Publications

Refine Results

(Filters Applied) Clear All

By

Balancing security and performance for agility in dynamic threat environments

June 28, 2016
  |
Conference Paper
Author:
Michael L. Winterrose
Published in:
46th IEEE/IFIP Int. Conf. on Dependable Systems and Networks, DSN 2016, 28 June - 1 July 2016.
Topic:
machine learning
R&D area:
R&D group:

Summary

In cyber security, achieving the desired balance between system security and system performance in dynamic threat environments is a long-standing open challenge for cyber defenders. Typically an increase in system security comes at the price of decreased system performance, and vice versa, easily resulting in systems that are misaligned to operator specified requirements for system security and performance as the threat environment evolves. We develop an online, reinforcement learning based methodology to automatically discover and maintain desired operating postures in security-performance space even as the threat environment changes. We demonstrate the utility of our approach and discover parameters enabling an agile response to a dynamic adversary in a simulated security game involving prototype cyber moving target defenses.
READ LESS

Summary

In cyber security, achieving the desired balance between system security and system performance in dynamic threat environments is a long-standing open challenge for cyber defenders. Typically an increase in system security comes at the price of decreased system performance, and vice versa, easily resulting in systems that are misaligned to...

READ MORE
Balancing security and performance for agility in dynamic threat environments

Quantitative evaluation of dynamic platform techniques as a defensive mechanism

September 17, 2014
  |
Conference Paper
Author:
Hamed Okhravi
Published in:
RAID 2014: 17th Int. Symp. on Research in Attacks, Intrusions, and Defenses, 17-19 September 2014.
Topic:
systems analysis
R&D area:
R&D group:

Summary

Cyber defenses based on dynamic platform techniques have been proposed as a way to make systems more resilient to attacks. These defenses change the properties of the platforms in order to make attacks more complicated. Unfortunately, little work has been done on measuring the effectiveness of these defenses. In this work, we first measure the protection provided by a dynamic platform technique on a testbed. The counter-intuitive results obtained from the testbed guide us in identifying and quantifying the major effects contributing to the protection in such a system. Based on the abstract effects, we develop a generalized model of dynamic platform techniques which can be used to quantify their effectiveness. To verify and validate out results, we simulate the generalized model and show that the testbed measurements and the simulations match with small amount of error. Finally, we enumerate a number of lessons learned in our work which can be applied to quantitative evaluation of other defensive techniques.
READ LESS

Summary

Cyber defenses based on dynamic platform techniques have been proposed as a way to make systems more resilient to attacks. These defenses change the properties of the platforms in order to make attacks more complicated. Unfortunately, little work has been done on measuring the effectiveness of these defenses. In this...

READ MORE
Quantitative evaluation of dynamic platform techniques as a defensive mechanism

Adaptive attacker strategy development against moving target cyber defenses

May 1, 2014
  |
Journal Article
Author:
Michael L. Winterrose
Published in:
Proc. MODSIM World, May 2014.
Topic:
cyber security
R&D area:
R&D group:

Summary

A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develop strategies specifying the temporal ordering of resource investments that bring targeted zero-day exploits into existence. Attacker response to two defender temporal platform migration scheduling policies are examined. In the first defender scheduling policy, the defender selects the active platform in each match uniformly at random from a pool of available platforms. In the second policy the defender schedules each successive platform to maximize the diversity of the source code presented to the attacker. Adaptive attacker response strategies are modeled by finite state machine (FSM) constructs that evolve during simulated play against defender strategies via an evolutionary algorithm. It is demonstrated that the attacker learns to invest heavily in exploit creation for the platform with the least similarity to other platforms when faced with a diversity defense, while avoiding investment in exploits for this least similar platform when facing a randomization defense. Additionally, it is demonstrated that the diversity-maximizing defense is superior for shorter duration attacker-defender engagements, but performs sub-optimally in extended attacker-defender interactions.
READ LESS

Summary

A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develop strategies specifying the...

READ MORE
Adaptive attacker strategy development against moving target cyber defenses

Strategic evolution of adversaries against temporal platform diversity active cyber defenses

April 13, 2014
  |
Conference Paper
Author:
Michael L. Winterrose
Published in:
2014 Spring Simulation Multi-Confernece, SpringSim 2014, 13-16 April 2014.
Topic:
machine learning
R&D area:
R&D group:

Summary

Adversarial dynamics are a critical facet within the cyber security domain, in which there exists a co-evolution between attackers and defenders in any given threat scenario. While defenders leverage capabilities to minimize the potential impact of an attack, the adversary is simultaneously developing countermeasures to the observed defenses. In this study, we develop a set of tools to model the adaptive strategy formulation of an intelligent actor against an active cyber defensive system. We encode strategies as binary chromosomes representing finite state machines that evolve according to Holland's genetic algorithm. We study the strategic considerations including overall actor reward balanced against the complexity of the determined strategies. We present a series of simulation results demonstrating the ability to automatically search a large strategy space for optimal resultant fitness against a variety of counter-strategies.
READ LESS

Summary

Adversarial dynamics are a critical facet within the cyber security domain, in which there exists a co-evolution between attackers and defenders in any given threat scenario. While defenders leverage capabilities to minimize the potential impact of an attack, the adversary is simultaneously developing countermeasures to the observed defenses. In this...

