The Markov multi-phase transferable belief model : a data fusion theory for enhancing cyber situational awareness

Ioannou, Georgios

January 2015

eXfiltration Advanced Persistent Threats (XAPTs) increasingly account for incidents concerned with critical information exfiltration from High Valued Targets (HVT's) by terrorists, cyber criminals or enemy states. Existing Cyber Defence frameworks and data fusion models do not adequately address (i) the multi-stage nature of XAPTs and (ii) the uncertainty and conflicting information associated with XAPTs. A new data fusion theory, called the Markov Multi-phase Transferable Belief Model (MM-TBM) is developed, for tracking and predicting XAPTs. MM-TBM expands the attack kill-chain model to attack trees and introduces a novel approach for combining various sources of cyber evidence, which takes into account the multi-phased nature of XAPTs and the characteristics of the cyberspace. As a data fusion theory, MM-TBM constitutes a novel approach for performing hypothesis assessment and evidence combination across phases, by means of a new combination rule, called the Multi-phase Combination Rule with conflict Reset (MCR2). This is the first combination rule in the field of data fusion that formalises a new method for combining evidence from multiple, causally connected hypotheses spaces and eliminating the bias from preceding phases of the kill-chain. Moreover, this is the first time a data fusion theory utilises the conflict mass m(Ø) for identifying paradoxes. In addition, a diagnostic formula for managing missing pieces of evidence within attack trees is presented. MM-TBM is designed, developed and evaluated using a Design Science Research approach within two iterations. Evaluation is conducted in a relevant computer network environment using scenario-based testing. The experimental design has been reviewed and approved by Cyber Security Subject Matter Experts from MoD’s Defence Science Technology Laboratory and Airbus Group. The experimental results validate the novel capabilities introduced by the new MM-TBM theory to Cyber Defence in the presence of information clutter, conflict and congestion. Furthermore, the results underpin the importance of selecting an optimal sampling policy to effectively track and predict XAPTs. This PhD bridges the gaps in the body of knowledge concerned with multi-phase fusion under uncertainty and Cyber SA against XAPTs. MM-TBM is a novel mathematical fusion theory for managing applications that existing fusion models do not address. This research has demonstrated MM-TBM enables the successful Tracking and Prediction of XAPTs to deliver an enhanced Cyber SA capability.

Simulation d'activités et d'attaques : application à la cyberdéfense / Simulation of activities and attacks : application to cyberdefense

Bajan, Pierre-Marie

05 July 2019

Alors que l'importance des infrastructures ne fait que croître, les systèmes de détections et de traitements des attaques sont majoritairement faits pour remonter un seul type des deux grands formats d'attaques : les attaques de masses. Les attaques ciblées quant à elle, bien que d'une grande dangerosité de par leur spécificité et des profondeurs atteintes dans les systèmes, restent traités avec une certaine inefficacité par les systèmes informatiques. Pourtant il y a des équipements remontants des informations et des alertes mais les opérateurs souvent peu entraînés à la gestion des incidents se retrouvent engloutis par la quantité d'informations qu'ils leur sont remontés. Le principe de cette thèse serait de fournir des outils permettant la formation des opérateurs et un meilleur traitement des informations remontées. On approcherait le problème de la manière suivante : on va tout d'abord émuler le système informatique d'une petite entreprise avec ces différents utilisateurs et ces services informatiques. Cela servira à générer les données d'un comportement normal et régulier du système mais également le comportement d'une attaque. Une fois le système est émulé et les données sont générées on va se servir de ces données pour simuler le système selon les besoins que nous avons de la simulation. Cette simulation sera plus légère que l'émulation et sera capable de passage à l'échelle et une modification plus dynamique de l'architecture et du comportement du système. Le but étant d'avoir un outil léger et adaptable capable de simuler différents comportements et conditions d'un système d'entreprise pour être utiliser pour faire des formations d'opérateurs et des tests d'utilisation plus complet d'outil de sécurité. Le tout sera supervisé par la console de contrôle de simulation qui va gérer la simulation mais également recevoir les informations de chaque composant et de la console opérateur. Le contrôle de la simulation inclue la capacité de créer des incidents et problèmes dans le système mais également de créer des attaques à l'encontre du système. / The concern over the security of the infrastructure of a company is only growing deeper and became a source of worries for companies. They use different systems to detect and deal with attack but those systems are usually made to detect one type only of the two main type of attack: attacks made to target the largest amount of people possible. Targeted attacks are rarer but more dangerous as it penetrates deep into a system and are very specifics. However the systems used to deal with it are proved of limited efficiency. Even when they send alerts and news to the operator, there is just to much information going along with it making the often ill-trained operators unable to react and overwhelm by massive information. The goal of this thesis is to create a tool that would help to form operator but also help to test more efficiently security systems. We'll approach the problem by first emulating the infrastructure and services of a small company with its different users and services. It will be use to create the data of the regular operations and interactions of a company during normal activity but also under attack. Once the system is emulated and we collected the necessary data, we will start to simulate the system according to what we need the simulation for. This simulation would need less resources than the emulation and will be scalable and capable to be dynamically change according to the needs. The aim is to have a light tool capable to simulate different behaviors and different type of realist simulation of a system to help improve the formation of operators and also test security devices more fully. The whole would be supervised by a console of control of the simulation who will receive the information of the simulated elements and the simulated operator console. It would have the capacity to create incidents and problems into the systems along with attacks.

