cyber security

Optimization Algorithms for Cyber Security

My first foray into cyber security was a study of how to control virus outbreaks within a network. There has been a considerable amount of work done on how contagion spreads through a network; however, there has been much less work on how to design control strategies based on a network’s topology.

Botnet Detection Using Graph-Based Feature Clustering

Detecting botnets in a network is crucial because bots impact numerous areas such as cyber security, finance, health care, law enforcement, and more. Botnets are becoming more sophisticated and dangerous day by day, and most of the existing rule-based and flow-based detection methods may not be capable of detecting bot activities in an efficient and effective manner. Hence, designing a robust and fast botnet detection method is of high significance. In this study, we propose a novel botnet detection methodology based on topological features of nodes within a graph: in-degree, out-degree, in-degree weight, out-degree weight, clustering coefficient, node betweenness, and eigenvector centrality. A self-organizing map clustering method is applied to establish clusters of nodes in the network based on these features. Our method is capable of isolating bots in clusters of small sizes while containing the majority of normal nodes in the same big cluster. Thus, bots can be detected by searching a limited number of nodes. A filtering procedure is also developed to further enhance the algorithm efficiency by removing inactive nodes from consideration. The methodology is verified using the CTU-13 datasets, and benchmarked against a classification-based detection method. The results show that our proposed method can efficiently detect the bots despite their varying behaviors.
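The feature-extraction and filtering stages described above, as an added example that is not the paper's code: it builds a directed weighted communication graph from constructed flow records, computes in/out degree, in/out weight, local clustering coefficient and eigenvector centrality per node, and drops low-activity nodes before the (omitted) self-organizing map stage. Betweenness is left out for length; the flow records, host addresses and the `min_degree` filter threshold are assumptions.

```python
from collections import defaultdict

# Constructed NetFlow-style sample (src, dst, bytes): three hosts all talk to 10.0.0.9.
FLOWS = [("10.0.0.1", "10.0.0.9", 500), ("10.0.0.2", "10.0.0.9", 500),
         ("10.0.0.3", "10.0.0.9", 500), ("10.0.0.9", "10.0.0.1", 100),
         ("10.0.0.9", "10.0.0.2", 100), ("10.0.0.9", "10.0.0.3", 100),
         ("10.0.0.4", "10.0.0.5", 1200), ("10.0.0.5", "10.0.0.4", 800),
         ("10.0.0.5", "10.0.0.6", 300), ("10.0.0.6", "10.0.0.4", 200)]

def build_graph(flows):
    """Directed weighted graph: out-edges and in-edges per node, bytes summed."""
    out_e, in_e = defaultdict(dict), defaultdict(dict)
    for s, d, w in flows:
        out_e[s][d] = out_e[s].get(d, 0) + w
        in_e[d][s] = in_e[d].get(s, 0) + w
    return set(out_e) | set(in_e), out_e, in_e

def clustering_coefficient(node, out_e, in_e):
    """Local clustering coefficient on the undirected view of the graph."""
    nbrs = (set(out_e[node]) | set(in_e[node])) - {node}
    k = len(nbrs)
    if k < 2:
        return 0.0
    links = sum(1 for a in nbrs for b in nbrs if a < b and (b in out_e[a] or a in out_e[b]))
    return 2.0 * links / (k * (k - 1))

def eigenvector_centrality(nodes, in_e, iters=100):
    """Power iteration on (I + A) over in-links; +I keeps bipartite parts from oscillating."""
    c = {n: 1.0 for n in nodes}
    for _ in range(iters):
        new = {n: c[n] + sum(c[s] for s in in_e[n]) for n in nodes}
        top = max(new.values())
        c = {n: v / top for n, v in new.items()}
    return c

def node_features(flows, min_degree=1):
    """Per-node feature vectors; nodes with fewer than min_degree peers are dropped as inactive."""
    nodes, out_e, in_e = build_graph(flows)
    ec = eigenvector_centrality(nodes, in_e)
    feats = {}
    for n in nodes:
        in_deg, out_deg = len(in_e[n]), len(out_e[n])
        if in_deg + out_deg < min_degree:  # the filtering step (threshold is an assumption)
            continue
        feats[n] = {"in_degree": in_deg, "out_degree": out_deg,
                    "in_weight": sum(in_e[n].values()), "out_weight": sum(out_e[n].values()),
                    "clustering": clustering_coefficient(n, out_e, in_e),
                    "eigenvector": round(ec[n], 4)}
    return feats
```

The hub node 10.0.0.9 ends up with the highest degree and centrality but a zero clustering coefficient, which is the kind of feature profile the clustering stage separates from ordinary peer-to-peer traffic.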

Jamming Attacks on Wireless Networks: A Taxonomic Survey

Defense against jamming attacks has been an increasing concern for the military and disaster response authorities. The military uses jamming attacks as a tool to attack and disrupt terrorists’ communications, because the open nature of wireless networks makes them vulnerable to various attacks. Many studies and a few survey papers are available in the literature, but none of these papers classify the attacks or the defense strategies by the type of wireless network affected, the attacker’s or defender’s perspective, the type of game used to model the problem, such as a Bayesian game or a Stackelberg game, or the type of solution methodology, such as a mathematical programming model or an algorithm. This paper provides a comprehensive survey and a taxonomic classification to help interested researchers find the gaps in the literature and guide them to research areas that need to be explored.

Interdicting Attack Graphs to Protect Organizations from Cyber Attacks: A Bi-Level Attacker-Defender Model

Today’s organizations are inherently open and connected, sharing knowledge and ideas in order to remain innovative. As a result, these organizations are also more vulnerable to information theft through different forms of security breaches caused by hackers and competitors. One way of understanding the vulnerability of an information system is to build and analyze the attack graph of that system. The attack graph of an information system contains all the paths that can be used to penetrate the system in order to breach critical assets. Although existing literature provides an abundance of attack graph generation algorithms, more methods are required to help analyze the attack graphs. In this paper, we study how best to deploy security countermeasures to protect an organization by analyzing the vulnerability of the organization through the use of its attack graph. In particular, we present an approach to find an optimal affordable subset of arcs, called an interdiction plan, on an attack graph that should be protected from attack to minimize the loss due to security breaches. We formulate this problem as a bi-level mixed-integer linear program and develop an exact algorithm to solve it. Experiments show that the algorithm is able to solve relatively large problems. Two heuristic methods, one with and one without a heuristic for the master problem, both limiting the master-problem branch-and-bound tree to a single node, solve the large problems remarkably well. Experiments also reveal that the quality of an interdiction plan is relatively insensitive to the error in the estimate of the attacker’s budget, and that the breach loss drops sharply at the beginning, then levels off before finally dropping sharply again as the security budget increases.
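The bi-level attacker-defender model above, as an added example that is not the paper's algorithm: the lower level computes the attacker's best response (largest loss reachable within the attacker's budget while avoiding interdicted arcs), and the upper level picks the affordable interdiction plan that minimizes that best response. Brute-force enumeration stands in for the paper's exact MILP method; the attack graph, arc costs and asset losses are constructed.

```python
from itertools import combinations

# Constructed attack graph: arc -> (attacker cost to traverse, defender cost to interdict).
ARCS = {("start", "web"): (1, 4), ("web", "app"): (2, 2), ("start", "vpn"): (2, 3),
        ("vpn", "app"): (1, 1), ("app", "db"): (2, 3), ("web", "files"): (2, 1)}
LOSS = {"db": 100, "files": 40}  # breach loss if the attacker reaches the asset

def best_attack(arcs, interdicted, attacker_budget, source="start"):
    """Lower level: the attacker's largest reachable loss over simple paths whose total
    traversal cost fits the attacker budget and that avoid interdicted arcs."""
    worst = 0
    stack = [(source, 0, frozenset([source]))]
    while stack:
        node, spent, seen = stack.pop()
        worst = max(worst, LOSS.get(node, 0))
        for (u, v), (acost, _) in arcs.items():
            if u != node or (u, v) in interdicted or v in seen:
                continue
            if spent + acost <= attacker_budget:
                stack.append((v, spent + acost, seen | {v}))
    return worst

def optimal_interdiction(arcs, defender_budget, attacker_budget):
    """Upper level: enumerate every affordable interdiction plan and keep the one that
    minimizes the attacker's best response (brute force, fine for a toy graph)."""
    best_plan, best_loss = frozenset(), best_attack(arcs, frozenset(), attacker_budget)
    arc_list = list(arcs)
    for k in range(1, len(arc_list) + 1):
        for plan in combinations(arc_list, k):
            if sum(arcs[a][1] for a in plan) > defender_budget:
                continue
            loss = best_attack(arcs, frozenset(plan), attacker_budget)
            if loss < best_loss:
                best_plan, best_loss = frozenset(plan), loss
    return best_plan, best_loss
```

Raising the defender budget from 3 to 4 lets the plan cover the second asset as well, which is the kind of budget-versus-loss curve the abstract describes.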

Models for Removing Links in a Network to Minimize the Spread of Infections

Minimizing the spread of infections is a challenging problem, and it is the subject matter of many different fields such as epidemiology and cyber security. In this paper, we investigate link removal as an intervention strategy and study the relative effectiveness of different link removal methods in minimizing the spread of infections in a network. With that in mind, we develop four connectivity-based network interdiction models and formulate these models as mixed integer linear programs. The first model minimizes the number of connections between infected and susceptible nodes; the second the number of susceptible nodes having one or more connections with infected nodes; the third the total number of paths between infected and susceptible nodes; and the fourth the total weight of the paths between infected and susceptible nodes. We also propose heuristic algorithms to solve the models. The network interdiction models act as link removal methods, i.e., each returns a solution consisting of a set of links to remove from the network. We compare the effectiveness of these four methods with the effectiveness of an existing link removal method, a method based on link betweenness centrality, and a random link removal method. Our results show that complete isolation of susceptible nodes from infected nodes is the most effective method in reducing the average number of new infections (reduce occurrence) under most scenarios, and the relative effectiveness of the complete isolation method increases with transmission probability. In contrast, removing the highest probability transmission paths is the most effective method in increasing the average time to infect half of the susceptible nodes (reduce speed) under most scenarios, and the relative effectiveness of this method decreases with transmission probability.
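The first three link removal objectives above, as an added example that is not the paper's code: each objective is scored on a constructed contact graph, and a greedy heuristic (an assumption, not the paper's heuristic) removes, one link at a time, the link whose removal lowers the chosen objective most. Paths for the third objective are counted as simple paths that leave the infected set once and continue through susceptible nodes only.

```python
# Constructed undirected contact graph; nodes a and b are initially infected.
EDGES = [("a", "c"), ("a", "d"), ("b", "d"), ("b", "e"), ("c", "f"),
         ("d", "f"), ("e", "g"), ("f", "h"), ("g", "h")]
INFECTED = {"a", "b"}

def cut_links(edges, infected):
    """Model 1 objective: links joining an infected node to a susceptible one."""
    return sum(1 for u, v in edges if (u in infected) != (v in infected))

def exposed_nodes(edges, infected):
    """Model 2 objective: susceptible nodes with at least one infected neighbour."""
    exposed = set()
    for u, v in edges:
        if (u in infected) != (v in infected):
            exposed.add(v if u in infected else u)
    return len(exposed)

def infected_to_susceptible_paths(edges, infected):
    """Model 3 objective: simple paths from an infected node into susceptible territory,
    counted by a DFS that never re-enters the infected set."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    def walk(node, seen):
        # every susceptible node reached along a distinct simple path counts once
        total = 0
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in infected:
                total += 1 + walk(nxt, seen | {nxt})
        return total
    return sum(walk(i, set(infected)) for i in infected)

def greedy_removal(edges, infected, budget, objective):
    """Heuristic (assumed): drop, budget times, the link whose removal lowers the objective most."""
    remaining, removed = list(edges), []
    for _ in range(budget):
        without = lambda e: [x for x in remaining if x != e]
        best = min(remaining, key=lambda e: objective(without(e), infected))
        remaining = without(best)
        removed.append(best)
    return removed, remaining
```

With a budget of two links, model 1 and model 2 already choose different links: model 1 cuts any two infected-susceptible links, while model 2 prefers the two links that fully isolate nodes c and e.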