cloudy with a chance of breach forecasting cyber security
play

Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents - PowerPoint PPT Presentation

Feb 18, 2023 •334 likes •842 views

Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents Yang Liu , Armin Sarabi , Jing Zhang , Parinaz Naghizadeh Manish Karir , Michael Bailey , Mingyan Liu , EECS Department, University of Michigan, Ann

  1. Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents Yang Liu § , Armin Sarabi § , Jing Zhang § , Parinaz Naghizadeh § Manish Karir ♯ , Michael Bailey ∗ , Mingyan Liu § ,♯ § EECS Department, University of Michigan, Ann Arbor ♯ QuadMetrics, Inc. ∗ ECE Department, University of Illinois, Urbana-Champaign http://grs.eecs.umich.edu Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 1 / 28

  2. Intro Introduction Motivation Increasingly frequent and high-impact data breaches ◮ Target, JP Morgan Chase, Home Depot, to name a few ◮ Increasing social and economic impact of such cyber incidents Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 2 / 28

  3. Intro Introduction Limitation of current approaches ◮ Heavily detection based ◮ Fail to detect, or too late by the time a breach is detected ◮ Not suited for cost/damage control ◮ Urgent need for more proactive measures Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 3 / 28

  4. Intro Introduction Prediction Detection ◮ predicting whether a presently ◮ analogous to diagnosing a healthy person may become ill patient who may already be ill based on a variety of relevant (e.g., by using biopsy). factors. ◮ [Qian et al. NDSS14, Wang ◮ [Soska & Christin, USENIX et al. USENIX Sec14] Sec14] Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 4 / 28

  5. Intro Introduction Prediction Detection ◮ predicting whether a presently ◮ analogous to diagnosing a healthy person may become ill patient who may already be ill based on a variety of relevant (e.g., by using biopsy). factors. ◮ [Qian et al. NDSS14, Wang ◮ [Soska & Christin, USENIX et al. USENIX Sec14] Sec14] Our goal: ◮ Understand the extent to which one can forecast incidents on an organizational level. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 4 / 28

  6. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  7. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. ◮ Robustness: we do not have control over or direct knowledge of the error embedded in the data. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  8. Intro Introduction Objective To develop the ability to forecast security incidences ◮ Applicability: we rely solely on externally observed data; do not require information on the internal workings of a network or its hosts. ◮ Robustness: we do not have control over or direct knowledge of the error embedded in the data. Key idea: ◮ tap into a diverse set of data that captures different aspects of a network’s security posture, ranging from the explicit to latent . Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 5 / 28

  9. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  10. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  11. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  12. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes ◮ Internal to an org.: more informed decisions on resource allocation. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  13. Intro Introduction Why prediction? Forecast enables entirely new classes of applications which are otherwise not feasible. ◮ Prediction allows proactive policies and measures to be adopted rather than reactive measures following the detection. Forecast enables effective risk management schemes ◮ Internal to an org.: more informed decisions on resource allocation. ◮ External to an org.: incentive mechanisms such as cyber insurance. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 6 / 28

  14. Intro Introduction Outline of the talk ◮ Data and Preliminaries - Description of the data - Data pre-processing ◮ Forecasting methods - Construction of the predictor ◮ Forecasting results - Main prediction results & analysis Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 7 / 28

  15. Data Methodology Datasets at a glance Category Collection period Datasets Mismanagement Feb’13 - Jul’13 Open Recursive Resolvers, DNS Source Port, symptoms BGP misconfiguration, Untrusted HTTPS, Open SMTP Mail Relays Malicious May’13 - Dec’14 CBL, SBL, SpamCop, UCEPROTECT, activities WPBL, SURBL, PhishTank, hpHosts, Darknet scanners list, Dshield, OpenBL Incident Aug’13 - Dec’14 VERIS Community Database, reports Hackmageddon, Web Hacking Incidents ◮ Mismanagement and malicious activities used to extract features. ◮ Incident reports used to generate labels for training and testing. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 8 / 28

  16. Data Methodology Security posture data Mismanagement symptoms ◮ Deviation from known best practices; indicators of lack of policy or expertise: - Misconfigured- HTTPS cert, DNS (resolver+source port), mail server, BGP. ◮ Collected around mid-2013 (pre-incidnts). Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 9 / 28

  17. Data Methodology Security posture data Mismanagement symptoms ◮ Deviation from known best practices; indicators of lack of policy or expertise: - Misconfigured- HTTPS cert, DNS (resolver+source port), mail server, BGP. ◮ Collected around mid-2013 (pre-incidnts). Malicious Activity Data: a set of 11 reputation blacklists (RBLs) ◮ Daily collections of IPs seen engaged in some malicious activity. ◮ Three malicious activity types: spam, phishing, scan. ◮ Use data between May 2013 and December 2014. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 9 / 28

