
Multimodal Graph Analysis of Cyber Attacks

Multimodal Graph Analysis of Cyber Attacks. Nirnimesh Ghose, Loukas Lazos, and Jerzy Rozenblit, Electrical and Computer Engineering, University of Arizona, Tucson. Ronald Breiger, School of Sociology, University of Arizona, Tucson. 2019 Spring Simulation Conference, Tucson, AZ.





Presentation Transcript


  1. Multimodal Graph Analysis of Cyber Attacks (title slide; authors and venue as listed above)

  2. Cyber Attacks – Web Application Attacks

  3. Cyber Attack – Ransomware

  4. Cyber Attack – Espionage

  5. Cyber Attack – Monetary Gain

  6. Layered View of Cyber Attacks. Layers in the figure: cyber actions, Internet, social actions, actors. A method is required for analyzing the interaction between these modalities, to help detect existing threats.

  7. Challenges in Analyzing Cyber Attacks
  • Point-based analysis approach
    • manually scrutinizing evidence
    • the time elapsed during analysis renders the results useless
  • State-of-the-art cyber-analysis methods
    • have limited predictive and attribution capabilities*
    • rely on evidence produced by post-event electronic trace analysis**
  • As a result, cyber attacks are in most cases discovered well after the attack has terminated.
  * Xie, Peng, et al. "Using Bayesian networks for cyber security analysis." 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN). IEEE, 2010.
  * Michael, James Bret, Thomas C. Wingfield, and Duminda Wijesekera. "Measured responses to cyber attacks using Schmitt analysis: a case study of attack scenarios for a software-intensive system." Proceedings 27th Annual International Computer Software and Applications Conference, COMPSAC 2003. IEEE, 2003.
  ** Choo, Kim-Kwang Raymond. "The cyber threat landscape: Challenges and future research directions." Computers & Security 30.8 (2011): 719-731.
  ** Hutchings, Alice. "Crime from the keyboard: organised cybercrime, co-offending, initiation and knowledge transmission." Crime, Law and Social Change 62.1 (2014): 1-20.

  8. Goals and Contributions
  • Goals:
    • Understand why a cyber attack has occurred, when it occurred and by whom it was perpetrated
    • Determine the identities, values, incentives, and communication modes of the involved individuals
  • Contributions:
    • Developed comprehensive models of cyber-attack features using feature-extraction techniques on diverse data sources
    • Classified adversarial groups based on their feature similarities
    • Enhanced the group classification using analytic techniques from social network science

  9. Multimodal Graph – Cyber Attack. Figure: the three modalities, cyber events, autonomous systems and users, and the links between them.

  10. User Modality. Users are the hosts that act as either the attacker or the target. Figure labels: attacker, victim, command-and-control (C2) server, data exfiltration server, botnets, hosts.

  11. Cyber Event Modality. Events occurring between attacker and target users in the cyber domain. Figure labels: social engineering, port scanning, malware infection, data exfiltration.

  12. Autonomous System Modality. Autonomous systems (ASes) serve the IP addresses of the users.

  13. Multimodal Graph – Adjacency Matrix. The observed matrix is assembled from three blocks: the relation between users and cyber events, the relation between users and autonomous systems, and the relation between cyber events and autonomous systems.

  14. Community Discovery – Method. The observed matrix is compared against an expected matrix, and the eigenvectors of the difference are computed. Communities are read off the signs of the first two eigenvectors: Community 1 – positive values in the 1st eigenvector; Community 2 – negative 1st and positive 2nd values; Community 3 – negative 1st and negative 2nd values. The result is a community matrix, scored by modularity.

  15. Community Discovery. Figure: the multimodal graph of cyber events, autonomous systems and users.

  16. Community Discovery. Figure: the graph partitioned into Community 1, Community 2 and Community 3.

  17. Centrality Analysis – Method. Inputs shown in the figure: the observed matrix, the identity matrix, a column matrix of ones, and a normalization factor. Positive centrality uses the inverse of the largest eigenvalue as the factor; negative centrality uses the inverse of the smallest eigenvalue.

  18. Centrality Analysis
  • Positive centrality – nodes are ranked according to the number of distinct shortest paths to all other nodes
  • Negative centrality – nodes are ranked according to their role in interconnecting graph cliques
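The two method slides above name the ingredients but not the formulas. The added example below (written for this page, not the authors' code) implements the reading that fits those ingredients: slide 14's observed-minus-expected matrix with eigenvector signs is Newman's modularity matrix B = A − k kᵀ/2m with the leading-eigenvector bisection (the slide goes one step further and uses the first two eigenvectors to obtain three communities), and slide 17's identity matrix, observed matrix, column of ones and eigenvalue-based factor are Bonacich's beta centrality c = (I − βA)⁻¹ A 1. The tripartite graph, its node names and its edges are constructed for illustration; the choice of 0.9 × 1/λ_max and 0.9 × 1/λ_min for β is an assumption, because at exactly 1/λ the matrix I − βA is singular. Note that in this formulation the positive score counts walks of every length rather than shortest paths only. Everything is plain Python, so it runs without numpy:

```python
"""Modularity communities and beta centrality on a tripartite attack graph.
Added example in plain Python, not the authors' code; the graph below is
constructed for illustration (users, cyber events, autonomous systems)."""

USERS = ["victim_A", "victim_B", "victim_C", "c2_server", "exfil_server"]
EVENTS = ["phishing", "malware_infection", "data_exfiltration"]
ASES = ["AS_victims", "AS_attacker"]
NODES = USERS + EVENTS + ASES
EDGES = [  # assumed relations: user-event, user-AS and event-AS blocks
    ("victim_A", "phishing"), ("victim_B", "phishing"), ("victim_C", "phishing"),
    ("victim_A", "malware_infection"), ("victim_B", "malware_infection"),
    ("victim_C", "malware_infection"), ("c2_server", "malware_infection"),
    ("c2_server", "data_exfiltration"), ("exfil_server", "data_exfiltration"),
    ("victim_A", "data_exfiltration"), ("victim_A", "AS_victims"),
    ("victim_B", "AS_victims"), ("victim_C", "AS_victims"),
    ("c2_server", "AS_attacker"), ("exfil_server", "AS_attacker"),
    ("phishing", "AS_victims"), ("malware_infection", "AS_attacker"),
    ("data_exfiltration", "AS_attacker"),
]

def adjacency(nodes, edges):
    """Observed matrix A: symmetric 0/1, rows and columns in `nodes` order."""
    idx = {n: i for i, n in enumerate(nodes)}
    a = [[0.0] * len(nodes) for _ in nodes]
    for u, v in edges:
        a[idx[u]][idx[v]] = a[idx[v]][idx[u]] = 1.0
    return a

def matvec(m, x):
    return [sum(mij * xj for mij, xj in zip(row, x)) for row in m]

def shifted(m, shift):  # m + shift * I
    return [[x + (shift if i == j else 0.0) for j, x in enumerate(row)] for i, row in enumerate(m)]

def power_iteration(m, iters=2000):
    """(eigenvalue, unit eigenvector) of largest |eigenvalue| of symmetric m."""
    n = len(m)
    v = [1.0 + i / n for i in range(n)]  # asymmetric start: nonzero overlap
    for _ in range(iters):
        w = matvec(m, v)
        norm = sum(x * x for x in w) ** 0.5
        v = [x / norm for x in w]
    return sum(vi * wi for vi, wi in zip(v, matvec(m, v))), v

def extreme_eigenvalues(a):
    """(lambda_max, lambda_min): shift so the wanted eigenvalue dominates."""
    shift = max(sum(abs(x) for x in row) for row in a)  # >= spectral radius
    lam_max = power_iteration(shifted(a, shift))[0] - shift
    neg_a = [[-x for x in row] for row in a]             # lambda_max*I - A
    return lam_max, lam_max - power_iteration(shifted(neg_a, lam_max))[0]

def modularity_matrix(a):
    """B = observed - expected: B_ij = A_ij - k_i k_j / 2m (degree null model)."""
    k = [sum(row) for row in a]
    two_m = sum(k)
    return [[a[i][j] - k[i] * k[j] / two_m for j in range(len(a))] for i in range(len(a))]

def spectral_split(nodes, a):
    """Newman's bisection on the sign of B's leading eigenvector.
    Returns ({node: +1 or -1}, modularity Q of that split)."""
    b = modularity_matrix(a)
    shift = max(sum(abs(x) for x in row) for row in b)
    lam, v = power_iteration(shifted(b, shift))
    if lam - shift <= 1e-9:  # no positive eigenvalue: indivisible
        return {n: 1 for n in nodes}, 0.0
    s = [1 if x >= 0 else -1 for x in v]
    n = len(nodes)
    sbs = sum(s[i] * b[i][j] * s[j] for i in range(n) for j in range(n))
    return dict(zip(nodes, s)), sbs / (2 * sum(sum(row) for row in a))  # /4m

def solve(m, rhs):
    """Gauss-Jordan elimination with partial pivoting; raises if m is singular."""
    n = len(m)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        if abs(aug[c][c]) < 1e-12:
            raise ValueError("I - beta*A is singular: 1/beta is an eigenvalue")
        for r in range(n):
            if r != c:
                f = aug[r][c] / aug[c][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def beta_centrality(nodes, a, beta):
    """c = (I - beta A)^-1 A 1; for |beta| < 1/lambda_max this is the walk sum
    sum_k beta^k A^(k+1) 1 (beta > 0: all walks add; beta < 0: alternating)."""
    i_minus_ba = shifted([[-beta * x for x in row] for row in a], 1.0)
    return dict(zip(nodes, solve(i_minus_ba, matvec(a, [1.0] * len(a)))))

if __name__ == "__main__":
    A = adjacency(NODES, EDGES)
    labels, q = spectral_split(NODES, A)
    print("modularity Q = %.3f" % q)
    for side in (1, -1):
        print("  community:", [n for n in NODES if labels[n] == side])
    lam_max, lam_min = extreme_eigenvalues(A)
    # Slide: factor 1/lambda_max (positive), 1/lambda_min (negative).  Exactly there
    # I - beta*A is singular, so 0.9 of each bound is used here (an assumption).
    for name, beta in (("positive", 0.9 / lam_max), ("negative", 0.9 / lam_min)):
        c = beta_centrality(NODES, A, beta)
        print(name, "centrality:", sorted(c, key=c.get, reverse=True))
```

Running the module prints the bisection of the toy graph and both rankings. Two checks worth keeping when porting this to real data: every row of B sums to zero (so B·1 = 0 and the trivial all-in-one partition has Q = 0), and with β = 0 the centrality reduces to plain degree, which is a quick sanity test of the linear solver. For three or more communities, as on slide 14, repeat the bisection inside each community using Newman's generalized modularity matrix for the subgraph rather than re-running it on the bare sub-adjacency matrix.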

  19. Application of community and centrality analysis to real-world cyber attacks.

  20. Cyber Attack Case Study – GhostNet. Figure labels: cyber events – phishing, malware infection, data exfiltration; attacker infrastructure – control server, CGI script server; victims – OHHDL (Office of His Holiness the Dalai Lama) and TGIE (Tibetan Government-in-Exile) in India, OOT (Offices of Tibet) in London and NYC.

  21. GhostNet – Multimodal Graph. Figure: the GhostNet tripartite graph of cyber events, autonomous systems and users.

  22. GhostNet – Community Analysis. Figure: the discovered communities, with the modularity of the partition.

  23. GhostNet – Centrality Analysis
  • Positive centrality, nodes as placed on the slide from maximum to minimum centrality: phishing, TGIE, OHHDL, malware infection, Drewla, OOT – London, OOT – NYC
  • Negative centrality, from maximum to minimum: control server, TGIE, OHHDL, Drewla, OOT – London, OOT – NYC

  24. Cyber Attack Case Study – Putter Panda. Figure labels: cyber events – phishing; RAT malware infection (4H RAT, 3PARA RAT, pngdowner, httpclient malware); data exfiltration (httpchen, pngdowner). Attackers – control server; Chen Ping aka CPYY; Comment Panda; Vixen Panda. Victims – US government, defense, research and technology sectors; European aerospace companies; the Toulouse Space Centre; telecommunication companies in Japan.

  25. Putter Panda – Multimodal Graph
  • Users
    • Victims: US government sector, defense sector, the US research sector and technology sector, European aerospace companies, the Toulouse Space Centre, and telecommunication companies in Japan
    • Attackers: C2 server, Chen Ping aka CPYY, httpchen, Comment Panda, Vixen Panda, and pngdowner
  • Cyber events
    • RAT malware including 4H RAT, 3PARA RAT, pngdowner and httpclient malware (39 event nodes)
  • Autonomous systems
    • Victims: AS-USA, AS-Europe, and AS-Japan
    • Attackers: 15 ASes in the USA, 5 in Taiwan, 4 on the Korean peninsula, 2 in the Netherlands, and 1 each in Denmark, Kazakhstan, Fiji, Thailand, China, Japan, Russia, Great Britain, and Indonesia

  26. Putter Panda – Community Analysis
  • Community 1 – victim hosts: users, cyber events (phishing and malware install) and ASes
    • httpclient malware – AS and C2 server (anomaly)
  • Community 2 – adversaries (3PARA RAT, pngdowner and httpclient): users, cyber events and ASes
  • Community 3 – adversaries (3PARA RAT, pngdowner and httpclient): users, cyber events and ASes
  • Modularity of the partition (value given in the slide figure)

  27. Putter Panda – Centrality Analysis
  • Positive centrality: victim side – malware infection > users > ASes
  • Negative centrality: C2 server side – data exfiltration > users > ASes

  28. Summary
  • Modeled and analyzed cyber attacks using a tripartite graph of users, cyber events and autonomous systems
  • Used community analysis to identify nodes of different modalities that exhibit strong correlation, and centrality analysis to rank the nodes according to their importance in the attack
  • Findings demonstrated a clear distinction between the victim hosts and the ASes that serve them, the C2 servers that regulated the attack, and the data exfiltration process
  • Centrality analysis revealed the key nodes that facilitated the attack, a role assumed by the C2 servers
  • Future work: embed the derived properties as ground truth to generate synthetic data, and study that data to derive new techniques for detecting attacks in real time

  29. Thank you! Questions?
