One significant drawback to currently available security products is their inability to correlate diverse sensor input. For
instance, by only using network intrusion detection data, a rootkit installed through a weak username-password combination
may go unnoticed. Similarly, an administrator may never make the link between deteriorating response times from the
database server and an attacker exfiltrating trusted data, if these facts aren't presented together.
Current Security Information Management Systems (SIMS) can collect and represent diverse data but lack sufficient
correlation algorithms. By using a Process Query System, we were able to quickly bring together data flowing from many
sources, including NIDS, HIDS, server logs, CPU load and memory usage, etc. We constructed PQS models that describe
dynamic behavior of complicated attacks and failures, allowing us to detect and differentiate simultaneous sophisticated
attacks on a target network.
In this paper, we discuss the benefits of implementing such a multistage cyber attack detection system using PQS. We
focus on how data from multiple sources can be combined and used to detect and track comprehensive network security
events that go unnoticed using conventional tools.
Within an organization, the possibility of a confidential information leak ranks among the highest fears of any executive. Detecting information leaks is a challenging problem, since most organizations depend on a broad and diverse communications network. It is not always straightforward to conclude which information is leaving the organization legitimately, and which communications are malicious data exfiltrations. Sometimes it is not even possible to tell that a communication is occurring at all. The set of all possible exfiltration methods contains, at a minimum, the set of all possible information communication methods, and possibly more. This article cannot possibly cover all such methods; however, several notable examples are given, and a taxonomy of data exfiltration is developed. Such a taxonomy cannot ever be exhaustive, but at the very least can offer a framework for organizing methods and developing defenses.
Hidden Discrete Event Systems Models (HDESM) are discrete event dynamical system models whose underlying internal state spaces are not directly observable. Observations on such systems are artifacts of the hidden, internal states and are not deterministically or uniquely associated with the hidden states. The distribution of an observation of a HDESM is typically given by a probability distribution conditioned on the hidden state of the system. Classical linear systems, Hidden Markov Models (HMM) and certain types of Petri Net models are examples of HDESMs.
A major challenge in working with this type of model is the
estimation of an HDESM's hidden states based on a sequence of
observations. In some cases, well-known algorithms can be used to
solve this problem. In many cases of practical interest, however,
the complexity of those algorithms is too high to be practical.
New ideas and algorithms are therefore needed for effective
solutions to the state estimation problem.
In this paper we will investigate sub-classes of HDESMs whose
structure would allow efficient state estimation algorithms to
exist. Such structures could be related to the sparsity and/or
equivalence class structure of transition dynamics within the
underlying discrete event system. Efficient algorithms that
compute approximate solutions will be investigated with the goal
of understanding the trade-offs between computational efficiency
and estimation accuracy. Ideas on how to implement such trade-offs
are also proposed.
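As an added illustration of the state-estimation problem above (example code written for this page, not from the paper), the following is a Viterbi decoder for a small hidden-state model of a multistage attack, where the transition structure is stored sparsely so each recursion step visits only non-zero edges rather than all state pairs. The states, sensor symbols and probabilities are constructed for the example and are not fitted to real data.

```python
import math

# Constructed model: hidden attack stages observed only through sensor symbols
# (NIDS scan alert, HIDS auth failure, database latency, egress volume).
# Sparse transitions stored as {src: {dst: prob}}; impossible moves are absent.
TRANS = {
    "normal":  {"normal": 0.90, "recon": 0.10},
    "recon":   {"recon": 0.60, "exploit": 0.30, "normal": 0.10},
    "exploit": {"exploit": 0.50, "exfil": 0.40, "normal": 0.10},
    "exfil":   {"exfil": 0.70, "normal": 0.30},
}
# Observation likelihoods conditioned on the hidden state (illustrative values).
EMIT = {
    "normal":  {"quiet": 0.85, "port_scan": 0.05, "auth_fail": 0.05, "db_slow": 0.04, "big_upload": 0.01},
    "recon":   {"quiet": 0.20, "port_scan": 0.60, "auth_fail": 0.15, "db_slow": 0.04, "big_upload": 0.01},
    "exploit": {"quiet": 0.20, "port_scan": 0.05, "auth_fail": 0.60, "db_slow": 0.10, "big_upload": 0.05},
    "exfil":   {"quiet": 0.10, "port_scan": 0.02, "auth_fail": 0.03, "db_slow": 0.40, "big_upload": 0.45},
}
START = {"normal": 1.0}  # assume the system starts in the benign state

def _log(p):
    return math.log(p) if p > 0 else float("-inf")  # log 0 -> -inf, never a crash

def predecessors(trans):
    """Invert the sparse map to {dst: {src: prob}} for the recursion step."""
    pred = {s: {} for s in trans}
    for src, row in trans.items():
        for dst, p in row.items():
            pred[dst][src] = p
    return pred

def viterbi(observations, trans=TRANS, emit=EMIT, start=START):
    """Most likely hidden-state path (Viterbi); each step visits only the
    non-zero transition edges instead of all |S|^2 state pairs."""
    pred, back = predecessors(trans), []
    delta = {s: _log(start.get(s, 0.0)) + _log(emit[s].get(observations[0], 0.0)) for s in trans}
    for o in observations[1:]:
        new_delta, ptr = {}, {}
        for s in trans:
            src, score = max(((u, delta[u] + _log(p)) for u, p in pred[s].items()), key=lambda t: t[1])
            new_delta[s] = score + _log(emit[s].get(o, 0.0))
            ptr[s] = src
        delta, back = new_delta, back + [ptr]
    path = [max(delta, key=delta.get)]
    for ptr in reversed(back):  # follow back-pointers from the best final state
        path.append(ptr[path[-1]])
    return path[::-1]

def edge_counts(trans=TRANS):
    return sum(len(row) for row in trans.values()), len(trans) ** 2  # (sparse, dense) per step
```

A sensor sequence of a scan, then authentication failures, then database slowness and a large outbound transfer decodes to the stage path normal, recon, exploit, exfil, exfil, while an all-quiet sequence stays in normal; `edge_counts()` shows the per-step work drops from 16 dense pairs to 10 non-zero edges for this model.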