Andrew Fielder,Emmanouil Panaousis,Pasquale Malacaria,Chris Hankin,Fabrizio Smeraldi

DOI: https://doi.org/10.48550/arXiv.1502.05532

2015-02-19

Abstract:When investing in cyber security resources, information security managers have to follow effective decision-making strategies. We refer to this as the cyber security investment challenge. In this paper, we consider three possible decision-support methodologies for security managers to tackle this challenge. We consider methods based on game theory, combinatorial optimisation and a hybrid of the two. Our modelling starts by building a framework where we can investigate the effectiveness of a cyber security control regarding the protection of different assets seen as targets in presence of commodity threats. In terms of game theory we consider a 2-person control game between the security manager who has to choose among different implementation levels of a cyber security control, and a commodity attacker who chooses among different targets to attack. The pure game theoretical methodology consists of a large game including all controls and all threats. In the hybrid methodology the game solutions of individual control-games along with their direct costs (e.g. financial) are combined with a knapsack algorithm to derive an optimal investment strategy. The combinatorial optimisation technique consists of a multi-objective multiple choice knapsack based strategy. We compare these approaches on a case study that was built on SANS top critical controls. The main achievements of this work is to highlight the weaknesses and strengths of different investment methodologies for cyber security, the benefit of their interaction, and the impact that indirect costs have on cyber security investment.

Computer Science and Game Theory,Cryptography and Security

Rainer Diesch,Matthias Pfaff,Helmut Krcmar

DOI: https://doi.org/10.1016/j.cose.2020.101747

2020-05-01

Abstract:<p>Decision-making in the context of organizational information security is highly dependent on various information. For information security managers, not only relevant information has to be clarified but also their interdependencies have to be taken into account. Thus, the purpose of this research is to develop a comprehensive model of relevant management success factors (MSF) for organizational information security. First, a literature survey with an open-axial-selective analysis of 136 articles was performed to identify factors influencing information security. These factors were categorized into 12 areas: physical security, vulnerability, infrastructure, awareness, access control, risk, resources, organizational factors, CIA, continuity, security management, compliance &amp; policy. Second, an interview series with 19 experts from the industry was used to evaluate the relevance of these factors in practice and explore interdependencies between them. Third, a comprehensive model was developed. The model shows that there are key-security-indicators, which directly impact the security-status of an organization while other indicators are only indirectly connected. Based on these results, information security managers should be aware of direct and indirect MSFs to make appropriate decisions.</p>

computer science, information systems

Ihab Mohamed,Hesham A. Hefny,Nagy R. Darwish

2024-07-27

Abstract:Cybersecurity is a big challenge as hackers are always trying to find new methods to attack and exploit system vulnerabilities. Cybersecurity threats and risks have increased in recent years, due to the increasing number of devices and networks connected. This has led to the development of new cyberattack patterns, such as ransomware, data breaches, and advanced persistent threats (APT). Consequently, defending such complicated attacks needs to stay up to date with the latest system vulnerabilities and weaknesses to set a proper cybersecurity defense strategy. This paper aims to propose a defense strategy for the presented security threats by determining and prioritizing which security control to put in place based on combining the MITRE ATT&CK framework with multi-criteria decision-making (MCDM) techniques. This approach helps organizations achieve a more robust and resilient cybersecurity posture.

Cryptography and Security

Xiaofan Zhou,Simon Yusuf Enoch,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2207.05436

2022-07-12

Cryptography and Security

Abstract:It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about the defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases namely; the model initialization phase, model generation phase, Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds them into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments and the result reveals that the model can reduce the risk of network systems from cyber attacks. Furthermore, the experiment shows that the model has shown a certain level of flexibility when different parameters are used for Q-learning.

Max Landauer,Florian Skopik,Maximilian Frank,Wolfgang Hotwagner,Markus Wurzenberger,Andreas Rauber

DOI: https://doi.org/10.1109/TDSC.2022.3201582

2022-03-16

Abstract:Intrusion detection systems (IDS) monitor system logs and network traffic to recognize malicious activities in computer networks. Evaluating and comparing IDSs with respect to their detection accuracies is thereby essential for their selection in specific use-cases. Despite a great need, hardly any labeled intrusion detection datasets are publicly available. As a consequence, evaluations are often carried out on datasets from real infrastructures, where analysts cannot control system parameters or generate a reliable ground truth, or private datasets that prevent reproducibility of results. As a solution, we present a collection of maintainable log datasets collected in a testbed representing a small enterprise. Thereby, we employ extensive state machines to simulate normal user behavior and inject a multi-step attack. For scalable testbed deployment, we use concepts from model-driven engineering that enable automatic generation and labeling of an arbitrary number of datasets that comprise repetitions of attack executions with variations of parameters. In total, we provide 8 datasets containing 20 distinct types of log files, of which we label 8 files for 10 unique attack steps. We publish the labeled log datasets and code for testbed setup and simulation online as open-source to enable others to reproduce and extend our results.