Simulation

Attaques

Activité

Cyber-défense

Simulation

Attacks

Activity

Cyber-defence

Fall in Line or Fall Behind? : Cooperation in cyberspace between the North Atlantic Treaty Organisation and the European Union.

Rupp, Vendela

January 2019

This study explores the relationship between the North Atlantic Treaty Organisation and the European Union in cyberspace. The two organisations have differing approaches to combat threats from cyberspace but are continuously deepening their cooperative efforts. The former is arguably militarising the domain and is less inclined to share information with outside parties, while the latter is more willing in this respect but is struggling to balance a free and open Internet with a secure one. NATO’s focus on cyber defence and the EU’s focus on cyber security is connected to the organisations’ different identities as security actors. The difference is identifiable in the Joint Declaration on EU-NATO Cooperation established in 2016. While cyber defence and cyber security are notable in texts, it is yet to be determined how the respective organisations’ differing focus impacts their cooperation in cyberspace. The purpose of this study is thus to investigate the continuation of the Joint-Declaration given NATO and the EU’s different frameworks to combat cyberthreats. The study will use Michel Foucault’s Security Dispositive theory by looking at normalising discourses within the organisations’ respective agendas influenced by various cyberattacks in the 21st century. NATO focuses on developing offensive as well as defensive cyber capabilities while the EU primarily presents a more passive strategy. Considering the Alliance’s ability to set demands on partner actors, results suggested that the Joint Declaration is able to continue if the EU falls in line with the precedent set by NATO as the organisation continues to expand its militarising discourse of cyberspace.

Cyberspace

Cyber-Defence

Cyber-Security

Policy

Strategy

NATO

EU

Political Science

Statsvetenskap

Cybersoldater under frammarsch : Är vi på rätt väg?

