0.86909 0.00595 0.90554 0.00580 0.90476 2 0.00824 0.53465 0.00955 0.54844 0.00750 0.57953 0.00733 0.59387 0.00655 0.56178 3 0.01987 0.68214 0.02789 0.76877 0.02637 0.77863 0.02558 0.74947 0.02641 0.74415 4 0.06655 0.70099 0.06864 0.71114 0.06246 0.71855 0.06838 0.74378 0.06551 0.75104 5 0.00834 0.58155 0.00818 0.58045 0.00708 0.59474 0.00758 0.55777 0.00930 0.58606 6 0.00487 0.89071 0.00557 0.87378 0.00537 0.86925 0.00727 0.89938 0.00739 0.89356 7 0.00544 0.80088 0.00587 0.89504 0.00546 0.89618 0.00524 0.88341 0.00559 0.89545 8 0.00289 0.9 0.00129 0.78403 0.00138 0.86758 0.00119 0.59011 0.00130 0.77542 9 0.00411 0.60284 0.00414 0.62941 0.00397 0.64311 0.00369 0.60023 0.00401 0.62431 10 0.00266 0.83962 0.00412 0.87070 0.00355 0.83022 0.00478 0.88859 0.00427 0.875 Collaborative Attack Prediction Page 8 / 12

  9. Evolution of support (left) and con fi dence (right) values in sequential rules in consecutive day 1 Rule 1 Rule 2 0 . 06 0 . 9 Rule 3 Rule 4 Rule 5 0 . 8 0 . 04 Rule 6 Rule 7 Rule 8 0 . 7 Rule 9 0 . 02 Rule 10 0 . 6 0 0 . 5 Day 1 Day 2 Day 3 Day 4 Day 5 Day 1 Day 2 Day 3 Day 4 Day 5 Collaborative Attack Prediction Page 9 / 12

  10. Top- 10 sequential rules – minimal and average time di ff erences (in seconds) Min. ∆ t Avg. ∆ t Rule I nput Output ⇒ 1 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 12 1,530 Org_A.nemea.hoststats:Recon.Scanning::None ⇒ 2 Org_A.nemea.bruteforce:Attempt.Login:23 Org_A.tarpit:Recon.Scanning:23 121 7,539 ⇒ 3 Org_A.nemea.hoststats:Recon.Scanning:None Org_A.hoststats:Recon.Scanning:None 1 401 ⇒ 4 Org_A.tarpit:Recon.Scanning:2323 Org_A.tarpit:Recon.Scanning:23 901 5,882 ⇒ 5 Org_A.tarpit:Recon.Scanning:2222 Org_A.tarpit:Recon.Scanning:22 914 7,041 ⇒ 6 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 21 2,019 Org_A.hoststats:Recon.Scanning:None ⇒ 7 Org_A.nemea.hoststats:Recon.Scanning:None, Org_A.hoststats:Recon.Scanning:None 4 735 Org_B.nemea.hoststats:Recon.Scanning:None ⇒ 8 Org_A.hoststats:Recon.Scanning:None, Org_A.tarpit:Recon.Scanning:80 35 22,754 Org_A.tarpit:Recon.Scanning:443 ⇒ 9 Org_A.hoststats:Recon.Scanning:None, Org_A.nemea.hoststats:Recon.Scanning: 1 2,698 Org_B.nemea.hoststats:Recon.Scanning:None None ⇒ 10 Org_A.tarpit:Recon.Scanning:2323, Org_A.tarpit:Recon.Scanning:23 12 1,528 Org_A.hoststats:Recon.Scanning:None, Org_A.nemea.hoststats:Recon.Scanning:None Collaborative Attack Prediction Page 10 / 12

  11. Conclusion and Future Work Conclusion Examination of real-world security alerts and possibility of attack prediction in collaborative environment Mined sequential rules are stable over time Many rules are unfit for practical use – proper (manual) filtering is recommended The rules leave enough time to react (often in order of minutes) Future Work Further development of the prediction component of SABU Visualization of the mined rules Collaborative Attack Prediction Page 11 / 12

