Integrating attacker behavior in IT security analysis: a discrete-event simulation approach

Ekelhart, Andreas; Kiesling, Elmar; Grill, Bernhard; Strauß, Christine; Stummer, Christian

doi:10.1007/s10799-015-0232-6

Cited by 21 publications

(13 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 3 lists the probabilities of these nodes at the certain time period. The attack probability for each vulnerability is computed through the game Nash equilibrium, and the attack probability for each node, recorded as "tot" in the table, is computed through (15). From the table we can see that, for some vulnerability, the attack probability decreased to zero and never increase, such as the vulnerability 2 in node 1, which means this vulnerability had been fixed at certain time.…”

Section: Methodsmentioning

confidence: 99%

“…Analyzing the attacker behavior is of great importance when measuring the network security. Ekelhart et al [15] developed a simulation-driven approach which took attack strategies and attacker behavior into consideration. AlJarrah and Arafat [16] used the time delay neural network which embedded the temporal behavior of the attacks to maximize the recognition rate of network.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Security Measurement for Unknown Threats Based on Attack Preferences

Yin

Sun

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Security measurement matters to every stakeholder in network security. It provides security practitioners the exact security awareness. However, most of the works are not applicable to the unknown threat. What is more, existing efforts on security metric mainly focus on the ease of certain attack from a theoretical point of view, ignoring the "likelihood of exploitation." To help administrator have a better understanding, we analyze the behavior of attackers who exploit the zero-day vulnerabilities and predict their attack timing. Based on the prediction, we propose a method of security measurement. In detail, we compute the optimal attack timing from the perspective of attacker, using a long-term game to estimate the risk of being found and then choose the optimal timing based on the risk and profit. We design a learning strategy to model the information sharing mechanism among multiattackers and use spatial structure to model the long-term process. After calculating the Nash equilibrium for each subgame, we consider the likelihood of being attacked for each node as the security metric result. The experiment results show the efficiency of our approach.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Security Measurement for Unknown Threats Based on Attack Preferences

Yin

Sun

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…These metrics are gathered into families, which are combined into a risk metric for the network. A simulation-driven approach is developed by [29] for secure information system design. This method can be utilized by security analysts to determine (a) the capability of a modeled system to deal with attacks and (b) the result of alterations of the system on its overall security.…”

Section: Introductionmentioning

confidence: 99%

Attack Graph Implementation and Visualization for Cyber Physical Systems

et al. 2019

View full text Add to dashboard Cite

Cyber-attacks threaten the safety of cyber physical systems (CPSs) as a result of the existence of weaknesses in the multiple structural units constituting them. In this paper, three cyber physical systems case studies of a pressurized water nuclear power plant (NPP), an industrial control system (ICS), and a vehicular network system (VNS) are examined, formally presented, and implemented utilizing Architecture Analysis and Design Language, determining system design, links, weaknesses, resources, potential attack instances, and their pre-and post-conditions. Then, the developed plant models are checked with a security property using JKind model checker embedded software. The attack graphs causing plants disruptions for the three applications are graphically visualized using a new graphical user interface (GUI) windows application.Processes 2020, 8, 12 2 of 22 aiding designers in implementing prevention strategies through making risk analysis [6]. The novelty of this work lies in presenting a model-based technique for implementing attack graphs for three cyber physical systems (CPSs): a nuclear power plant (NPP) control system, an industrial control system (ICS), and a vehicular network system (VNS). This demands a general specification of systems models and the security properties being studied. The models and their security properties are encoded using Architecture Analysis and Design Language (AADL) [7] and verified using JKind model checker embedded software [8]. The generated graphs are visualized using a new graphical user interface (GUI) windows application implemented with C# language in Microsoft Visual Studio (VS) [9]. This paper extends the conference version [10] significantly by introducing a newly developed visualizer Windows application that creates a GUI that is encoded using C# within Microsoft VS. The JKind model checker generates significantly large spreadsheet attack scenarios. Therefore, the visualizer Windows application manages the number of rows of the produced attack scenarios and represents them in an appealing, user friendly, graphical way. Simulation results are shown for the NPP system, the ICS, and the VNS.The contribution of this work is twofold. First, system models are formalized for three CPS case studies. The formal descriptions capture the architectural specifications of the systems-their elements and their connectivity. In addition to that, the descriptions capture systems behaviors-their dynamic state variables, pre and post conditions of the attacks instances, and the security properties. The models are encoded using AADL, translated to Lustre using Assume Guarantee Reasoning Environment (AGREE), and finally checked using JKind. The generated attack scenarios are fed to a newly developed visualizer Windows application that can graphically illustrate a specific attack sequence of interest, its spread sheet, and the complete attack graph. The remainder of this paper is assembled as follows. Section 1.1 revises the related work. Section 2 describes the NPP system. Section 3 pre...

show abstract

“…Recently several AIOS techniques have been developed for proactive defense decisions like sandboxing (Malkhi and Reiter, 2000) and isolation (Liu et al, 2000). Proactive decisions in real time scenario is very difficult since alerts from intrusion detection system (IDS) detected in earlier stage of attack leads to many false alarms (Ekelhart et al, 2015). Such misinterpretations have been found to be very expensive in terms of both denial of service (DoS) and resource depletion (Thakar et al, 2010).…”

Section: Introductionmentioning

confidence: 99%

BAIT: behaviour aided intruder testimony technique for attacker intention prediction in business data handling

Mallikarjunan¹,

Shalinie²,

Bhuvaneshwaran³

2019

IJBIDM

View full text Add to dashboard Cite

During business transactions there are lot of opportunity for data theft and data misinterpretation. Mostly, the legitimate users act like malicious users and try to misuse their privileges. So, it is very important to know their intentions and different strategies they apply for business data theft. In this paper, we develop an information analytics based technique for inferring attacker intent objectives and strategies (AIOS). The input to the model is the alert logs in real-world attack-defense scenario and output are the discovered attack strategies or patterns. The implementation of this model is done on a real-world attack-defence scenario to increase the learning efficiency of the technique. Experimental results on expected impact and attack path shows that the technique provides better results than conventional intrusion detection systems.

show abstract

Integrating attacker behavior in IT security analysis: a discrete-event simulation approach

Cited by 21 publications

References 25 publications

Security Measurement for Unknown Threats Based on Attack Preferences

Security Measurement for Unknown Threats Based on Attack Preferences

Attack Graph Implementation and Visualization for Cyber Physical Systems

BAIT: behaviour aided intruder testimony technique for attacker intention prediction in business data handling

Contact Info

Product

Resources

About