Abstract

With expanding network infrastructures, increasing vulnerabilities and uncertain malicious activities, cyber security research has begun to provide situation assessment beyond Intrusion Detection Systems (IDSs). A key goal of cyber situation assessment is to efficiently and effectively project the likely future targets of ongoing multistage attacks. This work presents two ensemble techniques that combine real-time projection algorithms modeling the behavior, capability, and opportunity of malicious activities in a network. A Sugeno fuzzy inference system and the Transferable Belief Model are used to combine supporting evidence and resolve conflicts between the algorithm outputs. The two ensemble techniques are analyzed and compared using simulated attack datasets generated for varying network environments and attack parameters. The results are discussed to reveal the benefits and limitations of individual algorithms and ensemble techniques.

I. Introduction

Like other problem domains, computer network security exhibits noisy observations due to not only malicious, but also trusted and false-positive activities. Due to the sheer quantity of observables from cyber security sensors, effective computer security tools must be able to reduce the search space of observables by identifying the most malicious and important activities. Built upon various Intrusion Detection Systems (IDSs), alert correlation and attack projection have been gaining interest from the research community.
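The abstract names the Transferable Belief Model (TBM) as one way to combine the outputs of several projection algorithms and to resolve conflicts between them. The following is an added illustration of the mechanism in that role, not code from the paper: two hypothetical projection algorithms each assign belief mass to subsets of a constructed frame of candidate target hosts, the masses are fused with the TBM's unnormalised conjunctive rule (mass left on the empty set measures the conflict between the algorithms), and the fused mass is turned into a per-host ranking with the pignistic transform. Host names, the two algorithms' mass assignments and the `fuse` helper are assumptions for the example.

```python
from itertools import product

# Frame of discernment: the candidate target hosts (constructed for the example).
FRAME = frozenset({"db01", "web02", "ad01"})


def conjunctive_combine(m1, m2):
    """TBM conjunctive rule, unnormalised.

    m1 and m2 map focal sets (frozensets of hosts) to mass summing to 1.
    The mass that lands on frozenset() (the empty set) is the conflict
    between the two sources; unlike Dempster's rule it is kept, not
    redistributed, so a high value flags disagreeing algorithms.
    """
    out = {}
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        inter = a & b
        out[inter] = out.get(inter, 0.0) + wa * wb
    return out


def pignistic(m, frame=FRAME):
    """Pignistic transform: spread each focal set's mass uniformly over
    its elements, then renormalise by (1 - m(empty)) so the result is a
    probability distribution usable for ranking threatened hosts."""
    conflict = m.get(frozenset(), 0.0)
    bet = {x: 0.0 for x in frame}
    for focal, w in m.items():
        if not focal:
            continue
        for x in focal:
            bet[x] += w / len(focal)
    if conflict < 1.0:
        for x in bet:
            bet[x] /= 1.0 - conflict
    return bet


# Constructed output of a hypothetical "behavior" projection algorithm:
# the observed attack pattern points at the database host, with some
# residual ignorance placed on the whole frame.
m_behavior = {
    frozenset({"db01"}): 0.6,
    frozenset({"db01", "web02"}): 0.2,
    FRAME: 0.2,
}

# Constructed output of a hypothetical "opportunity" algorithm:
# reachability analysis says web02 or ad01 is the exposed next hop.
m_opportunity = {
    frozenset({"web02"}): 0.5,
    frozenset({"web02", "ad01"}): 0.3,
    FRAME: 0.2,
}


def fuse(m1, m2):
    """Combine two algorithms' masses; return (fused mass, conflict, ranking)."""
    fused = conjunctive_combine(m1, m2)
    return fused, fused.get(frozenset(), 0.0), pignistic(fused)


if __name__ == "__main__":
    fused, conflict, ranking = fuse(m_behavior, m_opportunity)
    print(f"conflict m(empty) = {conflict:.2f}")
    for host, p in sorted(ranking.items(), key=lambda kv: -kv[1]):
        print(f"{host}: {p:.3f}")
```

With these inputs almost half of the combined mass (0.48) falls on the empty set: the behavior algorithm's single-host belief in `db01` is directly contradicted by the opportunity algorithm, and the TBM exposes that rather than hiding it behind a renormalised answer. The pignistic ranking still places `web02` first, because both algorithms leave some mass on sets containing it; an operator seeing the conflict figure would know how much to trust that ranking.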
Alert correlation [1]–[4] seeks to intelligently associate observables. Attack projection [5]–[7] analyzes the aggregated alerts, referred to as multistage attacks, and projects each into the future to estimate potentially threatened targets in a network. This paper examines attack projection algorithms that assess different characteristics of multistage attacks and discusses how ensemble approaches can benefit the projection process.

Alert correlation and attack projection share the need to characterize or model the progression of cyber attacks. A reasonably administered computer network will require sophisticated hackers to perform multiple attack actions before reaching critical data or services. The complexity, the uncertainty, and the distributed nature of network and system configurations make the modeling of attack progression challenging. Past work on vulnerability trees [8] can be used to model attacks where an attack may begin at a leaf node and progress to a single root goal. Such an approach may be impractical because a number of large trees would need to be implemented to capture not only all possible goals, but also the different paths through the network. In fact, attacks toward a single goal may not progress in a tree-like manner. More compact approaches have utilized directed acyclic graphs, called attack graphs, and applied Bayesian analysis [6], [9]–[11]. While theoretically sound, generating a comprehensive set of attack graphs for a given network may be too challenging a task in the real world. Lippmann [12] reviewed 16 papers on attack graph generation and found that none had analyzed more than 20 machines, and none had considered a reasonable number of vulnerabilities or the complexity of firewall rules.

Recognizing the challenge of generating attack graphs, Holsopple
