A Cognitive and Concurrent Cyber Kill Chain Model

  • Muhammad Salman KhanEmail author
  • Sana Siddiqui
  • Ken Ferens


A cyber kill chain is a traditional model to analyze cyber security threats, whether there is a malware inside a computer system, covert and illegitimate channels found on a network, or an insider threat. This model has been used by cyber security professionals extensively, however, has found little attention in the academic domain. Further, with the evolution of the threat landscape into more advanced and persistent threats, this model has been challenged due to its weakness to incorporate advanced threats that are able to change their signatures, behaviors and can hide inside a computing node and remain undetected by masquerading their true nature. This chapter describes the traditional kill chain model in detail; discusses weaknesses of this model; proposes a new kill chain analytical model that supports concurrent analysis of threat stages, as opposed to sequential analysis of the existing kill chain model; and explains how the new model mimics the human mental process of threat analysis with examples. The proposed cyber kill chain model strengthens the analysis model of cyber security experts and enriches cyber professionals’ understanding of threats and attacks holistically.


Cyber kill chain Cognitive cyber security Advanced persistent threats (APT) Intrusion Computer security Cognitive analysis Malware Malicious activity Threat intelligence 


  1. 1.
    Hutchins, E., Cloppert, M., & Amin, R. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. In Proceedings of leading issues in information warfare and security research.Google Scholar
  2. 2.
    NTT Group Security. (2016). 2016 NTT Group–Global threat intelligence report (Online). Available: https://www.nttgroupsecurity.comGoogle Scholar
  3. 3.
    Achleitner, S., Porta, T. L., McDaniel, P., Sugrim, S., Krishnamurthy, S. V., & Chadha, R. (2016, October). Cyber deception: Virtual networks to defend insider reconnaissance. In Proceedings of the 8th ACM CCS international workshop on managing insider security threats.Google Scholar
  4. 4.
    PhishMe. (2016, June 4). Q1 2016 sees 93% of phishing emails contain ransomware (Online). Available:
  5. 5.
    Cobb, S., & Lee, A. (2014, October). Malware is called malicious for a reason: The risks of weaponizing code. In Proceedings of 6th IEEE international conference on cyber conflict (CyCon 2014).Google Scholar
  6. 6.
    Harbison, C. (2016, March 29). New ransomware installers can infect computers without users clicking anything, say researchers. iDigitalTimes (Online). Available:
  7. 7.
    Brandt, A. (2016, April 25). Android Towelroot Exploit used to deliver “Dogspectus” ransomware (Online). Available:
  8. 8.
    Rivlin, A., Mehra, D., Uyeno, H., & Pidathala, V. (2016, June). System and method of detecting delivery of malware using cross-customer data. U.S. Patent US9363280-B1, 7.Google Scholar
  9. 9.
    Mansoori, M., Hirose, Y., Welch, I., & Choo, K.-K. R. (2016, March). Empirical analysis of impact of HTTP referer on malicious website behaviour and delivery. In Proceedings of IEEE 30th international conference on advanced information networking and applications (AINA).Google Scholar
  10. 10.
    Taylor, T., Xin, H., Wang, T., Jang, J., Stoecklin, M. P., Monrose, F., & Sailer, R. (2016, March). Detecting malicious exploit kits using tree-based similarity searches. In Proceedings of the 6th ACM conference on data and application security and privacy (CODASPY).Google Scholar
  11. 11.
    Sood, A. K., & Enbody, R. J. (2011). Malvertising–exploiting web advertising. Computer Fraud and Security, 2011(4), 11–16.CrossRefGoogle Scholar
  12. 12.
    Sanzgiri, A., & Dasgupta, D. (2016). Classification of insider threat detection techniques. In Proceedings of the 11th annual cyber and information security research conference.Google Scholar
  13. 13.
    Fang, Y., & Tung, Y.-Y. (2014, January). Patcher: An online service for detecting, viewing and patching web. In Proceedings of IEEE 47th Hawaii international conference on system science.Google Scholar
