Date of Award

2024-08-01

Degree Name

Doctor of Philosophy

Department

Computer Science

Advisor(s)

Christopher Kiekintveld

Abstract

The continued success of cyber-attacks motivates the need for continued innovation in cyber defense. In particular, there is a need for novel methods to mitigate attacker reconnaissance, usually the first stage in planning an attack. One of the few general approaches in this stage is using deception and information manipulation to affect what the attacker can learn about a system or network. Existing work in moving target defense, game-theoretic models of cyber deception/camouflage, and adversarial learning has provided a framework for optimizing deception strategies. However, most of the current literature is based on limited models of how attackers actually perform reconnaissance and form beliefs about key information. These models lack the detail and realism necessary to make the best use of deception strategies and resources. I propose a framework for more targeted deception strategies to counter reconnaissance, based on developing more detailed Bayesian models of attacker reconnaissance and belief formation.

My proposed approach has three main components. First, I focus on the problem of detecting reconnaissance activities. I discuss difficulties in detection and introduce new techniques to improve the feasibility of detecting specific types of reconnaissance. Second, I address network traffic analysis and propose new methods for identifying the specific features of network traffic that are most useful for attackers in predicting specific network characteristics. I analyze how adversaries interpret and infer information from the collected features and propose a specific process to construct detailed Bayesian belief networks to model how attackers form specific beliefs based on available network observations. I demonstrate this approach on a case study using real network traffic data. Finally, I show how these models can be used to improve defense, specifically optimizing feature deception strategies that select specific targeted features and values for cyber deception. I propose a methodology using Bayesian Multinomial Logistic Regression (BMLR) and optimize feature deception for specific cases, and show an initial evaluation based on a case study using feature deception to mask operating system types.

The key findings of this study are multifaceted. First, the study observed a significant decline in the F1-score for identifying various operating systems such as Linux, Mac, Windows 10, and Windows Vista when these systems were mimicked to appear as different operating systems. The F1-scores dropped below 0.2, indicating a substantial impact of feature changes on operating system identification. This decline validates the algorithm's effectiveness in influencing and altering the perceived identity of different operating systems through targeted feature manipulation. Moreover, the time efficiency of the algorithm was assessed by measuring the time required to identify and modify feature values to achieve deception for larger datasets. The results underscore the computational efficiency of the deception algorithm in processing substantial data volumes. However, for extremely large datasets, the study suggests that there might be a need for more advanced and efficient processing techniques to maintain the algorithm's performance and effectiveness. This analysis demonstrates the algorithm's robust capability to effectively modify system appearances, making it a powerful tool in cyber defense strategies.

Language

en

Provenance

Received from ProQuest

File Size

142 p.

File Format

application/pdf

Rights Holder

Nazia Sharmin

Download

Share

COinS