SlideShare a Scribd company logo

AI4Cyber-SAGE-slides.pdf

Ahmed Mohamed
Ahmed Mohamed

AI4Cyber

Internet
1 of 23
Download to read offline
1 SAGE: Intrusion Alert-driven Attack Graph Extractor Azqa Nadeem*, Sicco Verwer*, Stephen Moskal^, Shanchieh Jay Yang^ *Delft University of Technology, The Netherlands ^Rochester Institute of Technology, USA 1st KDD Workshop on AI-enabled Cybersecurity Analytics (AI4Cyber) 15 August 2021
2 Background • Security analysts receive > 1M intrusion alerts/day* * https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/
3 Background • Security analysts receive > 1M intrusion alerts/day* • Attacker strategy identification – How? – Multiple attackers? – Strategies similar? • Often represented as Attack graphs * https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/ https://www.researchgate.net/publication/220202986_Measuring_Security_Risk_of_Networks_Using_Attack_Graphs Local buffer overflow remote shell sshd_bof() ssh ftp_rhosts() ftp
4 Existing approaches • Expert-crafted attack graphs – NetSPA by ML Artz (MIT ‘02) – MulVAL by X Ou et al. (USENIX ‘05) • Alert-driven attack scenario modelling – Ning et al. (Ning ‘02) – De Alvarenga et al. (Computers & Security ‘18) – Moskal et al. (ISI ‘18)
5 Research aim RQ: How to construct attack graphs directly from intrusion alerts? • For extracting intelligence about attacker strategies • Preferably without network dependence
6 Anatomy of an Alert-driven Attack Graph Objective Attacker actions First action Attacker host Timestamp
7 Key design challenges
8 Key design challenges 1. Alert-type imbalance
9 Key design challenges 1. Alert-type imbalance 2. Context modelling
10 SAGE: IntruSion alert-driven Attack Graph Extractor
11 Alert → Episode sequences
12 SAGE: IntruSion alert-driven Attack Graph Extractor
13 Suffix-based PDFA Start End • Summarizes attack paths • Brings infrequent episodes to the top – Red → Severe | Blue → Medium severity • States → milestones with context
14 SAGE: IntruSion alert-driven Attack Graph Extractor
15 Adding context to sequences Episode sequences State sequences On a per-victim, per-objective basis
16 • Suricata alerts from Collegiate Penetration Testing Competition1 – 6 multi-attacker teams – 1 fictitious network – 330,270 alerts • Moskal’s Action-Intent framework2 – Alert signature → Attack stage – Based on MITRE ATT&CK Experimental dataset 1. CPTC dataset: https://www.globalcptc.org/ 2. S. Moskal and S. J. Yang, “Framework to describe intentions of a cyber attack action,” arXiv preprint arXiv:2002.07838, 2020. Occurrence percentage Attack stages
17 [1] Alert triaging • 330,270 alerts → 93 alert-driven AGs • ~500 alerts in < 25 vertices
18 [2] Attacker strategy visualization • Shows how the attack transpired • 3 teams, 5 attempts • 3 ways to reach objective
19 [3] Attacker strategy comparison • T5 and T8 share a common strategy • Some paths are shorter than others • Attackers follow shorter paths to re- exploit an objective in 84.5% cases
20 [4] Ranking interesting attackers • Rank on the uniqueness and severity of actions • 𝑆𝑐𝑜𝑟𝑒 = 2∗𝑠𝑒𝑣 +(1∗𝑚𝑒𝑑) 3
21 Take aways • SAGE uses sequence learning to extract attacker strategies – Builds attack graphs from intrusion alerts without expert input • The S-PDFA is critical for – Accentuating infrequent severe actions, – Identifying contextually different actions • Alert-driven attack graphs – Compress millions of alerts in a few AGs – Provide insights into attacker strategies – Capture attackers’ behavior dynamics
22 Thank you! Questions? Icons courtesy of Eucalyp, Freepik, Monkik, Pixel perfect, and Surang from www.flaticon.com ► SAGE uses sequence learning to extract attacker strategies Builds attack graphs from intrusion alerts without expert input ► The S-PDFA is critical for Accentuating infrequent severe actions, Identifying contextually different actions ► Alert-driven attack graphs Compress millions of alerts in a few AGs Provide insights into attacker strategies Capture attackers’ behavior dynamics SAGE is open-source! azqa.nadeem@tudelft.nl @azqa_nadeem https://cyber-analytics.nl/
23 VulnD HostD Exfil ServD Suffix Tree (Merged) InfoD Surf DoS ACExec VulnD HostD Exfil ACExec Root infoD ACE net DoS surf ACE hostD serD exfil vulnD

Recommended

Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Massif cluster meeting
Massif cluster meetingMassif cluster meeting
Massif cluster meetingfcleary
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityKhaled Al-Khalili
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxAntonioProcentese1
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in icsMayur Mehta
 

