CYBERATTACK DETECTION & MITIGATION:
A GOAL-ORIENTED AND PATTERN-BASED APPROACH
by
Sang-woo Moon
APPROVED BY SUPERVISORY COMMITTEE:
Lawrence Chung, Chair
Vincent Ng
Lingming Zhang
Copyright © 2017
Sang-woo Moon
All rights reserved
For all who believe in the journey of education
CYBERATTACK DETECTION & MITIGATION:
A GOAL-ORIENTED AND PATTERN-BASED APPROACH
by
SANG-WOO MOON, BS
THESIS
Presented to the Faculty of
The University of Texas at Dallas
in Partial Fulfillment
of the Requirements
for the Degree of
MASTER OF SCIENCE IN
COMPUTER SCIENCE
THE UNIVERSITY OF TEXAS AT DALLAS
May 2017
ACKNOWLEDGMENTS
I thank all who made this humble journey a worthwhile adventure. I set a foot in the field
of research thanks to my supervisor, Dr. Lawrence Chung. I extend my sincere thanks to
my supervisory committee members, Dr. Vincent Ng and Dr. Lingming Zhang. Also, I
appreciate my seniors in our lab, Dr. Thomas L. Hill, Eunjung Park, Sungsoo An and Haan-mo
Johng, and I appreciate my friends, Gon-soo Moon, Kwang hoon An and Jun-jae Lee. I
also thank the Korea Army and Korea Military Academy for their financial support/grant.
Needless to say, my foremost appreciation goes to my parents, my sister and my brother for
their support and endless love.
April 2017
CYBERATTACK DETECTION & MITIGATION:
A GOAL-ORIENTED AND PATTERN-BASED APPROACH
Sang-woo Moon, MSCS
The University of Texas at Dallas, 2017
Supervising Professor: Lawrence Chung, Chair
Concerns for computer-related security seem real and are increasingly becoming important
just about everywhere. In particular, cyberattack — not necessarily attack through a physical
means — has been drawing serious attention from the media, government, academia, etc.
However, detecting some suspicious behavior of computer-related systems as a phenomenon
of a cyberattack has been challenging. Detection helps but should be followed by some actions
towards rectifying any undesirable behavior. A complete set of actions that can absolutely
eliminate all the undesirable behaviors seems extremely difficult, if not impossible. In this
thesis, we propose a goal-oriented and pattern-based approach to detecting and mitigating
cyber attacks. Using a pattern-based approach, knowledge and experience about similar
cyber attacks are categorized into different classes of patterns, which essentially consist of a
set of conditions for determining if a suspicious incident belongs to a particular cyber attack
pattern class and a set of actions for mitigating the cyber attack incident. Using a goal-
oriented approach, together with case-based reasoning, options are explored for detecting
and mitigating cyber attacks, tradeoffs among the options are analyzed, and selections are made.
In this thesis, one application is studied for illustrating, as well as for demonstrating the
potential benefits of, our approach. The application has to do with cyber attacks from North
Korea to South Korea. We feel our studies show the potential benefits for our approach — for
more precisely characterizing a cyber attack (more finer-grained) and taking more surgical
mitigating actions.
TABLE OF CONTENTS
ACKNOWLEDGMENTS
ABSTRACT
LIST OF FIGURES
LIST OF TABLES
CHAPTER 1 INTRODUCTION
CHAPTER 2 RELATED WORK
2.1 Cyberattack Classification
2.2 Case-Based Reasoning
2.3 Requirement Engineering
CHAPTER 3 A GOAL-ORIENTED AND PATTERN-BASED APPROACH
3.1 Goals and Problems
3.2 Overall Process
3.3 Preparation: Cyberattack Pattern Classification
3.4 Detection: Pattern Matching
3.5 Mitigation: Rational Mitigating Action Selection
CHAPTER 4 STUDIES: NORTH KOREA CYBERATTACK DETECTION AND MITIGATION
4.1 Preparation Phase
4.2 Detection Phase
4.3 Mitigation Phase
4.4 Observation and Discussion
4.4.1 Observation
4.4.2 Discussion
CHAPTER 5 CONCLUSION
5.1 Contribution
5.2 Future Work
REFERENCES
BIOGRAPHICAL SKETCH
CURRICULUM VITAE
LIST OF FIGURES
1.1 Comparison between medical clinic's diagnosis-treatment and cyberattack detection-mitigation
2.1 AVOIDIT: A Cyber Attack Taxonomy
2.2 Case-Based Intrusion Detection System
2.3 A Visual Meta-Pattern for the Security Mitigation Patterns
3.1 Cyberattack Detection & Mitigation: Overall Process
3.2 Preparation: Cyberattack Pattern Classification
3.3 Example: North Korea Cyberattack Class
3.4 Example: North Korea Cyberattack Case (Lee, Y. (2016, December))
3.5 A Visual Meta-Pattern For Cyberattack Mitigation Pattern
3.6 Detection: Pattern Matching
4.1 Study: North Korea Cyberattack Class
4.2 Study: Probe Class Mitigating Actions
4.3 Study: Military Intranet Accessing Case (Lee, Y. (2016, December))
4.4 Study: F-15 Fighter Jet Blueprints Stealing Case (Cuthbertson, A. (2016, June))
4.5 Study: 3.20. Cyberattack Case (Pearson, M. (2013, March))
4.6 Study: July 2009 Cyberattack Case (Sudworth, J. (2009, July))
4.7 Study: Class Detecting Conditions
4.8 Study: Observation
4.9 Study: Pattern Matching
4.10 Study: Data's Influence Driven Mitigation
4.11 Study: Interact Task Driven Mitigation
LIST OF TABLES
3.1 Detecting Patterns from Figure 3.4
CHAPTER 1
INTRODUCTION
Concerns for computer-related security seem real and are increasingly becoming important
just about everywhere. In particular, cyberattack — not necessarily attack through a physical
means — has been drawing serious attention from the media, government, academia, etc.
As the importance of security increases, cyberattack defense is also studied more. But
attackers (or hackers) keep exploiting physical (for example, human resources and devices) or
non-physical (for example, logical) vulnerabilities by circumventing defensive measures and by
finding new attack techniques. As a result, not only the number of cyberattack attempts but
also the number of "successful" cyberattacks has increased (Ponemon Institute (2016)). As the
famous proverb says, there is no perfect security. Therefore, detecting and mitigating
successful cyberattacks is as important as preventing cyberattacks.
However, detecting some suspicious behavior of computer-related systems as a phenomenon
of a cyberattack has been challenging. Detection helps but should be followed by some actions
towards rectifying any undesirable behavior. A complete set of actions that can absolutely
eliminate all the undesirable behaviors seems extremely difficult, if not impossible.
Now, let us think about medical clinics. When people feel a mysterious pain or a strange
symptom, what should they do? They should go to a doctor, and the doctor will check their
body conditions, for example, blood pressure, heart rate, body temperature, X-ray photographs,
and so on. Based on the observations the doctor has made, and the disease patterns the doctor
built before, the doctor will diagnose the patient. After all, the doctor will say, "The
symptoms are similar to an earlier disease pattern." Finally, based on previous treatments,
the doctor will say what to do. Dealing with a cyberattack is very similar to this process
(see Figure 1.1).
Figure 1.1. Comparison between medical clinic's diagnosis-treatment and cyberattack detection-mitigation
In this thesis, we propose a goal-oriented and pattern-based approach to detecting and
mitigating cyber attacks based on this analogy. Using a pattern-based approach, knowledge
and experience about similar cyber attacks are categorized into different classes of patterns,
which essentially consist of a set of conditions for determining if a suspicious incident belongs
to a particular cyber attack pattern class and a set of actions for mitigating the cyber attack
incident. Using a goal-oriented approach, together with case-based reasoning, options are
explored for detecting and mitigating cyber attacks, tradeoffs among the options are analyzed,
and selections are made.
In this thesis, one application is studied for illustrating, as well as for demonstrating the
potential benefits of, our approach. The application has to do with cyber attacks from North
Korea to South Korea. We feel our studies show the potential benefits for our approach — for
more precisely characterizing a cyber attack (more finer-grained) and taking more surgical
mitigating actions.
CHAPTER 2
RELATED WORK
2.1 Cyberattack Classification
To select effective and surgical mitigating actions against a cyberattack that has occurred,
we need to detect and classify it with certainty and specificity. Consequently, to detect and
classify cyberattacks with certainty and specificity, we need an appropriate method for
modeling cyberattack classes. Existing research suggests a variety of modeling methods for
cyberattack classes. The AVOIDIT taxonomy is one of the latest in this field. It suggests
five features to classify cyberattacks: attack vector (AV), operational impact (OI), defense
(D), informational impact (I) and target (T). Figure 2.1 shows its specific structure and
values. According to Simmons et al. (2009), this taxonomy can classify cyberattacks more
specifically than existing classification models. But it still has limitations in classifying
cyberattacks as specifically as we want. For example, the AVOIDIT taxonomy cannot classify a
cyberattack in terms of the cyberattack's access point or the targeted operational
organization. Existing approaches to classifying cyberattacks, including the AVOIDIT
taxonomy, are limited in the number of characteristics they consider, and hence are rather
coarse-grained. Consequently, it is hard to decide on the most specific mitigation actions.
2.2 Case-Based Reasoning
An intrusion detection system using case-based reasoning is suggested in Esmaili et al. (1996,
December) as the Case-Based Intrusion Detection System (CBIDS). CBIDS is proposed to mitigate
limitations in obtaining and expressing knowledge in existing intrusion detection systems, for
example, rule-based expert intrusion detection systems. The overall structure of CBIDS is
shown in Figure 2.2. The system uses audit records (after an audit translating phase) as input
to the IDS module, and they are classified into similar cases in the case-based reasoning
module. Then actions are taken from the Action table module, based on the similar case. CBIDS
helps find some common elements of general intrusion detection, and general mitigating actions
based on certain cases. But, when CBIDS acquires knowledge (or information) from audit
records, it does not classify a case into a class. It only classifies cases into similar
cases. So, sometimes it is hard to decide adequate mitigation actions for cyberattacks.
Figure 2.1. AVOIDIT: A Cyber Attack Taxonomy
Figure 2.2. Case-Based Intrusion Detection System
2.3 Requirement Engineering
After we detect a cyberattack correctly, certainly, and specifically, some problems still
exist in making cyberattack mitigating actions correctly and broadly, and in selecting
several appropriate, surgical actions among them. The difficulties come from the many
limitations on having enough background knowledge of mitigating actions, especially
regarding a specific application and organization.
One research paper on this difficulty is Supakkul et al. (2009, August). It suggests
"A Visual Meta-Pattern for the Security Mitigation Patterns" (see Figure 2.3). To
make/explore mitigating actions, it captures three kinds of problems: undesirable outcome,
threat, and vulnerability. Alternative mitigating solutions/actions are explored in terms of
each problem. The optional mitigating actions are identified with their relationships to other
non-functional requirements. These requirements are used as criteria when we decide which
selection we take into action. It suggests some appropriate strategies for some general
types of security vulnerability mitigation. But it focuses on proactive/preventive mitigation
patterns for general security vulnerabilities, without concern for reactive/curative
cyberattack mitigation patterns.
Figure 2.3. A Visual Meta-Pattern for the Security Mitigation Patterns
CHAPTER 3
A GOAL-ORIENTED AND PATTERN-BASED APPROACH
3.1 Goals and Problems
There is a variety of research on cyberattack detection and mitigation strategies. But,
as mentioned earlier, existing works each have partial weaknesses. Synthesizing them, we
materialize the problems as follows. During cyberattack detection, existing cyberattack
detection mechanisms are coarse-grained, and even then, it is difficult to find information
about them. As we discussed earlier, former mechanisms, for example, the AVOIDIT cyberattack
taxonomy and the Case-Based Intrusion Detection System, are examples. Consequently, during
cyberattack mitigation, some actions taken by stakeholders can be overly general,
unnecessary, or even harmful. So, we need a better way to more precisely characterize a cyber
attack (more fine-grained) and take more surgical mitigating actions.
3.2 Overall Process
In this paper, to solve the problems mentioned in the previous section, we propose A Goal-
Oriented and Pattern-Based Approach to Detect and Mitigate Cyberattacks. Our methodology
consists of three phases: the preparation, detection and mitigation phases. The preparation
phase is needed to set up the knowledge base of our methodology. When we observe strange
signs, we try to find the suspicious cyberattack during the detection phase. After finding
the suspicious cyberattack, we select appropriate mitigation actions among alternatives. The
overall process is illustrated in Figure 3.1.
Figure 3.1. Cyberattack Detection & Mitigation: Overall Process
First, during the preparation phase, our goal is building cyberattack pattern classes. In this
phase, we construct cyberattack classes by using some domain knowledge (for example, a
general cyberattack taxonomy, suspected attackers, and the field of application). Next, for
each class, we find detecting conditions by classifying, initiating and patterning cyberattack
cases that happened before. And then, for each class, we explore cyberattack mitigating
actions by using a goal-oriented approach. Second, during the detection phase, our goal is
finding the most suspicious cyberattack pattern class. Based on our observation, we find the
most pattern-matched cyberattack class, and we call it the most suspicious cyberattack class.
Third, during the mitigation phase, our goal is selecting the most effective, surgical
mitigating actions for the most suspicious cyberattack pattern class. In a goal-oriented
approach, we need to consider goals. Based on the most suspicious cyberattack class's
mitigating actions, and the goal which the stakeholders pursue, we select more effective and
surgical mitigating actions and put them into action.
3.3 Preparation: Cyberattack Pattern Classification
The goal that we want to achieve during the preparation phase is building cyberattack pattern
classes. After this phase, we will have the cyberattack pattern classes, including detecting
conditions and mitigating actions for each class. The overall process is shown in Figure 3.2.
Figure 3.2. Preparation: Cyberattack Pattern Classification
First, we build cyberattack classes without detecting conditions and mitigating patterns.
Cyberattack pattern classes are classification structures to distinguish cyberattacks. In
very general terms, cyberattacks can be classified based on the latest research like AVOIDIT,
a cyberattack taxonomy (Simmons et al. (2009)). Although this taxonomy classifies cyberattacks
based on diverse characteristics (attack vector, operational impact, defense, informational
impact, and target), it does not reflect the specialities of a specific domain (for example,
characteristics of specific attackers and attacked organizations). And also it is hard to
extend to finer-grained cyberattack classes because it is static. So, to build our
cyberattack class model, we use domain knowledge as much as we want. Figure 3.3 shows one
example of cyberattack classes when we use the characteristics North Korea's Cyberattack,
Physical/Non-physical and Operational Impacts. We can make general classes by using an
existing standard like information impact, and we can also make more "finer-grained" classes
based on the characteristics of the adjusted field.
Figure 3.3. Example: North Korea Cyberattack Class
Next, we find the detecting conditions of each class by using existing cyberattack cases.
Figure 3.4 is one example of a North Korea cyberattack. Actually, in the majority of cases,
the causes of cyberattack cases remain behind a veil until we have spent a lot of time
investigating them. Because it is hard to exploit well-known vulnerabilities by using
well-known skills and techniques, attackers usually use unknown vulnerabilities, skills,
techniques, and so on. Thus, as we can see in the article above, there is little information
about a cyberattack case. Now what we do is find any information from that case and make it
into detecting patterns. In this case, we can find these patterns (see Table 3.1).
Figure 3.4. Example: North Korea Cyberattack Case (Lee, Y. (2016, December))
Table 3.1. Detecting Patterns from Figure 3.4
Pattern              | Value              | Note
Severity             | Unknown            | -
Organization         | Government         | Defense Ministry
Network Type         | Intranet, Internet | -
Date                 | 2017, August       | -
Access Point         | Shenyang, China    | Key operation points for N.Korea hackers
Similar Malware Used | N.Korea            | -
Identified patterns of this case (for example, organization, network type, access point, and
so on) are the detecting conditions of the classified cyberattack pattern class. This case is
classified into <Probe isA Non-physical isA North Korea Cyberattack>, and each value becomes
a detecting condition of this class. In the next step, we make mitigating actions for each
class based on a goal-oriented approach. One important point is that we focus on reactive
mitigating actions, because there is a lot of research focused on preventive actions,
including Supakkul et al. (2009, August). But in the real world, when we detect a cyberattack
which infiltrates through proactive/preventive defenses, we need to focus on reactive/curative
mitigating actions. As a result, since our methodology is focused on mitigating a cyberattack
after detecting it, we suggest A Visual Meta-Pattern for Cyberattack Mitigation Pattern,
which is focused on reactive mitigating actions (see Figure 3.5). Figure 3.5 is derived from
Supakkul et al. (2009, August). We explain Figure 3.5 only briefly; for further study, see
Supakkul et al. (2009, August). Figure 3.5 consists of three parts: a context, a problem,
and its solutions. The cyber security context is located in the outer area (left, right and
top side of the graph). Problems consist of undesirable outcome, threat, and vulnerability.
And there are mitigating actions related to the problems. Each problem/mitigating action has
a contribution to the context. The meaningful difference between our visual meta-pattern and
Supakkul et al. (2009, August)'s visual meta-pattern is the solution part. Unlike the existing
one, our visual meta-pattern is focused on recovery/control/contain/prevent-re-use mitigating
actions against the undesirable outcome, threat and vulnerability. By using a visual
meta-pattern for cyberattack mitigation pattern, we can broadly and deeply explore specific
cyberattack mitigating actions while considering valuable goals.
Figure 3.5. A Visual Meta-Pattern For Cyberattack Mitigation Pattern
3.4 Detection: Pattern Matching
In the detection phase, our goal is finding the most suspicious cyberattack class based on
observations and the detecting conditions of each cyberattack pattern class. We find the most
suspicious cyberattack class by using pattern matching. In other words, we define the most
suspicious cyberattack class as the one whose patterns best match the observations. In this
paper, we suggest one of the simplest ways to do the pattern-matching process. We give each
pattern one of the values <Matched, Similar, Unmatched, No information>. <Matched> means
that in terms of this pattern, the observation and this case totally agree. <Similar> means
that they do not agree but are almost similar, <Unmatched> means that they are totally
different, and <No information> means that one of them has no value for this pattern. First,
we try to find the case which has the highest number of <Matched> patterns. If there are
cases which have the same number, next we search for the case which has the highest number of
<Similar> valued patterns, and if some cases have the same number again, we try to find the
case which has the lowest number of <Unmatched> patterns. If there are the same numbers of
patterns again, we treat them as having the same degree of similarity. For example, in
Figure 3.6, the Probe pattern class has more matched detecting condition patterns than the
DoS pattern class. In this situation, the most suspicious cyberattack class (also known as
the most pattern-matched cyberattack class) is the Probe pattern class.
Figure 3.6. Detection: Pattern Matching
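The ranking rule of Section 3.4 (most Matched, then most Similar, then fewest Unmatched, remaining ties treated as equal) carried through in code, as an added example that is not part of the thesis. The three pattern classes, their detecting conditions and the observation below are constructed for illustration using the pattern names of Table 3.1, and the per-class lists of values treated as "Similar" are an assumption, since the thesis does not define how Similar is judged.

```python
"""Detection phase: rank cyberattack pattern classes by how well their
detecting conditions match an observation (Section 3.4 ranking rule)."""
from enum import Enum


class Match(Enum):
    MATCHED = "Matched"
    SIMILAR = "Similar"
    UNMATCHED = "Unmatched"
    NO_INFO = "No information"


def compare_pattern(condition, observed):
    """Grade one pattern of a class against the observed value.

    A condition is (value, similar_values) or None when the class has no
    value for the pattern. Treating a fixed set of alternative values as
    "Similar" is an assumption made for this example."""
    if condition is None or observed is None:
        return Match.NO_INFO
    value, similar = condition
    if observed == value:
        return Match.MATCHED
    if observed in similar:
        return Match.SIMILAR
    return Match.UNMATCHED


def score_class(conditions, observation):
    """Count Matched/Similar/Unmatched/No information over the union of the
    patterns named by the class and by the observation."""
    counts = {m: 0 for m in Match}
    for pattern in set(conditions) | set(observation):
        grade = compare_pattern(conditions.get(pattern), observation.get(pattern))
        counts[grade] += 1
    return counts


def rank_key(counts):
    """Lexicographic key: most Matched, then most Similar, then fewest Unmatched."""
    return (-counts[Match.MATCHED], -counts[Match.SIMILAR], counts[Match.UNMATCHED])


def rank_classes(classes, observation):
    """Return (groups, scores). groups lists class names from most to least
    suspicious; names sharing one group tie on the ranking key."""
    scores = {name: score_class(conds, observation) for name, conds in classes.items()}
    groups = []
    for name in sorted(scores, key=lambda n: rank_key(scores[n])):
        if groups and rank_key(scores[groups[-1][0]]) == rank_key(scores[name]):
            groups[-1].append(name)
        else:
            groups.append([name])
    return groups, scores


# Constructed classes; the values are illustrative, not the thesis's Figure 4.7.
CLASSES = {
    "Probe": {
        "Severity": None,
        "Organization": ("Government", {"Military"}),
        "Network Type": ("Intranet", {"Intranet, Internet"}),
        "Access Point": ("Shenyang, China", {"China"}),
        "Similar Malware Used": ("N.Korea", set()),
    },
    "DoS": {
        "Severity": ("High", set()),
        "Organization": ("Government", {"Military"}),
        "Network Type": ("Internet", set()),
        "Access Point": None,
        "Similar Malware Used": ("N.Korea", set()),
    },
    "Phishing": {
        "Severity": None,
        "Organization": ("Government", {"Military"}),
        "Network Type": ("Internet", {"Intranet"}),
        "Access Point": None,
        "Similar Malware Used": ("N.Korea", set()),
    },
}

# Constructed observation: "Date" is reported but no class defines it, and
# "Severity" is not observed at all, so both count as No information.
OBSERVATION = {
    "Organization": "Government",
    "Network Type": "Intranet",
    "Access Point": "China",
    "Similar Malware Used": "N.Korea",
    "Date": "2017, August",
}


def most_suspicious(classes=CLASSES, observation=OBSERVATION):
    """Names of the top-ranked class(es); more than one name means a tie."""
    return rank_classes(classes, observation)[0][0]


if __name__ == "__main__":
    groups, scores = rank_classes(CLASSES, OBSERVATION)
    for rank, group in enumerate(groups, 1):
        for name in group:
            c = scores[name]
            print(f"{rank}. {name}: " + ", ".join(f"{m.value}={c[m]}" for m in Match))
```

With this input Probe wins on Matched (3), and Phishing is placed above DoS only by the second criterion, Similar, which is the tie-break the text describes.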
3.5 Mitigation: Rational Mitigating Action Selection
When we reach this phase, we have already detected the most suspicious cyberattack class
based on the cyberattack pattern classes and the observations. In this phase, stakeholders
can prioritize and select cyberattack mitigation actions based on the explored mitigation
actions which were made during the preparation phase for the class detected during the
detection phase. To prioritize, stakeholders should decide which goal they pursue, and based
on that goal, they can check the whole set of explored mitigation actions, compare the
alternatives, and select some of them. We show this process in the study.
CHAPTER 4
STUDIES: NORTH KOREA CYBERATTACK DETECTION AND
MITIGATION
4.1 Preparation Phase
In this chapter, we apply our overall methodology to a specific subject, North Korea
cyberattacks. As we mentioned earlier, our methodology consists of three phases, and starts
with the preparation phase. First, during the preparation phase, we classify cyberattack
patterns with detecting conditions and mitigating actions. First of all, we should make the
cyberattack class. To simplify our work, we use the North Korea cyberattack class as we
mentioned earlier in Section 3.3 (see Figure 4.1).
Figure 4.1. Study: North Korea Cyberattack Class
Next, we make the mitigation pattern by using a visual meta-pattern for cyberattack
mitigation pattern. Figure 4.2 is an example of mitigating actions related to the Probe
class. The Probe cyberattack's undesirable outcome is disclosure of data. The threat behind
this undesirable outcome is a Probe cyberattack on the intranet, and this threat can be
decomposed into malicious use on the intranet and external data transfer from the intranet.
This external data transfer from the intranet exploits a vulnerability like external access
on the intranet.
To control the impact of this undesirable outcome, we can change the data's value to prevent
the attacker from taking additional benefits by using the data. If the influence of the data
is strong, this mitigating action is useful. And to prevent re-use of the vulnerability,
external access on the intranet, we can explore isolation of affected hosts or full
prohibition of external access. The former hurts the influence of data, but it somewhat
helps the importance of the interact task. The latter helps the influence of data, but it
breaks the importance of the interact task.
Figure 4.2. Study: Probe Class Mitigating Actions
Next, we investigate and classify some cyberattack cases. We investigate North Korea's
cyberattack cases (Figure 4.3, Figure 4.4, Figure 4.5, Figure 4.6) based on internet news
articles. Each case is already classified into a cyberattack class, therefore we can find
the detecting conditions of the classes (Figure 4.7) to which those cases belong.
Figure 4.3. Study: Military Intranet Accessing Case (Lee, Y. (2016, December))
Figure 4.4. Study: F-15 Fighter Jet Blueprints Stealing Case (Cuthbertson, A. (2016, June))
Figure 4.5. Study: 3.20. Cyberattack Case (Pearson, M (2013, March))
Figure 4.6. Study: July 2009 Cyberattack Case (Sudworth, J. (2009, July))
Figure 4.7. Study: Class Detecting Conditions
4.2 Detection Phase
As a result of the process so far, we finally have the North Korea cyberattack pattern class
including detecting conditions and mitigating actions. Now, we assume that we observe
strange signs on our system. The assumed observation is Figure 4.8. This observation consists
of detecting patterns: suspect, information impact, severity and so on. During the detection
phase, what we should do with this observation is find the most suspicious cyberattack class.
In this study, we compare the Probe class and the DoS class with the observation. As we can
see in Figure 4.9, the Probe class has six matched conditions, and the DoS class has three
matched conditions. In other words, the Probe class has more detecting conditions matched
with the observation. Consequently, the Probe class is the most pattern-matched, and most
suspicious, cyberattack class based on the observation.
Figure 4.8. Study: Observation
Figure 4.9. Study: Pattern Matching
4.3 Mitigation Phase
Lastly, we need to select appropriate, surgical mitigating actions among the explored
mitigating actions. In this study, during the detection phase, we found that the Probe class
is the most suspicious cyberattack class. Now we demonstrate how to select mitigating actions
based on the Probe class's mitigating actions and the goal which stakeholders pursue.
First, assume that stakeholders pursue the data's influence rather than the importance of the
interact task. Pursuing it means that stakeholders give more value to it than to the other
one. In this case, stakeholders select "change data's value to prevent attacker from taking
additional benefits" and "full prohibition of external access" because they help the data's
influence goal, so this selection satisfies the stakeholders' purpose (see Figure 4.10).
Second, the other way around, if stakeholders pursue the importance of the interact task,
they select the other alternative mitigating action, "isolation of affected hosts", because
the former actions break or hurt this goal, but the latter action helps this goal. We can
check this relationship in Figure 4.11.
Figure 4.10. Study: Data’s Influence Driven Mitigation
Figure 4.11. Study: Interact Task Driven Mitigation
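The goal-driven selection described in Section 3.5 and worked through in Section 4.3, as an added example that is not part of the thesis. The three Probe-class actions, the problem each addresses and their help/hurt/break contributions are taken from the text of Section 4.3; the numeric scale behind those words and the rule of choosing per problem are assumptions made here.

```python
"""Mitigation phase: for each problem in the mitigation pattern, pick the
alternative action(s) that best serve the goal the stakeholders pursue."""

# Assumed numeric scale for the contribution words used in Section 4.3.
CONTRIBUTION = {"help": 2, "some help": 1, "hurt": -1, "break": -2}

# Probe-class mitigating actions from Section 4.3, grouped by the problem each
# one addresses. A goal not listed for an action is treated as neutral (0).
PROBE_ACTIONS = [
    {
        "action": "change data's value to prevent attacker from taking additional benefits",
        "problem": "undesirable outcome: disclosure of data",
        "contribution": {"data's influence": "help"},
    },
    {
        "action": "isolation of affected hosts",
        "problem": "vulnerability: external access on intranet",
        "contribution": {"data's influence": "hurt",
                         "importance of interact task": "some help"},
    },
    {
        "action": "full prohibition of external access",
        "problem": "vulnerability: external access on intranet",
        "contribution": {"data's influence": "help",
                         "importance of interact task": "break"},
    },
]


def action_score(action, goal):
    """Numeric contribution of one action to one goal (0 when not stated)."""
    label = action["contribution"].get(goal)
    return CONTRIBUTION[label] if label is not None else 0


def select_actions(actions, goal):
    """Per problem, keep the alternative(s) with the highest positive
    contribution to the pursued goal. Actions that are neutral, hurt or
    break that goal are rejected. Returns the chosen action names, sorted."""
    best = {}  # problem -> (score, [actions sharing that score])
    for a in actions:
        s = action_score(a, goal)
        if s <= 0:
            continue
        top, chosen = best.get(a["problem"], (0, []))
        if s > top:
            best[a["problem"]] = (s, [a])
        elif s == top:
            chosen.append(a)
    return sorted(a["action"] for _, group in best.values() for a in group)


def tradeoffs(actions, goal):
    """For every action, its score for the pursued goal plus its stated
    effects on every other goal, so the cost of a choice stays visible."""
    report = {}
    for a in actions:
        others = {g: lab for g, lab in a["contribution"].items() if g != goal}
        report[a["action"]] = {"score": action_score(a, goal), "side_effects": others}
    return report


if __name__ == "__main__":
    for goal in ("data's influence", "importance of interact task"):
        print(f"Goal: {goal}")
        effects = tradeoffs(PROBE_ACTIONS, goal)
        for name in select_actions(PROBE_ACTIONS, goal):
            print(f"  select: {name}  side effects: {effects[name]['side_effects']}")
```

Running it reproduces Figures 4.10 and 4.11 in text form: the data's-influence goal selects the change-data-value and full-prohibition actions, while the interact-task goal selects only host isolation.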
4.4 Observation and Discussion
4.4.1 Observation
The two studies show both similarities and differences. The same mechanism is applied to
recognize a set of user observations as an instance of an existing cyber attack pattern class
and then to determine what kind of mitigating actions should be taken.
Due to the differences in the number and nature of detection conditions, including the
specificity, the effort and time taken to detect a cyber attack incident as an instance of a
cyber attack pattern class seem to vary.
Regardless of such differences, however, we feel that our proposed framework helps detect
a suspicious incident as a particular kind of cyber attack and decide what mitigating actions
to take. Our goal-oriented approach helps with exploration of what kinds of cyber attack a
suspicious behavior might be about. Our pattern-based approach helps organize and utilize
knowledge and experience about cyber attack detection and mitigation.
Perhaps most importantly, at least these studies, albeit limited in volume and variety,
show the potential for more precisely characterizing a cyber attack (more finer-grained) and
taking more surgical mitigating actions.
4.4.2 Discussion
We feel there are several fronts of uncertainties with our studies.
Due to the limited number and types of studies we have carried out, how generally and
broadly our proposed framework can help awaits more, and more varied, studies. For one
thing, in addition to some focus on cyber attacks concerning national security, in particular
North Korean cyber attacks, more commercially-oriented cyber attacks would need to be
studied.
Related to the above point, more, and more diversified, cyber attack instances should be
mined, e.g., from literature or newspaper articles, to form classes. Then, classes should
be related, through classification, association, dependency, etc.
For the studies, we took somewhat simplifying cases, where there is an exact match between
the symptoms of an incident that users observe and the characteristics of some pattern class.
This, of course, is likely to be somewhat far-fetched. For example, information about some
detection conditions, which are defined in a cyber attack pattern class, may not be available,
due to various reasons. For another example, a specific user observation may be close to but
not quite the same as what is defined in any cyber attack pattern class. We would need to
define notions of similarity between the symptoms of an incident and the definitions of the
detection conditions. Furthermore, it would also be helpful to bring in the notion of weights
on different detection conditions, since they may have different criticality values.
We also felt that manual detection and mitigation seem time-consuming and difficult.
CHAPTER 5
CONCLUSION
5.1 Contribution
This overall work will help stakeholders detect a suspicious incident as a cyber attack case
based on the pattern-based approach and decide what mitigating action to take based on the
goal-oriented approach. Pattern-based approach helps organize and utilize knowledge and
experience about cyber attack detection and mitigation. Goal-oriented approach helps with
exploration of what kinds of cyber attack a suspicious behavior might be about. Studies
show the potential for more precisely characterizing a cyber attack (more finer-grained) and
taking more surgical mitigating actions.
5.2 Future Work
The accuracy and the possibility of detection depend greatly on the classes and patterns we
made. We know as much as we can see, and we see as much as we know. So, more pattern
classes have to be built and studied. And in this methodology, because different fields
have their own characteristics, more studies in a variety of applications are needed. There
is also a need to decrease the time taken during each phase, and software support tools for
each phase are needed.
REFERENCES
Cuthbertson, A. (2016, June). North Korean hackers steal F-15 fighter jet blueprints. Accessed April 18, 2017. http://www.newsweek.com/north-korean-hackers-steal-f15-fighter-jet-blueprints-470135
Esmaili, M., Balachandran, B., Safavi-Naini, R., and Pieprzyk, J. (1996, December). Case-based reasoning for intrusion detection. Computer Security Applications Conference, 1996, 12th Annual (pp. 214-223). IEEE.
Johng, H. (2016, May). Estimating performance and of cloud-based systems: a model driven, complementary approach.
Lee, Y. (2016, December). N.Korean hackers accessed military intranet. Accessed April 18, 2017. http://english.chosun.com/site/data/htmldir/2016/12/07/2016120701429.html
Pearson, M. (2013, March). Hacking attack on South Korea traced to China, officials say. Accessed April 18, 2017. http://www.cnn.com/2013/03/20/world/asia/south-korea-computer-outage/
Ponemon Institute (2016). 2016 Cost of Cyber Crime Study & the Risk of Business Innovation. Ponemon Institute.
Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., and Wu, Q. (2009). AVOIDIT: A Cyber Attack Taxonomy.
Sudworth, J. (2009, July). New 'cyber attacks' hit S Korea. Accessed April 18, 2017. http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm
Supakkul, S., Hill, T., Chung, L., and Oladimeji, E. A. (2009, August). Goal-oriented security threat mitigation patterns: A case of credit card theft mitigation. Proceedings of the 16th Conference on Pattern Languages of Programs (p. 17). ACM.
BIOGRAPHICAL SKETCH
Sang-woo Moon received his Bachelor of Science and Art of Military degree from Korea
Military Academy at Seoul, South Korea in 2012. He continued his Master’s degree at The
University of Texas at Dallas in 2015. His research interests include Security, Non-Functional
Requirements, and Machine Learning.
CURRICULUM VITAE
Sang-woo Moon
April 21, 2017
Contact Information:
Apt 1026, 800 W. Renner Rd.
Richardson, TX 75080, U.S.A.
Voice: (469) 900-6177
Email: [email protected]
Educational History:
B.S., Computer Science and Military Arts and Science, Korea Military Academy, 2012
Employment History:
Army Officer, Republic of Korea Army, March 2012 – present