Quantifying Covertness in Deceptive Cyber Operations
- 1.5k Downloads
A deception is often enabled by cloaking or disguising the true intent and corresponding actions of the perpetrating actor. In cyber deception, the degree to which actions are disguised or cloaked is typically called “covertness.” In this chapter, we describe a novel approach to quantifying cyber covertness, a specific attribute of malware relative to specific alert logic that the defender uses. We propose that the covertness of an offensive cyber operation in an adversarial environment is derived from the probability that the operation is detected by the defender. We show that this quantitative concept can be computed using Covertness Block Diagrams that are related to classical reliability block diagrams used for years in the reliability engineering community. This requires methods for modeling the malware and target network defenses that allow us to calculate a quantitative measure of covertness which is interpreted as the probability of detection. Called the Covertness Score, this measure can be used by attackers to design a stealthier method of completing their mission as well as by defenders to understand the detection limitations of their defenses before they are exploited.
KeywordsNetwork Traffic Intrusion Detection System Security Information Management Network Intrusion Detection System Reliability Block Diagram
This work was partially supported by Air Force Research Laboratory (AFRL) Contract FA8750-13-1-0070. The opinions expressed in this article belong solely to the article’s authors and do not reflect any opinion, policy statement, recommendation or position, expressed or implied, of the U.S. Department of Defense.
The authors thank the anonymous reviewers and the book editors for suggestions that significantly improved this chapter.
- 1.US Army. Joint technical coordinating group for munitions effectiveness program office.Google Scholar
- 2.David D Lynch and Institution of Electrical Engineers. Introduction to RF stealth. Scitech, 2004.Google Scholar
- 3.Dave MacEslin. Methodology for Determining EW JMEM. TECH TALK, page 32, 2006.Google Scholar
- 4.George Cybenko and Jason Syverson. Quantitative foundations for information operations, 2007.Google Scholar
- 5.David E. Sanger. Syria War Stirs New U.S. Debate on Cyberattacks. http://www.nytimes.com/2014/02/25/world/middleeast/obama-worried-about-effects-of-waging-cyberwar-in-syria.html, Feb 2014. Accessed: 2015-11-11.
- 6.US Department of Defense. The Department of Defense Cyber Strategy, 2015.Google Scholar
- 7.Mark A Gallagher and Michael Horta. Cyber Joint Munitions Effectiveness Manual (JMEM). M& SJ, 8:5e14, 2013.Google Scholar
- 8.US Army. Joint Publication 3–13: Information Operations, Nov 2014.Google Scholar
- 9.Molly B. Walker. New DoD program office to create cyber equivalent of the Joint Munitions Effectiveness Manual. http://www.fiercegovernmentit.com/story/new-dod-program-office-create-cyber-equivalent-joint-munitions-effectivenes/2015-10-14, Oct 2015. Accessed: 2015-11-20.
- 10.http://www.iseclab.org/projects/ttanalyze/. TTAnalyze: A tool for analyzing malware, 2015.
- 11.Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In USENIX security symposium, pages 351–366, 2009.Google Scholar
- 12.Daniel Bilar et al. Statistical structures: Fingerprinting malware for classification and analysis. Proceedings of Black Hat Federal 2006, 2006.Google Scholar
- 13.Marko Čepin. Reliability block diagram. In Assessment of Power System Reliability, pages 119–123. Springer, 2011.Google Scholar
- 15.http://www8.hp.com/us/en/software-solutions/siem-security-information-eventmanagement/. HP ArcSight ESM, 2015.
- 16.http://www.splunk.com/. Splunk Operational Intelligence Platform, 2015.
- 17.http://www.flowtraq.com/. FlowTraq Network Security, Monitoring, Analysis, and Forensics, 2015.
- 18.http://www.snort.com/. Snort Intrusion Prevention System, 2015.
- 19.http://www.mcafee.com/us/. McAfee Intel Security Suite, 2015.
- 20.http://www.tripwire.com/. Tripwire Advanced Cyber Threat Detection, 2015.
- 21.HP Enterprise Security. HP ArcSight ESM: powered by CORR-Engine, September 2012.Google Scholar
- 22.Sandeep Yadav, Ashwath Kumar Krishna Reddy, a.L. Narasimha Reddy, and Supranamaya Ranjan. Detecting algorithmically generated malicious domain names. Proceedings of the 10th annual conference on Internet measurement - IMC ’10, page 48, 2010.Google Scholar
- 23.Open Malware. http://openmalware.org, 2014.
- 24.VirusShare. http://virusshare.com, 2014.
- 25.The VirusWatch Archives. http://lists.clean-mx.com/pipermail/viruswatch/, 2014.
- 26.Cuckoo Sandbox. http://www.cuckoosandbox.org/, 2014.
- 27.Microsoft Developer Network. http://msdn.microsoft.com/en-us/library/, 2014.
- 28.Nicole Perlroth. Intelligence Start-Up Goes Behind Enemy Lines to Get Ahead of Hackers. www.nytimes.com/2015/09/14/technology/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hackers.html, Sep 2015. Accessed: 2015-11-11.
- 29.Ben Elgin, Dune Lawrence, and Michael Riley. Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data. http://www.bloomberg.com/bw/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data, Feb 2014. Accessed: 2015-11-11.
- 30.Elizabeth R DeLong, David M DeLong, and Daniel L Clarke-Pearson. Comparing the areas under two or more correlated receiver operating characteristic curves: a nonparametric approach. Biometrics, pages 837–845, 1988.Google Scholar
- 31.Michael O Ball. Computational complexity of network reliability analysis: An overview. Reliability, IEEE Transactions on, 35(3):230–239, 1986.Google Scholar
- 32.Thomas M Cover and Joy A Thomas. Elements of information theory. John Wiley & Sons, 2012.Google Scholar