empirical studies in cybersecurity some challenges
play

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier - PowerPoint PPT Presentation

Oct 30, 2022 •282 likes •661 views

Empirical Studies in Cybersecurity: Some Challenges Michel Cukier Adding Science to Cybersecurity Empirical studies are needed to add science to cybersecurity Challenges: Security metrics are lacking Security data are not

  1. Empirical Studies in Cybersecurity: Some Challenges Michel Cukier

  2. Adding Science to Cybersecurity • Empirical studies are needed to add science to cybersecurity • Challenges: – Security metrics are lacking – Security data are not publicly available

  3. Availability of Security Data • Few available datasets have issues (e.g., MIT LL 98/99) • NSF helped initiating collaborations but none succeeded (2001) • NSF workshop on the lack of available data (2010) • DHS PREDICT dataset: – Context is missing – More datasets will be added over time

  4. The End?

  5. A Rare Collaboration • Unique relationship with – G. Sneeringer, Director of Security, and his security team at the Office of Information Technology • Access to security related data collected on the UMD network • Development of testbeds for monitoring attackers Enables unique empirical studies

  6. Incident Data • Incidents: – Confirmed compromised computers – More than 12,000 records since June 2001 • Models: – Software reliability growth models, time series, epidemiological models • Questions: – # incidents: relevant metric? – Impact of time (age, duration)?

  7. Intrusion Prevention System (IPS) Data • Intrusion Prevention System (IPS) alerts: – IPSs located at the border and inside UMD network – More than 7 million events since September 2006 • Models: – Identify outliers, define metrics containing some memory • In-house validation

  8. Network Flows • Network flows: – 130,000 IP addresses monitored (two class B networks belonging to UMD) • Tool: – Goal: increase network visibility – Nfsight (available on sourceforge) • In-house validation • Next goal: – An efficient flow-based IDS

  9. Backend Algorithm Request flow: 2009-07-30 09:34:56.321 TCP 10.0.0.1: 2455 → 10.1.2.3: 80 Host 2 Host 1 Reply flow: 2009-07-30 09:34:56.322 TCP 10.1.2.3: 80 → 10.0.0.1: 2455 Algorithm : • Receive a batch of 5 minutes of flows • Pair up unidirectional flows using {src/dst IP/port and protocol} • Run heuristics and calculate probabilities for each end point to host a service • Output end point results and bidirectional flows Client Server Bi-flow: 2009-07-30 09:34:56.321 TCP 10.0.0.1 :2455 → 10.1.2.3: 80 10.0.0.1 10.1.2.3 to tcp/80 hosts tcp/80

  10. Heuristics Heuristic ID Features and Formula Used Output Values Timing: Timestamp of request < [0, …] Heuristic 0 Timestamp of reply Port numbers: Heuristic 1 Src port > Dst port {0, 0.5, 1} Heuristic 2 Src port > 1024 > Dst port {0, 0.5, 1} Heuristic 3 Port in /etc/services {0, 0.5, 1} Fan in/out relationships: [0, …] Heuristic 4 # ports related [0, …] Heuristic 5 # IP related [0, …] Heuristic 6 # tuples related

  11. Front-end

  12. Case Study: Scanning Activity

  13. Case Study: Worm Outbreak

  14. Case Study: Distributed Attacks

  15. Honeypot (HP) Data • Honeypot data: – Malicious activity collected on more than 1,200 HPs (low and high interaction) – Low interaction HPs deployed at UIUC, AT&T, PJM, France and Morocco – High interaction HPs for study of attacks/attackers

  16. Details of Experiment • Easy access to honeypots though entry point: SSH • Multiple honeypots per attacker for an extended period of time: one month • Configure honeypots given to one attacker with increasing network limitations: some ports blocked • Collect data such as network traffic, keystrokes entered and rogue software downloaded

  17. Configuration Details • The network gateway has two network interfaces: – One in front of the Internet, configured with 40 public IP addresses from the University of Maryland – One configured with a private IP address • OpenSSH was modified to reject SSH attempts on its public IP addresses until the 150 th try • Up to 40 honeypots can exist in parallel • Attackers can deploy up to 3 honeypots • Honeypots: – HP1: no network limitation – HP2: main IRC port blocked (port 6667) – HP3: every port blocked except HTTP, HTTPS, FTP, DNS, and SSH

  18. Test-bed Architecture

  19. Attacker Identification • Attacker IP address • Attacker AS number (identifies network on the Internet) • Attacker actions: – Rogue software origin – Way of performing specific actions – Files accessed • Comparison of keystroke profiles

  20. Attacker Skills • Analyst assesses attacker skill • Preferred approach easier to reproduce • Criteria based on: – Is the attacker careful about not being seen? – Does the attacker check the target environment? – How familiar is the attacker with the rogue software? – Is the attacker protecting the compromised target?