  12. THANK YOU FOR YOUR ATTENT I ON! Martin Husák csirt.muni.cz @csirtmu husakm@ics.muni.cz

Recommend

90% OF CYBER ATTACKS ARE 90% OF CYBER ATTACKS ARE SUCCESSFUL DUE TO HUMAN SUCCESSFUL DUE TO

90% OF CYBER ATTACKS ARE 90% OF CYBER ATTACKS ARE SUCCESSFUL DUE TO HUMAN SUCCESSFUL DUE TO

90% OF CYBER ATTACKS ARE 90% OF CYBER ATTACKS ARE SUCCESSFUL DUE TO HUMAN SUCCESSFUL DUE TO HUMAN ERROR ERROR CYBER AWARE CYBER AWARE NEXT-GEN SECURITY AWARENESS TRAINING Cyber Crime Is Now A Cyber Crime Is Now A Business Opportunity

550 views • 25 slides
Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced

Understanding Cyber Risks and Security Options The Spectrum of Cyber Attacks Advanced Persistent Threats (APT) Cybercriminals, Exploits and Malware Denial of Service attacks (DDoS) Domain name hijacking Corporate

347 views • 13 slides
PII Awareness Briefing Introduction Cyber attacks on private, public and government

PII Awareness Briefing Introduction Cyber attacks on private, public and government

PII Awareness Briefing Introduction Cyber attacks on private, public and government information systems are becoming all too common. From hackers to cyber criminals and nation states, todays attackers are more disciplined,

918 views • 12 slides
Conceptualizing Human Resilience in the Face of the Global Epidemiology of Cyber Attacks L Jean

Conceptualizing Human Resilience in the Face of the Global Epidemiology of Cyber Attacks L Jean

Conceptualizing Human Resilience in the Face of the Global Epidemiology of Cyber Attacks L Jean Camp, Marthie Grobler, Julian Jang-Jaccard, Christian Probst, Karen Renaud, Paul Watters Cyber is Global It is unrealistic to study cyber at a

719 views • 36 slides
The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix

The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix

The Challenge LGNZ 6 June 2014 100 % Cyber Attacks Data Indicative National Risk Matrix Severe Weather Hazardous Spill Failed Large Pacific rural flood Global Financial Asia 10 % State Crisis Interstate Cyber Attacks Conflict

335 views • 11 slides
Analyzing Resiliency of Smart Grid Communication Architectures under Cyber Attacks Anas Al

Analyzing Resiliency of Smart Grid Communication Architectures under Cyber Attacks Anas Al

Analyzing Resiliency of Smart Grid Communication Architectures under Cyber Attacks Anas Al Majali, Arun Viswanathan and Clifford Neuman USC/Information Sciences Institute 1 Information Sciences Institute Part I Quick Overview 2

761 views • 42 slides
AFIIA 2017 Cyber Attack Demonstration Overview of Information Security Information Security

AFIIA 2017 Cyber Attack Demonstration Overview of Information Security Information Security

5/30/2017 Presentation Outline Cyber Security - Safeguarding your IT Environment Cyber Attack Demonstration Overview of Information Security Situational Analysis of Current Attacks Wednesday, May 17, 2017 @ AFIIA Conference, 2017

498 views • 5 slides
DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1

DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1

www.nviso.be DEFENDING DIGITAL BUSINESS AGAINST CYBER ATTACKS Presentation SAI 21/02/2019 Our Agenda 1 Demo time 2 Threat actor groups 3 Nation states 4 Hacktivism 5 Organized cyber crime 6 The bad competitor 7 The Internet of

777 views • 42 slides
SARNET ENHANCING RESILIENCE AGAINST CYBER ATTACKS Frank Fransen | 5 October 2016 SARNET -

SARNET ENHANCING RESILIENCE AGAINST CYBER ATTACKS Frank Fransen | 5 October 2016 SARNET -

SARNET ENHANCING RESILIENCE AGAINST CYBER ATTACKS Frank Fransen | 5 October 2016 SARNET - Enhancing Cyber Resilience Relation to NCSRA II SARNET | October 5th 2016 CYBER THREATS ARE EVOLVING Key trends Cyber Cyber Cyber Magnitude of

153 views • 13 slides
Cyber attacks as use of force in international relations: ius ad bellum and ius in bello Prof.

Cyber attacks as use of force in international relations: ius ad bellum and ius in bello Prof.