Cryptography and Security

Michael R. Grimaila,Adedeji Badiru

DOI: https://doi.org/10.1007/s12351-010-0102-2

IF: 2.7

2011-01-23

Operational Research

Abstract:The increased reliance on information technology systems and communications networks in support of the core organizational processes creates an environment where significant, and potentially catastrophic, losses can result from a loss or corruption of a critical information resource. Risk assessment is the widely accepted process used to understand, quantify, and document the effects of undesirable events on organizational objectives so that risk management, continuity of operations planning, and contingency planning can be performed. In this paper, we present the application of a simulation-based hybrid analytic dynamic forecasting methodology that combines the techniques of analytic hierarchy process, factor analysis, and spanning tree to the problem of selecting among a set contingency measures following events which place the organizational mission at risk. The methodology makes use of qualitative subjective assessments by subject matter experts at multiple levels of the organization and uses historical event occurrences (when available) to provide the decision maker with a ongoing recommendation of the best contingency measures to employ to assure the organizational mission objectives. The method is novel because it augments the decision maker’s experiential knowledge with a probabilistic forecast of the best contingency measure to take in response to events based upon subject matter expert knowledge, historical evidence, and the real-time status critical resources. The methodology provides a structured approach to mitigate operational risk in complex environments and decreases the time required to make decisions under conditions of uncertainty.

operations research & management science

Michael D. Iannacone,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1902.00053

2019-10-25

Abstract:Metrics and frameworks to quantifiably assess security measures have arisen from needs of three distinct research communities - statistical measures from the intrusion detection and prevention literature, evaluation of cyber exercises, e.g.,red-team and capture-the-flag competitions, and economic analyses addressing cost-versus-security tradeoffs. In this paper we provide two primary contributions to the security evaluation literature - a representative survey, and a novel framework for evaluating security that is flexible, applicable to all three use cases, and readily interpretable. In our survey of the literature we identify the distinct themes from each community's evaluation procedures side by side and flesh out the drawbacks and benefits of each. The evaluation framework we propose includes comprehensively modeling the resource, labor, and attack costs in dollars incurred based on expected resource usage, accuracy metrics, and time. This framework provides a unified approach in that it incorporates the accuracy and performance metrics, which dominate intrusion detection evaluation, the time to detection and impact to data and resources of an attack, favored by educational competitions' metrics, and the monetary cost of many essential security components used in financial analysis. Moreover, it is flexible enough to accommodate each use case, easily interpretable and comparable, and comprehensive in terms of costs <a class="link-external link-http" href="http://considered.Finally" rel="external noopener nofollow">this http URL</a>, we provide two examples of the framework applied to real-world use cases. Overall, we provide a survey and a grounded, flexible framework with multiple concrete examples for evaluating security which can address the needs of three currently distinct communities.

Cryptography and Security

Simon Yusuf Enoch,Mengmeng Ge,Jin B. Hong,Dong Seong Kim

DOI: https://doi.org/10.1109/rams48097.2021.9605784

2021-05-24

Abstract:Summary &amp; Conclusions Model-based evaluation in cybersecurity has a long history. Attack Graphs (AGs) and Attack Trees (ATs) were the earlier developed graphical security models for cybersecurity analysis. However, they have limitations (e.g., scalability problem, state-space explosion problem, etc.) and lack the ability to capture other security features (e.g., countermeasures). To address the limitations and to cope with various security features, a graphical security model named attack countermeasure tree (ACT) was developed to perform security analysis by taking into account both attacks and countermeasures. In our research, we have developed different variants of a hierarchical graphical security model to solve the complexity, dynamicity, and scalability issues involved with security models in the security analysis of systems. In this paper, we summarize and classify security models into the following; graph-based, tree-based, and hybrid security models. We discuss the development of a hierarchical attack representation model (HARM) and different variants of the HARM, its applications, and usability in a variety of domains including the Internet of Things (IoT), Cloud, Software- Defined Networking, and Moving Target Defenses. Moreover, we discuss the pros and cons of each variant of HARM based on its applications and usage. Furthermore, several security metrics have been developed to be used with the graphical security model (including HARMs) to analyze the security posture of the systems and evaluate the effectiveness of defense mechanisms which is also being taken as input into optimization algorithms to compute optimal defense deployment. Thus, we provide the classification of the security metrics, including their discussions. Finally, we highlight existing problems and suggest future research directions in the area of graphical security models and applications. As a result of this work, a decision-maker can understand which type of HARM will suit their network or security analysis requirements.

