Azqa Nadeem | Attacker Strategy Discovery

Description:

Practitioners in Security Operations Centers (SOC) struggle to keep up with the dramatic volumes of intrusion alerts. Once a network intrusion is detected, the process to identify and reverse engineer attacker strategies (attack campaigns) is largely manual and time-consuming. While existing alert correlation techniques reduce the volume of alerts to analyze, they do not show attack progression. Meanwhile, traditional attack graphs (AG) show attack progression, but rely heavily on expensive expert knowledge that is not always available, resulting in graphs that only show a static view of the network. Learning attack graphs from data is a longstanding open problemin cybersecurity and formal methods. It is challenging to discover sequential constraints within data while mitigating issues related to a state-space explosion. Existing efforts have so far managed to summarize alert datasets using sequential machine learning without explicitly extracting attack graphs (Nadeem et al., 2023).

This project explores unsupervised sequence learning techniques to construct attack graphs directly from intrusion alerts as a way of bridging the gap between dynamic alert management and static attack graphs (Nadeem et al., 2021). This is a challenging task since intrusion alerts are typically highly imbalanced, and the alerts can appear in different contexts even if they have the same signatures. We aim to develop alert-driven attack graphs that are capable of compressing thousands of alerts, and can enable analysts to triage critical alerts only (Nadeem et al., 2021). We also aim to develop a dashboard for the alert-driven AGs that provides additional prioritization and querying capabilities to security analysts (Nadeem et al., 2022).

Code repo: SAGE

References

AICA

Learning about the adversary

Nadeem, Azqa, Verwer, Sicco, and Yang, Shanchieh J

In Autonomous Intelligent Agents for Cyber Defense, 2023

Abstract PDF

The evolving nature of the tactics, techniques, and procedures used by cyber adversaries have made signature and template based methods of modeling adversary behavior almost infeasible. We are moving into an era of data-driven autonomous cyber defense agents that learn contextually meaningful adversary behaviors from observables. In this chapter, we explore what can be learnt about cyber adversaries from observable data, such as intrusion alerts, network traffic, and threat intelligence feeds. We describe the challenges of building autonomous cyber defense agents, such as learning from noisy observables with no ground truth, and the brittle nature of deep learning based agents that can be easily evaded by adversaries. We illustrate three state-of-the-art autonomous cyber defense agents that model adversary behavior from traffic induced observables without a priori expert knowledge or ground truth labels. We close with recommendations and directions for future work.
TDSC

Alert-driven Attack Graph Generation using S-PDFA

Nadeem, Azqa, Verwer, Sicco, Moskal, Stephen, and Yang, Shanchieh J

In IEEE Transcations on Dependable and Secure Computing, 2021

Abstract PDF Code Slides

Ideal cyber threat intelligence (CTI) includes insights into attacker strategies that are specific to a network under observation. Such CTI currently requires extensive expert input for obtaining, assessing, and correlating system vulnerabilities into a graphical representation, often referred to as an attack graph (AG). Instead of deriving AGs based on system vulnerabilities, this work advocates the direct use of intrusion alerts. We propose SAGE, an explainable sequence learning pipeline that automatically constructs AGs from intrusion alerts without a priori expert knowledge. SAGE exploits the temporal and probabilistic dependence between alerts in a suffix-based probabilistic deterministic finite automaton (S-PDFA) — a model that brings infrequent severe alerts into the spotlight and summarizes paths leading to them. Attack graphs are extracted from the model on a per-victim, per-objective basis. SAGE is thoroughly evaluated on three open-source intrusion alert datasets collected through security testing competitions in order to analyze distributed multi-stage attacks. SAGE compresses over 330k alerts into 93 AGs that show how specific attacks transpired. The AGs are succinct, interpretable, and provide directly relevant insights into strategic differences and fingerprintable paths. They even show that attackers tend to follow shorter paths after they have discovered a longer one in 84.5% of the cases.
CCS

Enabling Visual Analytics via Alert-driven Attack Graphs

Nadeem, Azqa, Verwer, Sicco, Moskal, Stephen, and Yang, Shanchieh J

In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021

Abstract Poster

Attack graphs (AG) are a popular area of research that display all the paths an attacker can exploit to penetrate a network. Existing techniques for AG generation rely heavily on expert input regarding vulnerabilities and network topology. In this work, we advocate the use of AGs that are built directly using the actions observed through intrusion alerts, without prior expert input.We have developed an unsupervised visual analytics system, called SAGE, to learn alert-driven attack graphs.We show how these AGs (i) enable forensic analysis of prior attacks, and (ii) enable proactive defense by providing relevant threat intelligence regarding attacker strategies. We believe that alert-driven AGs can play a key role in AI-enabled cyber threat intelligence as they open up new avenues for attacker strategy analysis whilst reducing analyst workload.
VizSec

Critical Path Exploration Dashboard for Alert-driven Attack Graphs

Nadeem, Azqa, Leal Diaz, Sonia, and Verwer, Sicco

In VizSec, 2022

Poster