READ MORE
Strategic evolution of adversaries against temporal platform diversity active cyber defenses

Probabilistic threat propagation for malicious activity detection

May 25, 2013
  |
Conference Paper
Author:
Kevin M. Carter
Published in:
Proc. IEEE Int. Conf. on Acoustics, Speech and Signal Processing, ICASSP, 25-31 May 2013.
Topic:
machine learning
R&D area:
R&D group:

Summary

In this paper, we present a method for detecting malicious activity within networks of interest. We leverage prior community detection work by propagating threat probabilities across graph nodes, given an initial set of known malicious nodes. We enhance prior work by employing constraints which remove the adverse effect of cyclic propagation that is a byproduct of current methods. We demonstrate the effectiveness of Probabilistic Threat Propagation on the task of detecting malicious web destinations.
READ LESS

Summary

In this paper, we present a method for detecting malicious activity within networks of interest. We leverage prior community detection work by propagating threat probabilities across graph nodes, given an initial set of known malicious nodes. We enhance prior work by employing constraints which remove the adverse effect of cyclic...

READ MORE
Probabilistic threat propagation for malicious activity detection

An Expectation Maximization Approach to Detecting Compromised Remote Access Accounts(267.16 KB)

May 22, 2013
  |
Conference Paper
Author:
Kevin C. Gold
Published in:
Proceedings of FLAIRS 2013, St. Pete Beach, Fla.
Topic:
machine learning
R&D area:
R&D group:

Summary

Just as credit-card companies are able to detect aberrant transactions on a customer’s credit card, it would be useful to have methods that could automatically detect when a user’s login credentials for Virtual Private Network (VPN) access have been compromised. We present here a novel method for detecting that a VPN account has been compromised, in a manner that bootstraps a model of the second unauthorized user.
READ LESS

Summary

Just as credit-card companies are able to detect aberrant transactions on a customer’s credit card, it would be useful to have methods that could automatically detect when a user’s login credentials for Virtual Private Network (VPN) access have been compromised. We present here a novel method for detecting that a...

READ MORE
An Expectation Maximization Approach to Detecting Compromised Remote Access Accounts

Probabilistic reasoning for streaming anomaly detection

August 5, 2012
  |
Conference Paper
Author:
Kevin M. Carter
Published in:
2012 SSP: 2012 IEEE Statistical Signal Processing Workshop, 5-8 August 2012, pp. 377-380.
Topic:
intrusion detection & monitoring
R&D area:
R&D group:

Summary

In many applications it is necessary to determine whether an observation from an incoming high-volume data stream matches expectations or is anomalous. A common method for performing this task is to use an Exponentially Weighted Moving Average (EWMA), which smooths out the minor variations of the data stream. While EWMA is efficient at processing high-rate streams, it can be very volatile to abrupt transient changes in the data, losing utility for appropriately detecting anomalies. In this paper we present a probabilistic approach to EWMA which dynamically adapts the weighting based on the observation probability. This results in robustness to data anomalies yet quick adaptability to distributional data shifts.
READ LESS

Summary

In many applications it is necessary to determine whether an observation from an incoming high-volume data stream matches expectations or is anomalous. A common method for performing this task is to use an Exponentially Weighted Moving Average (EWMA), which smooths out the minor variations of the data stream. While EWMA...

READ MORE
Probabilistic reasoning for streaming anomaly detection

Temporally oblivious anomaly detection on large networks using functional peers

November 1, 2010
  |
Conference Paper
Author:
Kevin M. Carter
Published in:
IMC'10, Proc. of the ACM SIGCOMM Internet Measurement Conf., 1 November 2010, pp. 465-471.
Topic:
machine learning
R&D area:
R&D group:

Summary

Previous methods of network anomaly detection have focused on defining a temporal model of what is "normal," and flagging the "abnormal" activity that does not fit into this pre-trained construct. When monitoring traffic to and from IP addresses on a large network, this problem can become computationally complex, and potentially intractable, as a state model must be maintained for each address. In this paper, we present a method of detecting anomalous network activity without providing any historical context. By exploiting the size of the network along with the minimal overhead of NetFlow data, we are able to model groups of hosts performing similar functions to discover anomalous behavior. As a collection, these anomalies can be further described with a few high-level characterizations and we provide a means for creating and labeling these categories. We demonstrate our method on a very large-scale network consisting of 30 million unique addresses, focusing specifically on traffic related to web servers.
READ LESS

Summary

Previous methods of network anomaly detection have focused on defining a temporal model of what is "normal," and flagging the "abnormal" activity that does not fit into this pre-trained construct. When monitoring traffic to and from IP addresses on a large network, this problem can become computationally complex, and potentially...

READ MORE
Temporally oblivious anomaly detection on large networks using functional peers
1-8 of 8