Attack Projection

  • Shanchieh Jay Yang
  • Haitao Du
  • Jared Holsopple
  • Moises Sudit
Part of the Advances in Information Security book series (ADIS, volume 62)


Having dedicated the previous chapter to the second level of SA, we now proceed to the third level. The highest level of SA—projection—involves envisioning how the current situation may evolve into a future situation and anticipating the future elements of that situation. In the context of CSA, the projection of future cyber attacks, or of future phases of an ongoing cyber attack, is particularly important. Attacks often unfold over a long time and involve a multitude of reconnaissance, exploitation, and obfuscation activities aimed at cyber espionage or sabotage. The anticipation of future attack actions is generally derived from the malicious activities observed so far. This chapter reviews the existing state-of-the-art techniques for network attack projection, and then explains how estimates of ongoing attack strategies can be used to predict likely upcoming threats to the critical assets of the network.


Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Shanchieh Jay Yang (1)
  • Haitao Du (1)
  • Jared Holsopple (2)
  • Moises Sudit (2)

  1. Department of Computer Engineering, NetIP Lab, Rochester Institute of Technology, NY, USA
  2. Center for Multisource Information Fusion, University of Buffalo, Buffalo, USA