Abstract

There is great interest in developing proactive approaches to cyber defense, in which future attack strategies are anticipated and these insights are incorporated into defense designs. This chapter considers the problem of protecting computer networks against intrusions and other disruptions in a proactive manner. We begin by leveraging the coevolutionary relationship between attackers and defenders to derive two new proactive filter-based methods for network defense. The first of these filters is a bipartite graph-based machine learning algorithm that enables information concerning previous attacks to be “transferred” for application against novel attacks, thereby substantially increasing the rate at which defense systems can successfully respond to new attacks. The second approach involves exploiting basic threat information (obtained from, for example, network security analysts) to generate “synthetic” attack data for use in learning appropriate defense actions, resulting in network defenses that are effective against both current and (near) future attacks. The utility of these two filter-based methods is demonstrated by showing that they outperform standard techniques for the task of detecting malicious network activity in two publicly available cyber datasets. We then consider the problem of anticipating and characterizing impending attack events with sufficient specificity and timeliness to enable mitigating defensive actions to be taken, and propose a novel early warning method as a solution to this problem. The warning method is based upon the fact that certain classes of attacks require the attackers to coordinate their actions, and exploits signatures of this coordination to provide effective attack warning. The potential of the warning-based approach to cyber defense is illustrated through a case study involving politically motivated Internet attacks.