  21. Attacker Skills (Cont.) Criterion Assessment Hide Ratio of # sessions where attacker hid Restore deleted files Ratio # sessions where deleted files were restored Check presence Ratio # sessions where presence checked Delete downloaded 0 if downloaded file is not deleted, 1 otherwise file Check system 0 if system has never been checked, 1 otherwise Edit configuration file 0 if configuration file has never been edited, 1 otherwise Change system 0 if system has never been modified, 1 otherwise Change password 0 if password has never been changed, 1 otherwise Create new user 0 if no new user has been created, 1 otherwise Rogue software 0 if less than half of the installed rogue software is adequacy adequate, 1 otherwise

  22. Overall Results • Experiment run from May 17 th , 2010 to November 5 th , 2010 Honeypot # sessions # non-empty sessions All 312 211 (68%) HP1 160 110 (69%) HP2 105 74 (70%) HP3 47 27 (57%)

  23. Who Launched the Attacks? Based on AS Number Based on IP Address Top countries brute force: Top countries compromise: China (34) Romania (75) USA (27) Lebanon (32) Korea (8) USA (24) Italy (7) UK (16)

  24. Analysis as a Function of Attacker Skill All honeypots 95% 95% Percentage of 100% 79% • Results: 77% attackers 80% 59% 56% 49% 60% 46% – 95% check presence 40% 21% 15% or system 20% 0% – 79% delete downloaded 1 2 3 4 5 6 7 8 9 10 Criterion ID file – 77% change the password – 15% create a new user • There might be a link between attackers actions and their skills

  25. Analysis as a Function of Attacker Skill (Cont.) Create new user Hide 60% 50% Percentage of 50% Percentage of 39% 50% 40% attackers attackers 40% 33% 30% 22% 30% 17% 20% 13% 13% 20% 4% 4% 4% 10% 10% 0% 0% 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 Skill level Skill level (a) (b) Average skill level= 7.7 Average skill level= 6.3

  26. Analysis as a Function of Attacker Skill (Cont.) Password change Check presence 35% 27% 30% 30% Percentage of Percentage of 24% 30% 25% 23% attackers attackers 25% 20% 17% 20% 14% 13% 15% 15% 8% 8% 8% 8% 10% 7% 10% 3% 3% 3% 3% 5% 5% 0% 0% 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 Skill level Skill level (d) (c) Average skill level= 6.0 Average skill level= 5.5

  27. Why Was the Attack Launched? Average number of attackers per Honeypot type • HP1 For the 60 deployed honeypots, 9 (15%) 2 HP2 were targeted Average number of 1.44 1.5 1.20 by more than one attacker 1.18 attackers 1 HP3 1 • 7 honeypots were 0.5 targeted by 2 different All attackers, one honeypot 0 Honeypot type by 3 different attackers and 1 honeypot by 5 different attackers • Raises the important issue about how access is shared and why • Even though 77% of the attackers changed the password, 15% did share access with at least 1 other attacker

  28. Challenges • Generalization? – Replication (same method) – Reproduction (different method) – Re-analysis of data • Issues: – Need collaborations for replication – Need to develop a new method for reproduction – Re-analysis might not be possible

  29. The End?

  30. Theories from Social Sciences to Add Science to Cybersecurity • For the last year: – Focus on criminological theories – Collaboration with David Maimon and his research team • Consider various criminological theories • Identify theories that need to be adapted to cybersecurity

  31. New Use of IPS Alerts • Application to Routine Activity Theory (RAT): – Crime is normal and depends on the opportunities available – If a target is not protected enough, and if the reward is worth it, crime will happen • Alerts = Attack attempts (blocked by IPS) • Results: – Number of alerts is linked to daily activity – Origin of attack is linked to user origin

  32. Use of Honeypot Data • Describe attacker/attack: – Network data – Attacker keystrokes • Empirical study: – Effect of warnings – Various HPs configurations (CPU, memory, disk space)

