Multi-stage Attacks Research Articles

Evaluation of Attackers’ Skill Levels in Multi-Stage Attacks

The rapid move to digitalization and usage of online information systems brings new and evolving threats that organizations must protect themselves from and respond to. Monitoring an organization’s network for malicious activity has become a standard practice together with event and log collection from network hosts. Security operation centers deal with a growing number of alerts raised by intrusion detection systems that process the collected data and monitor networks. The alerts must be processed so that the relevant stakeholders can make informed decisions when responding to situations. Correlation of alerts into more expressive intrusion scenarios is an important tool in reducing false-positive and noisy alerts. In this paper, we propose correlation rules for identifying multi-stage attacks. Another contribution of this paper is a methodology for inferring from an alert the values needed to evaluate the attack in terms of the attacker’s skill level. We present our results on the CSE-CIC-IDS2018 data set.

Adaptive Cyber Defense Against Multi-Stage Attacks Using Learning-Based POMDP

Growing multi-stage attacks in computer networks impose significant security risks and necessitate the development of effective defense schemes that are able to autonomously respond to intrusions during vulnerability windows. However, the defender faces several real-world challenges, e.g., unknown likelihoods and unknown impacts of successful exploits. In this article, we leverage reinforcement learning to develop an innovative adaptive cyber defense to maximize the cost-effectiveness subject to the aforementioned challenges. In particular, we use Bayesian attack graphs to model the interactions between the attacker and networks. Then we formulate the defense problem of interest as a partially observable Markov decision process problem where the defender maintains belief states to estimate system states, leverages Thompson sampling to estimate transition probabilities, and utilizes reinforcement learning to choose optimal defense actions using measured utility values. The algorithm performance is verified via numerical simulations based on real-world attacks.

A formal and automated approach to exploiting multi-stage attacks of web applications

We propose a formal and automated approach that allows one to (i) reason about vulnerabilities of web applications and (ii) combine multiple vulnerabilities for the identification of complex, multi-stage attacks. We have developed WAFEx, an automatic tool that implements our approach and we show its efficiency by applying it to real-world case studies. WAFEx was able to generate, and exploit, previously unknown attacks.

Cyber Attacks Mitigation: Detecting Malicious Activities in Network Traffic – A Review of Literature

Cyber attacks are becoming more common and over the last decade, many attacks have made top news, targeting manufacturing firms and governmental organisations. Such attacks have triggered substantial financial damage and they've been trying to obstruct key public sector operations. Furthermore, as the Internet of Things (IoT) has arisen, the number of Internet-connected devices is increasingly growing and being easy target of cyber attacks. To counter cyber attacks, information security researchers rely extensively on intrusion detection systems (IDSs) that can identify suspicious activities by comparing patterns of documented attacks or detecting anomaly-based activities. This survey aims to tackle Trust, Protection, identification and activity on a wide scale networks and Internet of Things. The proposed research aims at developing a practically deployable cyber security solution to one or more of the cyber attacks. Multi-Stage Attacks (MSAs), APT, DoS attacks, wireless injection attacks, botnets or other malicious activities will be investigated. In this literature survey we are highlighting the work Performed throughout the area of cyber security by various researchers, various types of cyber attacks and its stages, various approaches to prevent cyber attacks, different challenges faced by a preventer, and some gaps in the research. This literature review is carried out by using the secondary data obtained from peer-reviewed journals and other sources on the web. This review aims to explain Detecting Malicious Activities in Network Traffic.

Detection of Low-Frequency and Multi-Stage Attacks in Industrial Internet of Things

The increasingly sophisticated cyber attacks have become a serious challenge for Industrial Internet of Things (IIoT), which presents two new characteristics: low frequency and multi-stage. That is, hackers could gain authority to attack industrial equipment/infrastructure gradually in a long interval through lurking, lateral intrusion and privilege escalation. While, the existing Machine Learning (ML) based intrusion detection schemes all require the participation of expert knowledge, so it is difficult to adaptively select an attack interval and a retraining period of the detection model in IIoT, resulting in poor detection performance. To solve above problems, a bidirectional long and short-term memory network with multi-feature layer (B-MLSTM) is designed. Firstly, sequence and stage feature layers are introduced in the model training phase model which can learn the corresponding attack interval from historical data, so that the model can effectively detect attacks with different intervals. Then, a double-layer reverse unit is introduced to update the detection model. By collecting information from test data and making association analysis with historical data, the retraining period is adaptively selected to match the new attack interval. Compared with the previous works, our proposed scheme has a lower false positive rate than existing schemes by at least 46.79%, and the false negative rate is reduced by at least 79.85%, which are carried out on three classic IIoT datasets.

