Temporal Cyber Attack Detection.
Abstract
Rigorous characterization of the performance and generalization ability of cyber defense systems is extremely difficult, making it hard to gauge uncertainty, and thus, confidence. This difficulty largely stems from a lack of labeled attack data that fully explores the potential adversarial space. Currently, performance of cyber defense systems is typically evaluated in a qualitative manner by manually inspecting the results of the system on live data and adjusting as needed. Additionally, machine learning has shown promise in deriving models that automatically learn indicators of compromise that are more robust than analyst-derived detectors. However, to generate these models, most algorithms require large amounts of labeled data (i.e., examples of attacks). Algorithms that do not require annotated data to derive models are similarly at a disadvantage, because labeled data is still necessary when evaluating performance. In this work, we explore the use of temporal generative models to learn cyber attack graph representations and automatically generate data for experimentation and evaluation. Training and evaluating cyber systems and machine learning models requires significant, annotated data, which is typically collected and labeled by hand for one-off experiments. Automatically generating such data helps derive/evaluate detection models and ensures reproducibility of results. Experimentally, we demonstrate the efficacy of generative sequence analysis techniques on learning the structure of attack graphs, based on a realistic example. These derived models can then be used to generate more data. Additionally, we provide a roadmap for future research efforts in this area.
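The abstract describes learning an attack graph from attack sequences with a generative sequence model and then sampling that model to produce synthetic labeled data. The block below is an added illustration of that idea, not code from the report (whose actual models are not reproduced on this page): the simplest generative sequence model, a first-order Markov chain over attack stages, is fitted to a handful of constructed, hand-labeled attack sequences and then sampled to generate new sequences. The stage names, the training sequences, and all function names are assumptions made for this example.

```python
"""Illustrative example (added here; not code from the Sandia report).

Learn a first-order Markov model over attack-stage sequences (the edges of an
attack graph with transition probabilities), sample synthetic attack paths from
it, and score sequences by log-likelihood. All data below is constructed.
"""
from collections import defaultdict
import math
import random

START, END = "<s>", "</s>"

# Constructed example: each list is one observed attack as an ordered list of
# stages. Stage names are placeholders chosen for this example.
TRAINING_SEQUENCES = [
    ["recon", "initial_access", "execution", "persistence", "exfiltration"],
    ["recon", "initial_access", "execution", "lateral_movement", "exfiltration"],
    ["recon", "initial_access", "execution", "persistence", "lateral_movement",
     "exfiltration"],
    ["initial_access", "execution", "exfiltration"],
]


def learn_transitions(sequences):
    """Count stage-to-stage transitions and normalise each row into a
    probability distribution: the learned attack graph."""
    counts = defaultdict(lambda: defaultdict(int))
    for seq in sequences:
        path = [START] + list(seq) + [END]
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    model = {}
    for a, successors in counts.items():
        total = sum(successors.values())
        model[a] = {b: n / total for b, n in successors.items()}
    return model


def sample_sequence(model, rng, max_len=20):
    """Random walk over the learned graph from START until END is drawn
    (or max_len stages, which guards against cycles in the learned graph)."""
    state, out = START, []
    while len(out) < max_len:
        states, probs = zip(*model[state].items())
        state = rng.choices(states, weights=probs, k=1)[0]
        if state == END:
            break
        out.append(state)
    return out


def sequence_log_prob(model, seq):
    """Log-likelihood of a sequence under the model; -inf if it uses a
    transition never seen in training. Scores generated data and doubles as a
    crude novelty score for sequences that leave the learned graph."""
    path = [START] + list(seq) + [END]
    log_p = 0.0
    for a, b in zip(path, path[1:]):
        p = model.get(a, {}).get(b, 0.0)
        if p == 0.0:
            return float("-inf")
        log_p += math.log(p)
    return log_p


def generate_dataset(sequences, n, seed=0):
    """Fit the model to labeled sequences and emit n synthetic ones."""
    model = learn_transitions(sequences)
    rng = random.Random(seed)
    return [sample_sequence(model, rng) for _ in range(n)]


if __name__ == "__main__":
    model = learn_transitions(TRAINING_SEQUENCES)
    for s in generate_dataset(TRAINING_SEQUENCES, 5):
        print(" -> ".join(s), f"(log p = {sequence_log_prob(model, s):.2f})")
```

The caveat a practitioner should keep in mind: a first-order model only reproduces transitions present in the training data, so the synthetic set never explores attack paths the labeled set did not already contain, and a detector evaluated on it is being measured against the generator's assumptions rather than the full adversarial space the abstract is concerned with. Longer-range temporal structure needs a model with more memory than a single previous stage.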
- Authors:
- Ingram, Joey Burton; Draelos, Timothy J.; Galiardi, Meghan; Doak, Justin E.
- Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
- Publication Date:
- 2017-11-01
- Research Org.:
- Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
- Sponsoring Org.:
- USDOE National Nuclear Security Administration (NNSA)
- OSTI Identifier:
- 1409921
- Report Number(s):
- SAND-2017-12585R; 658867
- DOE Contract Number:
- AC04-94AL85000
- Resource Type:
- Technical Report
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 97 MATHEMATICS AND COMPUTING
Citation Formats
Ingram, Joey Burton, Draelos, Timothy J., Galiardi, Meghan, and Doak, Justin E. Temporal Cyber Attack Detection. United States: N. p., 2017.
Web. doi:10.2172/1409921.
Ingram, Joey Burton, Draelos, Timothy J., Galiardi, Meghan, & Doak, Justin E. Temporal Cyber Attack Detection. United States. https://doi.org/10.2172/1409921
Ingram, Joey Burton, Draelos, Timothy J., Galiardi, Meghan, and Doak, Justin E. 2017.
"Temporal Cyber Attack Detection." United States. https://doi.org/10.2172/1409921. https://www.osti.gov/servlets/purl/1409921.
@techreport{osti_1409921,
title = {Temporal Cyber Attack Detection},
author = {Ingram, Joey Burton and Draelos, Timothy J. and Galiardi, Meghan and Doak, Justin E.},
abstractNote = {Rigorous characterization of the performance and generalization ability of cyber defense systems is extremely difficult, making it hard to gauge uncertainty, and thus, confidence. This difficulty largely stems from a lack of labeled attack data that fully explores the potential adversarial space. Currently, performance of cyber defense systems is typically evaluated in a qualitative manner by manually inspecting the results of the system on live data and adjusting as needed. Additionally, machine learning has shown promise in deriving models that automatically learn indicators of compromise that are more robust than analyst-derived detectors. However, to generate these models, most algorithms require large amounts of labeled data (i.e., examples of attacks). Algorithms that do not require annotated data to derive models are similarly at a disadvantage, because labeled data is still necessary when evaluating performance. In this work, we explore the use of temporal generative models to learn cyber attack graph representations and automatically generate data for experimentation and evaluation. Training and evaluating cyber systems and machine learning models requires significant, annotated data, which is typically collected and labeled by hand for one-off experiments. Automatically generating such data helps derive/evaluate detection models and ensures reproducibility of results. Experimentally, we demonstrate the efficacy of generative sequence analysis techniques on learning the structure of attack graphs, based on a realistic example. These derived models can then be used to generate more data. Additionally, we provide a roadmap for future research efforts in this area.},
doi = {10.2172/1409921},
url = {https://www.osti.gov/biblio/1409921},
institution = {Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)},
number = {SAND-2017-12585R},
place = {United States},
year = {2017},
month = {nov}
}