As the scale of the system and network grows, IT infrastructure becomes more complex and hard to be managed. Many organizations have a serious problem to manage their system and network security. In addition, vulnerabilities of hardware and software are increasing in number rapidly. In such a complex IT environment, security administrators need more practical and automated threat assessment methods to reduce their manual tasks. Adversary emulation based automated assessment is one of the solutions to solve the aforementioned problems because it helps to discover the attack paths and vulnerabilities to be exploited. However, it is still inefficient to perform the adversary emulation because adversary emulation requires well-designed attack scenarios created by security experts. Besides, a manual-based penetration test cannot be frequently performed. To overcome this limitation, we propose an adversary emulation framework composed of the red team and blue team agent. The red team agent carries out automated attacks based on the automatically generated scenarios by the proposed framework. The blue team agent deploys defense measures to react to the red team agent’s attack patterns. To test our framework, we test multiple attack scenarios on remote servers that have various vulnerable software. In the experiment, we show the red team agent can gain an administrator’s privilege from the remote side when the blue team agent’s intervention is not enabled. The blue team agent can successfully block the red team’s incoming attack when enabled. As a result, we show our proposed framework is beneficial to support routine threat assessment from the adversary’s perspective. It will be useful for security administrators to make security defense strategy based on the test results.
A network intrusion detection (NID) system plays a critical role in cybersecurity. However, the existing machine learning-based NID research has a vital issue that their experimental settings do not reflect real-world situations where unknown attacks are constantly emerging. In particular, their train and test sets are from a single data set, which inevitably overestimates the detection power since all test attack types are known in training, and test cases will have similar characteristics to the training data. This paper introduces a new strategy to constitute test data with updated traffic with attack types not included in training data. In the proposed setting, the prediction accuracy of the existing detectors is dropped by about 20% compared to what has been reported. Also, in-depth analysis of detection performance by attack types has revealed that the existing models have strength at certain attack types but struggle to detect the other attack types such as DoS, DDoS, web attack, and port scan. To overcome the issues, we propose a new neural detector, called MHSA, based on a multi-head self-attention mechanism whose architecture suits better to capture scattered pieces of evidence in network traffic. Our model improved the overall detection performance by 29% in false positive rate at the true positive rate of 0.9 and by 9% in AUC over the current state-of-the-art models, successfully detecting the attacks that are not well captured before. Furthermore, we show that our proposed MHSA model even outperforms the best ensemble detector constructed by joining the state-of-the-art classifiers.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.