-
Exposing Surveillance Detection Routes via Reinforcement Learning, Attack Graphs, and Cyber Terrain
Authors:
Lanxiao Huang,
Tyler Cody,
Christopher Redino,
Abdul Rahman,
Akshay Kakkar,
Deepak Kushwaha,
Cheng Wang,
Ryan Clark,
Daniel Radke,
Peter Beling,
Edward Bowen
Abstract:
Reinforcement learning (RL) operating on attack graphs and leveraging cyber terrain principles is used to develop the reward and state associated with the determination of surveillance detection routes (SDR). This work extends previous efforts on developing RL methods for path analysis within enterprise networks. This work focuses on building SDR where the routes focus on exploring the network services while trying to evade risk. RL is utilized to support the development of these routes by building a reward mechanism that would help in the realization of these paths. The RL algorithm is modified to have a novel warm-up phase which decides, in the initial exploration, which areas of the network are safe to explore based on the rewards and the penalty scale factor.
Submitted 6 November, 2022;
originally announced November 2022.
-
Lateral Movement Detection Using User Behavioral Analysis
Authors:
Deepak Kushwaha,
Dhruv Nandakumar,
Akshay Kakkar,
Sanvi Gupta,
Kevin Choi,
Christopher Redino,
Abdul Rahman,
Sabthagiri Saravanan Chandramohan,
Edward Bowen,
Matthew Weeks,
Aaron Shaha,
Joe Nehila
Abstract:
Lateral Movement refers to methods by which threat actors gain initial access to a network and then progressively move through said network collecting key data about assets until they reach the ultimate target of their attack. Lateral Movement intrusions have become more intricate with the increasing complexity and interconnected nature of enterprise networks, and require equally sophisticated detection mechanisms to proactively detect such threats in near real-time at enterprise scale. In this paper, the authors propose a novel, lightweight method for Lateral Movement detection using user behavioral analysis and machine learning. Specifically, this paper introduces a novel methodology for cyber domain-specific feature engineering that identifies Lateral Movement behavior on a per-user basis. Furthermore, the engineered features have also been used to develop two supervised machine learning models for Lateral Movement identification that have demonstrably outperformed models previously seen in literature while maintaining robust performance on datasets with high class imbalance. The models and methodology introduced in this paper have also been designed in collaboration with security operators to be relevant and interpretable in order to maximize impact and minimize time to value as a cyber threat detection toolkit. The underlying goal of the paper is to provide a computationally efficient, domain-specific approach to near real-time Lateral Movement detection that is interpretable and robust to enterprise-scale data volumes and class imbalance.
Submitted 29 August, 2022;
originally announced August 2022.
-
Discovering Exfiltration Paths Using Reinforcement Learning with Attack Graphs
Authors:
Tyler Cody,
Abdul Rahman,
Christopher Redino,
Lanxiao Huang,
Ryan Clark,
Akshay Kakkar,
Deepak Kushwaha,
Paul Park,
Peter Beling,
Edward Bowen
Abstract:
Reinforcement learning (RL), in conjunction with attack graphs and cyber terrain, is used to develop the reward and state associated with the determination of optimal paths for exfiltration of data in enterprise networks. This work builds on previous crown jewels (CJ) identification that focused on the target goal of computing optimal paths that adversaries may traverse toward compromising CJs or hosts within their proximity. This work inverts the previous CJ approach based on the assumption that data has been stolen and now must be quietly exfiltrated from the network. RL is utilized to support the development of a reward function based on the identification of those paths where adversaries desire reduced detection. Results demonstrate promising performance for a sizable network environment.
Submitted 25 April, 2022; v1 submitted 28 January, 2022;
originally announced January 2022.
-
A Complexity measure based on Requirement Engineering Document
Authors:
Ashish Sharma,
D. S. Kushwaha
Abstract:
Research shows that the major issue in the development of quality software is precise estimation. Further, this estimation depends upon the degree of intricacy inherent in the software, i.e. complexity. This paper attempts to empirically demonstrate the proposed complexity measure, which is based on the IEEE Requirement Engineering document. It is said that a high-quality SRS is a prerequisite for high-quality software. A Requirement Engineering document (SRS) is a specification for a particular software product, program, or set of programs that performs certain functions for a specific environment. The various complexity measures given so far are based on Code and Cognitive metric values of software, which are code based. So these metrics provide no leverage to the developer of the code. Considering the shortcomings of code-based approaches, the proposed approach identifies the complexity of software immediately after freezing the requirements in the SDLC process. The proposed complexity measure compares well with established complexity measures. Finally, the trend can be validated with the results of the proposed measure. Ultimately, the requirement-based complexity measure can be used to understand the complexity of proposed software much before the actual implementation of the design, thus saving on cost and manpower wastage.
Submitted 14 June, 2010;
originally announced June 2010.
-
A Decentralized Approach for Service Discovery & Availability in P-Grids
Authors:
Rohit Vashishtha,
Ankit Gupta,
Piyush Gupta,
Shakti Mishra,
D S Kushwaha
Abstract:
The widespread emergence of the Internet as a platform for electronic data distribution and the advent of structured information have revolutionized our ability to deliver information to any corner of the world. Although Service Oriented Architecture (SOA) is a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains and implemented using various technology stacks, not every organization may be geared up for this. To harness the various software / service resources placed on various systems, we have proposed and implemented a model that is able to establish discovery and sharing in a load-balanced P-grid environment. The experimental results show that the proposed approach has dramatically lowered the network traffic (nearly negligible), while achieving load balancing in P2P grid systems. Our model is also able to support discovery and sharing of resources.
Submitted 14 June, 2010;
originally announced June 2010.