Skip to main content

2018 | Buch

Artificial Intelligence Tools for Cyber Attribution

insite
SUCHEN

Über dieses Buch

This SpringerBrief discusses how to develop intelligent systems for cyber attribution regarding cyber-attacks. Specifically, the authors review the multiple facets of the cyber attribution problem that make it difficult for “out-of-the-box” artificial intelligence and machine learning techniques to handle.

Attributing a cyber-operation through the use of multiple pieces of technical evidence (i.e., malware reverse-engineering and source tracking) and conventional intelligence sources (i.e., human or signals intelligence) is a difficult problem not only due to the effort required to obtain evidence, but the ease with which an adversary can plant false evidence.

This SpringerBrief not only lays out the theoretical foundations for how to handle the unique aspects of cyber attribution – and how to update models used for this purpose – but it also describes a series of empirical results, as well as compares results of specially-designed frameworks for cyber attribution to standard machine learning approaches.

Cyber attribution is not only a challenging problem, but there are also problems in performing such research, particularly in obtaining relevant data. This SpringerBrief describes how to use capture-the-flag for such research, and describes issues from organizing such data to running your own capture-the-flag specifically designed for cyber attribution. Datasets and software are also available on the companion website.

Inhaltsverzeichnis

Frontmatter
Chapter 1. Introduction
Abstract
Cyber attribution is the process by which the identity of an actor or aggressor in a cyberactivity is determined. Conducting this process presents several unique problems; chief among them are that the technical artifacts produced by cyberattacks are difficult to understand, and it is easy (and quite useful) for an actor to perform deception.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 2. Baseline Cyber Attribution Models
Abstract
Attributing the culprit of a cyberattack is widely considered one of the major technical and policy challenges of cybersecurity. While the lack of ground truth for an individual responsible for a given attack has limited previous studies, here we overcome this limitation by leveraging DEFCON capture-the-flag (CTF) exercise data where the actual ground truth is known. In this chapter, we use various classification techniques to identify the culprit in a cyberattack and find that deceptive activities account for the majority of misclassified attacks. We also explore several heuristics to alleviate some of the misclassification caused by deception.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 3. Argumentation-Based Cyber Attribution: The DeLP3E Model
Abstract
In cyber attribution, knowledge bases consisting of all the available information for a specific domain, along with the current state of affairs, will typically contain contradictory data coming from different sources, as well as data with varying degrees of uncertainty attached. In this chapter, we propose a probabilistic structured argumentation framework that arises from the extension of Presumptive Defeasible Logic Programming (PreDeLP) with probabilistic models, and argue that this formalism is especially suitable for handling such contradictory and uncertain data–hence the framework would be well-suited for cyber attribution. We conclude with the demonstration—via a case study—of how our framework can be used to address the attribution problem in cybersecurity.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 4. Belief Revision in DeLP3E
Abstract
Any artificial intelligence tool designed for cyber-attribution must deal with information coming from different sources that invariably leads to incompleteness, overspecification, or inherently uncertain content. The presence of these varying levels of uncertainty doesn’t mean that the information is worthless—rather, these are hurdles that the knowledge engineer must learn to work with. In this chapter, we continue developing the DeLP3E model introduced in the previous chapter, focusing now on the problem of belief revision in DeLP3E. We first propose a non-prioritized class of revision operators called AFO (Annotation Function-based Operators); then, we go on to argue that in some cases it may be desirable to define revision operators that take quantitative aspects into account (such as how the probabilities of certain literals or formulas of interest change after the revision takes place). As a result, we propose the QAFO (Quantitative Annotation Function-based Operators) class of operators, a subclass of AFO, and study the complexity of several problems related to their specification and application in revising knowledge bases. Finally, we present an algorithm for computing the probability that a literal is warranted in a DeLP3E knowledge base, and discuss how it could be applied towards implementing QAFO-style operators that compute approximations rather than exact operations.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 5. Applying Argumentation Models for Cyber Attribution
Abstract
A major challenge in cyberthreat analysis is combining information from different sources to find the person or the group responsible for the cyber-attack. In this chapter, we leverage the dataset from the capture-the-flag event held at DEFCON discussed in Chap. 2, and propose DeLP3E model comprised solely of the AM (that is, without probabilistic information) designed to aid an analyst in attributing a cyberattack. We build models from latent variables to reduce the search space of culprits (attackers), and show that this reduction significantly improves the accuracy of the classification-based approaches discussed in Chap. 2 from 37% to 62% in identifying the attacker.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 6. Enhanced Data Collection for Cyber Attribution
Abstract
Cyber attribution is a difficult problem, and conducting attribution research is made even more difficult by a lack of data with ground truth. In this chapter, we describe a game-based framework (Capture-the-Flag) to produce cyber attribution data with deception. We discuss the motivation and the design of the contest and the framework to record data. The framework is available as open source software.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Chapter 7. Conclusion
Abstract
There are many challenges in the area of cyber attribution. It is easy and useful for an actor to perform deception, hindering the decision making ability of standard machine learning models to identify the actor as demonstrated in Chap. 2. Structured argumentation-based frameworks like DeLP can help alleviate deception to some extent by providing arguments for the selection of a particular actor/actors responsible for the attack based on the evidence. In Chap. 5, we provided results showing how such models afford significant performance improvements over approaches based solely on machine learning techniques.
Eric Nunes, Paulo Shakarian, Gerardo I. Simari, Andrew Ruef
Metadaten
Titel
Artificial Intelligence Tools for Cyber Attribution
verfasst von
Dr. Eric Nunes
Paulo Shakarian
Gerardo I. Simari
Andrew Ruef
Copyright-Jahr
2018
Electronic ISBN
978-3-319-73788-1
Print ISBN
978-3-319-73787-4
DOI
https://doi.org/10.1007/978-3-319-73788-1