A Collaborative Tool for Modelling Multi-stage Attacks

Ian Herwono, Fadi Ali El-Moussa

Abstract

Cyber-attacks that are conducted in multiple stages over short or long periods of time are becoming more common. One approach for detecting such attacks at an early stage is to make use of attack patterns and attack signatures to provide a structure for correlating events collected from various sensors in the network. In this paper, we present our ongoing work on a pattern recognition system that aims to support cyber-defence analysts in sharing their attack knowledge and threat intelligence in the form of attack patterns or scenarios that can later be used to discover potential security breaches in their network. Our main goal is to allow the analysts to associate the attack patterns with their own organisation’s security data and thus benefit from the collective attack knowledge without revealing any confidential information. We present the architecture of the system and describe a typical process for modelling multi-stage attacks. We demonstrate how its analytics engine interprets an attack pattern, tasks the data source agents to fetch and correlate relevant security events, and reports the results back for visualisation and further investigation.
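The abstract describes an analytics engine that interprets a multi-stage attack pattern, tasks per-source agents to fetch relevant events, and correlates them into a reportable chain. The following is an added illustration of that processing model and is not the authors' code: it assumes a pattern made of ordered stages, each bound to a hypothetical data source agent (`firewall`, `ids`, `auth`), events tied together by a pivot field such as `src_ip`, and a per-stage time window after which an event no longer counts as a continuation. The event records are constructed sample data; one host completes all three stages within the windows, a second one only two (its login falls hours later), and a third contributes unrelated noise.

```python
"""Minimal multi-stage attack pattern correlator (added example, not the paper's system)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Stage:
    name: str
    source: str                          # hypothetical data source agent to task
    match: Callable[[Event], bool]       # predicate selecting relevant events
    within: Optional[timedelta] = None   # max gap after the previous stage


@dataclass
class AttackPattern:
    name: str
    pivot: str                           # field tying the stages together (e.g. src_ip)
    stages: List[Stage] = field(default_factory=list)


def task_agent(source: str, events: List[Event], stage: Stage) -> List[Event]:
    """Stand-in for tasking an agent: return only this source's events matching the stage."""
    return [e for e in events if e["source"] == source and stage.match(e)]


def correlate(pattern: AttackPattern, events: List[Event]) -> List[List[Event]]:
    """Return every chain of events that satisfies all stages in order.

    A chain grows one stage at a time; a candidate event extends a chain only if it
    shares the pivot value with the previous event, happens after it, and falls inside
    the stage's time window (when one is set).
    """
    chains: List[List[Event]] = [[]]
    for stage in pattern.stages:
        candidates = sorted(task_agent(stage.source, events, stage), key=lambda e: e["ts"])
        extended: List[List[Event]] = []
        for chain in chains:
            for ev in candidates:
                if chain:
                    prev = chain[-1]
                    if ev[pattern.pivot] != prev[pattern.pivot]:
                        continue
                    gap = ev["ts"] - prev["ts"]
                    if gap < timedelta(0):
                        continue
                    if stage.within is not None and gap > stage.within:
                        continue
                extended.append(chain + [ev])
        chains = extended
        if not chains:          # no chain survived this stage: pattern not present
            break
    return chains


def report(pattern: AttackPattern, chains: List[List[Event]]) -> List[Dict[str, object]]:
    """Summarise matched chains for visualisation / further investigation."""
    return [
        {
            "pattern": pattern.name,
            pattern.pivot: chain[0][pattern.pivot],
            "stages": [(s.name, e["ts"].isoformat()) for s, e in zip(pattern.stages, chain)],
        }
        for chain in chains
    ]


# Constructed sample events from three hypothetical agents (not real data).
T0 = datetime(2017, 2, 19, 10, 0, 0)
EVENTS: List[Event] = [
    {"source": "firewall", "ts": T0, "src_ip": "10.0.0.5", "event": "portscan", "ports": 200},
    {"source": "ids", "ts": T0 + timedelta(minutes=3), "src_ip": "10.0.0.5", "event": "exploit_attempt"},
    {"source": "auth", "ts": T0 + timedelta(minutes=5), "src_ip": "10.0.0.5", "event": "login", "user": "svc_backup"},
    # Second host: scan and exploit attempt, but the login comes hours later (outside the window).
    {"source": "firewall", "ts": T0 + timedelta(minutes=1), "src_ip": "10.0.0.9", "event": "portscan", "ports": 150},
    {"source": "ids", "ts": T0 + timedelta(minutes=4), "src_ip": "10.0.0.9", "event": "exploit_attempt"},
    {"source": "auth", "ts": T0 + timedelta(hours=3), "src_ip": "10.0.0.9", "event": "login", "user": "alice"},
    # Noise: a login with no preceding stages from that address.
    {"source": "auth", "ts": T0 + timedelta(minutes=6), "src_ip": "10.0.0.7", "event": "login", "user": "bob"},
]

PATTERN = AttackPattern(
    name="recon-exploit-access",
    pivot="src_ip",
    stages=[
        Stage("reconnaissance", "firewall", lambda e: e["event"] == "portscan" and e.get("ports", 0) >= 100),
        Stage("exploitation", "ids", lambda e: e["event"] == "exploit_attempt", within=timedelta(minutes=30)),
        Stage("access", "auth", lambda e: e["event"] == "login", within=timedelta(minutes=30)),
    ],
)

if __name__ == "__main__":
    for finding in report(PATTERN, correlate(PATTERN, EVENTS)):
        print(finding)
```

The time windows are what keep the second host out of the result: without them, the engine would join its late login to the earlier scan and exploit attempt and raise a second chain. In a real deployment the pivot field and the windows would be part of the shared pattern, while the event records stay with the organisation that owns them, which is the separation the abstract describes.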

Paper Citation


in Harvard Style

Herwono I. and El-Moussa F. (2017). A Collaborative Tool for Modelling Multi-stage Attacks. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 312-317. DOI: 10.5220/0006137103120317


in Bibtex Style

@conference{icissp17,
author={Ian Herwono and Fadi Ali El-Moussa},
title={A Collaborative Tool for Modelling Multi-stage Attacks},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={312-317},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006137103120317},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Collaborative Tool for Modelling Multi-stage Attacks
SN - 978-989-758-209-7
AU - Herwono I.
AU - El-Moussa F.
PY - 2017
SP - 312
EP - 317
DO - 10.5220/0006137103120317