A Retroactive-Burst Framework for Automated Intrusion Response System

Shameli‐Sendi, Alireza; Desfossez, Julien; Dagenais, Michel R.; Jabbarifar, Masoume

doi:10.1155/2013/134760

Cited by 14 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The finite states machine (FSM) model is used in [22] to design a multi-attack response system. The model sends an alert only after there is a state change without predicting the whole attack path.…”

Section: Related Workmentioning

confidence: 99%

Hidden Markov Model and Cyber Deception for the Prevention of Adversarial Lateral Movement

et al. 2021

View full text Add to dashboard Cite

Advanced persistent threats (APTs) have emerged as multi-stage attacks that have targeted nation-states and their associated entities, including private and corporate sectors. Cyber deception has emerged as a defense approach to secure our cyber infrastructure from APTs. Practical deployment of cyber deception relies on defenders' ability to place decoy nodes along the APT path optimally. This paper presents a cyber deception approach focused on predicting the most likely sequence of attack paths and deploying decoy nodes along the predicted path. Our proposed approach combines reactive (graph analysis) and proactive (cyber deception technology) defense to thwart the adversaries' lateral movement. The proposed approach is realized through two phases. The first phase predicts the most likely attack path based on Intrusion Detection System (IDS) alerts and network trace, and the second phase is determining optimal deployment of decoy nodes along the predicted path. We employ transition probabilities in a Hidden Markov Model to predict the path. In the second phase, we utilize the predicted attack path to deploy decoy nodes. However, it is likely that the attacker will not follow that predicted path to move laterally. To address this challenge, we employ a Partially Observable Monte-Carlo Planning (POMCP) framework. POMCP helps the defender assess several defense actions to block the attacker when it deviates from the predicted path. The evaluation results show that our approach can predict the most likely attack paths and thwarts the adversarial lateral movement.

show abstract

Section: Related Workmentioning

confidence: 99%

Hidden Markov Model and Cyber Deception for the Prevention of Adversarial Lateral Movement

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Intrusion detection systems analyze network packets and look at their payload to find and detect attack signatures. Similar to intrusion detection systems, trace analysis tools, upon detecting such a problematic pattern, may generate an alarm or even trigger an automatic response (eg, killing a process and rebooting the system) …”

Section: Multilevel Trace Abstraction Techniquesmentioning

confidence: 99%

“…1 Similar to intrusion detection systems, trace analysis tools, upon detecting such a problematic pattern, may generate an alarm or even trigger an automatic response (eg, killing a process and rebooting the system). 68 One of the other techniques to reduce trace complexity and improve understanding is visualization. A proper visualization, specially multi-scale visualization, can significantly help to alleviate big data analysis problems, as investigated in the next section.…”

Section: Applications Of Trace Abstraction Techniquesmentioning

confidence: 99%

Multi‐scale navigation of large trace data: A survey

Ezzati‐Jivan

Dagenais

2017

Concurrency and Computation

View full text Add to dashboard Cite

Summary Dynamic analysis through execution traces is frequently used to analyze the runtime behavior of software systems. However, tracing long running executions generates voluminous data, which are complicated to analyze and manage. Extracting interesting performance or correctness characteristics out of large traces of data from several processes and threads is a challenging task. Trace abstraction and visualization are potential solutions to alleviate this challenge. Several efforts have been made over the years in many subfields of computer science for trace data collection, maintenance, analysis, and visualization. Many analyses start with an inspection of an overview of the trace, before digging deeper and studying more focused and detailed data. These techniques are common and well supported in geographical information systems, automatically adjusting the level of details depending on the scale. However, most trace visualization tools operate at a single level of representation, which are not adequate to support multilevel analysis. Sophisticated techniques and heuristics are needed to address this problem. Multi‐scale (multilevel) visualization with support for zoom and focus operations is an effective way to enable this kind of analysis. Considerable research and several surveys are proposed in the literature in the field of trace visualization. However, multi‐scale visualization has yet received little attention. In this paper, we provide a survey and methodological structure for categorizing tools and techniques aiming at multi‐scale abstraction and visualization of execution trace data and discuss the requirements and challenges faced to be able to meet evolving user demands.

show abstract

“…Recently, a hot research topic in the protection strategies for ICS has been to focus on the active protection, which implements active protection strategies based on the risk assessment on the current security risk of the ICS. Shameli-Sendi et al proposed a retrospective burst response method based on an adaptive and cost-sensitive model [ 16 ]. This method takes into account the effectiveness of the application response.…”

Section: Introductionmentioning

confidence: 99%

Optimal Security Protection Strategy Selection Model Based on Q-Learning Particle Swarm Optimization

Gao

Yang

et al. 2022

Entropy

View full text Add to dashboard Cite

With the rapid development of Industrial Internet of Things technology, the industrial control system (ICS) faces more and more security threats, which may lead to serious risks and extensive damage. Naturally, it is particularly important to construct efficient, robust, and low-cost protection strategies for ICS. However, how to construct an objective function of optimal security protection strategy considering both the security risk and protection cost, and to find the optimal solution, are all significant challenges. In this paper, we propose an optimal security protection strategy selection model and develop an optimization framework based on Q-Learning particle swarm optimization (QLPSO). The model performs security risk assessment of ICS by introducing the protection strategy into the Bayesian attack graph. The QLPSO adopts the Q-Learning to improve the local optimum, insufficient diversity, and low precision of the PSO algorithm. Simulations are performed on a water distribution ICS, and the results verify the validity and feasibility of our proposed model and the QLPSO algorithm.

show abstract

A Retroactive-Burst Framework for Automated Intrusion Response System

Cited by 14 publications

References 11 publications

Hidden Markov Model and Cyber Deception for the Prevention of Adversarial Lateral Movement

Hidden Markov Model and Cyber Deception for the Prevention of Adversarial Lateral Movement

Multi‐scale navigation of large trace data: A survey

Optimal Security Protection Strategy Selection Model Based on Q-Learning Particle Swarm Optimization

Contact Info

Product

Resources

About