Attack plan recognition using hidden Markov and probabilistic inference

Intrusion detection systems perform well with single attack phase but not complex multi-step attacks which largely reduce their reliability. Multi-stage attack plan recognition aims at inferring attack plans and predicting upcoming attacks by analyzing the causal relationship between attack phases. Recent research often uses machine learning to deal with attack issues. However, some problems still exist. When probabilistic inference is applied to construct a causal network, researchers fail to take temporal sequence association into consideration, which makes it difficult for the model to deal with incomplete data. While the hidden Markov model can be used to recognize an attack plan, it cannot predict multiple intents nor their probabilities. This paper proposes a probability model based on the hidden Markov model and probabilistic inference responding to malicious events at runtime. This model uses online parameter updating rules which make it better suited to the rapidly changing cyber environment. Experimental results show that this model can achieve better performance compared to only using a single method and detect attack intent in an earlier stage.

Multi-stage attack weapon target allocation method based on defense area analysis

For better reflecting the interactive defense between targets in practical combat scenarios, the basic weapon-target allocation (WTA) framework needs to be improved. A multi-stage attack WTA method is proposed. First, a defense area analysis is presented according to the targets' positions and the radii of the defense areas to analyze the interactive coverage and protection between targets' defense areas. Second, with the coverage status and coverage layer number, a multi-stage attack planning method is proposed and the multi-stage attack objective function model is established. Simulation is conducted with interactive defense combat scenarios, the traditional WTA method and the multi-stage WTA method are compared, and the objective function model is validated with the Monte-Carlo method. The results suggest that if the combat scenario involves interactive coverage of targets' defense areas, it is imperative to analyze the defense areas and apply the multi-stage attack method to weakening the target defense progressively for better combat effectiveness.

Evaluation of HMM-Based Network Intrusion Detection System for Multiple Multi-Stage Attacks

With the explosive growth of network security threats, there is a dire need to build secure network systems. In this article, we address the challenges of modeling and detecting advanced network attacks. In particular, we investigate how interleaving multiple multi-stage can exacerbate the stealthiness of the attack and deceive network intrusion detection systems. We design a detection architecture based on a leading statistical machine learning technique, HMM. The proposed architecture deploys a set of HMM templates of recognized multi-stage attacks to detect and track the progress of stealthy attacks. Extensive simulation experiments are conducted to assess the performance of the proposed architecture for multiple multi-stage attack scenarios in the presence of imperfect partitioning of network data streams and false alerts with various rates.

A Bayesian Belief Network Model For Detecting Multi-stage Attacks With Malicious IP Addresses

A Bayesian Belief Network Model For Detecting Multi-stage Attacks With Malicious IP Addresses

Hierarchical Multi-Stage Cyber Attack Scenario Modeling Based on G&E Model for Cyber Risk Simulation Analysis

With the advancement in cyber-defense capabilities, cyber attacks have continued to evolve like living creatures to breach security. Assuming the possibility of various enemy attacks, it is necessary to select an appropriate course of action by proactively analyzing and predicting the consequences of a particular security event. Cyber attacks, especially in large-scale military network environments, have a fatal effect on security; therefore, various experiments and analyses must be conducted to establish the necessary preparations. Herein, we propose a hierarchical multi-stage cyber attack scenario modeling based on the goal and effect (G&E) model and analysis system, which enables expression of various goals of attack and damage effects without being limited to specific type. The proposed method is applicable to large-scale networks and can be utilized in various scenario-based cyber combat experiments.

Deep learning model for preicting multistage cyber attacks

The prediction of cyberattacks has been a major concern in cybersecurity. This is due to the huge financial and resource losses incurred by organisations after a cyberattack. The emergence of new applications and disruptive technologies has come with new vulnerabilities, most of which are novel – with no immediate remediation available. Recent attacks signatures are becoming evasive, deploying very complex techniques and algorithms to infiltrate a network, leading to unauthorized access and modification of system parameters and classified data. Although there exists several approaches to mitigating attacks, challenges of using known attack signatures and modeled behavioural profiles of network environments still linger. Consequently, this paper discusses the use of unsupervised statistical and supervised deep learning techniques to predict attacks by mapping hyper-alerts to class labels of attacks. This enhances the processes of feature extraction and transformation, as a means of giving structured interpretation of the dynamic profiles of a network.Keywords: Alert correlation, Cyberattack prediction, Cybersecurity, Deep learning, Cyberattacks, Supervised and Unsupervised LearningVol. 26 No 1, June 2019

