A method of detecting and predicting attack vectors based on genetic programming

Churakova, Yekatierina, Novikov, Oleksii

January 2023

This Master's thesis presents a novel approach for detecting and predicting attack vectors based on genetic programming. The proposed method utilizes a genetic algorithm to evolve a set of rules that predict attack vectors over the system based on caught indicators of compromise. The generated rules are then used to identify potential attack vectors and predict how it started and how it will develop in future. The research aims to improve the accuracy and efficiency of existing methods for attack detection and prediction. The proposed approach is evaluated using real-world attack data and compared against several state-of-the-art techniques. Results indicate that the proposed method outperforms existing approaches in terms of detection accuracy and prediction capability. This research has important implications for the field of cybersecurity and can assist organizations in developing more effective and proactive defense strategies against cyberattacks. Background. Cybersecurity is an increasingly critical issue in today's digital age. Cyberattacks are becoming more sophisticated, making it challenging for traditional defense mechanisms to detect and prevent them. Therefore, it is crucial to develop new and innovative methods for identifying and predicting potential attack vectors. In this context, this Master's thesis presents a novel approach to detecting and predicting attack vectors based on genetic programming. The proposed method aims to improve the accuracy and efficiency of existing approaches to cyberattack detection and prediction. Objectives.This Master’s thesis aims to reach the following objectives: 1. To identify the limitations of existing approaches to cyberattack detection and prevention and propose a novel method based on genetic programming. 2. To develop a genetic programming-based algorithm to evolve a model for attack-vectors prediction. 3. To evaluate the effectiveness of the proposed approach using real-world attack data Methods. The methods used in this Master's thesis combine literature review, data collection, algorithm development, experimentation, data analysis, and recommendations to improving approach to detecting and predicting attack vectors using genetic programming. The research aims to contribute to the field of cybersecurity by advancing our understanding of cyberattack detection and prevention. Results. The proposed method has the potential to enhance the accuracy and efficiency of cyberattack detection and prediction, which can help organizations prevent or mitigate the impact of cyberattacks. Future improvements can include more complex MITRE ATT&CK datasets, including Mobile and ICS matrices. Conclusions. The genetic programming-based algorithm developed in this thesis was shown to be effective in detecting and predicting attack vectors using real-world attack data. The proposed approach has the potential to improve organizations' cybersecurity posture by providing a proactive defense strategy against cyberattacks.

MITTRE ATT&CK

genetic programming

attack vectors

attack prediction

Computer Sciences

Datavetenskap (datalogi)

Hidden Markov models and alert correlations for the prediction of advanced persistent threats

Ghafir, Ibrahim, Kyriakopoulos, K.G., Lambotharan, S., Aparicio-Navarro, F.J., Assadhan, B., Binsalleeh, H., Diab, D.M.

24 January 2020

Yes / Cyber security has become a matter of a global interest, and several attacks target industrial companies and governmental organizations. The advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively. / The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.

Advanced persistent threat

Intrusion detection system

Alert correlation

Hidden Markov model

Attack prediction

Reputace zdrojů škodlivého provozu / Reputation of Malicious Traffic Sources

Bartoš, Václav

January 2019

An important part of maintaining network security is collecting and processing information about cyber threats, both from network operator's own detection tools and from third parties. A commonly used type of such information are lists of network entities (IP addresses, domains, URLs, etc.) which were identified as malicious. However, in many cases, the simple binary distinction between malicious and non-malicious entities is not sufficient. It is beneficial to keep other supplementary information for each entity, which describes its malicious activities, and also a summarizing score, which evaluates its reputation numerically. Such a score allows for quick comprehension of the level of threat the entity poses and allows to compare and sort entities. The goal of this work is to design a method for such summarization. The resulting score, called Future Maliciousness Probability (FMP score), is a value between 0 and 1, assigned to each suspicious network entity, expressing the probability that the entity will do some kind of malicious activity in a near future. Therefore, the scoring is based of prediction of future attacks. Advanced machine learning methods are used to perform the prediction. Their input is formed by previously received alerts about security events and other relevant data related to the entity. The method of computing the score is first described in a general way, usable for any kind of entity and input data. Then a more concrete version is presented for scoring IPv4 address by utilizing alerts from an alert sharing system and supplementary data from a reputation database. This variant is then evaluated on a real world dataset. In order to get enough amount and quality of data for this dataset, a part of the work is also dedicated to the area of security analysis of network data. A framework for analysis of flow data, NEMEA, and several new detection methods are designed and implemented. An open reputation database, NERD, is also implemented and described in this work. Data from these systems are then used to evaluate precision of the predictor as well as to evaluate selected use cases of the scoring method.