An Approach to Incorporating Uncertainty in Network Security Analysis

The best way to approach a target point in cyberspace has often been challenged solving complexity such as network weakness, accessibility, time efficiency, and concealment. Therefore, there is a need for techniques to classify, automate, and optimize various operational elements belonging to the three layers of cyberspace necessary for approach. If the policy-making technique used by the military is applied, optimization can be used for the quantification and determination of the best decision-making process to approach the objective. Thus, in this study, cyber operations elements will be classified according to the 5W1H method for cyber-attack and defense training. Then, we propose the way of establishing course of action (COA) through quantifying and evaluating each category of 5W1H and prioritizing it. The effectiveness was analyzed by applying the extracted COA to a famous cyber-attack case, and the factors that had the greatest influence could be extracted. This purpose of this study is to be helpful in establishing the best cyber operational COA when conducting cyber-attack and defense training. INDEX TERMSCyber warfare, Cyberspace, Cyber operation, Course of action, 5W1H method I. INTRODUCTION JCOPP(Joint Cyber Operational Planning Process) 2. Mission Analysis 3. COA Development 4. COA Analysis 5.

show abstract

“…2) NETWORK TOPOLOGY CONFIGURATION Nguyen, et al [25] analyzed the STUXNET attack case and drew the attack graph shown in Fig. 7.…”

Section: ) Analysis Of Stuxnet Attack Casementioning

confidence: 99%

“…By referring to the STUXNET analysis report and STUXNET attack graph, COEs such as the OS, installed applications, vulnerabilities, and cyber weapons were identified [23][24][25]. These were mapped to each node in Fig.…”

Section: ) Scenario Data Configurationmentioning

confidence: 99%

Study on Prioritization of Actions by Classifying and Quantifying Cyber Operational Elements Using 5W1H Method

et al. 2022

View full text Add to dashboard Cite

show abstract

“…It is crucial to question, could the attack on the centrifuge in the Natanz Uranium Enrichment plant be prevented, if it had a logger to record the events of a machine with a shared printer, to prevent the exploitation of remote code execution on this machine? The answer is no because there were many other vulnerabilities such as WinCC DB exploit, network share, and server service vulnerability, in parallel to print server vulnerability that compromised the Web Navigation Server which was connected to the Engineering Station that configured the S7-315 PLCs which over-speeded the centrifuge [36]. Hence, the deployment of cyber telemetry in every computing node in an ICS network is a solution that seems attractive but results in numerous false alarms.…”

Section: Data Fusion In Power Systemsmentioning

confidence: 99%

Multi-Source Multi-Domain Data Fusion for Cyberattack Detection in Power Systems

Sahu

Mao

Wlazlo³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Modern power systems equipped with advanced communication infrastructure are cyberphysical in nature. The traditional approach of leveraging physical measurements for detecting cyberinduced physical contingencies are insufficient to reflect the accurate cyber-physical states. Moreover, deploying conventional rule-based and anomaly-based intrusion detection systems for cyberattack detection results in higher false positives. Hence, independent usage of detection tools of cyberattacks in cyber and physical sides has a limited capability. In this work, a mechanism to fuse real-time data from cyber and physical domains, to improve situational awareness of the whole system is developed. It is demonstrated how improved situational awareness can help reduce false positives in intrusion detection. This cyber and physical data fusion results in cyber-physical state space explosion which is addressed using different feature transformation and selection techniques. Our fusion engine is further integrated into a cyber-physical power system testbed as an application that collects cyber and power system telemetry from multiple sensors emulating real-world data sources found in a utility. These are synthesized into features for algorithms to detect cyber intrusions. Results are presented using the proposed data fusion application to infer False Data and Command Injection (FDI and FCI)-based Man-in-The-Middle attacks. Post collection, the data fusion application uses time-synchronized merge and extracts features. This is followed by pre-processing such as imputation, categorical encoding, and feature reduction, before training supervised, semi-supervised, and unsupervised learning models to evaluate the performance of the intrusion detection system. A major finding is the improvement of detection accuracy by fusion of features from cyber, security, and physical domains. Additionally, it is observed that the semi-supervised co-training technique to perform at par with supervised learning methods with the proposed feature vector. The approach and toolset as well as the dataset that are generated can be utilized to prevent threats such as false data or command injection attacks from being carried out by identifying cyber intrusions accurately.

show abstract

“…It is crucial to question, could we have prevented the attack on the centrifuge in the Natanz Uranium Enrichment plant, if we had a logger to record the events of a machine with shared printer, so as to prevent the exploitation of remote code execution on this machine? The answer is no, because there were many other vulnerabilities such as WinCC DB exploit, network share, and server service vulnerability, in parallel to print server vulnerability that compromised the Web Navigation Server which was connected to the Engineering Station that configured the S7-315 PLCs which over-speeded the centrifuge [21]. Hence, the deployment of cyber telemetry in every computing node in an ICS network is a solution which seems attractive but results in numerous false alarms.…”

Section: B Multi-sensor Fusion Applicationsmentioning

confidence: 99%

Multi-Source Data Fusion for Cyberattack Detection in Power Systems

Sahu,

Mao,

Wlazlo

et al. 2021

Preprint

View full text Add to dashboard Cite

can cause a severe impact on power systems unless detected early. However, accurate and timely detection in critical infrastructure systems presents challenges, e.g., due to zero-day vulnerability exploitations and the cyberphysical nature of the system coupled with the need for high reliability and resilience of the physical system. Conventional rule-based and anomaly-based intrusion detection system (IDS) tools are insufficient for detecting zero-day cyber intrusions in the industrial control system (ICS) networks. Hence, in this work, we show that fusing information from multiple data sources can help identify cyber-induced incidents and reduce false positives. Specifically, we present how to recognize and address the barriers that can prevent the accurate use of multiple data sources for fusion-based detection. We perform multi-source data fusion for training IDS in a cyber-physical power system testbed where we collect cyber and physical side data from multiple sensors emulating real-world data sources that would be found in a utility and synthesizes these into features for algorithms to detect intrusions. Results are presented using the proposed data fusion application to infer False Data and Command injectionbased Man-in-The-Middle (MiTM) attacks. Post collection, the data fusion application uses time-synchronized merge and extracts features followed by pre-processing such as imputation and encoding before training supervised, semi-supervised, and unsupervised learning models to evaluate the performance of the IDS. A major finding is the improvement of detection accuracy by fusion of features from cyber, security, and physical domains. Additionally, we observed the co-training technique performs at par with supervised learning methods when fed with our features.

show abstract

An Approach to Incorporating Uncertainty in Network Security Analysis

Cited by 14 publications

References 27 publications

Study on Prioritization of Actions by Classifying and Quantifying Cyber Operational Elements Using 5W1H Method

Study on Prioritization of Actions by Classifying and Quantifying Cyber Operational Elements Using 5W1H Method

Multi-Source Multi-Domain Data Fusion for Cyberattack Detection in Power Systems

Multi-Source Data Fusion for Cyberattack Detection in Power Systems

Contact Info

Product

Resources

About