  33. Issues • Mismatch between what criminological theories need and what HPs data contain • Need statistically significant results (e.g., 6 months, over 120 HPs/week deployed, about 2900 HPs, 3700 sessions) • Experiments need to be deployed over a long period of time: attacks/attackers might evolve

  34. Some Good News • Empirical studies are solid scientific work • Developed approaches can be applied at other locations • Results do not need to be identical (e.g., crime varies between cities)

  35. The End!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Challenges to make heating renewable Empirical results from six European case studies Edith

Challenges to make heating renewable Empirical results from six European case studies Edith

Challenges to make heating renewable Empirical results from six European case studies Edith Chassein, IREES IAEE European Conference 5th September 2017 ProgRESsHEAT Supporting the progress of renewable energies for heating and cooling in

386 views • 17 slides
Empirical Studies &amp; Domain Experts Alark Joshi Visualization and Graphics Lab

Empirical Studies &amp; Domain Experts Alark Joshi Visualization and Graphics Lab

Empirical Studies &amp; Domain Experts Alark Joshi Visualization and Graphics Lab vgl.cs.usfca.edu Empirical Studies } Empirical - originating in or based on observation or experience } Share my experience of working with domain experts } Tool

314 views • 13 slides
U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity

U.S. National U.S. National Why are we talking about Cybersecurity Cybersecurity cybersecurity? William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&amp;E 91SI Spring 2004 Stanford University U.S. National Cybersecurity

79 views • 7 slides
28 th Annual Conference Changes, Challenges, and Collaborations: Effective Cybersecurity

28 th Annual Conference Changes, Challenges, and Collaborations: Effective Cybersecurity

28 th Annual Conference Changes, Challenges, and Collaborations: Effective Cybersecurity Training National Institute of Standards and Technology Gaithersburg, Maryland Tuesday, March 24, 2015 AGENDA

178 views • 3 slides
AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical

AN EMPIRICAL STUDY OF PRACTITIONERS PERSPECTIVES ON GREEN SOFTWARE ENGINEERING Empirical studies of how developer decisions Irene Manotas, * Christian Bird, impact energy consumption (design patterns, web Lori Pollock, * and James

354 views • 32 slides
Challenges of Cybersecurity Research in a Multi-User Testbed THOMAS EDGAR, THOMAS E. CARROLL , AND

Challenges of Cybersecurity Research in a Multi-User Testbed THOMAS EDGAR, THOMAS E. CARROLL , AND

Challenges of Cybersecurity Research in a Multi-User Testbed THOMAS EDGAR, THOMAS E. CARROLL , AND DAVID MANZ Pacific Northwest National Laboratory Richland, WA May 4, 2012 NIST Cybersecurity for Cyber-Physical Systems 2012 1 Cyber-Physical

271 views • 26 slides
Open Source Software &amp; Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016

Open Source Software &amp; Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016

Open Source Software &amp; Key Challenges Selvaraj K, SAP Labs India CyberSecurity India 2016 Conference February 19 th , 2016 Agenda #1 Introduction #2 Recent cases #3 Challenges #4 Key Takeaways Disclaimer: Views expressed in this

730 views • 16 slides
EMPIRICAL RESEARCH EMPIRICAL RESEARCH IS . . . H ELP WITH IDEAS AND FUNDING A PPROVAL FROM YOUR

EMPIRICAL RESEARCH EMPIRICAL RESEARCH IS . . . H ELP WITH IDEAS AND FUNDING A PPROVAL FROM YOUR

CHALLENGES OF EMPIRICAL RESEARCH EMPIRICAL RESEARCH IS . . . H ELP WITH IDEAS AND FUNDING A PPROVAL FROM YOUR INSTITUTION R ESEARCH TEAM D ATA = N OT ALWAYS EASY TO GET PUBLISHED WHERE DO I START? FUNDING IDEAS Internal campus

122 views • 10 slides
Critique #2 M. Sha, G. Hackmann and C. Lu, Real-world Empirical Studies on Multi- Channel

Critique #2 M. Sha, G. Hackmann and C. Lu, Real-world Empirical Studies on Multi- Channel

Critique #2 M. Sha, G. Hackmann and C. Lu, Real-world Empirical Studies on Multi- Channel Reliability and Spectrum Usage for Home-Area Sensor Networks, IEEE Transactions on Network and Service Management, 10(1): 56-69, March 2013. Due on

