Modern organisations largely depend on networks of computers that support their business, and this dependence motivates cyber adversaries to attack such networks. Cyber attacks, commonly classified with the CIA acronym (Confidentiality, Integrity, Availability), steal valuable information (confidentiality), alter data (integrity), or make information unavailable by blocking services and encrypting data (availability). Such attacks may have significant impacts on an organisation's business, assets, reputation and legal liabilities. In the era of Web services, cloud computing and mobile computing, attacks find more and more vulnerable points, causing substantial damage.
The Calypso project aims at providing a platform that supports security operators in the management of cyber incidents, reducing attack detection and response time, by investigating and defining new models and solutions aiming at:
A) Modeling the multidimensional characteristics of the attacks or Attack Strategy Vector (ASV) that is at the foundation of innovative Threat Modeling approaches;
B) Detecting the actual attack; and
C) Providing the operators with pieces of information about the actual attack and its possible future evolution.
To achieve these challenging objectives, new correlation algorithms will be researched to collect and analyze data in order to develop innovative threat models and their feasible ASVs. Moreover, an advanced visual analytics environment will be designed to improve the cyber situational awareness of the operators, linking the status of the systems being protected (e.g., system configuration, presence of vulnerabilities, identifiable incidents) to the system-independent characteristics of the threat model (e.g., observable indicators of compromise, exploit targets, etc.). This offers new opportunities for visualization to improve operator levels of perception, comprehension and projection, which are the foundations of situation awareness.
Threat modeling
State-of-the-art. Numerous threat modeling methodologies are available, see, e.g., STIX [1] or PASTA [2]; we will analyse them accurately and inherit relevant concepts. In particular, we will analyse existing threat modeling tools that allow threats to be modeled by relying on the knowledge and expertise of security operators.
Beyond State of the art. Calypso will move forward by defining algorithms and techniques to support the threat modeling activities in a systematic and objective way, including the ability to create practical connections between the threat model and the system model.
[1] Barnum, Sean. "Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX)." MITRE Corporation 11, 2012
[2] T. UcedaVélez and M. M. Morana. Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis. John Wiley & Sons: Hoboken, 2015
Attack Detection
State-of-the-art. [1] provides a review of data analytics paradigms for intrusion detection, with an overview of techniques that apply contextual information to intrusion detection. Signature-based intrusion detection techniques can be broadly divided into three main categories:
Classification approaches: algorithms that analyze network connections to determine whether they are legitimate or not, e.g., [2].
Association rule approaches: rules corresponding to suspicious activities are extracted from network audit data and used to investigate connections at run time [3].
Graph-based approaches: attack graphs are used to discover correlations or causal relationships between alerts, e.g., [1].
Probabilistic graphical models and causal models: used to analyse network activities and attack-induced failures at different scales, e.g., [4].
Beyond State of the art. All the existing approaches are based on static models that have not been designed to evolve over time. This limitation becomes critical in a world where targeted attacks evolve continuously, also as they unfold in the target infrastructure. Calypso will study, develop and evaluate novel graph-based models and methodologies aimed at tracking the evolution of ongoing attacks in order to detect them effectively and promptly.
[1] A. Aleroud and G. Karabatis. Contextual information fusion for intrusion detection: a survey and taxonomy. Knowledge and Information Systems, 2017
[2] O. Depren et al. An intelligent intrusion detection system (ids) for anomaly and misuse detection in computer networks. Expert Syst, 2005
[3] W. Lee and S. J. Stolfo. A framework for constructing features and models for intrusion detection systems. ACM Trans. Inf. Syst. Secur., 3(4):227-261, Nov. 2000
[4] P. Thwaites, et al., Causal analysis with Chain Event Graphs, Artificial Intelligence 174, 2010
Visual Analytics
State-of-the-art. Several proposals visualize attacks on a network using graphs; see, e.g., [1], which uses standard graph visualizations together with pruning and deletion, while [2] uses aggregation to make complex graphs understandable. Extensions of such approaches, e.g., [3], use a treemap visualization that reflects physical or logical topology and allows node reachability to be displayed.
More recent proposals, e.g., [4], use visual analytics solutions, exploiting a composition of the above proposals and suitable automated computation to help security operators to anticipate the impact of security events.
Beyond State of the art. Calypso will provide novel visual solutions and analytics able to improve operators' situational awareness, taking into account the multi-dimensionality of the modelled threats together with the need to forecast their evolution. This requires ad-hoc visualizations combined with powerful analytics components, able to deal with the increased complexity of situational awareness: Perception of data, Comprehension of meaning, and Projection of happenings in the near future.
Besides the classical information about attack progress, novel hints about the kind of ongoing attack must be added, enriching the Perception and Comprehension phases to support Projection activities. Requirements will be gathered from SAGAT [5] queries.
[1] Lippmann, Rich, et al. Netspa: A network security planning architecture. Massachusetts Institute of Technology, 2002.
[2] S. Noel, S. Jajodia, Managing attack graph complexity through visual hierarchical aggregation, in: IEEE VizSec, 2004.
[3] Chu, Matthew, et al. "Visualizing attack graphs, reachability, and trust relationships with NAVIGATOR." Proceedings of the Seventh International Symposium on Visualization for Cyber Security. ACM, 2010.
[4] M. Angelini, N. Prigent, G. Santucci, Percival: proactive and reactive attack and response assessment for cyber incidents using visual analytics, in: IEEE VizSec, 2015
[5] Endsley, Mica R. "Direct measurement of situation awareness: Validity and use of SAGAT." Situation awareness analysis and measurement, 2000.