Framework to Describe Intentions of a Cyber Attack Action

by   Stephen Moskal, et al.

The techniques and tactics used by cyber adversaries are becoming more sophisticated, ironically, as defense getting stronger and the cost of a breach continuing to rise. Understanding the thought processes and behaviors of adversaries is extremely challenging as high profile or even amateur attackers have no incentive to share the trades associated with their illegal activities. One opportunity to observe the actions the adversaries perform is through the use of Intrusion Detection Systems (IDS) which generate alerts in the event that suspicious behavior was detected. The alerts raised by these systems typically describe the suspicious actions via the form of attack 'signature', which do not necessarily reveal the true intent of the attacker performing the action. Meanwhile, several high level frameworks exist to describe the sequence or chain of action types an adversary might perform. These frameworks, however, do not connect the action types to observables of standard intrusion detection systems, nor describing the plausible intents of the adversarial actions. To address these gaps, this work proposes the Action-Intent Framework (AIF) to complement existing Cyber Attack Kill Chains and Attack Taxonomies. The AIF defines a set of Action-Intent States (AIS) at two levels of description: the Macro-AIS describes 'what' the attacker is trying to achieve and the Micro-AIS describes "how" the intended goal is achieved. A full description of both the Macro is provided along with a set of guiding principals of how the AIS is derived and added to the framework.


Cyberattack Action-Intent-Framework for Mapping Intrusion Observables

The techniques and tactics used by cyber adversaries are becoming more s...

Intrusion Detection for Industrial Control Systems: Evaluation Analysis and Adversarial Attacks

Neural networks are increasingly used in security applications for intru...

Active Deception using Factored Interactive POMDPs to Recognize Cyber Attacker's Intent

This paper presents an intelligent and adaptive agent that employs decep...

Augmenting Zero Trust Architecture to Endpoints Using Blockchain: A Systematic Review

With the purpose of defending against lateral movement in todays borderl...

Probabilistic Modeling and Inference for Obfuscated Cyber Attack Sequences

A key element in defending computer networks is to recognize the types o...

ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships

It is becoming more common that adversary attacks consist of more than a...

REGARD: Rules of EngaGement for Automated cybeR Defense to aid in Intrusion Response

Automated Intelligent Cyberdefense Agents (AICAs) that are part Intrusio...

Please sign up or login with your details

Forgot password? Click here to reset