Maximilian Rosenberg,Bettina Schneider,Christopher Scherb,Petra Maria Asprion

2023-08-02

Abstract:In corporations around the world, the topic of cybersecurity and information security is becoming increasingly important as the number of cyberattacks on themselves continues to grow. Nowadays, it is no longer just a matter of protecting against cyberattacks, but rather of detecting such attacks at an early stage and responding accordingly. There is currently no generic methodological approach for the implementation of Security Information and Event Management (SIEM) systems that takes academic aspects into account and can be applied independently of the product or developers of the systems. Applying Hevner's design science research approach, the goal of this paper is to develop a holistic procedure model for implementing respective SIEM systems in corporations. According to the study during the validation phase, the procedure model was verified to be applicable. As desire for future research, the procedure model should be applied in various implementation projects in different enterprises to analyze its applicability and completeness.

Cryptography and Security,Computers and Society

Jonathan M. Spring,Eric Hatleback

DOI: https://doi.org/10.1093/cybsec/tyw012

2017-01-04

Journal of Cyber Security

Abstract:We integrate two established modeling methods from disparate fields: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature. The result demonstrates that model accuracy can be improved by incorporating methods from philosophy of science. Modeling security accurately is a key function in the science of security. Mechanistic modeling of computer security incidents clarifies the existing model and points toward areas for substantive improvement for computer security professionals. Additional models of computer security incidents are translated mechanistically to compare results and to demonstrate such modeling can be applied in multiple situations. This integration of philosophy of science and computer security is sensible only by integrating new adaptations to mechanistic modeling, specifically conceived to enable better modeling of engineered systems such as computers. The results indicate continued integration of the fields of philosophy of science and information security will be fruitful.

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1501.01901

2015-01-08

Cryptography and Security

Abstract:Numerous security metrics have been proposed in the past for protecting computer networks. However we still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a better understanding of their state of security. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Ahmed Alghamdi

DOI: https://doi.org/10.52783/cana.v31.1476

2024-09-02

Abstract:The growing sophistication of malware in exisiting environment poses tough demands on its detection methods of another kind. This paper introduces a framework for cyber security improvement, a means to solve strongly the probability issue of how to determine the behavior algorithmically in your system. This research is applied to malware detection systems based on methods (Support Vector Machines, Random Forest) and Neural Networks that are robust against deception. Statistical analysis of security threats and a review of current methods used for malware detection are given at its outset. The proposed framework, with its statistical framework analysis, looks for patterns and anomalies that indicate malice. It then integrates cryptographic techniques onto data transmission, computation processes; that the core of our system remains untouched by potential disturbances. The concept is further elaborated with open-source code from the field, Machine Learning (SVM, Random Forest, Neural Networks), As if with this variety of tools we can now detect and classify types of malware that generate irregular patterns but do not necessarily resemble known signatures at all. Such a hybrid security mechanism as described here, combining the best of statistics, cryptographic security, and machine learning, gives a precision of detection beyond compare to today's systems. The experiments show large gains in both detection accuracy and response speed, demonstrating this whole-element approach's potential to better safeguard cybersecurity in all manner of fields. It may be foreseen that this proposed line of research could well become a key new tool, capable of adaptation and expansion with the needs expanding around us.

Winnie Bahati Mbaka,Katja Tuma

2024-08-15

Abstract:The arrival of recent cybersecurity standards has raised the bar for security assessments in organizations, but existing techniques don't always scale well. Threat analysis and risk assessment are used to identify security threats for new or refactored systems. Still, there is a lack of definition-of-done, so identified threats have to be validated which slows down the analysis. Existing literature has focused on the overall performance of threat analysis, but no previous work has investigated how deep must the analysts dig into the material before they can effectively validate the identified security threats. We propose a controlled experiment with practitioners to investigate whether some analysis material (like LLM-generated advice) is better than none and whether more material (the system's data flow diagram and LLM-generated advice) is better than some material. In addition, we present key findings from running a pilot with 41 MSc students, which are used to improve the study design. Finally, we also provide an initial replication package, including experimental material and data analysis scripts and a plan to extend it to include new materials based on the final data collection campaign with practitioners (e.g., pre-screening questions).

