Information fusion and visualization of cyber-attack graphs

A new tool provides an efficient and effective solution for predicting potential attacks as well as supplying interactive multi-resolution views.
21 June 2007
Genshe Chen, Hongda Chen, Erik Blasch, Martin Kruger, and Jose Cruz

Many security sensors and other protection mechanisms are deployed at different levels to provide what is known as defense-in-depth for systems and networks. However, the large volume of security alerts they generate makes it challenging for operators to analyze the attack situation and take an appropriate response. Given realistic network configurations, there are two major challenges in displaying and analyzing the potentially very large and complex graphs of multi-step cyber attacks against networks. One is to transform large quantities of network security data into real-time actionable intelligence. The other is to visualize the complex graphs, including all possible network attack paths, while still keeping complexity manageable.


We have proposed a comprehensive and innovative approach that builds on three bodies of work: attack graph research,1–4 alert correlation research,5–10 and attack visualization research.11–16 As can be seen in Figure 1, there are two major components: an attack analysis module and an attack-graph visualization module. With these, we can easily display and analyze potentially very large and complex graphs of multi-step cyber attacks against networks, built from network vulnerabilities, connectivity, and attacker exploits.



Figure 1. Analysis and visualization model for large complex multi-step cyber attack graphs.

The attack graph visualization module consists of three fundamental blocks: hierarchy construction, hierarchical graph complexity reduction, and radial space-filling (RSF) hierarchy visualization. The visualization module provides access to all possible network attack paths while keeping complexity manageable via interactive hierarchical graph complexity reduction. Moreover, the RSF technique has the advantage of efficiently using the display space while conveying the hierarchical structure better than other space-filling techniques. It also provides varying degrees of support for interactive operations such that one can first obtain high-level overviews quickly, and then drill down to specific details.


The attack analysis module includes correlating isolated alert sets, attack plan recognition, and attack prediction. We apply Bayesian-network-based17 mechanisms to reason and correlate attack steps based on security states of systems and networks. These incorporate prior knowledge of attack transition patterns and handle uncertainty in the correlation process. Since cyber attackers exploit vulnerabilities in unexpected ways in order to incrementally penetrate the network and compromise critical systems, the probability-based reasoning method manages risks and significantly reduces the impact of attacks by knowing the possible attack network paths. The Bayesian-network reasoning provides real-time situational awareness and actionable intelligence on network hardening to prevent attacks, to perform real-time attack-event correlation during attacks, and to formulate post-attack responses as well.


Once an attack is correlated, the attack notification service retrieves the correlated alerts that comprise the attack scenario and uses them to instantiate an attack node, binding formal parameters to arguments. The attack node is then shipped to the RSF hierarchy visualization system where it can be analyzed and, potentially, placed within a highlighted attack hierarchy to capture its role in a multi-stage or coordinated attack. The visualization and analytical functions implement and render vulnerability assessment and attack prediction so that real-time attack notification is possible. Since the proposed hierarchy visualization system is interactive, users can easily manipulate the view to accommodate their interests when they wish to focus their attention on particular objects. Analytical functions within the attack notification service provide several capabilities: vulnerability assessment, hierarchy construction, and attack prediction.
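As an added illustration of the probabilistic reasoning described in the two paragraphs above (the correlation of alert evidence with prior attack-transition knowledge, and the prediction of the next attack step), the following example is not code from the paper or its authors: it uses a constructed five-node attack graph with made-up exploit success probabilities, propagates compromise probabilities through the graph with a noisy-OR rule, conditions on confirmed alerts, and ranks the exploits the attacker is most likely to attempt next so that hardening can be prioritized.

```python
from collections import defaultdict

# Constructed attack graph (not from the paper): nodes are attacker states
# (a privilege level on a host); each edge is an exploit with an estimated
# probability of success once the source state is held. Must be a DAG.
EXPLOITS = {
    ("internet", "web_dmz"): 0.8,
    ("web_dmz", "db_server"): 0.5,
    ("web_dmz", "admin_ws"): 0.3,
    ("db_server", "domain_admin"): 0.4,
    ("admin_ws", "domain_admin"): 0.7,
}


def compromise_probabilities(exploits, start="internet", evidence=None):
    """Forward propagation over the attack DAG using a noisy-OR combination:
    P(t) = 1 - prod over incoming exploits (s, t) of (1 - P(s) * p_exploit).
    `evidence` maps a node to an observed value, e.g. 1.0 when correlated
    alerts confirm that the attacker already holds that state."""
    evidence = evidence or {}
    preds = defaultdict(list)
    for (s, t), p in exploits.items():
        preds[t].append((s, p))
    memo = {}

    def prob(node):
        if node in evidence:          # observed alert overrides the prior
            return evidence[node]
        if node == start:             # attacker's entry point is always held
            return 1.0
        if node not in memo:
            miss = 1.0                # probability that every path fails
            for s, p in preds[node]:
                miss *= 1.0 - prob(s) * p
            memo[node] = 1.0 - miss
        return memo[node]

    nodes = {n for edge in exploits for n in edge}
    return {n: round(prob(n), 4) for n in nodes}


def predict_next_steps(exploits, evidence):
    """Rank candidate next exploits by P(source held) * P(exploit succeeds),
    skipping targets already confirmed by evidence. The top entries are the
    edges a defender should harden or watch first."""
    probs = compromise_probabilities(exploits, evidence=evidence)
    ranked = [((s, t), round(probs[s] * p, 4))
              for (s, t), p in exploits.items() if t not in evidence]
    return sorted(ranked, key=lambda item: item[1], reverse=True)
```

With no alerts the domain-admin state is reached with probability about 0.30; once alerts confirm the web DMZ and admin workstation are compromised, that rises to 0.76 and the admin-workstation-to-domain-admin exploit becomes the top predicted next step.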


As shown in Figure 1, we utilize dynamic game theory for graph-based attack awareness and response analysis, since the integration of attack graphs and alert correlation graphs provides ‘perfect’ knowledge about the attacker's strategy space. Game-theoretic analysis computes (Nash) equilibria for any mathematical game.18 In terms of which types of dynamic games are most suitable for graph-based multi-step attack response, our initial studies show two things. First, if the attacker can clearly recognize each defense action and wants to see the effects of the current defense action against his latest attack action before choosing a new action, a dynamic observe-then-act game can be used to compute the optimal defense strategies. Second, if the attacker has substantial uncertainty in recognizing a defense action but is good at identifying an attack state, multistage dynamic games with simultaneous moves can be used. Further research will be conducted to investigate dynamic games in detail for attack analysis.



Genshe Chen, Hongda Chen
Intelligent Automation, Inc.
Rockville, MD

Dr Genshe Chen is the Program Manager in Networks, Systems and Control at Intelligent Automation, Inc. He has been the technical lead/Principal Investigator for 15 different projects, including maneuvering target detection, cooperative control for teamed unmanned aerial vehicles, a differential pursuit-evasion game with multiple players, asymmetric threat detection and prediction, space and cyber situation awareness, etc.


Dr Hongda Chen received his BA and MS degrees in Electrical Engineering from Beijing Institute of Technology, Beijing, China, in 1987 and 1990 respectively, and his PhD in Information Technology from George Mason University, Fairfax, VA, in 1999. From 1998 to 2002, he was a senior member of technical staff in Mobile Satellite Communication, Hughes Network Systems, MD. In 2003, he joined Intelligent Automation as a senior research engineer. His research interests include signal processing, communications, and fault diagnosis/prognosis in industry applications. He has published more than 20 papers in the areas of signal processing and communications.

Erik Blasch
Air Force Research Lab Assessment and Integration Branch
(AFRL/SNAA)
Wright-Patterson Air Force Base, OH

Dr Erik Blasch is an Information Fusion Evaluation Lead for the AFRL Comprehensive Performance Assessment of Sensor Exploitation Center, Adjunct Electrical Engineering/Biomedical Engineering Professor at Wright State University and Air Force Institute of Technology, and a reserve Major with the Air Force Office of Scientific Research.

Martin Kruger
Office of Naval Research (ONR)
Arlington, VA

Martin Kruger is currently serving as the Intelligence, Surveillance, and Reconnaissance Thrust Area Manager for the Expeditionary Warfare Maneuver Warfare and Combating Terrorism Science and Technology Department at the ONR. In that capacity, he is responsible for maturing and transitioning applicable technology. Research interests include sensing, data fusion and visualization, resource management, and information dissemination.

Jose Cruz
The Ohio State University
Columbus, OH

Prof Jose B. Cruz, Jr. is a Distinguished Professor of Engineering, and Professor of Electrical and Computer Engineering. Dr Cruz was elected as a member of the National Academy of Engineering in 1980, and a corresponding member of the National Academy of Science and Technology (Philippines) in 2003. He is a Fellow, Institute of Electrical and Electronics Engineers (IEEE); Recipient, Curtis W. McGraw Research Award of the American Society for Engineering Education (ASEE) 1972; Recipient, Halliburton Engineering Education Leadership Award, 1981; Recipient, IEEE Centennial Medal, 1984; Recipient, IEEE Richard M. Emberson Award, 1989; Fellow, American Association for the Advancement of Science elected 1989; Recipient, ASEE Centennial Medal, 1993; Recipient, Richard E. Bellman Control Heritage Award, American Automatic Control Council, 1994; and Fellow, ASEE 2004.