707 views • 28 slides
CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip

CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip

CYBERSECURITY Cultural Change to Support the Business Sandra E. Paul-Blanc, CISO NARA Dr. Philip Kulp, Cybersecurity Consultant, NARA Agenda Cybersecurity culture Layered security Incident Response Challenges with public systems

364 views • 32 slides
Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the

Healthcare: Is the Cyber Threat Real? President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation..!Whitehouse.gov Dr. Emma Garrison-Alexander Vice Dean, Cybersecurity

355 views • 8 slides
Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives:

Presented by: Islanders Bank Cybersecurity Awareness Cybersecurity Awareness Objectives: Define Cybersecurity &amp; why its important Provide information about Dept. Homeland Security Cybersecurity Campaigns: National

328 views • 22 slides
in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector

in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector

Working to Achieve Cybersecurity in the Energy Sector Cybersecurity for Energy Delivery Systems (CEDS) Energy Sector Cybersecurity Challenges Open Protocols Open industry standard protocols are replacing vendor-specific

609 views • 36 slides
Keeping the Lights On: Challenges of Cybersecurity Training and Awareness for the Smart Grid

Keeping the Lights On: Challenges of Cybersecurity Training and Awareness for the Smart Grid

Keeping the Lights On: Challenges of Cybersecurity Training and Awareness for the Smart Grid Susan Farrand What is the Grid? Why is the Grid like it is? The War of the Currents Thomas Edison Nikola Tesla George Westinghouse Electricity

303 views • 27 slides
Handout: Power Laws and Preferential Attachment 1 Preferential Attachment Empirical studies of

Handout: Power Laws and Preferential Attachment 1 Preferential Attachment Empirical studies of

CS224W: Social and Information Network Analysis Fall 2014 Handout: Power Laws and Preferential Attachment 1 Preferential Attachment Empirical studies of real world networks revealed that degree distribution often follows a heavy- tailed

556 views • 7 slides
development, trade promotion and regional integration - Lessons from empirical studies Freetown,

development, trade promotion and regional integration - Lessons from empirical studies Freetown,

Job Creation through private sector development, trade promotion and regional integration - Lessons from empirical studies Freetown, Sierra Leone April 13 2018 NEW DIRECTION A united, peaceful, progressive, dynamic, confident,

614 views • 23 slides
Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr

Internet measurements at complexnetworks.fr Guillaume Valadon - http://valadon.complexnetworks.fr LIP6 (CNRS - UPMC) Complex Networks team http://complexnetworks.fr The team http://complexnetworks.fr : plots &amp; videos 4 permanent

899 views • 44 slides
DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY

DIY Blue Teaming DIY Blue Teaming (Keeping attackers out, with duct tape and chewing gum!) DIY Blue Teaming DIY Blue Teaming Ways to make malware not work Security by obscurity (because sucker punches work, even though nobody wants to admit

1.11k views • 78 slides
FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB

FDM curriculum group moderated by Frank Neven Questions / issues FDM topics for non-DB courses intro DB course graduate FDM course FDM book educate &amp; attract FDM in non-DB course TCS: from reg exps to RPQs DBs

452 views • 9 slides
Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities

Information warfare The term information warfare refers to peace time activities psychological operations (psyop) cyber war/net war In wartime the term is Command, Control, Communications, Intelligence, Sensors Warfare(C3ISW)

287 views • 13 slides
Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge

Big Data Analytics, Human Data Interaction, and the Databox Richard Mortier Cambridge University Computer Laboratory Networks &amp; Operating Systems SRG, Computer Laboratory Outline Part I Part II We are all data subjects,

1.25k views • 46 slides
1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

1 Models for Translucent Objects Models for Translucent Objects Models for Translucent Objects

Translucent Objects Translucent Objects Realistic Materials Realistic Materials Translucent Materials light is scattered through the object incident illumination smoothed due to diffuse scattering inside media Inhomogeneous

524 views • 5 slides
Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy,

Dating Patterns Aino Vonge Corry @apaipi Big Disclaimer How many times, have you thought 'Boy, I sure wish there was an easier way to pick up women, like published API with code samples?' What would you say if such documentation was not only

623 views • 24 slides
Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng

Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng , Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, Limin Sun USENIX Security 2019 Internet-of-Things (IoT) Devices IoT

422 views • 23 slides

More recommend