Software Engineering

Mohammad Aziz,Ali Saeed Alfoudi

2023-08-09

Abstract:Malicious software is an integral part of cybercrime defense. Due to the growing number of malicious attacks and their target sources, detecting and preventing the attack becomes more challenging due to the assault's changing behavior. The bulk of classic malware detection systems is based on statistics, analytic techniques, or machine learning. Virus signature methods are widely used to identify malware. The bulk of anti-malware systems categorizes malware using regular expressions and patterns. While antivirus software is less likely to update its databases to identify and block malware, file features must be updated to detect and prevent newly generated malware. Creating attack signatures requires practically all of a human being's work. The purpose of this study is to undertake a review of the current research on intrusion detection models and the datasets that support them. In this article, we discuss the state-of-the-art, focusing on the strategy that was devised and executed, the dataset that was utilized, the findings, and the assessment that was undertaken. Additionally, the surveyed articles undergo critical analysis and statements in order to give a thorough comparative review. Machine learning and deep learning methods, as well as new classification and feature selection methodologies, are studied and researched. Thus far, each technique has proved the capability of constructing very accurate intrusion detection models. The survey findings reveal that Clearly, the MultiTree and adaptive voting algorithms surpassed all other models in terms of persistency and performance, averaging 99.98 percent accuracy on average.

Cryptography and Security

Adam M. Houser,Matthew L. Bolton,Adam M. HouserMatthew L. Boltona Johns Hopkins University Applied Physics Laboratory,Laurel,MD,USAb Department of Systems and Information Engineering,University of Virginia,Charlottesville,VA,USAAdam M. Houser received the Ph.D. in industrial engineering from the State University of New York at Buffalo in Buffalo,New York,USA in 2018. Since then,he has worked at the Johns Hopkins University Applied Physics Laboratory as a senior systems engineer.Matthew Bolton is an Associate Professor of Systems and Information Engineering at the University of Virginia. He obtained his Ph.D. in Systems Engineering from UVA in 2010. He previously held academic appointments at the University of Illinois in Chicago and the University at Buffalo.

DOI: https://doi.org/10.1080/10447318.2024.2314353

IF: 4.92

2024-03-08

International Journal of Human-Computer Interaction

Abstract:Human users are increasingly recognized as a vector of cybersecurity attack. One problem that contributes to this condition is the growing complexity of digital tools. Such complexity can make it difficult for users to understand how tools work and how their actions will impact security. This work sought to answer the research question: Can mental modeling analyses (from human factors engineering and human-automation interaction) be developed to effectively discover cybersecurity risks? To answer this, we extend mental models with cybersecurity-specific concepts. The resulting models are then incorporated into model checking analyses (an automated approach to formal verification) to discover if and when mismatches between human mental models and systems can cause security failures. We evaluated our approach by successfully applying it to a case study regarding the security configuration of a popular cloud data storage service. We ultimately discuss the results of this analysis and outline future research possibilities.

computer science, cybernetics,ergonomics

Shweta More,Moad Idrissi,Haitham Mahmoud,A. Taufiq Asyhari

DOI: https://doi.org/10.3390/a17020064

2024-02-01

Algorithms

Abstract:The rapid proliferation of new technologies such as Internet of Things (IoT), cloud computing, virtualization, and smart devices has led to a massive annual production of over 400 zettabytes of network traffic data. As a result, it is crucial for companies to implement robust cybersecurity measures to safeguard sensitive data from intrusion, which can lead to significant financial losses. Existing intrusion detection systems (IDS) require further enhancements to reduce false positives as well as enhance overall accuracy. To minimize security risks, data analytics and machine learning can be utilized to create data-driven recommendations and decisions based on the input data. This study focuses on developing machine learning models that can identify cyber-attacks and enhance IDS system performance. This paper employed logistic regression, support vector machine, decision tree, and random forest algorithms on the UNSW-NB15 network traffic dataset, utilizing in-depth exploratory data analysis, and feature selection using correlation analysis and random sampling to compare model accuracy and effectiveness. The performance and confusion matrix results indicate that the Random Forest model is the best option for identifying cyber-attacks, with a remarkable F1 score of 97.80%, accuracy of 98.63%, and low false alarm rate of 1.36%, and thus should be considered to improve IDS system security.