A Supervised Intrusion Detection System for Smart Home IoT Devices

The proliferation in Internet of Things (IoT) devices, which routinely collect sensitive information, is demonstrated by their prominence in our daily lives. Although such devices simplify and automate every day tasks, they also introduce tremendous security flaws. Current insufficient security measures employed to defend smart devices make IoT the “weakest” link to breaking into a secure infrastructure, and therefore an attractive target to attackers. This paper proposes a three layer intrusion detection system (IDS) that uses a supervised approach to detect a range of popular network based cyber-attacks on IoT networks. The system consists of three main functions: 1) classify the type and profile the normal behavior of each IoT device connected to the network; 2) identifies malicious packets on the network when an attack is occurring; and 3) classifies the type of the attack that has been deployed. The system is evaluated within a smart home testbed consisting of eight popular commercially available devices. The effectiveness of the proposed IDS architecture is evaluated by deploying 12 attacks from 4 main network based attack categories, such as denial of service (DoS), man-in-the-middle (MITM)/spoofing, reconnaissance, and replay. Additionally, the system is also evaluated against four scenarios of multistage attacks with complex chains of events. The performance of the system’s three core functions result in an ${F}$ -measure of: 1) 96.2%; 2) 90.0%; and 3) 98.0%. This demonstrates that the proposed architecture can automatically distinguish between IoT devices on the network, whether network activity is malicious or benign, and detect which attack was deployed on which device connected to the network successfully.

Integrating Traffics with Network Device Logs for Anomaly Detection

Advanced cyberattacks are often featured by multiple types, layers, and stages, with the goal of cheating the monitors. Existing anomaly detection systems usually search logs or traffics alone for evidence of attacks but ignore further analysis about attack processes. For instance, the traffic detection methods can only detect the attack flows roughly but fail to reconstruct the attack event process and reveal the current network node status. As a result, they cannot fully model the complex multistage attack. To address these problems, we present Traffic-Log Combined Detection (TLCD), which is a multistage intrusion analysis system. Inspired by multiplatform intrusion detection techniques, we integrate traffics with network device logs through association rules. TLCD correlates log data with traffic characteristics to reflect the attack process and construct a federated detection platform. Specifically, TLCD can discover the process steps of a cyberattack attack, reflect the current network status, and reveal the behaviors of normal users. Our experimental results over different cyberattacks demonstrate that TLCD works well with high accuracy and low false positive rate.

Unsupervised multi-stage attack detection framework without details on single-stage attacks

Abstract Majority of network attacks currently consist of sophisticated multi-stage attacks, which break down network attacks into several single-stage attacks. The early multi-stage attack detection methods focused on describing the detection rule based on the occurrence sequence of each single-stage attacks. That is, such works assumed that after details on single-stage attack behavior are obtained from attack knowledge, attack semantics or attack statistical analysis, the detection rules can be generated from their possible occurrence sequence. However, their practical usage is limited due to the high false negative ratio while detecting multi-stage attack that consists of diverse combinations of single-stage attacks during the long time period. In this paper, we propose a new multi-stage attack detection framework, which consists of multi-stage attack detection rule generation phase and multi-stage attack detection phase. After comparing the incoming traffics with the generated multi-stage attack detection rules, various multi-stage attack patterns are detected without pre-observed details on the single-stage attack behavior. From DARPA LLS DDoS dataset, we show that all the possible multi-stage attack patterns are correctly detected. Also, from datasets in CTU-13 including the large volume of multi-stage attack patterns, we observe F 1 -measure of 0.938 at maximum.

Scalable min-max multi-objective cyber-security optimisation over probabilistic attack graphs

We present a framework to efficiently solve a multi-objective optimisation problem for cyber-security defence. Facing an attacker who can mount a multi-stage attack (modelled using attack graphs), the defence problem is to select a portfolio of security controls which minimises the security risk and the (direct and indirect) costs of the portfolio of controls. The main challenges for the optimisation are: (a) the effect of the security controls is in general probabilistic, for example, the effect of staff anti-phishing training; moreover, some controls like taking regular back-ups do not have an attack-preventing effect, but rather, mitigate the losses of a successful attack; (b) each control may affect multiple vulnerabilities; and each vulnerability may be affected by multiple controls; (c) there can be a prohibitively large number of attack paths, each involving exploitation of different vulnerabilities. Our mathematical framework deals with all these problems. In particular, we model the problem as a min-max multi-objective optimisation. Using techniques such as ILP conversion, exact LP relaxation and dualisation, we convert the problem into a very efficient MILP. For instance, it returns the optimal solution for attack graphs with 20,000 nodes in less than four minutes typically.