Andersson, Björn, Seger, Henrik

January 2023

Syfte - Precis som samhället i övrigt digitaliserar Försvarsmakten sin verksamhet i ökande grad. Det höjer förmågan men ökar riskerna för cyberangrepp. Som en av flera åtgärder introducerade därför Försvarsmakten personalkategorin cybersoldat. Syftet med denna studie är att utreda hur införandet av cybersoldater har hanterats inom Försvarsmaktens organisation och på vilket sätt det har påverkat cyberförsvarsförmågan.  Design/metod/approach - Studien är genomförd som en kvalitativ intervjustudie där respondenter från olika organisationsnivåer inom Försvarsmakten har gett sin syn på cybersoldatinförandet. Detta för att följa cybersoldatsrollen ur ett livscykelperspektiv från planeringsstadiet genom utbildningen och vidare mot karriären. Slutsatser – Resultatet av studien visar att strategin för uppbyggnaden av cyberförsvaret och cybersoldaternas roll inte är tillräckligt väl kommunicerad inom Försvarsmaktens organisation. Studien visar att det behövs ett livscykelperspektiv på cybersoldaternas kompetensutveckling som sträcker sig bortom värnplikten, vilket kan ses som ett paradigmskifte för hur Försvarsmakten normalt sett utbildar och hanterare krigsplacerad personal. / Purpose - Just like society in general, the Swedish Armed Forces are increasingly digitizing their operations. It increases capability but increases the risks of cyberattacks. As one of several measures, the Swedish Armed Forces therefore introduced the Cyber Soldier personnel category. The purpose of this study is to investigate how the introduction of cyber soldiers has been handled within the Swedish Armed Forces' organization and in what way it has affected cyber defence capability. Design/methodology/approach - The study was conducted as a qualitative interview study where respondents from different organizational levels gave their views on the cyber soldier introduction. This by following the cyber soldier role from a life cycle perspective from the planning stage through the education and on to the career. Findings - The findings of the study shows that the strategy for building up cyber defence and the role of cyber soldiers are not sufficiently well communicated within the Armed Forces. The study shows that there is a need for a life cycle perspective for cyber soldiers' competence development that extends beyond conscription, which can be seen as a paradigm shift for how the Armed Forces normally train and handle war-deployed personnel.

cyber defence

cyber soldier

cyberprofession

cyberförsvar

cybersoldat

cyberprofession

Business Administration

Företagsekonomi

Between Defence and Offence: An Analysis Of The US "Cyber Strategic Culture" / Between Defence and Offence: An Analysis Of The US "Cyber Strategic Culture"

Persoglia, Davide

January 2018

The present thesis deals with the US strategic approach and posture to cybersecurity from a national point of view. On such a topic much has been written already, nonetheless the present work finds a degree of originality by tackling such object of analysis shifting the focus to a ideational perspective. By drawing insights from the meta-theory of Constructivism and the rich research tradition on strategic culture, the present thesis aims at understanding what kind of norms seem to be informing/mirroring what has been labelled the US "cyber strategic culture", and if it is possible to speak of a "shift", or at least track an evolution regarding them, in a historical timeframe that runs from the early 2000s up to the present days. To pursue the stated research agenda, a methodology grounded in discourse and thematic analysis is utilised, with an analytical framework centred around two opposite "thematic normative categories" (themes) called "defensiveness" and "offensiveness", each characterised by a "story" made up by three sub-themes, delineating specific strategic behaviours. A set of official strategies, all tackling cybersecurity and published during the mentioned timeframe by both the White House and the military, form the primary sources to which such methodology is applied, with particular...

Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

Llopis Sánchez, Salvador

15 June 2023

[ES] La presente tesis doctoral realiza un análisis en detalle de los elementos de decisión necesarios para mejorar la comprensión de la situación en ciberdefensa con especial énfasis en la percepción y comprensión del analista de un centro de operaciones de ciberseguridad (SOC). Se proponen dos arquitecturas diferentes basadas en el análisis forense de flujos de datos (NF3). La primera arquitectura emplea técnicas de Ensemble Machine Learning mientras que la segunda es una variante de Machine Learning de mayor complejidad algorítmica (lambda-NF3) que ofrece un marco de defensa de mayor robustez frente a ataques adversarios. Ambas propuestas buscan automatizar de forma efectiva la detección de malware y su posterior gestión de incidentes mostrando unos resultados satisfactorios en aproximar lo que se ha denominado un SOC de próxima generación y de computación cognitiva (NGC2SOC). La supervisión y monitorización de eventos para la protección de las redes informáticas de una organización debe ir acompañada de técnicas de visualización. En este caso, la tesis aborda la generación de representaciones tridimensionales basadas en métricas orientadas a la misión y procedimientos que usan un sistema experto basado en lógica difusa. Precisamente, el estado del arte muestra serias deficiencias a la hora de implementar soluciones de ciberdefensa que reflejen la relevancia de la misión, los recursos y cometidos de una organización para una decisión mejor informada. El trabajo de investigación proporciona finalmente dos áreas claves para mejorar la toma de decisiones en ciberdefensa: un marco sólido y completo de verificación y validación para evaluar parámetros de soluciones y la elaboración de un conjunto de datos sintéticos que referencian unívocamente las fases de un ciberataque con los estándares Cyber Kill Chain y MITRE ATT & CK. / [CA] La present tesi doctoral realitza una anàlisi detalladament dels elements de decisió necessaris per a millorar la comprensió de la situació en ciberdefensa amb especial èmfasi en la percepció i comprensió de l'analista d'un centre d'operacions de ciberseguretat (SOC). Es proposen dues arquitectures diferents basades en l'anàlisi forense de fluxos de dades (NF3). La primera arquitectura empra tècniques de Ensemble Machine Learning mentre que la segona és una variant de Machine Learning de major complexitat algorítmica (lambda-NF3) que ofereix un marc de defensa de major robustesa enfront d'atacs adversaris. Totes dues propostes busquen automatitzar de manera efectiva la detecció de malware i la seua posterior gestió d'incidents mostrant uns resultats satisfactoris a aproximar el que s'ha denominat un SOC de pròxima generació i de computació cognitiva (NGC2SOC). La supervisió i monitoratge d'esdeveniments per a la protecció de les xarxes informàtiques d'una organització ha d'anar acompanyada de tècniques de visualització. En aquest cas, la tesi aborda la generació de representacions tridimensionals basades en mètriques orientades a la missió i procediments que usen un sistema expert basat en lògica difusa. Precisament, l'estat de l'art mostra serioses deficiències a l'hora d'implementar solucions de ciberdefensa que reflectisquen la rellevància de la missió, els recursos i comeses d'una organització per a una decisió més ben informada. El treball de recerca proporciona finalment dues àrees claus per a millorar la presa de decisions en ciberdefensa: un marc sòlid i complet de verificació i validació per a avaluar paràmetres de solucions i l'elaboració d'un conjunt de dades sintètiques que referencien unívocament les fases d'un ciberatac amb els estàndards Cyber Kill Chain i MITRE ATT & CK. / [EN] This doctoral thesis performs a detailed analysis of the decision elements necessary to improve the cyber defence situation awareness with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations center (SOC). Two different architectures based on the network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defense framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the representation of three-dimensional pictures based on mission oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state-of-the-art evidences serious deficiencies when it comes to implementing cyber defence solutions that consider the relevance of the mission, resources and tasks of an organisation for a better-informed decision. The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT & CK standards. / Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/194242

Visualización

Verificación y validación

Conjuntos de datos

Aprendizaje automático

Apoyo a la toma de decisiones

Ciberdefensa

Verification and validation

Visualization

Datasets

Machine learning

Decision support

Cyber defence

INGENIERÍA TELEMÁTICA

MPLS-based mitigation technique to handle cyber attacks / Technique de mitigation des cyber-attaques basée sur MPLS