Erick Galinkin,John Carter,Spiros Mancoridis

DOI: https://doi.org/10.48550/arXiv.2109.11592

2021-09-23

Cryptography and Security

Abstract:In cybersecurity, attackers range from brash, unsophisticated script kiddies and cybercriminals to stealthy, patient advanced persistent threats. When modeling these attackers, we can observe that they demonstrate different risk-seeking and risk-averse behaviors. This work explores how an attacker's risk seeking or risk averse behavior affects their operations against detection-optimizing defenders in an Internet of Things ecosystem. Using an evaluation framework which uses real, parametrizable malware, we develop a game that is played by a defender against attackers with a suite of malware that is parameterized to be more aggressive and more stealthy. These results are evaluated under a framework of exponential utility according to their willingness to accept risk. We find that against a defender who must choose a single strategy up front, risk-seeking attackers gain more actual utility than risk-averse attackers, particularly in cases where the defender is better equipped than the two attackers anticipate. Additionally, we empirically confirm that high-risk, high-reward scenarios are more beneficial to risk-seeking attackers like cybercriminals, while low-risk, low-reward scenarios are more beneficial to risk-averse attackers like advanced persistent threats.

Ilhan Firat Kilincer,Fatih Ertam,Abdulkadir Sengur

DOI: https://doi.org/10.1016/j.comnet.2021.107840

IF: 5.493

2021-04-01

Computer Networks

Abstract:The increase in internet usage brings security problems with it. Malicious software can affect the operation of the systems and disrupt data confidentiality due to the security gaps in the systems. Intrusion Detection Systems (IDS) have been developed to detect and report attacks. In order to develop IDS systems, artificial intelligence-based approaches have been used more frequently. In this study, literature studies using CSE-CIC IDS-2018, UNSW-NB15, ISCX-2012, NSL-KDD and CIDDS-001 data sets, which are widely used to develop IDS systems, are reviewed in detail. In addition, max-min normalization was performed on these data sets and classification was made with support vector machine (SVM), K-Nearest neighbor (KNN), Decision Tree (DT) algorithms, which are among the classical machine learning approaches. As a result, more successful results have been obtained in some of the studies given in the literature. The study is thought to be useful for developing IDS systems on the basis of artificial intelligence with approaches such as machine learning.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Ying Chen,Junho Hong,Chen-Ching Liu

DOI: https://doi.org/10.1109/tsg.2016.2614603

IF: 10.275

2018-01-01

IEEE Transactions on Smart Grid

Abstract:Cyber intrusions to substations are critical issues to a power grid, which must be defended and mitigated. Essentially, to better understand a cyber intrusion, reconnaissance activities should be modeled. Then, strategies of cyber attacker and defender can be studied, which help to identify substations vulnerable to cyber-attacks. In this paper, a successful intrusion is regarded as a probabilistic event related to reconnaissance activities. Its probability can be approximated by the Poisson distribution of the number of vulnerabilities discovered by the attacker. Furthermore, models of intrusion and defense in competition for control of the substations are proposed using Markov decision process (MDP). Key characteristics of target substation, attacker and defender are considered for determining probabilistic state transitions related to intrusion and defense actions. Thus, by solving the MDP models, the optimal strategies (action policies) of both the attacker and defender can be obtained. With these optimal strategies, the cyber security status of a substation can be evaluated within varied time frames. The case study validates the proposed models and method, including time-based strategies of the attacker and defender.

Wenke Lee,Wei Fan,Matthew Miller,Salvatore J. Stolfo,Erez Zadok

DOI: https://doi.org/10.3233/jcs-2002-101-202

2002-01-01

Journal of Computer Security

Abstract:Intrusion detection systems (IDSs) must maximize the realization of security goals while minimizing costs. In this paper, we study the problem of building cost-sensitive intrusion detection models. We examine the major cost factors associated with an IDS, which include development cost, operational cost, damage cost due to successful intrusions, and the cost of manual and automated response to intrusions. These cost factors can be qualified according to a defined attack taxonomy and site-specific security policies and priorities. We define cost models to formulate the total expected cost of an IDS, and present cost-sensitive machine learning techniques that can produce detection models that are optimized for user-defined cost metrics. Empirical experiments show that our cost-sensitive modeling and deployment techniques are effective in reducing the overall cost of intrusion detection.

English Else