Abstract
A deception is often enabled by cloaking or disguising the true intent and corresponding actions of the perpetrating actor. In cyber deception, the degree to which actions are disguised or cloaked is typically called “covertness.” In this chapter, we describe a novel approach to quantifying cyber covertness, a specific attribute of malware relative to specific alert logic that the defender uses. We propose that the covertness of an offensive cyber operation in an adversarial environment is derived from the probability that the operation is detected by the defender. We show that this quantitative concept can be computed using Covertness Block Diagrams that are related to classical reliability block diagrams used for years in the reliability engineering community. This requires methods for modeling the malware and target network defenses that allow us to calculate a quantitative measure of covertness which is interpreted as the probability of detection. Called the Covertness Score, this measure can be used by attackers to design a stealthier method of completing their mission as well as by defenders to understand the detection limitations of their defenses before they are exploited.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
such as www.4shared.com.
References
US Army. Joint technical coordinating group for munitions effectiveness program office.
David D Lynch and Institution of Electrical Engineers. Introduction to RF stealth. Scitech, 2004.
Dave MacEslin. Methodology for Determining EW JMEM. TECH TALK, page 32, 2006.
George Cybenko and Jason Syverson. Quantitative foundations for information operations, 2007.
David E. Sanger. Syria War Stirs New U.S. Debate on Cyberattacks. http://www.nytimes.com/2014/02/25/world/middleeast/obama-worried-about-effects-of-waging-cyberwar-in-syria.html, Feb 2014. Accessed: 2015-11-11.
US Department of Defense. The Department of Defense Cyber Strategy, 2015.
Mark A Gallagher and Michael Horta. Cyber Joint Munitions Effectiveness Manual (JMEM). M& SJ, 8:5e14, 2013.
US Army. Joint Publication 3–13: Information Operations, Nov 2014.
Molly B. Walker. New DoD program office to create cyber equivalent of the Joint Munitions Effectiveness Manual. http://www.fiercegovernmentit.com/story/new-dod-program-office-create-cyber-equivalent-joint-munitions-effectivenes/2015-10-14, Oct 2015. Accessed: 2015-11-20.
http://www.iseclab.org/projects/ttanalyze/. TTAnalyze: A tool for analyzing malware, 2015.
Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In USENIX security symposium, pages 351–366, 2009.
Daniel Bilar et al. Statistical structures: Fingerprinting malware for classification and analysis. Proceedings of Black Hat Federal 2006, 2006.
Marko Čepin. Reliability block diagram. In Assessment of Power System Reliability, pages 119–123. Springer, 2011.
RG Bennetts. Analysis of reliability block diagrams by boolean techniques. Reliability, IEEE Transactions on, 31(2):159–166, 1982.
http://www8.hp.com/us/en/software-solutions/siem-security-information-eventmanagement/. HP ArcSight ESM, 2015.
http://www.splunk.com/. Splunk Operational Intelligence Platform, 2015.
http://www.flowtraq.com/. FlowTraq Network Security, Monitoring, Analysis, and Forensics, 2015.
http://www.snort.com/. Snort Intrusion Prevention System, 2015.
http://www.mcafee.com/us/. McAfee Intel Security Suite, 2015.
http://www.tripwire.com/. Tripwire Advanced Cyber Threat Detection, 2015.
HP Enterprise Security. HP ArcSight ESM: powered by CORR-Engine, September 2012.
Sandeep Yadav, Ashwath Kumar Krishna Reddy, a.L. Narasimha Reddy, and Supranamaya Ranjan. Detecting algorithmically generated malicious domain names. Proceedings of the 10th annual conference on Internet measurement - IMC ’10, page 48, 2010.
Open Malware. http://openmalware.org, 2014.
VirusShare. http://virusshare.com, 2014.
The VirusWatch Archives. http://lists.clean-mx.com/pipermail/viruswatch/, 2014.
Cuckoo Sandbox. http://www.cuckoosandbox.org/, 2014.
Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/, 2014.
Nicole Perlroth. Intelligence Start-Up Goes Behind Enemy Lines to Get Ahead of Hackers. www.nytimes.com/2015/09/14/technology/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hackers.html, Sep 2015. Accessed: 2015-11-11.
Ben Elgin, Dune Lawrence, and Michael Riley. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data. http://www.bloomberg.com/bw/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data, Feb 2014. Accessed: 2015-11-11.
Elizabeth R DeLong, David M DeLong, and Daniel L Clarke-Pearson. Comparing the areas under two or more correlated receiver operating characteristic curves: a nonparametric approach. Biometrics, pages 837–845, 1988.
Michael O Ball. Computational complexity of network reliability analysis: An overview. Reliability, IEEE Transactions on, 35(3):230–239, 1986.
Thomas M Cover and Joy A Thomas. Elements of information theory. John Wiley & Sons, 2012.
Acknowledgements
This work was partially supported by Air Force Research Laboratory (AFRL) Contract FA8750-13-1-0070. The opinions expressed in this article belong solely to the article’s authors and do not reflect any opinion, policy statement, recommendation or position, expressed or implied, of the U.S. Department of Defense.
The authors thank the anonymous reviewers and the book editors for suggestions that significantly improved this chapter.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Cybenko, G., Stocco, G., Sweeney, P. (2016). Quantifying Covertness in Deceptive Cyber Operations. In: Jajodia, S., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-319-32699-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-32699-3_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32697-9
Online ISBN: 978-3-319-32699-3
eBook Packages: Computer ScienceComputer Science (R0)