cs.CR, Sep 5, 2018

Probabilistic Modeling and Inference for Obfuscated Cyber Attack Sequences

arXiv:1809.01562v1, 1 citation
Originality: Incremental advance
AI Analysis

The paper addresses the challenge of effective network defense against obfuscated attacks; it is rated an incremental advance because it builds on existing probabilistic modeling approaches rather than introducing a new modeling paradigm.

The paper tackles the problem of recognizing cyber attacks when the observed action sequences are obfuscated. It develops probabilistic models and polynomial-time algorithms that approximate Expected Classification Accuracy (ECA) with theoretical bounds, and its simulations quantify how alteration, insertion and removal of attack actions degrade ECA.

A key element in defending computer networks is recognizing the type of cyber attack from the observed malicious activities. Obfuscation of what could have been observed of an attack sequence may lead to misinterpretation of its effect and intent, leading to ineffective defense or recovery deployments. This work develops probabilistic graphical models that generalize several obfuscation techniques and enable analysis of the Expected Classification Accuracy (ECA) that results from these obfuscations on various attack models. Determining the ECA is an NP-hard problem because of the combinatorial number of possible observation sequences. This paper presents several polynomial-time algorithms that find theoretically bounded approximations of ECA under different attack obfuscation models. Comprehensive simulation shows the impact on ECA of alteration, insertion and removal of attack actions, with increasing observation length, level of obfuscation and model complexity.
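The abstract names the three ingredients without showing them: attack models that generate action sequences, obfuscation operators (alteration, insertion, removal) applied to what the defender observes, and ECA, whose exact value needs a sum over every possible observation sequence. The following Python is an added illustration, not code from the paper. It assumes, purely for demonstration, two constructed attacker profiles modeled as first-order Markov chains over four actions, a uniform prior over profiles, and a defender that classifies by maximum likelihood while unaware of the obfuscation. Under those assumptions it computes ECA exactly by enumeration (cost |ACTIONS|^length, the combinatorial blow-up the abstract refers to), estimates it by Monte Carlo, and shows how each obfuscation operator lowers it.

```python
import itertools
import random

# Constructed example: four attack actions and two hypothetical attacker
# profiles, each a first-order Markov chain (initial distribution, transition
# matrix) over those actions. Rows sum to 1 and have full support, so every
# observed sequence has nonzero probability under every model.
ACTIONS = ["scan", "exploit", "escalate", "exfil"]
MODELS = {
    "smash_and_grab": (
        [0.70, 0.20, 0.05, 0.05],
        [
            [0.10, 0.70, 0.10, 0.10],  # after scan
            [0.05, 0.10, 0.15, 0.70],  # after exploit
            [0.05, 0.10, 0.15, 0.70],  # after escalate
            [0.40, 0.30, 0.10, 0.20],  # after exfil
        ],
    ),
    "low_and_slow": (
        [0.85, 0.05, 0.05, 0.05],
        [
            [0.60, 0.25, 0.10, 0.05],  # after scan
            [0.30, 0.10, 0.50, 0.10],  # after exploit
            [0.40, 0.10, 0.30, 0.20],  # after escalate
            [0.70, 0.10, 0.10, 0.10],  # after exfil
        ],
    ),
}
IDX = {a: i for i, a in enumerate(ACTIONS)}


def seq_prob(seq, model):
    """P(seq | model) for a first-order Markov chain; an empty trace has P = 1."""
    init, trans = model
    if not seq:
        return 1.0
    p = init[IDX[seq[0]]]
    for prev, cur in zip(seq, seq[1:]):
        p *= trans[IDX[prev]][IDX[cur]]
    return p


def classify(seq):
    """Maximum-likelihood model, i.e. Bayes-optimal under a uniform prior.
    Ties (e.g. an empty trace) resolve to the first model listed."""
    return max(MODELS, key=lambda name: seq_prob(seq, MODELS[name]))


def exact_eca(length):
    """Exact ECA of the ML classifier on unobfuscated sequences of this length.
    Enumerates all |ACTIONS|**length sequences: exponential in length."""
    total = 0.0
    for seq in itertools.product(ACTIONS, repeat=length):
        total += max(seq_prob(seq, m) for m in MODELS.values())
    return total / len(MODELS)


def sample_sequence(model, length, rng):
    init, trans = model
    seq = [rng.choices(ACTIONS, weights=init)[0]]
    while len(seq) < length:
        seq.append(rng.choices(ACTIONS, weights=trans[IDX[seq[-1]]])[0])
    return seq


def obfuscate(seq, rng, p_alter=0.0, p_insert=0.0, p_remove=0.0):
    """Per action: remove it with p_remove, else alter it to a different action
    with p_alter; then with p_insert append a random extra action after it.
    Assumes p_remove + p_alter <= 1. The defender never sees the original."""
    out = []
    for action in seq:
        r = rng.random()
        if r < p_remove:
            continue
        if r < p_remove + p_alter:
            action = rng.choice([a for a in ACTIONS if a != action])
        out.append(action)
        if rng.random() < p_insert:
            out.append(rng.choice(ACTIONS))
    return out


def monte_carlo_eca(length, trials, seed=0, **obf):
    """Polynomial-cost estimate of ECA: sample a true model, generate and
    obfuscate a sequence, and score the obfuscation-unaware classifier."""
    rng = random.Random(seed)
    names = list(MODELS)
    correct = 0
    for _ in range(trials):
        truth = rng.choice(names)
        observed = obfuscate(sample_sequence(MODELS[truth], length, rng), rng, **obf)
        correct += classify(observed) == truth
    return correct / trials


if __name__ == "__main__":
    for length in (1, 2, 4, 6, 8):
        print(f"len={length}  exact ECA={exact_eca(length):.3f}  "
              f"MC clean={monte_carlo_eca(length, 4000, seed=1):.3f}  "
              f"alter 0.3={monte_carlo_eca(length, 4000, seed=1, p_alter=0.3):.3f}  "
              f"insert 0.3={monte_carlo_eca(length, 4000, seed=1, p_insert=0.3):.3f}  "
              f"remove 0.3={monte_carlo_eca(length, 4000, seed=1, p_remove=0.3):.3f}")
```

Two things the table makes visible that the abstract only states: the exact ECA is non-decreasing in observation length (more actions can only help a Bayes-optimal classifier), and every obfuscation operator pulls the obfuscation-unaware classifier back toward chance, with alteration hurting most because it corrupts both transitions around each altered action. Note that `exact_eca` already takes 4^8 = 65536 sequence evaluations at length 8; real attack alphabets and lengths are exactly why the paper resorts to bounded polynomial-time approximations.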
