This document discusses a proactive approach to cybersecurity called cyber-attack forecasting. It involves using machine learning and game theory to model a cyber system and analyze interactions between attackers and defenders to predict future attacks. The approach includes using hierarchical clustering to group similar systems, detecting anomalies, and formulating interactions as games to determine optimal defense strategies like probing frequencies. This proactive approach aims to address limitations of reactive security by enabling preemptive countermeasures against sophisticated threats.

1. Cyber-Attack Forecasting:
A Proactive Approach to Defensive Cyberwarfare
Malachi Jones, PhD
Cyber Security Technologist

2. About Me(Cyber-security Background)
4
• Georgia Tech (2007-2013)
– Security research collaboration between Georgia Tech (GT) and University of
California Santa Barbara (UCSB)
– PhD thesis topic: “Cyber-Attack Forecasting” [1]
• Harris Corporation (2013 – Present)
– (2014) Crypto-system software development and security consultant
– (2015) Cyber Security Vulnerability Researcher
Giovanni Vigna, PhD
Security Researcher
Joao Hespana, PhD
Game Theorist
Jeff Shamma, PhD
Game Theorist
Georgios Kotsalis, PhD
Game Theorist
Malachi Jones, PhD
Security Researcher

3. Outline
5
• Motivation: Reactive vs. Proactive
• Background
– Game Theory
– Machine Learning
• Cyber-Attack Forecasting
– Modeling a Cyber System
– Analyzing the Model
• Conclusion
• Questions
• Additional Resources

4. Motivation: Reactive vs Proactive
• Reactive Security
– Backward looking: Addressing
yesterday’s security threats today
– Status quo in Cyber-Security
Community
– Effective against novice hackers
– Inadequate for
• Advanced Persistent Threats (APTs)
• Sophisticated cyberweapons
Teen Hacker in Basement
State Sponsored Hacking

5. Motivation: Reactive vs Proactive
• Reactive Cyber-Security Process
Hacker
Develops New
Technique
Technique
tested against
security
systems
Technique
adopted by
other hackers
Security
community
eventually
responds

6. Motivation: Proactive Approach (Healthcare)
• Forecasting Infections/diseases
– Reliably Predict the next outbreak
of an infection or disease
– Learn/Estimate the capabilities of
the disease (i.e. Highly contagious)
– Proactive Countermeasures
• Provide vaccinations
• Quarantine infected individuals
• Set up medical facilities near
areas where outbreak likely to be
worst

7. Motivation: Proactive Approach (Cyber Security)
• Forecasting a cyber attack
– Reliably predict a cyber-attack
– Learn/estimate attacker and/or
malware capabilities
– Launch proactive countermeasures
• Take infected systems offline
• Scrub and reinstall system
• Repressive actions (i.e. sandbox
databases/datastores)
• Perform more invasive “checkups” on
systems likely to be infected

8. Motivation: Cyber Attack Forecasting
• Forecasting Challenges
– Modeling attacker and cyber system in
an analytical framework
– Computational complexity of analyzing
model to predict future attacks

9. Background: Game Theory
• Cyber Security
– At least two decision makers (i.e. Cyber
Defender and Attacker)
– Want to predict likely behavior of attacker
– Objective to make “good” decisions to
defend against cyber-attacks
• Game Theory
– Mathematical decision framework
– Provides methods to analyze interactions
among decision makers
– Can allow us to predict the likely actions
of an adversary and recommend
appropriate actions for the defender

10. Background: Game Theory
• Prisoner‟s Dilemma
– Police arrest two suspects
– Suspects interrogated in separate rooms
– Each suspect can choose an action:
• Cooperate: Stay silent (Not Guilty)
• Defect: Confess and “rat out” the other
suspect (Guilty)
• Analysis of likely behavior of decision maker
– Best outcome for the group is to Cooperate
– Best outcome for the individual is to Defect and rat
out the other person
– Outcome is defect for each decision maker
2,2 5,1
1,5 3,3
C D
D
C

11. Background: Machine Learning
• Machine Learning:
– Discovering/learning from patterns in
collected data
– Can be useful to group „like‟ objects
• Hierarchical Clustering
– Clusters are a group of „like‟ objects
– Builds a hierarchy of clusters
• Agglomerative Clustering
– Bottom up approach to building cluster
– Initially, each object is its own cluster
– Pairs of clusters are merged based on
„likeness‟
– Performance: O(n2)
Example of Agglomerative Clustering

12. Actionable Cyber-Attack Forecasting
14
• Two components of forecasting we will focus on:
Analyzing the Model Using
Game Theoretic Methods
Modeling a Cyber System

13. Actionable Cyber-Attack Forecasting
15
Analyzing the Model Using
Game Theoretic Methods
Modeling a Cyber System

14. Modeling a Cyber System: A Simple Model
16
• Decision makers: Defender and Attacker
• Actions
– Defender: Rate (xi) to check up on the cyber-health of Host hi
– Attacker: Rate (yi) to attack (e.g. exfiltrate info) from Host hi
• Utility function for Host hi:
where is the cyber-health of hi
• Global Utility:
• Defender objective: Maximize the global utility function
• Zero-sum assumption: Attacker objective inverse of defender
,

15. Modeling a Cyber System: A Simple Model
17
• A closer inspection of the local utility function of host hi:
• Feasible constraints on the parameters:
• How do we obtain the following information to input into utility function?
– Cyber health of a node
– Parameters: cinfo, rdetect , and cprobe
Information leakage cost.
Cost for probing that includes
bandwidth and processing
Reward for detecting malware
and/or a cyber-attack

