Abstract
The cyber terrain contains devices, network services, cyber personas, and other network entities involved in network operations. Designing a method that automatically identifies the network entities that are key to network operations is challenging. However, such a method is essential for determining which cyber assets cyber defense should focus on. In this paper, we propose an approach for classifying IP addresses that belong to cyber key terrain according to their network position, using a PageRank centrality computation adjusted by machine learning. We used hill climbing and random walk algorithms to distinguish PageRank's damping factors based on the source and destination ports captured in IP flows. A one-time learning phase on a static data sample allows near-real-time, stream-based classification of key hosts from IP flow data under operational conditions without maintaining a complete network graph. We evaluated the approach on a dataset from a cyber defense exercise and on data from a campus network. The results show that cyber key terrain identification using the adjusted centrality computation is more precise than the original version.
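To make the abstract's central idea concrete, the following added example (not the authors' code, and not their exact method) runs PageRank over IP flow records with a separate damping factor per port class and tunes those factors by greedy hill climbing against a set of known key hosts. The port classes, the edge-level damping scheme, the objective function, and the flow records are all assumptions constructed for this illustration.

```python
from collections import defaultdict

FLOWS = [  # constructed flow records: (src_ip, dst_ip, src_port, dst_port, packets)
    ("10.0.0.11", "10.0.0.2", 51000, 53, 40), ("10.0.0.12", "10.0.0.2", 51003, 53, 35),
    ("10.0.0.13", "10.0.0.2", 51007, 53, 30), ("10.0.0.11", "10.0.0.3", 51010, 443, 80),
    ("10.0.0.12", "10.0.0.3", 51011, 443, 70), ("10.0.0.3", "10.0.0.4", 43000, 5432, 60),
    ("10.0.0.13", "10.0.0.14", 52000, 52001, 500), ("10.0.0.14", "10.0.0.13", 52001, 52000, 500),
]
KEY_HOSTS = {"10.0.0.2", "10.0.0.3", "10.0.0.4"}  # constructed ground truth: DNS, web, DB
SERVICE_PORTS = {22, 53, 80, 443, 5432}           # assumed port classes for this example

def port_class(dst_port):
    return "service" if dst_port in SERVICE_PORTS else "other"

def port_pagerank(flows, damping, iters=100):
    """PageRank with one damping factor per port class of the edge; rank that is not
    forwarded (all of it for hosts without out-flows) is teleported uniformly."""
    nodes = sorted({ip for f in flows for ip in f[:2]})
    out = defaultdict(lambda: defaultdict(float))  # out[u][(v, class)] = packet weight
    for src, dst, _sp, dp, pkts in flows:
        out[src][(dst, port_class(dp))] += pkts
    n, rank = len(nodes), {v: 1.0 / len(nodes) for v in nodes}
    for _ in range(iters):
        new, teleport = defaultdict(float), 0.0
        for u in nodes:
            edges = out.get(u, {})
            total = sum(edges.values()) or 1.0  # dangling host: nothing to forward
            for (v, cls), w in edges.items():
                new[v] += rank[u] * damping[cls] * w / total
            teleport += rank[u] * (1 - sum(damping[c] * w for (_, c), w in edges.items()) / total)
        rank = {v: new[v] + teleport / n for v in nodes}
    return rank

def top_k(rank, k):
    return {ip for ip, _ in sorted(rank.items(), key=lambda kv: -kv[1])[:k]}

def hill_climb(flows, key_hosts, sweeps=30, delta=0.1):
    """Greedy hill climbing over the per-class damping factors, maximising the rank mass
    that lands on known key hosts; both classes start from the classic value 0.85."""
    damping = {"service": 0.85, "other": 0.85}
    mass = lambda d: sum(port_pagerank(flows, d)[h] for h in key_hosts)
    best = mass(damping)
    for _ in range(sweeps):
        for cls in list(damping):
            for step in (-delta, delta):
                cand = dict(damping)
                cand[cls] = min(0.95, max(0.05, round(cand[cls] + step, 2)))
                if (score := mass(cand)) > best + 1e-12:
                    damping, best = cand, score
    return damping
```

With a single damping factor the chatty peer pair on ephemeral ports outranks the DNS and web servers; after tuning, traffic towards service ports carries rank while ephemeral-port chatter is mostly teleported away, and the three servers rise to the top.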
Acknowledgement
This research was supported by ERDF project “CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence” (No. CZ.02.1.01/0.0/0.0/16_019/0000822).
Copyright information
© 2024 IFIP International Federation for Information Processing
About this paper
Cite this paper
Sadlek, L., Čeleda, P. (2024). Cyber Key Terrain Identification Using Adjusted PageRank Centrality. In: Meyer, N., Grocholewska-Czuryło, A. (eds) ICT Systems Security and Privacy Protection. SEC 2023. IFIP Advances in Information and Communication Technology, vol 679. Springer, Cham. https://doi.org/10.1007/978-3-031-56326-3_21
DOI: https://doi.org/10.1007/978-3-031-56326-3_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56325-6
Online ISBN: 978-3-031-56326-3