  18. Data Methodology Security incident Data Three incident datasets ◮ Hackmageddon ◮ Web Hacking Incidents Database (WHID) ◮ VERIS Community Database (VCDB) Incident type SQLi Hijacking Defacement DDoS Hackmageddon 38 9 97 59 WHID 12 5 16 45 Incident type Crimeware Cyber Esp. Web app. Else VCDB 59 16 368 213 Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 10 / 28

  19. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  20. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Data diversity presents challenge in alignment in time and space. ◮ Security posture records information at the host IP-address level. ◮ Cyber incident reports associated with an organization. ◮ Such alignment is not travial: reallocation makes boundary unclear. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  21. Data Data Pre-processing Data Pre-processing Incident cleaning. ◮ Remove irrelevant cases, e.g., robbery at liquor store, something happened etc. Data diversity presents challenge in alignment in time and space. ◮ Security posture records information at the host IP-address level. ◮ Cyber incident reports associated with an organization. ◮ Such alignment is not travial: reallocation makes boundary unclear. A mapping process: ◮ Summarizing owner IDs from RIR databases. ◮ 4.4 million prefixes listed under 2.6 million owner IDs: finer degree compared to routing table. ◮ Sample IP from organization + search in above table. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 11 / 28

  22. Forecast Outline of the talk ◮ Data and Preliminaries - Description of the data - Data pre-processing ◮ Forecasting methods - Construction of the predictor ◮ Forecasting results - Main prediction results & analysis Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 12 / 28

  23. Forecast Methodology Approach at a glance Feature extraction ◮ 258 features extracted from the datasets: Primary + Secondary features. Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 13 / 28

  24. Forecast Methodology Approach at a glance Feature extraction ◮ 258 features extracted from the datasets: Primary + Secondary features. Label generation ◮ 1,000+ incident reports from the three incident sets Y.Liu (U. Michigan) Forecasting Cyber Security Incidents 13 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel

The IT Forecast: Cloudy With A Chance of Breach? Christopher Yula Director of Sales, Siwel Consulting Kaz Khumush Sr. Sales Engineer, Trend Micro Keys for Cloud Infrastructure Virtual Infrastructure Stable, Predictable, &

267 views • 13 slides
CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an

CYBER INSURANCE Luxury or necessary protection? What is a data breach? A breach is defined as an event in which an individuals name plus personal information such as an address, phone number and/or financial record such as a social security

307 views • 16 slides
Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape

Prentice Wealth Management Michael McCartney President, Avalon Cyber The Cyber Problem Data Breach Landscape Verizon VBIR 2015 Report Cyber Breach Trending Outsider v Insider Threat Personal Identity Protection

819 views • 12 slides
NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the

NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the

miller nash llp | Fall 2011 brought to you by the tax law practice team NW Tax Wire Cloudy With a Chance of Tax On-demand self-service : The user allows the resource provider to scale can use computer resources (e.g., server a

499 views • 6 slides
Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright

Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright Australia April 2018 Purpose This presentation has been commissioned by CyberHound Pty Ltd (part of the Superloop Group) to assist schools that are

646 views • 26 slides
CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi

CAN ORGANIZATIONS SURVIVE A POLI-CYBER BREACH ? K e y n o t e b y K h a l e d F a t t a l MLi Group, C h a i r m a n ( @ ) M L i G r p ( d o t ) c o m 1 WHAT IS A POLI-CYBER ? CYBER ATTACKS PERPETRATED OR INSPIRED BY EXTREMIST

520 views • 17 slides
Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some

Cyber Security User Overview Martin Dinham Martin.Dinham@cfsystems.co.uk 01209 340030 Some context Daily Mail online, April 2017 52 % the number of small businesses that had a security breach in 2016 UK Government Cyber Security

619 views • 39 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach

Network Security & Privacy Liability: An Overview of Loss Mitigation Concepts and Data Breach Response Services March 20 th , 2012 Brian Cole, Managing Director Professional Liability Specialty Practice Overview of Topics Cyber Security

611 views • 21 slides
Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A

Security & Compliance Thursday, September 4 2014 What is a security breach/attack? A security breach/attack is defined as an event in which a corporations network is compromised or an individuals name plus Social Security Name (SSN),

890 views • 12 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

W ITH THE DATA BREACH AT information for cyber criminals. As consultants to determine whether