Hachem, Nabil

04 July 2014

Les cyber-attaques pourraient engendrer des pertes qui sont de plus en plus importantes pour les utilisateurs finaux et les fournisseurs de service. Ces attaques sont, en outre, élevées par une myriade des ressources infectées et comptent surtout sur les réseaux pour être contrôlées, se propager ou endommager. Face à ces risques, il y a un besoin essentiel qui se manifeste dans la réponse à ces nombreuses attaques par des stratégies de défense efficaces. Malgré les multitudes efforts dévouées pour mettre en œuvre des techniques de défense complètes afin de se protéger contre les attaques réseaux; les approches proposées n’ont pas parvenus à satisfaire toutes les exigences. Les stratégies de défense impliquent un processus de détection complété par des actions de mitigation. Parallèlement à l’importance accordée à la conception des stratégies de détection, il est essentiel de fermer la boucle de sécurité avec des techniques efficaces permettant d’atténuer les impacts des différentes attaques. Dans cette thèse, nous proposons une technique pour réagir aux attaques qui abusent les ressources du réseau, par exemple, DDoS, botnet, distribution des vers, etc. La technique proposée s’appuie sur des approches de gestion du trafic et utilise le standard Multiprotocol Label Switching (MPLS) pour gérer le trafic diagnostiqué comme abusant du réseau, tout en invoquant les processus de détection. Les objectifs de notre technique peuvent être résumés comme suit: d’une part, fournir les moyens — par la qualité de service et schémas de routage — à séparer les flux suspects des légitimes, et d’autre part de prendre le contrôle des flux suspects. Nous bénéficions de l’extension du MPLS au niveau d’inter-domaine pour permettre une coopération entre les fournisseurs, permettant par suite la construction d’un mécanisme de défense à grande échelle. Nous développons un système afin de compléter les aspects de gestion de la technique proposée. Ce système effectue plusieurs tâches telles que l’extraction de données d’alerte, l’adaptation de la stratégie et la configuration des équipements. Nous modélisons le système en utilisant une approche de regroupement et un langage de politiques de sécurité afin de gérer de manière cohérente et automatique le contexte et l’environnement dans lequel la technique de mitigation est exécutée. Enfin, nous montrons l’applicabilité de la technique et du système à travers des différentes simulations tout en évaluant la qualité de service dans des réseaux MPLS. L’application de la technique a démontré son efficacité dans non seulement la mitigation des impacts des attaques mais aussi dans l’offre des avantages financiers aux acteurs de la chaîne de sécurité, à savoir les fournisseurs de service / Cyber attacks cause considerable losses not only for end-users but also service providers. They are fostered by myriad of infected resources and mostly rely on network resources for whether propagating, controlling or damaging. There is an essential need to address these numerous attacks by efficient defence strategies. Researchers have dedicated large resources without reaching a comprehensive method to protect from network attacks. Defence strategies involve first a detection process, completed by mitigation actions. Research on detection is more active than on mitigation. Yet, it is crucial to close the security loop with efficient technique to mitigate counter attacks and their effects. In this thesis, we propose a novel technique to react to attacks that misuse network resources, e.g., DDoS, Botnet, worm spreading, etc. Our technique is built upon network traffic management techniques. We use the Multiprotocol Label Switching (MPLS) technology to manage the traffic diagnosed to be part of a network misuse by detection processes. The goals of our technique can be summarized as follows: first to provide the means — via QoS and routing schemes — to segregate the suspicious flows from the legitimate traffic; and second, to take control over suspicious flows. We profit from the enhancement on the inter-domain MPLS to permit a cooperation among providers building a large-scale defence mechanism. We develop a system to complete the management aspects of the proposed technique. This system performs tasks such as alert data extraction, strategy adaptation and equipments configurations. We model the system using a clustering method and a policy language in order to consistently and automatically manage the mitigation context and environment in which the proposed technique is running. Finally, we show the applicability of the technique and the system through simulation. We evaluate and analyse the QoS and financial impacts inside MPLS networks. The application of the technique demonstrates its effectiveness and reliability in not only alleviating attacks but also providing financial benefits for the different players in the mitigation chain, i.e., service providers

Sécurité des réseaux

Cybersécurité

Cyberdéfense

MPLS

Qualité de service (QoS)

Réponses aux attaques

Gestion du trafic réseau

Gestion des politiques de sécurité

Network security

Cyber security

Cyber defence

MPLS

QoS (Quality of Service)

Attacks responses

Network traffic management

Policy-based management

StrideLang : Creation of a Domain-Specific Threat Modeling Language using STRIDE, DREAD and MAL / StrideLang : Skapandet av ett Domän-Specifikt Hotmodellerings-Språk med STRIDE, DREAD och MAL

