Biblio

To defend networks against security attacks, cyber defenders have to identify vulnerabilities that could be exploited by an attacker and fix them. However, vulnerabilities are constantly evolving and their number is rising. In addition, the resources required (i.e., time and cost) to patch all the identified vulnerabilities and update the affected assets are not always affordable. For these reasons, the defender needs to have a set of metrics that could be used to automatically map new discovered vulnerabilities to potential attack tactics. Using such a mapping to attack tactics, will allow security solutions to better respond inline to any vulnerabilities exploitation tentatives, by selecting and prioritizing suitable response strategy. In this work, we provide a multilabel classification approach to automatically map a detected vulnerability to the MITRE Adversarial Tactics that could be used by the attacker. The proposed approach will help cyber defenders to prioritize their defense strategies, ensure a rapid and efficient investigation process, and well manage new detected vulnerabilities. We evaluate a set of machine learning algorithms (BinaryRelevance, LabelPowerset, ClassifierChains, MLKNN, BRKNN, RAkELd, NLSP, and Neural Networks) and found out that ClassifierChains with RandomForest classifier is the best method in our experiment.

One of the most critical challenges facing cyber defense nowadays is the complexity of recent released cyber-attacks, which are capable of disrupting critical industries and jeopardizing national economy. In this context, moving beyond common security approaches to make it possible to neutralize and react to security attacks at their early stages, becomes a requisite. We develop in this paper a formal model for the proactive assessment of security damages. We define a network of observer agents capable of observing incomplete information about attacks and affected cyber systems, and generating security observations useful for the identification of ongoing attack scenarios and their evolution in the future. A set of analytics are developed for the generation and management of scenario contexts as a set of measures useful for the proactive assessment of damages in the future, and the launching of countermeasures. A case study is provided to exemplify the proposal.

The infrastructures of Supervisory Control and Data Acquisition (SCADA) systems have evolved through time in order to provide more efficient supervision services. Despite the changes made on SCADA architectures, several enhancements are still required to address the need for: a) large scale supervision using a high number of sensors, b) reduction of the reaction time when a malicious activity is detected; and c) the assurance of a high interoperability between SCADA systems in order to prevent the propagation of incidents. In this context, we propose a novel sensor cloud based SCADA infrastructure to monitor large scale and inter-dependant critical infrastructures, making an effective use of sensor clouds to increase the supervision coverage and the processing time. It ensures also the interoperability between interdependent SCADAs by offering a set of services to SCADA, which are created through the use of templates and are associated to set of virtual sensors. A simulation is conducted to demonstrate the effectiveness of the proposed architecture.

Securing cyber system is a major concern as security attacks become more and more sophisticated. We develop in this paper a novel graph-based Active Cyber Defense (ACD) model to proactively respond to cyber attacks. The proposed model is based on the use of a semantically rich graph to describe cyber systems, types of used interconnection between them, and security related data useful to develop active defense strategies. The developed model takes into consideration the probabilistic nature of cyber attacks, and their degree of complexity. In this context, analytics are provided to proactively test the impact of vulnerabilities/threats increase on the system, analyze the consequent behavior of cyber systems and security solution, and decide about the security state of the whole cyber system. Our model integrates in the same framework decisions made by cyber defenders based on their expertise and knowledge, and decisions that are automatically generated using security analytic rules.