Recommended

Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfssuser4237d4
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Massif cluster meeting
Massif cluster meetingMassif cluster meeting
Massif cluster meetingfcleary
 
[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defence[Bucharest] Attack is easy, let's talk defence
[Bucharest] Attack is easy, let's talk defenceOWASP EEE
 
Role of data mining in cyber security
Role of data mining in cyber securityRole of data mining in cyber security
Role of data mining in cyber securityKhaled Al-Khalili
 
Presentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxPresentazione tesi magistrale procentese.pptx
Presentazione tesi magistrale procentese.pptxAntonioProcentese1
 
Sdl deployment in ics
Sdl deployment in icsSdl deployment in ics
Sdl deployment in icsMayur Mehta
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptxAhmedRobaid1
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Modeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security RequirementsModeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security RequirementsShinpei Hayashi
 
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsGSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsDavid Sweigert
 
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...IRJET Journal
 
MAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionMAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionPanagiotis Papadopoulos
 
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...IJNSA Journal
 
Qualifying exam-2015-final
Qualifying exam-2015-finalQualifying exam-2015-final
Qualifying exam-2015-finalOpen Networking Perú (Opennetsoft)
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS JonesSmith7
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSISHARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSISijcisjournal
 
Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text ijcisjournal
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
FALCON.pptx
FALCON.pptxFALCON.pptx
FALCON.pptxAvinashRanjan80
 
cb-EDR-V7_a4_Digital
cb-EDR-V7_a4_Digitalcb-EDR-V7_a4_Digital
cb-EDR-V7_a4_DigitalOscar Williams
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfOlufemi37
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理A
 

More Related Content

Similar to AI4Cyber-SAGE-slides.pdf

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Modeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security RequirementsModeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security RequirementsShinpei Hayashi
 
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsGSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsDavid Sweigert
 
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...IRJET Journal
 
MAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionMAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionPanagiotis Papadopoulos
 
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...IJNSA Journal
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS JonesSmith7
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSISHARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSISijcisjournal
 
Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text ijcisjournal
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principlesOWASP
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfOlufemi37
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 

Similar to AI4Cyber-SAGE-slides.pdf (20)

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Modeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security RequirementsModeling and Utilizing Security Knowledge for Eliciting Security Requirements
Modeling and Utilizing Security Knowledge for Eliciting Security Requirements
 
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract OralsGSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
GSA calls out Cyber Hunt skills in final Cybersecurity Contract Orals
 
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...Implementation of Secured Network Based Intrusion Detection System Using SVM ...
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
 
MAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack DetectionMAD: A Middleware Framework for Multi-Step Attack Detection
MAD: A Middleware Framework for Multi-Step Attack Detection
 
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...Network Threat Characterization in Multiple Intrusion Perspectives using Data...
Network Threat Characterization in Multiple Intrusion Perspectives using Data...
 
Qualifying exam-2015-final
Qualifying exam-2015-finalQualifying exam-2015-final
Qualifying exam-2015-final
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
 
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSISHARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
HARDWARE ATTACK MITIGATION TECHNIQUES ANALYSIS
 
Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text Hardware Attack Mitigation Techniques AnalysisFull Text
Hardware Attack Mitigation Techniques AnalysisFull Text
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 
FALCON.pptx
FALCON.pptxFALCON.pptx
FALCON.pptx
 
cb-EDR-V7_a4_Digital
cb-EDR-V7_a4_Digitalcb-EDR-V7_a4_Digital
cb-EDR-V7_a4_Digital
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
 
endpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdfendpoint-detection-and-response-datasheet.pdf
endpoint-detection-and-response-datasheet.pdf
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 

Recently uploaded

Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodierahman018755
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理A
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样AS
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样Fi
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样A
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebJie Liau
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书c6eb683559b3
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书A
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Varun Mithran
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样AS
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书B
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书Fir
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书A
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证hfkmxufye
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理Fir
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理apekaom
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 

Recently uploaded (20)

Dan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat HoodieDan Quinn Commanders Feather Dad Hat Hoodie
Dan Quinn Commanders Feather Dad Hat Hoodie
 
一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理一比一原版布兰迪斯大学毕业证如何办理
一比一原版布兰迪斯大学毕业证如何办理
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
一比一原版(Wintec毕业证书)新西兰怀卡托理工学院毕业证原件一模一样
 
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
一比一原版(UWE毕业证书)西英格兰大学毕业证原件一模一样
 
原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样原版定制美国加州大学河滨分校毕业证原件一模一样
原版定制美国加州大学河滨分校毕业证原件一模一样
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书一比一定制加州大学欧文分校毕业证学位证书
一比一定制加州大学欧文分校毕业证学位证书
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
一比一定制(Temasek毕业证书)新加坡淡马锡理工学院毕业证学位证书
 
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
一比一定制(USC毕业证书)美国南加州大学毕业证学位证书
 
一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书一比一定制波士顿学院毕业证学位证书
一比一定制波士顿学院毕业证学位证书
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
一比一原版(TRU毕业证书)温哥华社区学院毕业证如何办理
 
