Abstract

Advanced persistent threats (APTs) have emerged as multi-stage attacks that target nation-states and their associated entities, including the private and corporate sectors. Cyber deception has emerged as a defense approach for securing cyber infrastructure against APTs. Practical deployment of cyber deception relies on the defender's ability to place decoy nodes optimally along the APT path. This paper presents a cyber deception approach focused on predicting the most likely sequence of attack paths and deploying decoy nodes along the predicted path. Our proposed approach combines reactive (graph analysis) and proactive (cyber deception technology) defense to thwart the adversary's lateral movement. The approach is realized in two phases. The first phase predicts the most likely attack path from Intrusion Detection System (IDS) alerts and network traces, and the second phase determines the optimal deployment of decoy nodes along the predicted path. We employ the transition probabilities of a Hidden Markov Model to predict the path. In the second phase, we use the predicted attack path to deploy decoy nodes. However, the attacker may well not follow the predicted path when moving laterally. To address this challenge, we employ a Partially Observable Monte-Carlo Planning (POMCP) framework. POMCP helps the defender assess several defense actions to block the attacker when it deviates from the predicted path. The evaluation results show that our approach can predict the most likely attack paths and thwart adversarial lateral movement.

Highlights

  • Given the growing spate of cyber attacks, it is imperative to design resilient cyber infrastructure

  • Adversaries have lately resorted to using Advanced Persistent Threats (APT) to conduct cybercrime

  • This paper proposes a method to predict the most likely attack path for adversarial lateral movement and deter the adversarial lateral movement using a cyber deception approach

Summary

INTRODUCTION

Given the growing spate of cyber attacks, it is imperative to design resilient cyber infrastructure. In this paper, we use a Hidden Markov Model (HMM) to identify the most likely attack path an attacker could take to reach the goal state. We present an approach to predict the most likely attack path for adversarial lateral movement by leveraging the HMM. This approach helps the defender understand the attacker’s strategies and aims, and enables the security team to take the necessary action (deploying decoys) before the attacker progresses along the predicted path and reaches the goal state. Ussath et al. [31] have discussed a three-stage APT attack life cycle model focusing only on initial compromise, lateral movement, and command & control activity. For the illustrative example in the evaluation section, we assume that the attacker will move first and attempt an exploit
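The abstract and the introduction both describe the first phase as decoding the most likely host sequence from IDS alerts with an HMM. The following Viterbi decoder is an added illustration of that step, not code from the paper; the hosts, alert categories and all probabilities are constructed toy values, and the predicted path is what the second phase would instrument with decoys.

```python
import math

# Constructed toy model (not taken from the paper): hidden states are hosts on
# the lateral-movement path, observations are IDS alert categories.
STATES = ["web", "app", "db"]  # "db" is the attacker's assumed goal host
INITIAL = {"web": 0.7, "app": 0.2, "db": 0.1}

# TRANSITION[a][b]: probability the attacker moves laterally from host a to b.
TRANSITION = {
    "web": {"web": 0.30, "app": 0.60, "db": 0.10},
    "app": {"web": 0.10, "app": 0.30, "db": 0.60},
    "db":  {"web": 0.05, "app": 0.15, "db": 0.80},
}
# EMISSION[host][alert]: probability that activity on host raises that alert.
EMISSION = {
    "web": {"scan": 0.6, "exploit": 0.3, "exfil": 0.1},
    "app": {"scan": 0.3, "exploit": 0.5, "exfil": 0.2},
    "db":  {"scan": 0.1, "exploit": 0.3, "exfil": 0.6},
}


def viterbi(alerts, states=STATES, initial=INITIAL,
            transition=TRANSITION, emission=EMISSION):
    """Return (most likely host sequence, its joint probability) for an
    observed IDS alert sequence. Log space avoids underflow on long traces."""
    if not alerts:
        return [], 0.0
    # best[t][s]: log-prob of the best partial path that is at host s at step t
    best = [{s: math.log(initial[s]) + math.log(emission[s][alerts[0]])
             for s in states}]
    back = [{}]  # back[t][s]: predecessor host of s on that best partial path
    for t in range(1, len(alerts)):
        best.append({})
        back.append({})
        for s in states:
            prev = max(states, key=lambda p: best[t - 1][p]
                       + math.log(transition[p][s]))
            best[t][s] = (best[t - 1][prev] + math.log(transition[prev][s])
                          + math.log(emission[s][alerts[t]]))
            back[t][s] = prev
    # Backtrack from the most probable final host; path[1:] are the hops the
    # defender would instrument with decoys before the attacker reaches them.
    last = max(states, key=lambda s: best[-1][s])
    path = [last]
    for t in range(len(alerts) - 1, 0, -1):
        path.append(back[t][path[-1]])
    path.reverse()
    return path, math.exp(best[-1][last])
```

With the toy values above, the alert trace scan, exploit, exfil decodes to web, app, db with joint probability 0.04536; a trace that begins with an exploit alert decodes to a path starting at app, showing how the prediction shifts when the attacker is first seen deeper in the network.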

SYSTEM ARCHITECTURE
THREAT MODEL
PREDICTION VALUES
STATE SEQUENCE AND PROBABILITY
ATTACK PATHS PREDICTION
DEFENDER’s AVAILABLE INFORMATION
BALANCING SECURITY AND AVAILABILITY COST
THE DEFENSE ALGORITHM
ATTACKER’s CAPABILITY ASSESSMENT
Findings
CONCLUSION