A General Self-Adaptive Cyber Security Framework
Spurred by the ever-growing availability of online services and resources, threat models are becoming a moving target, constantly evolving. As a result, the same security techniques that were sufficient a decade, or even a few years ago, can prove inadequate today. In particular, recent advances in polymorphic attacks and the increasing volume of zero-day and targeted attacks threaten to overwhelm defense mechanisms. As attackers are finding new ways to gain access to networks and systems, so defense mechanisms must find new ways to protect them.
Adaptive security mechanisms become a necessity rather than an option for coping with the 'moving target' nature of cyber threats. Such mechanisms will provide effective threat detection and prevention capabilities, while minimizing the cost of security. In this work, we expand upon our previous contribution [1] on methods for self-sanitizing, self-calibrating and self-updating anomaly detection sensors, and propose a general security defense framework that can automatically adapt to the system under protection, combining detection performance with ease of deployment and operation.
An adaptive security mechanism implies learning the behavior of a system or its threat model. In this process, attackers can target the learning phase itself; hence the proposed self-sanitization mechanism aims to detect and remove malicious activity from the learning process, improving its quality. Moreover, we propose to enhance the security mechanisms with a self-calibration phase that can be employed in conjunction with the sanitization technique, resulting in a fully automated maintenance cycle. These techniques can be applied in an online fashion to ensure that the resulting mechanisms reflect changes in the system's or attackers' behavior, resulting in a self-updating process.
The race between the attacker and defender for gaining access to the protected system is one of skill, information and resources. A well-equipped attacker, armed with intimate information on the protected system as well as extensive resources, can still attempt attacks that change the learnt behavior. To cope with this possibility, our framework proposes to use "a better view of global network attack activity" [2] as opposed to the single site view. By leveraging the location diversity of collaborating sites, a more precise model of an attacker's behavior and intent can be provided.
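The self-sanitization, self-calibration and self-updating cycle described in the abstract, shown as a small added Python example. This is not the authors' code and it does not reproduce the sensor from [1]; it assumes a toy content model (the set of character trigrams seen in HTTP request lines), a constructed training stream of four epochs in which one epoch has been polluted by a single attacker request, and a majority vote over per-epoch micro-models as the sanitization rule. The intuition it demonstrates is that benign behaviour recurs across epochs while an attack that poisoned the learning phase does not, so the other epochs' micro-models out-vote it; the threshold is then calibrated from the sanitized data instead of being hand-tuned, and the same `fit` call over a sliding window of recent epochs gives the self-updating behaviour.

```python
"""Toy self-sanitizing / self-calibrating anomaly sensor (illustrative, not the paper's code)."""
from typing import List, Set, Tuple

N = 3  # n-gram size for the toy content model (assumption)


def ngrams(sample: str, n: int = N) -> Set[str]:
    """Character n-grams of one request line; the only feature this toy model uses."""
    return {sample[i:i + n] for i in range(len(sample) - n + 1)}


def build_model(samples: List[str]) -> Set[str]:
    """A model is simply the set of n-grams observed in its training samples."""
    model: Set[str] = set()
    for s in samples:
        model |= ngrams(s)
    return model


def score(model: Set[str], sample: str) -> float:
    """Fraction of the sample's n-grams never seen in training (0.0 = fully known)."""
    grams = ngrams(sample)
    return len(grams - model) / len(grams) if grams else 0.0


def sanitize(epochs: List[List[str]], micro_tau: float = 0.5) -> Tuple[List[List[str]], List[str]]:
    """Self-sanitization by micro-model voting.

    One micro-model is built per epoch. A training sample is dropped when more than
    half of the OTHER epochs' micro-models call it anomalous (score > micro_tau).
    Returns (kept samples per epoch, dropped samples).
    """
    micro = [build_model(e) for e in epochs]
    kept: List[List[str]] = []
    dropped: List[str] = []
    for i, epoch in enumerate(epochs):
        others = [m for j, m in enumerate(micro) if j != i]
        kept_i = []
        for s in epoch:
            votes = sum(1 for m in others if score(m, s) > micro_tau)
            if others and votes / len(others) > 0.5:
                dropped.append(s)  # transient content: likely pollution of the learning phase
            else:
                kept_i.append(s)
        kept.append(kept_i)
    return kept, dropped


def calibrate(kept: List[List[str]], margin: float = 0.05) -> float:
    """Self-calibration: leave-one-epoch-out scoring of the sanitized data.

    The threshold is the worst score a sanitized sample receives against a model
    trained on the other epochs, plus a margin, so ordinary drift between epochs
    is tolerated without an operator hand-tuning the sensor.
    """
    worst = 0.0
    for i, epoch in enumerate(kept):
        rest = build_model([s for j, e in enumerate(kept) if j != i for s in e])
        for s in epoch:
            worst = max(worst, score(rest, s))
    return worst + margin


def fit(epochs: List[List[str]]) -> Tuple[Set[str], float, List[str]]:
    """Full maintenance cycle: sanitize, train on the clean data, calibrate."""
    kept, dropped = sanitize(epochs)
    model = build_model([s for e in kept for s in e])
    return model, calibrate(kept), dropped


def is_anomalous(model: Set[str], threshold: float, sample: str) -> bool:
    return score(model, sample) > threshold


def update(window: List[List[str]], new_epoch: List[str], size: int = 4):
    """Self-updating: re-run the cycle over a sliding window of recent epochs."""
    window = (window + [new_epoch])[-size:]
    return window, fit(window)


# Constructed training stream: four epochs of request lines; epoch 2 was polluted
# by one attacker-supplied request (POISONED_REQUEST). All values are made up.
POISONED_REQUEST = "GET /search?q=" + "%00" * 5
TRAINING_EPOCHS = [
    ["GET /index.html", "GET /about.html", "GET /img/logo.png"],
    ["GET /index.html", "GET /about.html", "GET /contact.html", POISONED_REQUEST],
    ["GET /index.html", "GET /img/logo.png", "GET /contact.html"],
    ["GET /about.html", "GET /img/logo.png", "GET /contact.html", "GET /about2.html"],
]

if __name__ == "__main__":
    model, threshold, dropped = fit(TRAINING_EPOCHS)
    print("dropped by sanitization:", dropped)
    print("calibrated threshold: %.3f" % threshold)
    for req in ["GET /index2.html", "POST /login u=" + "%00" * 6]:
        print(req, "->", "ANOMALY" if is_anomalous(model, threshold, req) else "normal")
```

With the constructed stream, the poisoned request is out-voted by the three other micro-models and removed, the calibrated threshold lands just above the drift that `GET /about2.html` shows against the other epochs, and a later request with the same kind of never-seen content is flagged while a mildly new benign path is accepted. Feeding `update` the next epoch repeats the cycle so the model tracks changes in the protected system rather than freezing at deployment time.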