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
一比一原版桑佛德大学毕业证成绩单申请学校Offer快速办理
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 

AI4Cyber-SAGE-slides.pdf

  • 1. 1 SAGE: Intrusion Alert-driven Attack Graph Extractor Azqa Nadeem*, Sicco Verwer*, Stephen Moskal^, Shanchieh Jay Yang^ *Delft University of Technology, The Netherlands ^Rochester Institute of Technology, USA 1st KDD Workshop on AI-enabled Cybersecurity Analytics (AI4Cyber) 15 August 2021
  • 2. 2 Background • Security analysts receive > 1M intrusion alerts/day* * https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/
  • 3. 3 Background • Security analysts receive > 1M intrusion alerts/day* • Attacker strategy identification – How? – Multiple attackers? – Strategies similar? • Often represented as Attack graphs * https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/ https://www.researchgate.net/publication/220202986_Measuring_Security_Risk_of_Networks_Using_Attack_Graphs Local buffer overflow remote shell sshd_bof() ssh ftp_rhosts() ftp
  • 4. 4 Existing approaches • Expert-crafted attack graphs – NetSPA by ML Artz (MIT ‘02) – MulVAL by X Ou et al. (USENIX ‘05) • Alert-driven attack scenario modelling – Ning et al. (Ning ‘02) – De Alvarenga et al. (Computers & Security ‘18) – Moskal et al. (ISI ‘18)
  • 5. 5 Research aim RQ: How to construct attack graphs directly from intrusion alerts? • For extracting intelligence about attacker strategies • Preferably without network dependence
  • 6. 6 Anatomy of an Alert-driven Attack Graph Objective Attacker actions First action Attacker host Timestamp
  • 8. 8 Key design challenges 1. Alert-type imbalance
  • 9. 9 Key design challenges 1. Alert-type imbalance 2. Context modelling
  • 10. 10 SAGE: IntruSion alert-driven Attack Graph Extractor
  • 11. 11 Alert → Episode sequences
  • 12. 12 SAGE: IntruSion alert-driven Attack Graph Extractor
  • 13. 13 Suffix-based PDFA Start End • Summarizes attack paths • Brings infrequent episodes to the top – Red → Severe | Blue → Medium severity • States → milestones with context
  • 14. 14 SAGE: IntruSion alert-driven Attack Graph Extractor
  • 15. 15 Adding context to sequences Episode sequences State sequences On a per-victim, per-objective basis
  • 16. 16 • Suricata alerts from Collegiate Penetration Testing Competition1 – 6 multi-attacker teams – 1 fictitious network – 330,270 alerts • Moskal’s Action-Intent framework2 – Alert signature → Attack stage – Based on MITRE ATT&CK Experimental dataset 1. CPTC dataset: https://www.globalcptc.org/ 2. S. Moskal and S. J. Yang, “Framework to describe intentions of a cyber attack action,” arXiv preprint arXiv:2002.07838, 2020. Occurrence percentage Attack stages
  • 17. 17 [1] Alert triaging • 330,270 alerts → 93 alert-driven AGs • ~500 alerts in < 25 vertices
  • 18. 18 [2] Attacker strategy visualization • Shows how the attack transpired • 3 teams, 5 attempts • 3 ways to reach objective
  • 19. 19 [3] Attacker strategy comparison • T5 and T8 share a common strategy • Some paths are shorter than others • Attackers follow shorter paths to re- exploit an objective in 84.5% cases
  • 20. 20 [4] Ranking interesting attackers • Rank on the uniqueness and severity of actions • 𝑆𝑐𝑜𝑟𝑒 = 2∗𝑠𝑒𝑣 +(1∗𝑚𝑒𝑑) 3
  • 21. 21 Take aways • SAGE uses sequence learning to extract attacker strategies – Builds attack graphs from intrusion alerts without expert input • The S-PDFA is critical for – Accentuating infrequent severe actions, – Identifying contextually different actions • Alert-driven attack graphs – Compress millions of alerts in a few AGs – Provide insights into attacker strategies – Capture attackers’ behavior dynamics
  • 22. 22 Thank you! Questions? Icons courtesy of Eucalyp, Freepik, Monkik, Pixel perfect, and Surang from www.flaticon.com ► SAGE uses sequence learning to extract attacker strategies Builds attack graphs from intrusion alerts without expert input ► The S-PDFA is critical for Accentuating infrequent severe actions, Identifying contextually different actions ► Alert-driven attack graphs Compress millions of alerts in a few AGs Provide insights into attacker strategies Capture attackers’ behavior dynamics SAGE is open-source! azqa.nadeem@tudelft.nl @azqa_nadeem https://cyber-analytics.nl/
  • 23. 23 VulnD HostD Exfil ServD Suffix Tree (Merged) InfoD Surf DoS ACExec VulnD HostD Exfil ACExec Root infoD ACE net DoS surf ACE hostD serD exfil vulnD