Showing papers by "Charles A. Kamhoua published in 2023"

Adversarial Technique Validation & Defense Selection Using Attack Graph & ATT&CK Matrix

Abstract: Today cyber adversaries utilize advanced techniques to victimize target assets. To tackle the adversaries, it is of utmost importance to understand potential techniques they may use to exploit network vulnerabilities. Attack graph has always been a crucial tool for network vulnerability analysis. However, the current state-of-the-art attack graph can not predict adversarial techniques. To overcome the gap, we utilize the MITRE ATT&CK matrix in this work and map the techniques with the attack graph node descriptions. We first formulate a comprehensive dataset from ATT&CK consisting of all the adversarial strategies, subtechniques, associated tactics, and mitigation for the enterprise network. We then capture the attack graph node descriptions and apply the term frequency-inverse document frequency (TF-IDF) algorithm to map the attack techniques with the available node descriptions. Next, we generate the cosine similarity to determine an adversary’s top methods to attack a network. We then map those techniques with the associated tactics and mitigation strategies as enumerated in the ATT&CK matrix. Finally, we illustrate the analysis using a networked system’s attack graph. This proposed method would help identify and validate adversarial techniques and guide in selecting mitigation mechanisms for security enhancement.

Optimal Decoy Resource Allocation for Proactive Defense in Probabilistic Attack Graphs

Abstract: This paper investigates the problem of synthesizing proactive defense systems in which the defender can allocate deceptive targets and modify the cost of actions for the attacker who aims to compromise security assets in this system. We model the interaction of the attacker and the system using a formal security model -- a probabilistic attack graph. By allocating fake targets/decoys, the defender aims to distract the attacker from compromising true targets. By increasing the cost of some attack actions, the defender aims to discourage the attacker from committing to certain policies and thereby improve the defense. To optimize the defense given limited decoy resources and operational constraints, we formulate the synthesis problem as a bi-level optimization problem, while the defender designs the system, in anticipation of the attacker's best response given that the attacker has disinformation about the system due to the use of deception. Though the general formulation with bi-level optimization is NP-hard, we show that under certain assumptions, the problem can be transformed into a constrained optimization problem. We proposed an algorithm to approximately solve this constrained optimization problem using a novel incentive-design method for projected gradient ascent. We demonstrate the effectiveness of the proposed method using extensive numerical experiments.

IoTFlowGenerator: Crafting Synthetic IoT Device Traffic Flows for Cyber Deception

Abstract: Over the years, honeypots emerged as an important security tool to understand attacker intent and deceive attackers to spend time and resources. Recently, honeypots are being deployed for Internet of things (IoT) devices to lure attackers, and learn their behavior. However, most of the existing IoT honeypots, even the high interaction ones, are easily detected by an attacker who can observe honeypot traffic due to lack of real network traffic originating from the honeypot. This implies that, to build better honeypots and enhance cyber deception capabilities, IoT honeypots need to generate realistic network traffic flows. To achieve this goal, we propose a novel deep learning based approach for generating traffic flows that mimic real network traffic due to user and IoT device interactions.A key technical challenge that our approach overcomes is scarcity of device-specific IoT traffic data to effectively train a generator.We address this challenge by leveraging a core generative adversarial learning algorithm for sequences along with domain specific knowledge common to IoT devices.Through an extensive experimental evaluation with 18 IoT devices, we demonstrate that the proposed synthetic IoT traffic generation tool significantly outperforms state of the art sequence and packet generators in remaining indistinguishable from real traffic even to an adaptive attacker.

Optimizing Sensor Allocation against Attackers with Uncertain Intentions: A Worst-Case Regret Minimization Approach

Abstract: This paper is concerned with the optimal allocation of detection resources (sensors) to mitigate multi-stage attacks, in the presence of the defender's uncertainty in the attacker's intention. We model the attack planning problem using a Markov decision process and characterize the uncertainty in the attacker's intention using a finite set of reward functions -- each reward represents a type of the attacker. Based on this modeling framework, we employ the paradigm of the worst-case absolute regret minimization from robust game theory and develop mixed-integer linear program (MILP) formulations for solving the worst-case regret minimizing sensor allocation strategies for two classes of attack-defend interactions: one where the defender and attacker engage in a zero-sum game, and another where they engage in a non-zero-sum game. We demonstrate the effectiveness of our framework using a stochastic gridworld example.

AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices

Abstract: The proliferation of the Internet of Things (IoT) has raised concerns about the security of connected devices. There is a need to develop suitable and cost-efficient methods to identify vulnerabilities in IoT devices in order to address them before attackers seize opportunities to compromise them. The deception technique is a prominent approach to improving the security posture of IoT systems. Honeypot is a popular deception technique that mimics interaction in real fashion and encourages unauthorised users (attackers) to launch attacks. Due to the large number and the heterogeneity of IoT devices, manually crafting the low and high-interaction honeypots is not affordable. This has forced researchers to seek innovative ways to build honeypots for IoT devices. In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network.

Game and Prospect Theoretic Hardware Trojan Testing

Abstract: In this paper, we address the problem of hardware Trojan testing with the buyer of an Integrated Circuit (IC), who is referred to as the defender, and the malicious manufacturer of the IC, who is referred to as the attacker, strategically acting against each other. Our developed model accounts for both imperfections in the testing process as well as costs incurred for performing testing. First, we analytically characterize Nash Equilibrium (NE) strategies for Trojan insertion and testing from the attacker's and the defender's perspectives, respectively, considering them to be fully rational in nature. Further, we also characterize NE-based Trojan insertion-testing strategies considering the attacker and the defender to have cognitive biases which make them exhibit irrationalities in their behaviors. Numerous simulation results are presented throughout the paper to provide important insights.