Date of Award

Fall 12-2021

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Electrical & Computer Engineering

Program/Concentration

Electrical and Computer Engineering

Committee Director

Hongyi Wu

Committee Member

Sachin Shetty

Committee Member

Chunsheng Xin

Committee Member

Amin Hassanzadeh

Abstract

The growth of information and communication technology is constantly revolutionizing various domains, e.g., energy utility systems, healthcare, the internet of things, etc. This inception of widespread cyber technology enables reliability and first operability of the system, yet simultaneously imposed a risk of significant impact due to disruption of safe and secure operation. The attack surface is expanding, creating a cyber exposure gap which indicates a higher threat landscape and increased risk of compromise. Motivated by this increased threat exposure, this dissertation investigates the attack surface as a static and dynamic indicator of adversary propagation, seeking an efficient modeling paradigm to initiate threat-informed defense. Our work explores multi-stage attack propagation within three different aspects such as opportunity, capability, and intent to characterize an attack successfully.

First, we proposed three criticality metrics for each host based on the opportunity it provides to facilitate cyber attacks. These metrics represent diverse interactions between attackers system components through social attack vectors, topological connectivity, and information ow dependency in the network. Following this analysis, we proposed an intrusion response system by considering the diverse strategy attackers could employ in their lateral movement within the target environment. The local alert information corresponding to the compromised host helps defenders to understand the security state and underlying plan of the attacker.

Next, we addressed the challenge of understanding the attacker's capability and knowledge evolve throughout the attack surface for realistic threat modeling. A cyber threat analysis framework has been proposed based on characterizing adversarial behavior in a multi-stage cyber attack process. The framework extracts logical dependencies between stepping stones by leveraging technical indicator in the attack surface prior to enriching from multiple threat intelligence sources. The model reveals the meaningful insight of the attack phase in terms of the local and global threat landscape. Our analysis results in a novel path hardness metric that is leveraged to enumerate the risk posture of an agile security platform.

Finally, We proposed PatternMiner to mine threat intelligence reports for unified pattern identification. These reports contain inclusive detailed information of the campaign but in an unstructured way. To classify and extract meaningful information from campaign reports PatternMiner employs a two-fold framework. First, we design a multi-label ML classifier identify TTP in campaign reports. Although the MITRE database is developed based on threat reports and expert knowledge, it is not possible to include all attributes in it. In the same way, security practitioners don't often follow straight TTP keywords from the ATT&CK database. Thus we proposed a neural network architecture to capture these unknown behavioral artifacts in the cyber campaign. We call it Pattern Entity Recognition (PER), a framework that models the task of collecting adversarial attack pattern entities as a task of sequence labeling of natural language processing. By applying a sequence labeling model, each token in an unstructured campaign report is assigned with a label, and tokens assigned with attack patterns are then collected accordingly. With a two-fold structure, PatternMiner effectively capture known and unknown attack patterns from unstructured threat intel data.

DOI

10.25777/wzvk-py57

Available for download on Saturday, January 13, 2024

Share

COinS