Cyber attacks as use of force in international relations: ius ad bellum and ius in bello Prof. Marco Pedrazzi Department of International, Legal, Historical and Political Studies Milan University 1 Cyber war and outer space Satellites =

583 views • 27 slides
Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security

Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security

Anatomy of a Data Theft Attack For Sacramento ISACA January 2016 Mike Landeck Cyber Security Consultant Agenda 1. USB Attacks 2. QR Code Attacks 3. Advanced Phishing Attacks 4. Malvertising 5. Watering Hole Attacks 6. How Simple Browser

1.32k views • 33 slides
WORLDWIDE CYBER-ATTACKS: THEIR IMPACT ON THE INTERNATIONAL HEALTH SERVICES AND THEIR ANSWER IN

WORLDWIDE CYBER-ATTACKS: THEIR IMPACT ON THE INTERNATIONAL HEALTH SERVICES AND THEIR ANSWER IN

MOL2NET 2017, International Conference on Multidisciplinary Sciences, 3rd edition. Section 08: LAWSCI-01: Wokshop on Challenges in Law, Technology, Life, and Social Sciences. 25 30 July, 2017. Bilbao, Spain. WORLDWIDE CYBER-ATTACKS: THEIR

78 views • 5 slides
Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR

Presenting a live 90-minute webinar with interactive Q&A Data Breaches in Healthcare: Responding to Skyrocketing Cyber Attacks Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability THURSDAY, MARCH 24, 2016

795 views • 76 slides
on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown

on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown

The impact of Covid-19 on Cyber Security Presentation by Control Risks James Owen Partner, Cyber, EMEA William Brown Director, Cyber, Middle East 1 Control Risks Cyber attacks exploiting the pandemic Share of attack vector of organized

447 views • 10 slides
Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

406 views • 36 slides
National Cybersecurity preparation to deal with Cyber Attacks Dr. Chaichana Mitrpant Assistant

National Cybersecurity preparation to deal with Cyber Attacks Dr. Chaichana Mitrpant Assistant

National Cybersecurity preparation to deal with Cyber Attacks Dr. Chaichana Mitrpant Assistant Executive Director, Electronic Transactions Development Agency (ETDA) 1 Analog to Digital Era Over all Internet usage in Thailand

183 views • 15 slides
Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security

Cyber/Information Cyber/Information Security Cyber/Information Cyber/Information Security Security Insurance: Security Insurance: Insurance: Insurance: A Montana Perspective A Montana Perspective Presented by: d b Brett E. Dahl,

197 views • 8 slides
O tt itti Outtwitting the Twitterers th T itt Predicting Information Predicting

O tt itti Outtwitting the Twitterers th T itt Predicting Information Predicting

O tt itti Outtwitting the Twitterers th T itt Predicting Information Predicting Information Cascades in Microblogs Wojciech Galuba Karl Aberer Wojciech Galuba , Karl Aberer EPFL, Switzerland Dipanjan Chakraborty Dipanjan Chakraborty

398 views • 36 slides
CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi Group, C h a i r m a n ( @ ) M L i G r p ( d o t ) c o m 1 WHAT IS A POLI-CYBER ? CYBER ATTACKS PERPETRATED OR INSPIRED BY EXTREMIST

520 views • 17 slides
Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Micro-Architectural Attacks on Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical Systems Cyber Physical Systems (CPS) Cyber (Computer) + Physical (Plant) Real-time Control physical

310 views • 29 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A.

KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A.

KNOW YOUR ROLE DO YOUR JOB: A mapping of skills and building a Cyber Security Career EILEEN. A. Cyber Defense and Forensics Analyst The Dilemma Caught in a web, ever growing cyber attacks, changes in technology. Strategies seem to last an

452 views • 28 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Vulnerability Analysis Of Optimal Power Flow Problem Under Cyber-Physical Security Attacks

Vulnerability Analysis Of Optimal Power Flow Problem Under Cyber-Physical Security Attacks

Vulnerability Analysis Of Optimal Power Flow Problem Under Cyber-Physical Security Attacks Devendra Shelar and Saurabh Amin Massachusetts Institute of Technology INFORMS November 15 th , 2016 Vulnerable Electricity Networks: Key issues Two

391 views • 7 slides

More recommend