  14. 14.
    Salas, M. I. P., & Martins, E. (2015). A black-box approach to detect vulnerabilities in web services using penetration testing. IEEE Latin America Transactions, 13(3), 707–712.CrossRefGoogle Scholar
  15. 15.
    University of Maryland. (2015, October 28). Researchers find vulnerabilities in use of certificates for web security: Study finds website admins not revoking certificates, browsers not checking certificate revocation status (Online). Available:
  16. 16.
    Kwon, B. J., Srinivas, V., Deshpande, A., & Dumitras, T. (2017, November). Catching worms, Trojan horses and PUPs: Unsupervised detection of silent delivery campaigns. In Proceedings of network and distributed system security symposium.Google Scholar
  17. 17.
    Taylor, T., Snow, K. Z., Otterness, N., & Monrose, F. (2016, February). Cache, trigger, impersonate: Enabling context-sensitive honeyclient analysis on-the-wire. In Proceedings of network and distributed system security symposium (NDSS).Google Scholar
  18. 18.
    Jin, X., Xunchao, H., Ying, K., Wenliang, D., & Yin, H. (2014, November). Code injection attacks on HTML5-based mobile Apps: Characterization, detection and mitigation. In Proceedings of the 2014 ACM SIGSAC conference on computer and communications security.Google Scholar
  19. 19.
    Stringhini, G., Hohlfeld, O., Kruegel, C., & Vigna, G. (2014, June). The Harvester, the Botmaster, and the Spammer: On the relations between the different actors in the spam landscape. In Proceedings of the 9th ACM symposium on information, computer and communications security.Google Scholar
  20. 20.
    Khan, M. S., Ferens, K., & Kinsner, W. (2015). Multifractal singularity spectrum for cognitive cyber defence in internet time series. International Journal of Software Science and Computational Intelligence, 7(3), 17–45.CrossRefGoogle Scholar
  21. 21.
    Yadav, T., & Mallari, R. A. (2016, June). Technical aspects of cyber kill chain. In Proceedings of international symposium on security in computing and communication.Google Scholar
  22. 22.
    NIST. National Vulnerability Database, DHS/NCCIC/US-CERT (Online). Available: Accessed 29 December 2016.
  23. 23.
    Cabaj, K., & Mazurczyk, W. (2016). Using software-defined networking for ransomware mitigation: The case of CryptoWall. IEEE Network, 30(6), 14–20.CrossRefGoogle Scholar
  24. 24.
    Na, S., Kim, T., & Kim, H. (2016, November). A study on the classification of common vulnerabilities and exposures using Naive Bayes. In Proceedings of the international conference on broadband and wireless computing, communication and applications.Google Scholar
  25. 25.
    Zhang, N., Yuan, K., Naveed, M., Zhou, X., & Wang, X. (2015, May). Leave me alone: App-level protection against runtime information gathering on android. In Proceedings of 2015 IEEE symposium on security and privacy.Google Scholar
  26. 26.
    Muthuramalingam, S., Thangavel, M., & Sridhar, S. (2016). A review on digital sphere threats and vulnerabilities. Combating Security Breaches and Criminal Activity in the Digital Sphere, 1(21).Google Scholar
  27. 27.
    Durumeric, Z., Kasten, J., Adrian, D., Halderman, A. J., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., & Paxson, V. (2014, November). The matter of Heartbleed. In Proceedings of the 2014 conference on internet measurement conference.Google Scholar
  28. 28.
    Lee, R. P., Markantonakis, K., & Akram, R. N. (2016, May). Binding hardware and software to prevent firmware modification and device counterfeiting. In Proceedings of the 2nd ACM international workshop on cyber-physical system security.Google Scholar
  29. 29.
    Novotny, M. (2016, June). Cryptanalytical attacks on cyber-physical systems. In Proceedings of 5th IEEE mediterranean conference on embedded computing (MECO).Google Scholar
  30. 30.
    Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., & Wagner, D. (2016, June). Smart locks: Lessons for securing commodity internet of things devices. In Proceedings of the 11th ACM on Asia conference on computer and communications security.Google Scholar
  31. 31.
