Abstract

Attack attribution in cyber-attacks tends to be a qualitative exercise with substantial room for error. Graph theory is already a proven tool for modeling any connected system. Utilizing graph theory can provide a quantitative, mathematically rigorous methodology for attack attribution. By identifying homomorphic subgraphs as points of comparison, one can create a fingerprint of an attack. That would allow one to match that fingerprint to new attacks and determine whether the same threat actor conducted the attack. This current study provides a mathematical method to create network intrusion fingerprints by applying graph theory homomorphisms. This provides a rigorous method for attack attribution. A case study is used to test this methodology and determine its efficacy in identifying attacks perpetrated by the same threat actor and/or using the same threat vector.

Highlights

  • Network intrusions come in many different varieties

  • The ATT&CK methodology helps the analyst understand how a specific attack was conducted but is only moderately useful for attack attribution, because it does not adequately integrate the attack path or the target network into its model. This highlights a gap in the literature that the current study proposes to fill

  • Comparison is made between induced subgraphs: each original attack graph contains an induced subgraph that is compared to an induced subgraph in the other complete attack graph


Summary

Introduction

Network intrusions come in many different varieties. There are Denial of Service (DoS) attacks, malware infections, remote access, and others. Graph theory provides a tool that is appropriate for developing a fingerprint of spyware activity. Graph theory has already been utilized to model digital attacks by matching indicators of compromise on a system-wide basis [12]. Algebraic graph theory has been utilized to model network intrusions and better understand the attack [13][14]. Identifying Indicators of Compromise in cyber-attacks attempts to provide some of this level of rigor but falls short. What is needed in the domain of cyber investigations is something that is the equivalent in rigor of a fingerprint. This would move cyber-attack attribution from a subjective, qualitative process to an objective, quantitative science.
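The comparison the abstract and highlights describe, matching a fingerprint against a new intrusion as an induced, label-preserving subgraph, worked through as an added example (not the paper's own code or data). The node labels, node names and graph shapes are constructed assumptions; the paper does not specify its node semantics.

```python
# Added example (not the paper's code): test whether an attack fingerprint
# occurs as an induced, label-preserving subgraph of a new intrusion graph.
# Node names, labels and graph shapes are constructed for illustration.
def embeddings(fp_labels, fp_edges, g_labels, g_edges, induced=True):
    """Yield injective maps fingerprint node -> graph node that preserve
    labels and edges; with induced=True, non-edges are preserved too."""
    order = list(fp_labels)

    def consistent(u, v, mapping):
        for u2, v2 in mapping.items():
            for a, b, c, d in ((u, u2, v, v2), (u2, u, v2, v)):
                in_fp, in_g = (a, b) in fp_edges, (c, d) in g_edges
                if in_fp and not in_g:                # fingerprint edge absent in G
                    return False
                if induced and in_g and not in_fp:    # extra edge among mapped nodes
                    return False
        return True

    def extend(i, mapping):
        if i == len(order):
            yield dict(mapping)
            return
        u = order[i]
        for v, lab in g_labels.items():
            if (lab == fp_labels[u] and v not in mapping.values()
                    and consistent(u, v, mapping)):
                mapping[u] = v
                yield from extend(i + 1, mapping)
                del mapping[u]

    yield from extend(0, {})

def attributes_to(fp, graph, induced=True):
    """True when the fingerprint embeds in the intrusion graph."""
    return next(embeddings(*fp, *graph, induced=induced), None) is not None

# Fingerprint (constructed): initial access -> C2; C2 fans out to lateral
# movement and exfiltration; lateral movement also feeds exfiltration.
FP = ({"f1": "initial_access", "f2": "c2", "f3": "lateral_movement", "f4": "exfiltration"},
      {("f1", "f2"), ("f2", "f3"), ("f2", "f4"), ("f3", "f4")})
# Incident A: same core pattern plus an unrelated privilege-escalation branch.
INCIDENT_A = ({"a0": "initial_access", "a1": "c2", "a2": "lateral_movement",
               "a3": "exfiltration", "a4": "privilege_escalation"},
              {("a0", "a1"), ("a1", "a2"), ("a1", "a3"), ("a2", "a3"), ("a1", "a4")})
# Incident B: same nodes, but initial access also goes straight to exfiltration,
# so the pattern is an ordinary subgraph of B yet not an induced one.
INCIDENT_B = ({"b0": "initial_access", "b1": "c2", "b2": "lateral_movement", "b3": "exfiltration"},
              {("b0", "b1"), ("b1", "b2"), ("b1", "b3"), ("b2", "b3"), ("b0", "b3")})
```

Incident A matches the fingerprint as an induced subgraph; incident B matches only when the induced requirement is dropped, which is why the highlights insist on comparing induced subgraphs rather than arbitrary ones.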

Problem Formulation
Problem Solution
A Case Study
Conclusion