Affiliations: Arizona State University, Tempe, Arizona, USA
Note: Corresponding author: Nong Ye, Professor of Industrial
Engineering and affiliated Professor of Computer Science and Engineering,
Arizona State University, Information and Systems Assurance Laboratory, Box
875906, Tempe, Arizona 85287-5906, USA. Tel.: +1 480 965 7812; Fax: +1 480 965
8692; E-mail: [email protected]
Abstract: Existing techniques for cyber attack detection rely mainly on
activity data from computers and networks. Little consideration has been given
to the other kinds of data that appear in the cause-effect chains of attacks.
Adding state and performance data may reveal which elements of computers and
networks are affected by a cyber attack, thus providing a more accurate and
complete picture of the attack. This paper presents a System-Fault-Risk (SFR)
framework that defines the elements involved in the cause-effect chain of an
attack. The SFR framework combines system modeling, fault modeling, and risk
assessment methods. It is employed to analyze known cyber attacks and to derive
profiles that define the activity, state and performance data in their
cause-effect chains, the features of those data, and the characteristics of
those features that enable attack detection. The profiles derived from
specific attacks are generalized and compared with those reported in other
studies to illustrate a set of novel data, features and characteristics.