On the alert correlation process for the detection of multi-step attacks and a graph-based realization

Monitoring tools like Intrusion Detection Systems (IDS), Firewalls, or Honeypots are a second line of defense in the face of an increasing number of distributed, increasingly sophisticated, and targeted attacks. A huge amount of security alerts needs to be analyzed and correlated to gather the complete picture of an attack. However, most conventional IDS fall short in correlating alerts that have different sources, so that many distributed attacks remain completely unnoticed. In this paper, we define alert correlation as a process and describe the consecutive steps along with their properties and goals. Following this process, we propose Graph-based Alert Correlation (GAC), a novel correlation algorithm that isolates attacks, identifies attack scenarios, and assembles multi-stage attacks from huge alert sets. Our evaluation results on artificial and real-world data indicates that GAC is robust against false positives, can detect distributed attacks, and scales with an increasing number of alerts.

A Novel Deep Learning Stack for APT Detection

We present a novel Deep Learning (DL) stack for detecting Advanced Persistent threat (APT) attacks. This model is based on a theoretical approach where an APT is observed as a multi-vector multi-stage attack with a continuous strategic campaign. To capture these attacks, the entire network flow and particularly raw data must be used as an input for the detection process. By combining different types of tailored DL-methods, it is possible to capture certain types of anomalies and behaviour. Our method essentially breaks down a bigger problem into smaller tasks, tries to solve these sequentially and finally returns a conclusive result. This concept paper outlines, for example, the problems and possible solutions for the tasks. Additionally, we describe how we will be developing, implementing and testing the method in the near future.

A Multistage Game in Smart Grid Security: A Reinforcement Learning Solution.

Existing smart grid security research investigates different attack techniques and cascading failures from the attackers' viewpoints, while the defenders' or the operators' protection strategies are somehow neglected. Game theoretic methods are applied for the attacker-defender games in the smart grid security area. Yet, most of the existing works only use the one-shot game and do not consider the dynamic process of the electric power grid. In this paper, we propose a new solution for a multistage game (also called a dynamic game) between the attacker and the defender based on reinforcement learning to identify the optimal attack sequences given certain objectives (e.g., transmission line outages or generation loss). Different from a one-shot game, the attacker here learns a sequence of attack actions applying for the transmission lines and the defender protects a set of selected lines. After each time step, the cascading failure will be measured, and the line outage (and/or generation loss) will be used as the feedback for the attacker to generate the next action. The performance is evaluated on W&W 6-bus and IEEE 39-bus systems. A comparison between a multistage attack and a one-shot attack is conducted to show the significance of the multistage attack. Furthermore, different protection strategies are evaluated in simulation, which shows that the proposed reinforcement learning solution can identify optimal attack sequences under several attack objectives. It also indicates that attacker's learned information helps the defender to enhance the security of the system.

Hidden Markov Models and Alert Correlations for the Prediction of Advanced Persistent Threats

Cyber security has become a matter of a global interest, and several attacks target industrial companies and governmental organizations. The advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker’s strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively.

Architectures for Detecting Interleaved Multi-stage Network Attacks Using Hidden Markov Models

With the growing amount of cyber threats, the need for development of high-assurance cyber systems is becoming increasingly important. The objective of this paper is to address the challenges of modeling and detecting sophisticated network attacks, such as multiple interleaved attacks. We present the interleaving concept and investigate how interleaving multiple attacks can deceive intrusion detection systems. Using one of the important statistical machine learning (ML) techniques, Hidden Markov Models (HMM), we develop two architectures that take into account the stealth nature of the interleaving attacks, and that can detect and track the progress of these attacks. These architectures deploy a database of HMM templates of known attacks and exhibit varying performance and complexity. For performance evaluation, in the presence of multiple multi-stage attack scenarios, various metrics are proposed which include (1) attack risk probability, (2) detection error rate, and (3) the number of correctly detected stages. Extensive simulation experiments are used to demonstrate the efficacy of the proposed architectures.