Dynamic Networks And Cyber-security
eBook - ePub

  1. 224 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

As an under-studied area of academic research, the analysis of computer network traffic data is still in its infancy. However, the challenge of detecting and mitigating malicious or unauthorised behaviour through the lens of such data is becoming an increasingly prominent issue.

This collection of papers by leading researchers and practitioners synthesises cutting-edge work in the analysis of dynamic networks and statistical aspects of cyber security. The book is structured in such a way as to keep security application at the forefront of discussions. It offers readers easy access into the area of data analysis for complex cyber-security applications, with a particular focus on temporal and network aspects.

Chapters can be read as standalone sections and provide rich reviews of the latest research within the field of cyber-security. Academic readers will benefit from state-of-the-art descriptions of new methodologies and their extension to real practical problems while industry professionals will appreciate access to more advanced methodology than ever before.

Contents:

  • Network Attacks and the Data They Affect (M Morgan, J Sexton, J Neil, A Ricciardi & J Theimer)
  • Cyber-Security Data Sources for Dynamic Network Research (A D Kent)
  • Modelling User Behaviour in a Network Using Computer Event Logs (M J M Turcotte, N A Heard & A D Kent)
  • Network Services as Risk Factors: A Genetic Epidemiology Approach to Cyber-Security (S Gil)
  • Community Detection and Role Identification in Directed Networks: Understanding the Twitter Network of the Care.Data Debate (B Amor, S Vuik, R Callahan, A Darzi, S N Yaliraki & M Barahona)
  • Anomaly Detection for Cyber Security Applications (P Rubin-Delanchy, D J Lawson & N A Heard)
  • Exponential Random Graph Modelling of Static and Dynamic Social Networks (A Caimo)
  • Hierarchical Dynamic Walks (A V Mantzaris, P Grindrod & D J Higham)
  • Temporal Reachability in Dynamic Networks (A Hagberg, N Lemons & S Misra)


Readership: Researchers and practitioners in dynamic network analysis and cyber-security.
Keywords: Cyber-Security; Dynamic Network; Netflow; Network Traffic; Monitoring; Hypothesis Test

Key Features:

  • Detailed descriptions of the behaviour of attackers
  • Discussions of new public domain data sources, including data quality issues
  • A collection of papers introducing novel methodology for cyber-data analysis

Frequently asked questions

Simply head over to the account section in settings and click on ā€œCancel Subscriptionā€ - itā€™s as simple as that. After you cancel, your membership will stay active for the remainder of the time youā€™ve paid for. Learn more here.
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
Both plans give you full access to the library and all of Perlegoā€™s features. The only differences are the price and subscription period: With the annual plan youā€™ll save around 30% compared to 12 months on the monthly plan.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weā€™ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes, you can access Dynamic Networks And Cyber-security by Niall Adams, Nick Heard in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher
WSPC
Year
2016
ISBN
9781786340764

Chapter 1

Network attacks and the data they affect

Matthew Morgan*, Joseph Sexton, Joshua Neil, Aleta Ricciardi and Joshua Theimer
Ernst & Young, LLP
*[email protected]
In this chapter, we discuss techniques to improve the detection of intruders within a computer network. We begin with an understanding of the behaviours of intruders: the actions and steps they must take in order to gain access, the actions they may take to realise their objectives, and the constraints imposed on them by the systems and networks they target. Each of these actions leaves evidence in system logs, and we show how to use knowledge of intruder behaviour to hone statistical analyses of these logs. By understanding the sequence and coincidence of an intruder's actions, we improve the accuracy of detections. When compared against the historical activity within a network, these rare events, and even rarer sequences of events, become highly suggestive. Our approach contrasts with so-called signature-based detection, which examines activity against known attacks. One consequence is that signatures can only detect what has been seen before. Moreover, signatures are generally used to detect the initial system breach; they do not address the free-range activity of an intruder once successfully inside the target network (indeed, detecting malicious activity from insider threats is a particularly sensitive issue). Statistical analysis of system and network activity, informed by knowledge of threat actors' behaviour, addresses both of these shortcomings.

1. Introduction

The dominant approach to commercial intrusion detection in computer networks is based on detecting signatures or indicators of previously uncovered and analysed attacks. Examples include file hashes, known-bad IP addresses and domains, and traffic characteristics of known Command and Control (C&C) protocol. When a signature is detected, it may be evidence of an ongoing intrusion, and typically warrants investigation.
Unfortunately, signature detection can be easily evaded: recompiling a malicious program with a minor modification will alter its hash, and changing C&C servers will circumvent the use of blacklists to identify known-bad IP addresses and domain names. These weaknesses have been known for many years by both attackers and defenders and recent years have witnessed a steep rise in the number of successful network intrusions.
Behaviour-based detection is a relatively new approach that uses statistical models to reflect normal behaviour; alternative hypotheses reflecting attack behaviour can then be formed when deviation from the model is evident. While the paradigm may be new in practice, the data-centric approach is not (e.g. Ref. 1 argued in 2013 that extensive network monitoring is the key to successful detection). This approach requires the analysis of data from a wide variety of sources, and statisticians have an important role to play in these developments. The magnitude of the data requires automated approaches to baselining activity, and careful calibration of anomaly scores to assess activity patterns extracted from data sets with widely varying distributions. In addition, it is critical that statistical approaches be guided by security expertise, to ensure that the methods employed are sensitive to real attacker methodology. Blind application of statistical methods without subject matter guidance is likely to fail.2,3
This chapter captures both the attacker's and the defender's perspective. In Section 2, we give a detailed description of the behaviours of attackers and provide some concrete examples. In Section 3, we describe the types of evidence these behaviours leave behind in system logs. Section 4 presents statistical analyses, emphasising ways to make the signal more prominent. Finally, in Section 5, we introduce the further complication of detecting insider threats and suggest ways to incorporate indicators of these types of attack.

2. Behaviour of Attackers

To develop a behaviour-based approach to detecting attackers, it is important to understand the general characteristics of an attack. Hutchins4 examined targeted network intrusions, and identified the following seven steps, sometimes referred to as the attack chain or kill chain:

  • Reconnaissance: the attacker gains information about the target to identify potential sources of entry and the intended data and systems to disrupt.
  • Weaponisation: the attacker prepares the means of exploit or malware.
  • Delivery: how the malware is launched.
  • Exploitation: the means by which the attacker actually gains entry.
  • Installation: the attacker establishes a base from which to execute.
  • C&C: the attacker establishes communication back to its own servers to receive stolen data or initiate actions from outside the target network.
  • Actions: achieving the specific objectives against the target network.

Because the first two steps typically occur outside the target network, we will focus on the last five steps.
An advanced persistent threat (APT)5 is characterised by the attacker maintaining access in the compromised network for a long period of time. As an example, consider a highly publicised attack campaign of late 2009, dubbed 'Operation Aurora', that successfully targeted, among others, Google, Adobe, Juniper Networks, Rackspace, Yahoo and Symantec. According to Ref. 6, the attack targeted source code repositories within the companies, called software configuration management systems (SCM) (reconnaissance). The attacks typically started with spear-phishing emails (delivery) including a URL link. When the victim clicked on the link, a zero-day vulnerability (exploitation) in Internet Explorer resulted in malware (previously weaponised) being executed (installation) on the machine. The malware set up a backdoor into the compromised host, which then initiated a connection back to one of the attacker's servers (C&C). The attackers were then poised to carry out the main goal of their attack, accessing and exfiltrating code from the SCMs (action). Table 1 associates these steps with the evidence they left in system logs (we will discuss the evidence in greater detail in Section 3).

Table 1. Operation Aurora attack chain.
Attack phase | Mechanism | Log visibility
--- | --- | ---
Delivery | Phishing email with URL | Email/Web
Exploit | URL to website with malicious JavaScript; the JS exploited a zero-day Internet Explorer vulnerability and downloaded the trojan Roarur.dr | Behavioural malware detection
Installation | Roarur.dr saves and executes %Application Data%\a.exe; downloads roarur.dll and injects it into svchost.exe, creating a service and Reg.Key ...\Services\RaS[.. 4 random char ..] | Event logs: new process, registry modification, new service
C&C | RasMon backdoor connects back, e.g. to 360.home[REMOVED].com | Web: new domain traffic
Actions | SCM poorly secured, easily accessed by attackers; downloading entire source-code trees | High bandwidth outbound
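The Introduction's point about baselining activity and calibrating anomaly scores, and Table 1's "Log visibility" column, can be tied together in a small scorer: each host-level event is scored by its rarity against historical activity, and a host is flagged only when rare events occur in kill-chain order across several phases, so that a rare sequence outscores any single rare event. This is an added illustration, not code from the chapter; the event names, hosts, counts and threshold are all constructed.

```python
from collections import Counter
from math import log

# Kill-chain phases observable inside the target network (Table 1), in order.
PHASES = ("delivery", "exploitation", "installation", "c&c", "actions")

# Constructed baseline of (host, phase, event) records standing in for the
# network's historical activity; the counts are invented for illustration.
HISTORY = ([("ws01", "installation", "new_process")] * 75
           + [("ws01", "c&c", "known_domain")] * 95
           + [("ws03", "c&c", "new_domain")] * 2
           + [("srv01", "installation", "new_service")] * 3
           + [("srv01", "actions", "high_outbound")] * 1)

# Constructed events in the window being scored: ws07 shows the Aurora-style
# sequence of Table 1, ws02 shows routine activity.
WINDOW = [("ws07", "installation", "new_process"),
          ("ws07", "installation", "new_service"),
          ("ws07", "c&c", "new_domain"),
          ("ws07", "actions", "high_outbound"),
          ("ws02", "installation", "new_process"),
          ("ws02", "c&c", "known_domain")]

def baseline(history):
    """Smoothed frequency of each event type over the baseline, so an event
    never seen before is rare rather than impossible."""
    counts = Counter(ev for _, _, ev in history)
    total, vocab = sum(counts.values()), len(counts) + 1
    return lambda ev: (counts.get(ev, 0) + 1) / (total + vocab)

def chain_score(events, prob):
    """Sum -log p over events taken in kill-chain order (backward steps are
    skipped); rarities add, so a rare sequence outscores one rare event."""
    score, last, phases = 0.0, -1, []
    for _, phase, ev in events:
        idx = PHASES.index(phase)
        if idx < last:
            continue
        last, score = idx, score - log(prob(ev))
        phases.append(phase)
    return score, sorted(set(phases), key=PHASES.index)

def score_window(history, window, threshold=10.0, min_phases=3):
    """Hosts whose chain is rare and spans enough phases, as {host: score}."""
    prob = baseline(history)
    per_host = {}
    for rec in window:
        per_host.setdefault(rec[0], []).append(rec)
    scored = {h: chain_score(evs, prob) for h, evs in per_host.items()}
    return {h: round(s, 2) for h, (s, ph) in scored.items()
            if s >= threshold and len(ph) >= min_phases}
```

Here ws07 scores about 13.3 across three phases and is flagged, while ws02's common events sum to about 1.5 and are ignored; the threshold and the minimum phase count are the calibration knobs the chapter says must be set with security expertise in the loop.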

2.1. Understanding network security practices

In order to be truly effective, attackers need to understand the networks of the enterprises that they target. Often, the culture and business of an enterprise give hints about the network and resources supporting it, which in turn suggest vulnerabilities (in both technology and practices) likely to exist within the network. Conversely, an attacker must perform certain actions to progress through a network in order to install, establish C&C and achieve their objectives. Thus, understanding the confines of an attacker and the stages of an attack lifecycle further contextualise events seen in system logs; this context helps to prioritise security monitoring resources and identify that an attack is in progress.
While it is reasonable to assume that larger networks can leverage more sophisticated infrastructure and apply complex security measures in a thorough and consistent manner, the reality is much different. The pace of growth, both in the improvement of existing technology and in new technology being added to replace manual or analog processes and machinery, has made the concept of consistent security service delivery impractical. Many corporations do not have the resources to keep up with the changes, resulting in asset inventories that are incorrect and incomplete, patches that are not at recommended levels, non-hardened default configurations in production, and unapproved hardware and software existing in the environment. The current trend in the so-called "Internet of Things" is to provide network connectivity for all technology, often before even a cursory vulnerability assessment is conducted. This results in ad hoc security practices being added onto the technology, rather than those services being built in at the design phase. Cyber security is typically handled by a series of periodic projects based on budget surpluses or drastic events, rather than through holistic integration with the business.
Attackers continue to seek ways to exploit lack of resources, poor situational awareness and inadequate security postures. For instance, if an attacker is able to determine that an organisation's security department is understaffed, they may assume the network contains systems that have not been sufficiently hardened and will prioritise their activities to target vulnerabilities in default configurations of common services. Alternately, if an attacker believes that the administrators of the network are security-minded but that the organisation as a whole does not provide adequate security awareness training for its personnel, the attacker may focus their attention on low-level users as opposed to attempting to gain administrator privileges at the outset.
This ability to adapt is the main reason the scales are tipped in the attacker's favour. Cyber security has traditionally been a c...

Table of contents

  1. Cover page
  2. Title page
  3. Copyright page
  4. Preface
  5. Contents
  6. 1. Network attacks and the data they affect
  7. 2. Cyber security data sources for dynamic network research
  8. 3. Modelling user behaviour in a network using computer event logs
  9. 4. Network services as risk factors: A genetic epidemiology approach to cyber-security
  10. 5. Community detection and role identification in directed networks: Understanding the Twitter network of the care.data debate
  11. 6. Anomaly detection for cyber security applications
  12. 7. Exponential random graph modelling of static and dynamic social networks
  13. 8. Hierarchical dynamic walks
  14. 9. Temporal reachability in dynamic networks
  15. Subject Index