LAW Best Practices for Protecting Electronic Business Data Companies are under attack from cyber-criminals, hackers and spies. Is your data at risk? C OMPILED BY M ILES Z. E PSTEIN E DITOR , COMMERCE W ITH THE DATA BREACH AT information for

290 views • 3 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three

Cyber Security Maintaining Your Identity on the Net Why Cyber Security? There are three points of failure in any secure network: Technology (hardware and software) Technology Support (ITS) End Users (USD students and employees)

359 views • 23 slides
PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT

PR PROACTIVE CTIVE SE SECUR CURITY ITY: : DATA A BREA BREACH CH ASSE ASSESSM SSMENT ENT CyberSecurity Chicago September 2018 Security In The News Frequency and severity of cyber security news on the rise 2 PROPRIETARY AND

449 views • 21 slides
Market Capacity Definitions and Generation Adequacy Cynthia Bothwell Benjamin F. Hobbs Johns

Market Capacity Definitions and Generation Adequacy Cynthia Bothwell Benjamin F. Hobbs Johns

Market Capacity Definitions and Generation Adequacy Cynthia Bothwell Benjamin F. Hobbs Johns Hopkins University FERC Workshop/ 9 th Annual Trans-Atlantic Infraday October 30, 2015 Work Supported in part by NSF grants OISE 1243482

436 views • 9 slides
Criteria Considerations Warren Lasher Director of System Planning PUC Workshop Commission

Criteria Considerations Warren Lasher Director of System Planning PUC Workshop Commission

Resource Adequacy and Reliability Criteria Considerations Warren Lasher Director of System Planning PUC Workshop Commission Proceeding Regarding Policy Options on Resource Adequacy July 27, 2012 Resource Adequacy Analysis in ERCOT The

490 views • 13 slides
Michel Juillard Bayesian Estimation of GPM with Dynare MacroFinancial Linkages, Oil Prices and

Michel Juillard Bayesian Estimation of GPM with Dynare MacroFinancial Linkages, Oil Prices and

M A -L L I , O I P R D E W O M O - S , O P D W P AC CR RO IN NK KA AG GE ES IL L RI IC CE ES S A AN ND D EF FL LA AT TI IO ON N OR RK KS SH HO OP J A 6 9 9, , 20 00 09 9 J 6 2 AN NU UA AR

1.06k views • 78 slides
Obtaining simultaneous equation models from a set of variables through genetic algorithms Jos

Obtaining simultaneous equation models from a set of variables through genetic algorithms Jos

Obtaining simultaneous equation models from a set of variables through genetic algorithms Jos J. Lpez Universidad Miguel Hernndez (Elche, Spain) Domingo Gimnez Universidad de Murcia (Murcia, Spain) IC ICCS 2010 CS 2010 1 Contents

350 views • 17 slides
Predic'ng Coherence Communica'on by Tracking Synchroniza'on Points

Predic'ng Coherence Communica'on by Tracking Synchroniza'on Points

Predic'ng Coherence Communica'on by Tracking Synchroniza'on Points at Run Time Socrates Demetriades and Sangyeun Cho 45 th Interna+onal Symposium in

554 views • 29 slides
Lecture 4: Introduction to Regression CS109A Introduction to Data Science Pavlos Protopapas,

Lecture 4: Introduction to Regression CS109A Introduction to Data Science Pavlos Protopapas,

Lecture 4: Introduction to Regression CS109A Introduction to Data Science Pavlos Protopapas, Kevin Rader and Chris Tanner Background Roadmap: Lecture 1 What is Data Science? Lecture 2 Data: types, formats, issues, etc, and briefly

643 views • 45 slides
techniques for daily precipitation: Results from the CORDEX Flagship Pilot Study in South America

techniques for daily precipitation: Results from the CORDEX Flagship Pilot Study in South America

A comparison of statistical downscaling techniques for daily precipitation: Results from the CORDEX Flagship Pilot Study in South America Bettolli ML, Gutirrez JM, Iturbide M, Bao-Medina J, Huth R, Solman S, Fernndez J, da Rocha RP,

389 views • 21 slides
Veterans Employment Preferences Texas A&M University Rita Bowden, Manager of Recruitment

Veterans Employment Preferences Texas A&M University Rita Bowden, Manager of Recruitment

Veterans Employment Preferences Texas A&M University Rita Bowden, Manager of Recruitment and Workforce Planning at Texas A&M University 1 2 Designed for Education I couldnt imagine working with anyone other than

478 views • 26 slides

More recommend