16. Estimating Cyber Health: High Level Overview
18
• Machine Learning:
– Use agglomerative clustering algorithm to cluster hosts based on the similarity of
the top 10 active processes with respect to CPU time
– Caution: We need to protect against malicious clusters from forming. We don‟t
want a subset of bad nodes to form their own cluster
– Example stopping criteria to help prevent malicious clusters:
– Since we are using hierarchical clustering, the algorithm will terminate once all
clusters are at least the minimum cluster size

17. Estimating Cyber Health: High Level Overview
19
• Anomaly Detection:
– Let the health of a node be a function of how far away it is from the center of
mass of its assigned cluster
– Example:
• Let Pi be the set of processes running on host hi
• We will measure the similarity of nodes i and j by using the Jaccard index as follows
below:
• Let be the set of processes that are at least on 75% of machines in the cluster
that host hi is in
• Then

18. Estimating Utility Function Parameters
20
• Information leakage cost for host hi
– We can borrow an idea from sophisticated cyperweapons like Regin
– Assign higher costs to hosts that are accessed by people that have higher
privileges in an organization (IT admins, CEO, CTO, etc…)
• Probing cost for host hi
– Another idea borrowed from sophisticated malware
– Self monitor process cpu/memory/bandwidth usage at different probe rates to
derive costs for each host
• Reward for detecting malware
– Determine organizations attribution risk appetite for unknowingly hosting
botnets/zombies
– The reward can be proportionate to the resources available for use on a host by
a botmaster and/or hacker

19. Actionable Cyber-Attack Forecasting
21
Analyzing the Model Using
Game Theoretic Methods
Modeling a Cyber System

20. • Suppose the following:
– Defender: Actions are always probe and never probe (i.e. xi = 1 or xi = 0)
– Attacker : Actions are always attack and never attack (i.e. yi= 1 or xi = 0)
• The zero-sum 2X2 matrix game representation for host hi
Analysis with Game Theory
22
NA
P
A
NP
P
NP
NAA
....
P
NP
NAA

21. Analysis with Game Theory
23
• Formulation of game as a general optimization problem:
where s* is the optimal mixed strategy for the defender
• Note: s* is the probability that the defender should always probe
• Key Point: This problem can be formulated as a linear program, which
is computationally more efficient
• Linear Programming Formulation:

22. Conclusion: Q&A
• Can you really forecast a cyber attack in a real, non-trivial system?
– Yes…Forecasting isn‟t necessarily binary (i.e. either it will happen or not happen)
– The predictiveness can be about intensity/frequency/distribution of an attack in a
system (e.g. Will it get worse? How often will it occur? Where will it spread next? )
– Example: I have a cough. Will this turn into a flu? Can it spread to others?
– All models are wrong, but some models can be useful
• How far in advance could you predict an attack (Lead-time)?
– You don‟t have to predict an event days or weeks in advance for the prediction to
be useful
– Even a 20 minute warning could be the difference between 1,000 users sensitive
information being exfiltrated and 1,000,0000
24

23. Conclusion: Q&A
• If you can forecast, what approaches/methodologies will you use to
predict cyber attacks in a real world system?
– Machine Learning: Hierarchical clustering of groups of hosts in a system based
on the similarity of processes/services running on each host
– Anomaly Detection: Amongst hosts in a cluster, determining which hosts
behaviors are significantly different and deriving cyber-health for each host
– Game Theory: Mathematical decision framework that can allow us to predict the
likely actions of an adversary and recommend appropriate action for the defender
• What are examples of „actionable‟ decisions in the context of a
defender of a cyber system?
– Probing frequency/intensity: How often should we „check up‟ on a host and how
invasive should the checkup be?
– Should a host stay online, be taken offline, or wiped and reinstalled
25

24. Conclusion: Q&A
• Are there any connections with healthcare (i.e. modeling/forecasting
infectious diseases like malaria and ebola)?
– There may be a lot of ideas from the medical field that we can borrow that are
relevant and useful in predicting/detecting/treating cyber infections.
– Example: When you go to the doctor for a checkup, they compare your vitals (i.e.
blood pressure, pulse, and body temperature) to what is „normal‟ for someone in
your respective demographic
– We explicitly borrow this concept of deriving cyber-health of a node based on what
is „normal‟ for the cluster.
26

25. Questions?
27

26. Additional Resources
28
1. M. Jones, G. Kotsalis, and J. Shamma, “Cyber-attack forecast modeling and
complexity reduction using a game-theoretic framework,” in Control of Cyber-
Physical Systems (D. C. Tarraf, ed.), vol. 449 of Lecture Notes in Control and
Information Sciences, pp. 65–84, Springer International Publishing, 2013.
2. Singer, P.W. & Friedman, A. (2014). Cybersecurity: What Everyone Needs to
Know. OUP USA.
3. Zetter, Kim (2014). Countdown to Zero Day: Stuxnet and the Launch of the
World's First Digital Weapon. Crown Publishing Group
4. Jacobs, Jay & Rudis, Bob (2014). Data-Driven Security: Analysis,
Visualization and Dashboards. Wiley Publishing
5. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security:
Practical Methods for Safe and Secure Software and Systems Development.

27. Additional Resources
29
6. Ferguson, Niels, Schneier, Bruce & Kohno, Tadayoshi (2010). Cryptography
Engineering: Design Principles and Practical Applications. Wiley Publishing
7. Gebotys, C.H. (2009). Security in Embedded Devices. Springer
8. Anderson, R., "Why information security is hard - an economic perspective,"
Computer Security Applications Conference, 2001. ACSAC 2001.
Proceedings 17th Annual , vol., no., pp.358,365, 10-14 Dec. 2001