Data-Driven Decision Support for Optimizing Cyber Forensic Investigations
IEEE Transactions on Information Forensics and Security (IF 6.8), Pub Date: 2021-01-28, DOI: 10.1109/tifs.2021.3054966
Antonia Nisioti, George Loukas, Aron Laszka, Emmanouil Panaousis

Cyber attacks consisting of several attack actions can present a considerable challenge to forensic investigations. Consider the case where a cybersecurity breach is suspected following the discovery of one attack action, for example by observing the modification of sensitive registry keys, suspicious network traffic patterns, or the abuse of legitimate credentials. At this point, the investigator can have multiple options as to what to check next to discover the rest, and will likely pick one based on experience and training. This will be the case at each new step. We argue that the efficiency of this aspect of the job, which is the selection of what next step to take, can have a significant impact on the overall cost (e.g., the duration) of the investigation and can be improved through the application of constrained optimization techniques. Here, we present DISCLOSE, the first data-driven decision support framework for optimizing forensic investigations of cybersecurity breaches. DISCLOSE benefits from a repository of known adversarial tactics, techniques, and procedures (TTPs), for each of which it harvests threat intelligence information to calculate its probabilistic relations with the rest. These relations, as well as a proximity parameter derived from the projection of quantitative data regarding the adversarial TTPs onto an attack life cycle model, are both used as input to our optimization framework. We show the feasibility of this approach in a case study that consists of 31 adversarial TTPs, data collected from 6 interviews with experienced cybersecurity professionals, and data extracted from the MITRE ATT&CK STIX repository and the Common Vulnerability Scoring System (CVSS).
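The abstract describes three ingredients: probabilistic relations between TTPs, a proximity parameter from an attack life cycle model, and a cost-constrained choice of what to check next. The following toy script is an added illustration of that idea, not DISCLOSE's actual model or data: the TTP labels, stage numbers, costs, relation probabilities and the weighted scoring rule are all constructed for the example.

```python
from itertools import combinations

# Constructed toy data. "stage" is a position on a simplified six-step attack
# life cycle; "cost" is the assumed effort of examining that TTP in an investigation.
TTPS = {
    "initial_access":    {"stage": 1, "cost": 2.0},
    "execution":         {"stage": 2, "cost": 1.0},
    "persistence":       {"stage": 3, "cost": 3.0},
    "credential_access": {"stage": 4, "cost": 2.0},
    "lateral_movement":  {"stage": 5, "cost": 4.0},
    "exfiltration":      {"stage": 6, "cost": 5.0},
}

# Constructed P(other TTP also used | observed TTP). In the paper such relations are
# harvested from threat intelligence; these numbers are made up for the illustration.
RELATIONS = {
    "persistence": {
        "initial_access": 0.9, "execution": 0.8, "credential_access": 0.6,
        "lateral_movement": 0.4, "exfiltration": 0.2,
    },
}

def proximity(a, b, n_stages=6):
    """Closeness of two TTPs on the life cycle, in (0, 1]; adjacent stages score high."""
    return 1.0 - abs(TTPS[a]["stage"] - TTPS[b]["stage"]) / n_stages

def score(observed, candidate, w=0.5):
    """Assumed scoring rule: weighted mix of relation probability and life cycle proximity."""
    return w * RELATIONS[observed][candidate] + (1 - w) * proximity(observed, candidate)

def plan_next_checks(observed, budget):
    """Choose the set of unexamined TTPs with the highest total score whose combined
    cost fits the budget. Exhaustive search is fine for a handful of TTPs; a real
    framework would use a proper constrained optimizer."""
    candidates = [t for t in TTPS if t != observed]
    best, best_score = (), 0.0
    for r in range(1, len(candidates) + 1):
        for subset in combinations(candidates, r):
            if sum(TTPS[t]["cost"] for t in subset) > budget:
                continue
            total = sum(score(observed, t) for t in subset)
            if total > best_score:
                best, best_score = subset, total
    # Return the chosen checks in the order an investigator would take them.
    return sorted(best, key=lambda t: -score(observed, t))

if __name__ == "__main__":
    # Persistence was observed; five units of effort are available for the next step.
    print(plan_next_checks("persistence", budget=5))
```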

Updated: 2021-02-23