Cerovic, Lazar

January 2022

Cybersecurity is still one of the main challenges of the digital era for organizations and individuals alike. Threat modeling is an important tool for building systems that are reliable and secure. The research question for this study is to create a domain specific language (DSL) with the Meta Attack Language (MAL), STRIDE and DREAD. One of the main challenges is to choose a DSL that is suitable for threat modeling. The purpose of the study is to provide people with threat modeling with additional tools that can be used in attack simulations. MAL is a meta language used for creating DSL that can be used for attack simulations. An example of a MAL project that usually serves as a template for other DSL is coreLang, which models the general IT infrastructure. STRIDE is a model used in threat modeling to enumerate and categorization of cyberthreats. DREAD is a model used for risk assessment that scores each threat by a value between one and ten. The proposed method for answering the research question is the Design Research Science Method (DRSM), which is often used for creating artifacts. Evaluation of the results is done with tests written in Java using the Junit framework. The result of the study is the creation of strideLang that maps attack steps in coreLang (MAL implementation of the general IT infrastructure DSL) to STRIDE and DREAD models. The primary source of error in the investigation is the risk assessment with DREAD, which can be somewhat inaccurate depending on what specific DSL is used. It would have been valuable if the study incorporated feedback from domain experts specifically with risk assessment. The nature of the STRIDE and DREAD models is that the models are very subjective in practice. However, this study does provide insights in how a DSL can be created based on DREAD and STRIDE. Future work might investigate a different DSL, incorporate tools such as SecuriCAD and compare different threat models. / Cybersäkerhet är fortfarande en av de främsta utmaningarna i den digitala eran för såväl organisationer som individer. Hotmodellering är ett viktigt verktyg för att bygga tillförlitliga och säkra system. Huvudmålet för denna studie är att skapa ett domänspecifikt språk (DSL) med Meta Attack Language (MAL), STRIDE och DREAD. En av de främsta utmaningarna för att nå målet med studien är att hitta ett domänspecifikt språk som är lämpligt för denna typ av hotmodellering. Syftet med studien är att förse personer som arbetar med hotmodellering med ytterligare verktyg för att kunna använda i sina attacksimuleringar. MAL är ett metaspråk som används för att skapa domän-specifika språk och utföra attacksimuleringar. Ett exempel på ett MAL projekt som oftast används som en mall för att skapa nya domänspecifika och modellerar den generella IT infrastrukturen. STRIDE modellen används för att lista och kategorisera digitala hot. DREAD brukar användas tillsammans med STRIDE och används för att risk bedöma digitala hot genom att betygsätta hoten med ett värde mellan ett och tio. Den valda metoden för att lösa forskningsfrågan är Design Research Science Method (DSRM), som används oftast i samband med skapandet av artefakter. Evaluering av resultatet gjordes med tester skrivna i Java med ramverket JUnit. Studien resulterade med skapande av strideLang som mappar attack steg i coreLang till STRIDE och DREAD modellerna. Den främsta felkällan i denna studie är riskbedömningen med DREAD eftersom noggrannheten på riskbedömningen kan variera från specifika domän i IT infrastrukturen. Det hade varit värdefullt om studien integrera domänexperters bedömning i studien främst för DREAD bedömningen. STRIDE och DREAD modellerna är subjektiva vilket betyder att olika experter kan komma till olika slutsatser för samma hot. Däremot så kan studien förse med intressanta insikter om hur ett domän-specifikt språk kan skapas baserat på DREAD och STRIDE modellerna. Framtida studier kan undersöka en mer specifik domän inom IT infrastrukturen, integrera verktyg som SecuriCAD och jämföra olika modeller som används inom hotmodelleringen

Meta attack language

Domain specific language

Attack graphs

Threat modeling

STRIDE

DREAD

Attack simulation

Cyber defence

Meta attack language

Domänspecifika språk

Attack grafer

Hotmodellering

STRIDE

DREAD

Attack simulering

Cyberförsvar

Computer Sciences

Datavetenskap (datalogi)