    Xue, Y. L. (2014, March). Systems and methods for pre-installation detection of malware on mobile devices. Patent US9256738-B2.Google Scholar
  32. 32.
    Fraley, J. B., & Cannady, J. (2016, October). Enhanced detection of advanced malicious software. In Proceedings of IEEE annual conference on ubiquitous computing, electronics and mobile communication conference (UEMCON).Google Scholar
  33. 33.
    Alert Logic. (2016, December 30). The cyber kill chain: Understanding advanced persistent threats (Online). Available:
  34. 34.
    Payet, L. (2014, February 9). Hearthstone add-ons, cheating tools come with data-stealing malware. Symantec Corporation (Online). Available:
  35. 35.
    Khan, M. S., Ferens, K., & Kinsner, W. (2015, July). A cognitive multifractal approach to characterize complexity of non-stationary and malicious DNS data traffic using adaptive sliding window. In Proceedings of IEEE 14th international conference on cognitive informatics and cognitive computing (ICCI*CC).Google Scholar
  36. 36.
    Goel, V., & Perlroth, N. (2016, December). Yahoo says 1 billion user accounts were hacked (Online). Available:
  37. 37.
    Siddiqui, S., Khan, M. S., Ferens, K., & Kinsner, W. (2016). Detecting advanced persistent threats using fractal dimension based machine learning classification. In Proceedings of the 2016 ACM on international workshop on security and privacy analytics.Google Scholar
  38. 38.
    Ussath, M., Jaeger, D., Cheng, F., & Meinel, C. (2016, March). Advanced persistent threats: Behind the scenes. In Proceedings of IEEE 2016 annual conference on information science and systems (CISS).Google Scholar
  39. 39.
    Dell Secureworks. (2014). Understand the threat (Online). Available:
  40. 40.
    Greene, T. (2016, August). Why the ‘cyber kill chain’ needs an upgrade (Online). Available:
  41. 41.
    Laliberte, M. (2016, September). A new take on the cyber kill chain (Online). Available:
  42. 42.
    Happa, J., & Fairclough, G. (2016). A model to facilitate discussions about cyber attacks. In M. Taddeo & L. Glorioso (Eds.), Ethics and policies for cyber operations (Vol. 124, pp. 169–185).Google Scholar
  43. 43.
    Grahn, K., Westerlund, M., & Pulkkis, G. (2017). Analytics for network security: A survey and taxonomy. In I. M. Alsmadi, G. Karabatis, & A. Aleroud (Eds.), Information fusion for cyber-security analytics (Vol. 691, pp. 175–193). New York: Springer International Publishing.Google Scholar
  44. 44.
    Jasper, S. E. (2016, November). U.S. cyber threat intelligence sharing frameworks. International Journal of Intelligence and CounterIntelligence, 30, 53–65.CrossRefGoogle Scholar
  45. 45.
    Rashid, F. Y. (2016, November). How IBM’s Watson will change cybersecurity (Online). Available:
  46. 46.
    Wang, Y., Widrow, B., Zadeh, L. A., Howard, N., Wood, S., Bhavsar, V. C., Budin, G., Chan, C., Fiorini, R. A., Gavrilova, M. L., & Shell, D. F. (2016). Cognitive intelligence: Deep learning, thinking, and reasoning by brain-inspired systems. International Journal of Cognitive Informatics and Natural Intelligence (IJCINI), 10(4), 1–20.CrossRefGoogle Scholar
  47. 47.
    Thuraisingham, B., Kantarcioglu, M., Hamlen, K., Khan, L., Finin, T., Joshi, A., Oates, T., & Bertino, E. (2016, July). A data driven approach for the science of cyber security: Challenges and directions. In Proceedings of IEEE 17th international conference on information reuse and integration.Google Scholar
  48. 48.
    Ruefle, R., Dorofee, A., & Mundie, D. (2014). Computer security incident response team development and evolution. IEEE Security and Privacy, 12(5), 16–26.CrossRefGoogle Scholar
  49. 49.
    Sivaprasad, A., & Jangale, S. (2012, March). A complete study on tools and techniques for digital forensic analysis. In Proceedings of 2012 IEEE international conference on computing, electronics and electrical technologies (ICCEET).Google Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Muhammad Salman Khan
    • 1
    Email author
  • Sana Siddiqui
    • 1
  • Ken Ferens
    • 1
  1. 1.Electrical and Computer EngineeringUniversity of ManitobaWinnipegCanada

Personalised recommendations