A Particle Swarm Model for Agile Cyber Attack Prediction

Dr. Andrew J. C. Blyth, PhD.

ADISA Research Centre (ARC), ADISA, Thrales End Business Centre, Thrales End Lane, Harpenden, AL5 3NS

[email protected]


Table of Contents

1 Introduction
2 Swarm Intelligence
3 Swarm Case Studies for Defence
3.1 Black Core Network Management
3.2 Ad-Hoc Network Discovery
3.3 Swarm Intelligence for Logistics and Production Planning
4 State of the Art in Swarm Intelligence for cyber-defence
5 Cyber-Attack Prediction and Technical Challenge Validation
6 Swarm Models
7 Literature Summary
8 The Formal Particle Swarm Model
9 The Technical Design
10 The Technical Design Outline
11 The Design Walkthrough
11.1 The STIX Vulnerability Object
11.2 The Observed Event/Particle
11.3 The Data Particle
11.4 The Design Walkthrough in Detail
12 The Detailed Technical Design
13 HADOOP, HBASE, JanusGraph and the Enterprise Service Bus
14 Artificial Life Synthetic Engine (ALSE)
14.1 Utility/Force Duality and Option/Particle Duality
14.2 Artificial Life Synthetic Engine (ALSE)
14.3 The update Function
14.4 The filter Function
14.5 The decay Function
14.6 The action Function
14.7 The utility Function
14.8 The maxUtility Function
15 Particle Generator
16 Threat Intelligence Engine (TIE)
16.1 Structured Threat Information Expression
16.2 TAXII
17 Particle Visualisation Engine (PVE)
18 Event Collector Connector
18.1 Event
18.2 IP
18.3 TCP
18.4 HTTP-Request
18.5 UDP
18.6 ICMP
18.7 SYSLOG
18.8 TCPD
18.9 SNORT
18.10 NCSA Common Log Format
18.11 DNS Bind Log Format
18.12 Common Event Format (CEF)
18.13 SSHD
18.14 Windows-Event
18.15 VSFTPD
18.16 Firewall/Router
18.17 FTPD
19 Evaluation Case Study
20 Summary and Conclusions
20.1 Achievements
20.2 Limitations
20.3 Feasibility Assessment
21 Summary and Conclusions
22 References


1 Introduction

The UK National Cyber Security Strategy [1] outlines a growing sophistication in threat adversaries and hence a need to defend UK interests, and deter adversaries, in cyberspace. The ability to protect UK interests in cyberspace (such as CNI) is predicated on the ability to build a more secure internet. At the heart of UK MOD doctrine is the ability to operate in cyberspace for military effect, thus a key objective for the MOD in terms of cyberspace is the ability to Operate and Defend. This objective gives rise to the following requirements:

– To mitigate complex cyber threats. Potential attacks against the MOD networks can originate from external or internal sources. A “Defence in Depth” approach is in place to impede the majority of external threats. However, the fast-paced nature of adversary activity in cyberspace means it is impossible with current technology to monitor against all likely threats in all scenarios.

– Real-time monitoring and active defence of the MOD networks. A “Defend” watch-keeping team maintains continual watch against known cyber threats and is authorised to take defensive action, in real-time, against these threats. However, the changing nature of cyber threats makes it difficult to detect and mitigate the unknown.

– To understand what is legitimate MOD network activity and what is an attack. It is not possible to defend a network adequately unless the defender understands the network topology and “Operate” activity. Whilst modern tools can give both the operator and the defender a good understanding of the topology, the defender can easily misread normal and routine operator/network activity as potential attacks on the network. Therefore there is a need to understand and capture patterns of life so as to understand normal behaviour.

2 Swarm Intelligence

The term Swarm Intelligence was first used in 1989 [67], in the context of the ‘intelligent’ behaviour of cellular robotic systems. Over the following years the term has matured and developed into a distinct research field covering a number of biological and autonomous system areas. The term primarily applies to algorithms for problem-solving and solution optimisation. It also covers the area of emergent behaviour and the creation of super-organisms. Originally Swarm Intelligence drew its inspiration from the behaviour of birds, insects and fish, and their ability to work as a group of agents and behave as super-organisms that exhibit intelligent behaviour. Research has shown that when Swarm Intelligence models are developed that are socially aware and have a basic understanding of their environment they are able to perform difficult tasks without the presence of a centralised authority. Swarm Intelligence algorithms have been successfully applied in areas of network routing and anomaly detection. Research has shown that Swarm Intelligence works on two basic principles [7]: self-organisation and stigmergy.

– Self-Organisation: this is denoted by three parameters: structure, multi-stability and state transitions. Self-Organisation as a fundamental principle within Swarm Intelligence can be understood through four characteristics:

• Positive Feedback;
• Negative Feedback;
• Fluctuations;
• Multiple Interactions.

– Stigmergy: this means stimulation by work. Stigmergy is based on three principles:

• Work as a behavioural response to the environmental state;
• An environment that serves as a work state memory;
• Work that does not depend on specific agents.

Five principles have to be satisfied by a swarm in order for it to be used in any optimisation/prediction problem [9].

– The Proximity Principle: The swarm should be able to do simple space and time computations to understand the conceptualised information more quickly;

– The Quality Principle: The swarm should be able to respond to quality factors in the environment such as the quality of items in the environment;

– The Principle of Diverse Response: The swarm should not allocate all of its resources along excessively narrow channels and it should distribute resources into many nodes;

– The Principle of Stability: The swarm should not change its mode of behaviour upon every fluctuation of the environment;

– The Principle of Adaptability: The swarm must be able to change behaviour mode when the investment in energy is worth the computational price.

The basic model is that each particle in a swarm at each iteration of a clock must calculate a solution over a set of decision variables [15, 71]:

– Ant Colony Optimization (ACO) [10, 70]: Artificial ‘ants’ (e.g. simulation agents) locate optimal solutions by moving through a parameter space representing all possible solutions.

– Artificial Bee Colony (ABC) [12, 68]: An Artificial Bee Colony simulates the behaviour of real bees and contains three groups of bees for solving multimodal optimisation and multidimensional problems [68].

– Bacteria/Cells [32]: Bacteria identify the direction to food based on chemical trails in their environment [32].

– Bat [16]: The Bat algorithm is a meta-heuristic algorithm for global optimisation. It was inspired by the echolocation behaviour of bats, with varying pulse rates of emission and loudness.

– Flock of Birds/Fish [11]: Flocking behaviour can be described as the behaviour exhibited when a group of birds, called a flock, are in flight [11].

– Gravitational Particles [38]: In this swarm model, particles are attracted or repelled from each other based upon Newtonian laws of gravitational force and motion. Each particle in the swarm has a velocity (expressed as a vector) and a mass, and these two parameters are used to calculate the position and direction of the swarm.

– Termite and Wasp [14, 15]: The basic algorithm for termite and wasp intelligence is as follows: each termite or wasp creates a ball from its environment, suffuses the ball with pheromones, and deposits it in the environment. The location at which the ball is deposited is based upon the pheromone traits of other deposited balls within the environment.
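The basic model stated above, in which every particle computes a solution over the decision variables at each clock tick, worked through as an added example. This is a standard global-best Particle Swarm Optimisation written for this page; it is not code from the paper, whose own particle model is defined in later sections. The objective is a constructed quadratic whose minimum is known so that convergence can be checked, and the bounds, coefficient values and names are my assumptions.

```python
"""Minimal global-best Particle Swarm Optimisation (added illustration).

Each particle keeps a position over the decision variables, a velocity and
its personal best. At every clock tick all particles evaluate the objective,
then move toward a blend of their own best and the swarm's best.
"""
import random


def objective(x):
    # Constructed test objective: a bowl whose minimum (value 0) is at (1.0, -2.0).
    return (x[0] - 1.0) ** 2 + (x[1] + 2.0) ** 2


def pso(objective, dim, n_particles=30, iterations=200, bounds=(-5.0, 5.0),
        w=0.729, c1=1.49445, c2=1.49445, seed=1):
    """Return (best_position, best_value) after `iterations` clock ticks."""
    rng = random.Random(seed)
    lo, hi = bounds
    vmax = (hi - lo) / 2.0  # velocity clamp keeps the swarm stable

    # Particle state: position, velocity, personal best position and value.
    pos = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n_particles)]
    vel = [[rng.uniform(-vmax, vmax) for _ in range(dim)] for _ in range(n_particles)]
    pbest = [p[:] for p in pos]
    pbest_val = [objective(p) for p in pos]

    g = min(range(n_particles), key=lambda i: pbest_val[i])
    gbest, gbest_val = pbest[g][:], pbest_val[g]

    for _ in range(iterations):                 # one clock tick of the swarm
        for i in range(n_particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d]
                             + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-vmax, min(vmax, vel[i][d]))
                pos[i][d] = max(lo, min(hi, pos[i][d] + vel[i][d]))
            val = objective(pos[i])             # each particle computes its solution
            if val < pbest_val[i]:
                pbest[i], pbest_val[i] = pos[i][:], val
                if val < gbest_val:
                    gbest, gbest_val = pos[i][:], val
    return gbest, gbest_val


if __name__ == "__main__":
    best, best_val = pso(objective, dim=2)
    print("best position", best, "objective", best_val)
```

The coefficients w, c1 and c2 are the commonly used constriction-style values; the velocity clamp and the position clamp are what keep the swarm inside the search space on harder objectives than this bowl.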

3 Swarm Case Studies for Defence

3.1 Black Core Network Management

The main application of Swarm Intelligence for defence has been in the area of network management. A major challenge when operating a black core network (a fully encrypted end-to-end network) is the delivery of a fixed quality of service (QoS) regime. To address this, Ant-Colony optimisation models have been utilised [105]. The ants function to identify and reinforce bandwidth constraints within a network.

3.2 Ad-Hoc Network Discovery

The requirement to route across an ad-hoc network is critical for the MOD, as well as for all mobile phone network operators. Swarm research in this area has focused upon the use of ant colony models to perform network and node discovery [106].


3.3 Swarm Intelligence for Logistics and Production Planning

The ability of a defence force to perform logistics is critical to success [108], as it is for any commercial organisation [107]. Ant colony optimisation models have been utilised in [108] to perform logistics management and resource scheduling.

4 State of the Art in Swarm Intelligence for cyber-defence

Past approaches to cyber-defence have traditionally been reactive, relying on black/white lists, known (virus/malware) signatures, and more recently on broader machine-learning anomaly-detection methods. We can classify Computer Network Defence (CND) technology as follows:

– Statistically model cyber-defence and attack prediction via a Bayesian Network [3]. The problem with using Bayesian Networks for attack graph analysis and prediction is that the computation of probabilities across a Bayesian Attack Graph (BAG) is known to be an NP-Hard problem [5, 22].

– Machine/Deep Learning suffers from the problem that if used in a) unsupervised mode it can be taught to tolerate a cyber-attack [4], b) supervised mode it can falsely identify a new user’s behaviour as malicious [4]. The major challenge with Deep Learning approaches when applied to cyber-attack prediction is the selection of training data and its labelling. In addition, the common pitfalls when using unsupervised learning methods for the analysis of data have been traced to the inability to separate clean data from dirty data when operating in a real-time learning mode [72, 78].

– Rule-based models of cyber-defence and attack prediction have focused upon the use of Attack Graphs to model and reason about an attacker’s behaviour. Traditional logical inference-based approaches to Attack Graph analysis suffer from computational explosion [6, 7, 22].

We can summarise the technical challenges for the traditional approaches to cyber-attack prediction as being either: a) an NP-Hard problem [5, 22], b) suffering from a lack of training data or being made to learn using dirty/contaminated data [4], or c) suffering from a computational explosion of the search space [76]. Thus we can say that none of the above solutions offers us the ability to develop an optimal solution.

Swarm Intelligence offers us the ability to use many of the techniques listed above with none of the drawbacks. This lack of drawbacks stems from the ability of Swarm Intelligence to utilise a variety of techniques, such as rule-based and statistical. This mixture of techniques allows the weakness of any single technique listed above to be mitigated.


The concept of applying distributed co-operating agents to system security is not new [17]. Swarm Intelligence has only recently been applied in the areas of intrusion detection and cyber prediction [18, 19, 40, 82, 84]. Traditional applications of Swarm Intelligence have focused upon Network Routing and the Identification of Clusters in big data sets [21]. Studies have been undertaken looking at the effectiveness of Swarm Intelligence for cyber-defence and the functions that it can perform in the detection and analysis of cyber-attacks [39, 49].

– A prediction was made in [73, 75] that highly destructive and self-learning swarms will be developed in the future to aid in cyber-attacks. Attacks like WannaCry and NotPetya can be said to foreshadow the massive disruptions and economic impacts possible in the future using intelligent swarms. The closest thing to a swarm that can be said to exist at the moment in offensive cyberspace is the sophisticated botnets currently being used by cyber criminals [74].

– An Ant Colony Optimisation (ACO) model and a Particle Swarm Optimisation (PSO) model have both been applied to intrusion detection and not cyber-attack prediction [39, 40]. These methods are listed below:

• BPSO/SPSO - A Real-Time Intrusion Detection System Based on PSO-SVM [50].

• BPSO/SVM - A New Intrusion Detection Method Based on BPSO-SVM [51].

• QPSO - A New QPSO Based Network Intrusion Detection System using Feature Selection [52].

• PSO/SVM - A Novel Intrusion Detection Method Based on Improved SVM by Combining PCA and PSO [53].

• GA/ACO - A Hybridisation of Evolutionary Fuzzy Systems and Ant Colony Optimisation for Intrusion Detection [54, 55].

• ACO/SVM - Ant Colony Optimisation Based Network Intrusion Feature Selection and Detection [56].

• Multiple Ant Colony - An Improved Ant-Based Classifier for Intrusion Detection [57].

It should be noted that:

• None of the methods listed above operates to provide real-time alerts.


• All of the algorithms are developed and used to identify outliers in data sets.

• All of the swarm methods developed for intrusion detection use food-foraging models for attack identification.

The main industrial application of swarm technology has focused upon the following:

• Ant Colony Optimisation for Network Routing [63, 64, 65]. This work has focused upon mobile & ad-hoc networking along with network routing and traffic management. The potential application within the military context applies to ad-hoc networking and routing over a black-core network.

• Medical Imaging [62]. This application has focused upon image analysis, and the potential application within the military domain applies to image analysis in the C4ISR domain.

• Protection of Industrial Process Control Systems [60, 61]. This approach focuses upon the identification of cyber-attacks across SCADA-based Industrial Process Control Systems (IPCS) via the application of a Flock of Birds Optimisation (FBO) model. The potential application within the military context focuses upon intrusion detection within the cyber domain.

Various commercial applications have developed swarm intelligence [89, 103]. The commercial applications seek to use various types of swarm technology. These systems utilise biological models of swarm intelligence such as Predator-Prey and Food-Foraging models to help people make business decisions. While many of the Swarm Intelligence methods discussed above have been applied to the problem of intrusion detection, none of them has been applied to the problem of cyber-attack prediction across complex networks. In general terms the research in the area of swarm intelligence is focusing upon the development of novel algorithms that address particular domains/problems. For example, areas where swarm intelligence is being developed include: logistics, networking, medical and industrial process control systems. Research is also applying swarm intelligence to the area of big data and data science.

5 Cyber-Attack Prediction and Technical Challenge Validation

It is important to understand to what extent, and from what perspectives, cyber-attacks can be predicted. Over the years Swarm Intelligence has been developed for performance prediction. Domains where this has been deployed include:


– Student performance for online education [79].

– Supply and consumption of electrical power [80].

– Seasonal time series forecasting [81].

– Smart City traffic flow forecasting and optimisation [84].

Figure 1 shows the taxonomic structure we will use to analyse and classify such capabilities. The following outlines recent research in this area.

Fig. 1. Cyber-attack Prediction Taxonomy

In addition, the concept of Swarm Intelligence and neuromorphic computing has been applied to the design of integrated circuits via “System on a Chip”. Such an approach to Swarm Intelligence for cyber prediction suffers from being resource bound and limited to the resources located on a single integrated circuit. Research into neuromorphic computing has shown that as the size and complexity of the neuromorphic computing algorithm grow, so the resources required to execute such an algorithm grow exponentially [87].

– Extreme Value Theory [23]. Extreme value theory or extreme value analysis (EVA) is a branch of statistics dealing with the extreme deviations from the median of probability distributions. When applied to cyber prediction it seeks to identify future attacks via the identification of deviation from normal patterns of behaviour.

• Strengths
∗ This is a mature field of research that has been well studied over the years [90] and applied to a number of domains.

• Weaknesses
∗ The prediction is based upon the statistical analysis of the data analysed across a large population size. Thus a large population of known events needs to be analysed and all events to be predicted must exist in the same data set.

– Contextual Semantics [26, 29]. These approaches seek to use semantic information about related/similar cyber-attacks to make a logical inference about the current attack and thus make a prediction about the next stage in the cyber-attack.

• Strengths
∗ The logical inference engines used to perform this type of analysis are very efficient at identifying known, previously identified, cyber-attacks [91].

• Weaknesses
∗ The logical inference engines used to perform this type of analysis can only follow a set of defined rules.
∗ Logical inference as a vehicle for identifying the unknown is constrained by the deterministic nature of the logical engine.

– Attack Graphs [30, 31, 76]. Attack graph modelling makes use of rules and/or probabilistic metrics to predict the next stage in an attack. Both of these approaches draw upon the analysis of training data containing known attack patterns [6, 7].

• Strengths
∗ The application of both rules-based inference and probabilistic induction allows for the identification of known attacks, and a limited set of unknown attacks.

• Weaknesses
∗ The creation of attack graphs using automated tools lacks scalability [92].
∗ There is a lack of training data that can be used, and current open source training data sets are often dated.
∗ All training sets are based on a set of a-priori knowledge, and thus lack the ability to predict new attacks [93, 94].
∗ Attack graphs use known events and therefore have a limited expressive power [95].


– Bayesian Network [24]. These approaches to cyber-attack prediction make use of known values within attacks and various patterns of behaviour to construct a Markov model, and this model is then used to calculate the probability of the next stage in a cyber-attack.

• Strengths
∗ The ability to reason with probabilities and manage uncertainty allows for the identification of the unknown.

• Weaknesses
∗ These types of analysis engine can be very noisy and generate a lot of false positives [97, 98].

– Temporal Analysis [25]. This work attempts to exploit temporal correlations between the number of attacks per day in order to predict the future intensity of cyber incidents.

• Strengths
∗ This model uses temporal correlation to predict the intensity of the attack rather than the next event, and thus the larger the data set analysed the greater the accuracy of the intensity prediction.

• Weaknesses
∗ This model predicts the intensity of the next stage of the cyber-attack based upon known events and thus cannot predict an unknown event or the actual next event in the attack.

– Artificial Immune System (AIS) [36]. An Artificial Immune System (AIS) is a family of techniques originating from the human immunology community. In essence a set of software agents functions to mimic the role of the human immune system. This model was first applied to cyber security in [37].

• Strengths
∗ These types of system can be seen as Swarms that function to mimic the role of the human immune system.

• Weaknesses
∗ Each element in the swarm has a very limited communication capability with other particles in the swarm.
∗ The behaviour of each particle in the Artificial Immune System is tightly specified and limited to a set of known patterns.
∗ While an Artificial Immune System is technically a swarm, it fails to function as a super-organism and exhibit any emergent properties.


– Neural Nets [27, 28, 41, 81]. These approaches use labelled and unlabelled training data to extract a set of features that can be used to predict the next stage in a cyber-attack. Some of these approaches use Neural Nets as the decision algorithm in a PSO [82, 83, 85, 86]. Research in this area has focused upon the prediction of cyber-network events [83, 85, 86]. The strengths and weaknesses of this approach to cyber prediction are outlined below:

• Strengths
∗ The neural net has the ability to classify large volumes of indexed data into a single decision algorithm/tree.
∗ The scope and scale of the number of variables analysed and used by a neural net allows for complex problem-solving on incomplete data [102].
∗ The ability to operate across domains ranging from the technical to the social [99].

• Weaknesses
∗ In the cyber-defence domain these approaches have mainly focused upon the analysis of TCP/IP network traffic and the security characteristics of that traffic. They have failed to take a more holistic approach to cyber security by not considering the systems that are connected to a network and how they interact at the application level [100, 101].
∗ These types of approaches to prediction are very dependent on the training data used to construct an attack classifier [4].
∗ These approaches are deterministic in nature and, while the number of attributes used to analyse a problem can be huge, a neural net remains nothing more than a large decision table [88].
∗ As a neural net grows so the computational power to analyse and run the neural net grows exponentially [87, 88].

– Support Vector Machine (SVM). These types of algorithms are learning algorithms that analyse data used for classification and statistical regression analysis [96, 104].

• Strengths
∗ This is a learning algorithm that has the ability to classify and optimise large volumes of data into a single decision structure.

• Weaknesses
∗ These types of approaches to prediction are very dependent on the training data used to construct an attack classifier [4].

We can summarise the weaknesses of traditional approaches to cyber-prediction as follows, and thus view them as technical challenge validation:

– The explosion of computation requirements.

– The lack of training data focused upon a-priori knowledge.

– The lack of scalability across large heterogeneous systems.

– The focus upon predicting known/observed attacks.

6 Swarm Models

The basic model is that each particle in a swarm at each iteration of a clock must calculate a solution over a set of decision variables [15, 71]. The basic types of swarm models are as follows:

– Ant Colony Optimization (ACO) [10, 70]: In an ant colony optimisation (ACO) model a set of ants move through an information model. As they move through the information space they lay down pheromones directing other ants to possible resources while exploring their environment. Based on the success, or failure, of an ant in locating a solution (resource), successive pheromone trails are deposited. The strength of the pheromone trails leads to the identification of an optimal solution for a given problem [10].

Ant Colony Optimisation is a meta-heuristic method to solve optimisation problems. This is achieved via the simulation of food foraging behaviour within a biological ant colony [70]. In the biological world ants deposit a pheromone on the ground during their trip searching for food [70]. The deposited pheromone will attract other ants to follow the same food foraging paths over time. Based upon the success of the ants, good sources of food will develop strong pheromone trails and weak sources of food will develop poor pheromone trails. The Ant Colony Optimisation meta-heuristic transformed this natural optimisation into a computational optimisation process for problem solving.

The Ant Colony Optimisation based clustering method is used to detect the outliers [69]; it performs a data preprocessing that leads to detection. Each ant compares the property value with the initial point set, checks data point importance and updates the values of the pheromones of other ants. Finally, the data points are selected and the final clustering matrix is obtained. All the remaining (unselected) data points are considered as outliers. ACO-based clustering has an acceptable correctness rate without initialising the centres and the number of clusters.
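The outlier-detection step described above, as an added example written for this page rather than the method of [69] or the paper's own code: ants walk over the data points, preferring nearby points that already carry pheromone, deposit pheromone wherever they land, and the pheromone evaporates every clock tick. Points in dense groups are visited often and keep a high pheromone level; isolated points decay toward zero and are the unselected points reported as outliers. The per-host feature vectors (connections per minute, distinct destination ports), the hostnames, the short tabu memory that stops an ant bouncing between its two richest neighbours, and all parameter values are constructed assumptions for illustration.

```python
"""Pheromone-based outlier detection in the spirit of ACO clustering (added illustration)."""
import random
import statistics
from collections import deque

# Constructed sample: two behavioural clusters of hosts plus two isolated hosts.
# Feature vector per host: (connections per minute, distinct destination ports).
HOSTS = {
    "ws-01": (2.0, 3.0), "ws-02": (2.3, 3.1), "ws-03": (1.8, 2.8), "ws-04": (2.1, 3.3),
    "ws-05": (2.4, 2.9), "ws-06": (1.9, 3.2), "ws-07": (2.2, 2.7), "ws-08": (2.0, 3.1),
    "db-01": (9.0, 1.0), "db-02": (9.2, 1.3), "db-03": (8.8, 0.9), "db-04": (9.1, 1.1),
    "db-05": (9.3, 0.8), "db-06": (8.9, 1.2), "db-07": (9.0, 1.4), "db-08": (9.2, 1.0),
    "odd-01": (3.0, 40.0),   # constructed: unusually many distinct ports
    "odd-02": (60.0, 20.0),  # constructed: unusually high connection rate
}


def _dist(a, b):
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5


def aco_outliers(points, n_ants=10, ticks=60, alpha=0.5, beta=2.0,
                 rho=0.1, deposit=1.0, memory=4, cut=0.1, seed=7):
    """Return the names of points whose final pheromone level is below
    `cut` times the median level, i.e. the points no ant kept selecting."""
    rng = random.Random(seed)
    names = list(points)
    n = len(names)
    # Heuristic attractiveness: closer points are more attractive (softened by +1).
    eta = [[1.0 / (1.0 + _dist(points[a], points[b])) for b in names] for a in names]
    tau = [1.0] * n                                   # uniform initial pheromone
    # Ants start spread evenly over the point list. Each remembers its last
    # `memory` stops (a tabu list), so it keeps rotating through a cluster
    # instead of oscillating between the two richest points.
    ants = [deque([(k * n) // n_ants], maxlen=memory) for k in range(n_ants)]

    for _ in range(ticks):                            # one clock tick of the swarm
        visits = [0] * n
        for trail in ants:
            i = trail[-1]
            weights = [0.0 if j in trail else (tau[j] ** alpha) * (eta[i][j] ** beta)
                       for j in range(n)]
            j = rng.choices(range(n), weights=weights)[0]
            visits[j] += 1
            trail.append(j)
        # Evaporate everywhere, then deposit where the ants landed this tick.
        tau = [(1.0 - rho) * t + deposit * v for t, v in zip(tau, visits)]

    threshold = cut * statistics.median(tau)
    return {names[i] for i in range(n) if tau[i] < threshold}


if __name__ == "__main__":
    print("flagged hosts:", sorted(aco_outliers(HOSTS)))
```

On the constructed data the two isolated hosts are flagged and every clustered host is kept. On real telemetry the features need scaling to comparable ranges before the distance means anything, and the cut-off is better set from a known-clean baseline period than from a fixed fraction of the median.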

– Flock of Birds/Fish [11]: Flocking behaviour can be described as the behaviour demonstrated when a flock is in flight and seeking to avoid a set of predators [11]. Birds and fish adjust their physical movement to avoid predators, seek food and mates, and optimise environmental parameters such as temperature [13]. The co-ordination between fish and birds via the execution of a simple rule set, such as maintaining an optimal distance between themselves and their neighbours, allows the flock to behave as a single super-organism. The four basic rules governing the behaviour of agents within a flock are: Collision Prevention, Speed Adjustment, Herd Centering and Predator Avoidance.

– Artificial Bee Colony (ABC) [12,13 , 68]: An Artificial Bee Colony mod-els the behaviour of real bees and makes use of three groups of bees forsolving optimisation and multidimensional problems [68]. The three groupsare onlookers, scouts and employed bees. The bee is described as an on-looker if they are waiting in the dance area and are ready to make a decisionrelating to the direction of a possible food source. If the bee revisited the per-vious food source it is named as an employed bee; and a scout bee is whereindividual bees search randomly without prior information for the locationof food [68]. In the Artificial Bee Colony algorithm, the roles of employedbees, onlookers and scout bees are interchangeable among the bee agents;an employed bee’s role is to gather the required information, while scoutsexploit for new food sources, and onlookers are in charge of sharing infor-mation with scouts and employed bees by communicating in the dance area.The dance area is modelled as a set of communication structures that beesat the entrance to the colony share. When searching, different bee agentswork collaboratively to explore and exploit food sources[12,13,68]. It is thissharing of information and re-enforcement of successful food source identifi-cation that leads to the development of an optimisation solution.

– Termite and Wasp [14]; The basic algorithm for termite and wasp intel-ligence is as follows; each termite or wasp creates a ball or similar materialfrom its environment, invests the ball with pheromones, and deposits it onthe environment. Termites and Wasps are attracted to their nest-mates’pheromones and are therefore more likely to drop/link their own balls neartheir neighbours. Over time this leads to the construction of pillars, arches,tunnels and chambers [15].

– Bat [16]: The Bat algorithm is a meta-heuristic algorithm for global optimisation. The algorithm simulates the echolocation behaviour of bats as a mechanism to identify food and other objects within their environment. In simple terms we can summarise the behaviour of a bat as follows: each virtual bat flies randomly with: a) a velocity vector, b) a position, and c) an echolocation capability. Search is intensified by a local random walk. Good food sources will attract bats, thus when searching for food the bat uses the location of other bats as an indicator of possible food locations. Tuning the echolocation capability allows the balance between exploration and exploitation to be controlled.

– Bacteria/Cells [32]: Bacteria identify the direction to food based on chemical trails in their environment [32]. Bacteria will also make use of chemicals to attract and repel other bacteria in their environment; these chemicals can also be used to allow bacteria to perceive each other. Bacteria can move around their environment using a simple locomotion mechanism. Depending on the cell-cell interactions, cells may swarm a food source, and may aggressively repel or ignore each other [32]. It is this swarming behaviour that allows for the identification of an optimal solution.

– Gravitational Particles [38]: In this swarm model, particles are attracted to or repelled from each other based upon a gravitational force. Each particle in the swarm has a velocity and a mass, and these two parameters are used to calculate the position and direction of the swarm.

7 Literature Summary

– In [39] an Ant Colony Optimisation (ACO) model and a Particle Swarm Optimisation (PSO) model are examined as vehicles through which an intrusion detection system could be developed. The paper explores the reasons that led to the application of Swarm Intelligence (SI) in intrusion detection, and presents SI methods that have been used for constructing an Intrusion Detection System. A major contribution of this work is also a detailed comparison of several SI-based IDS in terms of efficiency. The paper [39] outlines the current weaknesses of ACO when applied to the classification of events.

– In [40] a review is performed of various Swarm Intelligence methods and how they relate to intrusion detection. This paper only considers Particle Swarm Optimisation (PSO) and Ant Colony Optimisation (ACO) Swarm Intelligence methods. The PSO methods examined are listed below:

• BPSO/SPSO - A Real-Time Intrusion Detection System Based on PSO-SVM [50].

• BPSO/SVM - A New Intrusion Detection Method Based on BPSO-SVM [51].

• QPSO - A New QPSO Based Network Intrusion Detection System using Feature Selection [52].


• PSO/SVM - A Novel Intrusion Detection Method Based on Improved SVM by Combining PCA and PSO [53].

The ACO methods examined are listed below:

• GA/ACO - A Hybridisation of Evolutionary Fuzzy Systems and Ant Colony Optimisation for Intrusion Detection [54, 55].

• ACO/SVM - Ant Colony Optimisation Based Network Intrusion Feature Selection and Detection [56].

• Multiple Ant Colony - An Improved Ant-Based Classifier for Intrusion Detection [57].

– The paper [41] functions as a high level review of the various technologies and concepts that have been developed and deployed in the intrusion detection area.

– In [42], after identifying various issues in cyber intrusion detection and security, various Machine Learning and Data Mining approaches that have been developed for intrusion detection and security are examined.

– In [43] a broad study is undertaken of Swarm Intelligence algorithms and their application to intrusion detection. The paper mainly focuses upon Particle Swarm Optimisation (PSO) and Ant Colony Optimisation (ACO) Swarm Intelligence methods.

– In [44] a comprehensive survey of the technologies that are used for detecting intrusions is presented. It analyses the positive and negative aspects of each technology and the literature works that utilised these technologies. Attention is paid to various swarm intelligence approaches to intrusion detection. Challenges faced by current intrusion detection systems and the requirements for intrusion detection systems in the current network scenario are discussed in detail.

– In [45] an overview of these techniques is presented along with related literature on intrusion detection; the paper analyses their research contributions, compares their approaches and discusses new research directions which will provide useful insights for intrusion detection researchers and practitioners.

– In [46] Ant Colony Optimisation (ACO), Bee Colony Optimisation (BCO) and Particle Swarm Optimisation (PSO) models are developed and fused to create a single model for Abnormal Data Detection. All of the algorithms are developed and used to identify outliers in data sets. These data sets include intrusion detection data sets.


– In [47] a Particle Swarm is utilised to construct a Support Vector Machine (SVM) for the classification of attacks via feature augmentation. SVM is a form of supervised learning model and thus a non-probabilistic binary linear classifier.

– In [48] a hybrid SVM/PSO model is developed that focuses upon the use of SVM for feature extraction and machine learning.

– In [49] an evaluation of an Ant Colony Optimisation, a Bee Colony Optimisation and a Particle Swarm Optimisation is performed. The focus of the evaluation is on the rate of detection and classification of attacks.

Algorithms such as Ant Colony Optimisation (ACO), Bee Colony Optimisation (BCO) and Particle Swarm Optimisation (PSO), when applied to the problem of intrusion detection, have all been used as a vehicle through which it is possible to classify and index attacks using a given set of attributes. Most research in the area has focused upon the development of faster classification algorithms [12, 13, 15, 28, 46, 47, 48, 49]. Approaches such as [47, 48] have used training data such as the KDD 1999 Data Set and the DARPA IDS Training Data [66], while [58] has used the NSL-KDD. The NSL-KDD is a data set suggested to solve some of the inherent problems of the KDD 1999 data set which are mentioned in [59].

The main industrial application of swarm technology has focused upon the following:

– Ant Colony Optimisation for Network Routing [63, 64, 65]. This work has focused upon mobile & ad-hoc networking along with network routing and traffic management. The potential application within the military context applies to ad-hoc networking and routing over a black-core network.

– Medical Imaging [62]. This application has focused upon image analysis, and the potential application within the military domain applies to image analysis in the C4ISR domain.

– Protection of Industrial Process Control Systems [60, 61]. This approach focuses upon the identification of cyber-attacks across SCADA based Industrial Process Control Systems (IPCS) via the application of a Flock of Birds Optimisation (FBO) model. The potential application within the military context focuses upon intrusion detection within the cyber domain.

8 The Formal Particle Swarm Model

In the proposed swarm architecture, all observed events are converted to particles. A particle exists within an n-dimensional space. So we can view a swarm model as the following: < P, V, F >, where P is the set of particles, V is the dimensional space within which a particle is said to exist, and F is the linear time function that maps from < Pt, Vt >, at time t, to < Pt+1, Vt+1 > at time t + 1. The term Pt is used to denote the state of a particle at time t and the term Vt is used to denote the state of the vector space at time t.

The use of a function to express the behaviour of a particle allows us to express a formal semantic model of a swarm in F-logic. F-logic is a frame based logic that supports object identity, complex objects, inheritance, polymorphism, query methods and encapsulation.

F-logic allows us to express the distinction between a class of object and an instance of an object. Analysing the data dependencies in Figure 5 we can see that Syslog is an Event via the expression Syslog :: Event. Due to the fact that F-logic utilises frames we can express the fact that an object contains attributes. For example:

syslog [datetime -> std,
        system -> name,
        process -> padid,
        message -> ascii].

It should be noted that due to the well-formed nature of F-logic all attributes are treated as functions. Thus in the above example we can see that the object class syslog has an attribute called datetime that maps into the domain std.

9 The Technical Design

The role and function of the conceptual architecture is to define the key elements and their interfaces with the proposed Cyber Prediction capability. The proposed architecture will make use of open standards and technology to ensure interoperability across as wide an area as possible. It should be noted that the proposed architecture does not operate in true real-time. However, the architecture has been optimised to operate in as near real-time as is realistically possible. Limiting factors on achieving real-time include the use of a cloud based architecture for the processing and storage of large volumes of data. Due to the fact that any Cyber-Attack prediction capability is required to process large volumes of data, we would argue that any such capability cannot be a true real-time system. Also, given that Cyber-Attack case-studies have shown that complex, sophisticated Cyber-Attacks can span months or years, we would argue that true real-time processing and analysis for cyber attack prediction is not a true requirement.


10 The Technical Design Outline

The conceptual architecture is depicted in Figure 2. In this section we will give an overview of how the system functions to provide a particle swarm simulation. The system functions to ingest data of various types into a repository. Within this project we are making use of a cloud environment (HADOOP and HBASE). The data collector collects data from a wide variety of sources and translates the data into a JSON structure. Then, via a JSON RPC mechanism located on the enterprise service bus, the data is inserted into the cloud environment.

When an observed event of a particular type is inserted into the cloud environment it is converted into a particle of a particular type. The other type of data that can be inserted into the cloud environment as a particle is STIX objects. The STIX objects are managed and inserted into the cloud via the Threat Intelligence Engine. These particles are then used as the prediction particles, and it is these two types of particles that make up a swarm.

For the purposes of this project, we have adopted a gravitational model of swarm behaviour. Mathematically, we represent the information space within which a particle exists as a vector space. This means that every particle that has been inserted into the cloud environment has a location in the vector space. Thus, using geometry it is possible to calculate the distance between any two particles. The visualisation of the swarm within the vector space is provided by a simple set of visualisations that represent the vector space as a two dimensional plane.

The swarm is simulated via an Artificial Life Synthetic Engine. This engine functions to calculate the gravitational attraction between an event particle and a prediction particle. A multi-attribute utility model is used to calculate this. The artificial life engine then, for a given event particle, selects the prediction particle with the strongest gravitational force (a.k.a. utility) and updates the position of the event particle accordingly. Please note that event particles are the events that have been observed and inserted into the cloud environment, and the prediction particles are STIX objects that have been inserted into the cloud via the Threat Intelligence Engine.

The gravitational force that attracts two particles together is calculated using the Newtonian law of gravity. This law is used to calculate the force between an event particle and a prediction particle. The distance between the two particles is calculated using simple laws of geometry. The mass that each event particle has in relation to a prediction particle is calculated via a multi-attribute utility function.

The output of the swarm algorithm will generate predictions via the prediction particle with the strongest gravitational forces operating on it. As more events are observed and the associated particles are created, so particles not relating to a prediction will decay and die and only particles relating to a prediction will survive. The output of the swarm is observed via the visualisation tool. As event particles and prediction particles are part of a swarm, so prediction particles can predict other prediction particles. Thus, a cyber kill-chain can be modelled.

The key concepts to understand are:

– Observed events when ingested into the cloud become event particles;

– All prediction particles are STIX objects;

– The swarm is modelled as a gravitational swarm;

– The best gravitational force between an event particle and a prediction particle is calculated and selected using utility theory.

Each prediction particle with a swarm of event particles around it is taken to be a valid prediction for the next stage in a Cyber Attack. A prediction takes the form of the prediction particle with the strongest gravitational forces operating on it. Hence, we define the STIX Object with the strongest gravitational forces operating on it as the most likely next stage in a cyber campaign.

The types of event data being ingested are defined in Figure 5. Each particle is stored in the JanusGraph database as a vertex with edges defining relationship properties. The output of the swarm algorithm will generate predictions via a set of event particles swarming around a prediction particle and exerting gravitational forces on the prediction particle.

11 The Design Walkthrough

We will now illustrate the design with a design walkthrough. We will make use of three types of particles to illustrate the design. In the design walkthrough we will:

– Give a clear algorithmic example of how data in the following three particles will be used within the swarm model;

– Give clear examples for a data type contained within all three particle types;

– Walk through the algorithms giving examples of how they will function to deliver a swarm.

The particles will be:

– STIX Particle: The STIX vulnerability object.


– Observed Event/Particle: A SNORT event.

– Data Particle: PC definition.

11.1 The STIX Vulnerability Object

The JSON definition of a STIX object is as follows. For the purposes of this design walkthrough we will refer to the following STIX object as the prediction particle epx. The STIX object is inserted into the database via the Threat Intelligence Engine.

{
  "type": "vulnerability",
  "id": "vulnerability--8356-7a0c4f7342f0",
  "created": "2019-05-24T14:38:55.046Z",
  "modified": "2019-05-24T14:38:55.046Z",
  "name": "ADISA remote vulnerability",
  "description": "This is the ADISA remote vulnerability for Windows 10.",
  "external_references": [
    {
      "source_name": "CVE",
      "external_id": "CVE-2019-123456"
    }
  ]
}

The JSON STIX object defines the following attributes:

– Type
  • This is the type of the STIX object. In the above example it is an object of type vulnerability.

– ID
  • This is the unique identifier of the STIX object.

– Created
  • This is the time the STIX object definition was created.

– Modified
  • This is the time the STIX object definition was last modified.

– Name
  • This is the name of the STIX object.

– Description
  • This is the text description of the STIX object.


– External References
  • This is a list of external references that define the nature of the STIX object.

11.2 The Observed Event/Particle

The Observed Event/Particle that we will use for the design walkthrough is a SNORT event. The following is a syslog message generated by SNORT. The event reports a possible Remote Code Execution attempt targeted at the system 10.193.218.21. The Snort object is inserted into the database via the Event Collector Connector.

May 27 18:22:05 10.193.218.21 snort[3115]: [1:122:1] Remote Execution Code Identified -0x12FD17 [Classification: Remote Code Execution] [Priority: 1] {TCP} 192.168.51.61:32786 -> 10.193.218.21:80

The following is the JSON definition of the SNORT event.

{
  "event": {
    "syslog": {
      "snort": {
        "datetime": {"_type": "std", "__text": "May 27 18:22:05"},
        "system": {"_type": "name", "__text": "10.193.218.21"},
        "process": {"_type": "papid", "__text": "snort[3115]:"},
        "version": "[1:122:1]",
        "class": "Remote Execution Code Identified -0x12FD17",
        "priority": "1",
        "message": {"_type": "ascii", "__text": "Remote Execution Code Identified -0x12FD17"},
        "protocol": "TCP",
        "sourceip": {"_type": "ipv4", "__text": "192.168.51.61"},
        "sourceport": "32786",
        "destinationip": {"_type": "ipv4", "__text": "10.193.218.21"},
        "destinationport": "80"
      },
      "_datetime": "May 27 18:22:05",
      "_ident": "1029384756",
      "_type": "snort"
    },
    "_datetime": "May 27 18:22:05",
    "_ident": "9078563412",
    "_type": "syslog"
  }
}
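The translation that the Event Collector Connector performs for this event, written out as an added example (it is not code from the paper or its project): a Python parser that turns the Snort syslog line above into the inner "snort" JSON object shown, and wraps it in the event/syslog envelope. The regular expression, the helper names and the treatment of the page's "class" field (it carries the alert text, as the page's JSON does) are my assumptions; the sample line is the one from the walkthrough, and the two _ident values are taken from the page because it does not say where they come from.

```python
import re
from typing import Any, Dict

# Constructed sample: the Snort alert from the design walkthrough, as one syslog line.
SAMPLE_LINE = ("May 27 18:22:05 10.193.218.21 snort[3115]: [1:122:1] "
               "Remote Execution Code Identified -0x12FD17 "
               "[Classification: Remote Code Execution] [Priority: 1] "
               "{TCP} 192.168.51.61:32786 -> 10.193.218.21:80")

# Layout of a Snort alert as written to syslog: timestamp, reporting host,
# process[pid]:, [gid:sid:rev], alert text, [Classification: ...],
# [Priority: n], {protocol} src:port -> dst:port
SNORT_RE = re.compile(
    r"^(?P<datetime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<system>\S+)\s+"
    r"(?P<process>snort\[\d+\]:)\s+"
    r"(?P<version>\[\d+:\d+:\d+\])\s+"
    r"(?P<message>.+?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<protocol>[A-Za-z]+)\}\s+"
    r"(?P<sourceip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sourceport>\d+)\s+->\s+"
    r"(?P<destinationip>\d{1,3}(?:\.\d{1,3}){3}):(?P<destinationport>\d+)$"
)


def typed(kind: str, text: str) -> Dict[str, str]:
    """The {_type, __text} wrapper the page uses for typed attribute values."""
    return {"_type": kind, "__text": text}


def parse_snort_syslog(line: str) -> Dict[str, Any]:
    """Translate one Snort syslog alert into the inner "snort" object of the page's JSON.
    Raises ValueError for lines that are not Snort alerts, so a collector can skip them."""
    m = SNORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Snort alert syslog line: %r" % line)
    g = m.groupdict()
    return {
        "datetime": typed("std", g["datetime"]),
        "system": typed("name", g["system"]),
        "process": typed("papid", g["process"]),
        "version": g["version"],
        # the page's JSON carries the alert text in both "class" and "message";
        # the [Classification: ...] field is matched but not stored, as on the page
        "class": g["message"],
        "priority": g["priority"],
        "message": typed("ascii", g["message"]),
        "protocol": g["protocol"],
        "sourceip": typed("ipv4", g["sourceip"]),
        "sourceport": g["sourceport"],
        "destinationip": typed("ipv4", g["destinationip"]),
        "destinationport": g["destinationport"],
    }


def wrap_event_particle(snort: Dict[str, Any], snort_ident: str, syslog_ident: str) -> Dict[str, Any]:
    """Wrap a parsed alert in the event/syslog envelope shown above. The _ident
    values are supplied by the caller (the page shows them but not their origin)."""
    stamp = snort["datetime"]["__text"]
    return {"event": {
        "syslog": {"snort": snort, "_datetime": stamp, "_ident": snort_ident, "_type": "snort"},
        "_datetime": stamp, "_ident": syslog_ident, "_type": "syslog"}}


if __name__ == "__main__":
    import json
    print(json.dumps(wrap_event_particle(parse_snort_syslog(SAMPLE_LINE),
                                         "1029384756", "9078563412"), indent=2))
```

The anchored regular expression rejects anything that is not a complete Snort alert rather than producing a half-filled particle, so malformed or truncated syslog lines surface as a ValueError at the collector instead of entering the swarm as events.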

11.3 The Data Particle

The JSON definition of a Data Particle is as follows. The data object is inserted into the database via the Threat Intelligence Engine. The data particle is inserted into the cloud via the Event Collector Connector.

{
  "id": "1029182fd172617fe283718cf91928ab00",
  "created": "2019-05-23T14:38:55.046Z",
  "name": "PC: Server-01",
  "external_references": [
    {
      "source_name": "IP Address",
      "external_id": "10.193.218.21"
    },
    {
      "source_name": "Operating System",
      "external_id": "Windows 10"
    }
  ]
}

The role and function of a Data Particle is to act as a container for a set of external references that define the nature of the data particle. The JSON Data particle defines the following attributes:

– ID
  • This is the unique identifier of the Data object.

– Created
  • This is the time the Data object definition was created.

– External References
  • This is a list of external references that define the nature of the Data object.

11.4 The Design Walkthrough in Detail

The event and data particles are inserted into the cloud via a JSON RPC on the Enterprise Service Bus. The RPC used to perform this is called addEventParticle. The Event Collector Connector executes a simple algorithm of reading data from various sources, converting it into a JSON document and then inserting it into the cloud.

STIX particles are inserted into the cloud via a JSON RPC on the Enterprise Service Bus. The RPC used to perform this is called createSTIXObject. This function is used by the Threat Intelligence Engine.

The Artificial Life Synthetic Engine functions to update the location of both event and prediction particles in the Global Vector Space (matrix). For the purposes of simplicity we are assuming that the Global Vector Space is a simple 3 dimensional matrix [x, y, z]. The data particles do not have a location in the Global Vector Space. All prediction particles orbit around the centre of the vector matrix [0, 0, 0] at a fixed distance and with a fixed speed.

To start the Swarm Algorithm the Artificial Life Synthetic Engine makes use of the following JSON RPC functions:

– getAllPredictionParticles().

– getAllEventParticles().

Then, for every particle returned by the function getAllEventParticles(), the Swarm Algorithm in the Artificial Life Synthetic Engine executes the following:

1. First it updates the location of every Prediction Particle in the Global Vector Space via the function update.

2. Then it uses the function filter to select only those prediction particles that relate to the event particle. The set of prediction particles returned by the function filter is called Pl.


3. Then for each prediction particle in the set of prediction particles that relate to the event it uses the function utility to construct a matrix. The function utility returns the gravitational force between the event particle and the prediction particle. The matrix stores a list of the gravitational forces for every prediction particle that relates to the event particle. This matrix is called Ue.

4. The function maxUtility then selects the prediction particle(s) with the strongest/maximum gravitational force from the matrix Ue, and returns the prediction particle and the gravitational force. It should be noted that this can be a list if two prediction particles have the same gravitational force.

5. Then for every item (predictionparticle, gravitationalforce) in the list returned by the function maxUtility it updates the Global Vector Space for the event particle via the function action.

6. The function II is then used to model the decay of particles and decide if the event particle needs to be removed from the Global Vector Space.

At the heart of the Artificial Life Synthetic Engine and its ability to create and update a swarm is the function utility. This function takes an event particle e and a prediction particle as input and produces a tuple (prediction-particle, gravitational-force) that is added to the matrix Ue. In this design walkthrough we will now examine how the utility function is calculated. It should be noted that the value returned by the information mass function can be used to indicate the strength of the prediction.

The utility function is given below, where there is a linear relationship between the preference of an event particle e for a prediction particle epx and the gravitational force that can be said to exist between these two particles. In fact we can assert that utility(e, epx) = gravitational-force(e, epx).

$$\mathrm{utility}(e, e_{px}) = G \left[ \frac{IM(e, e_{px})}{r^{2}} \right] \qquad (1)$$

The variable r is the distance between the two particles in the 3 dimensional space (a.k.a. the Global Vector Space). The constant G is the gravitational constant. The function IM(e, epx) returns the product of the information mass of the event particle e and the information mass of the prediction particle epx. The information mass of a prediction particle has a default value of 1. This value can be defined by the user when the Artificial Life Synthetic Engine is configured. The Information Mass for the event particle is calculated for the specific prediction particle and may be different for different prediction particles.

The Information Mass function IM(e, epx) executes the following steps to calculate a return value.

1: ET ← eventType(e)
2: [Uxml] ← getUtilityFunction(ET)
3: Mpx ← getInformationMass(epx)
4: UMAX ← 0
5: for all u ∈ Uxml do
6:     EM ← executeXML(u, e, epx)
7:     if EM ≥ UMAX then
8:         UMAX ← EM
9:     end if
10:    IM ← UMAX ∗ Mpx
11: end for

A description of this algorithm is as follows:

– The function eventType returns the type of the given event particle;

– The function getUtilityFunction returns the set of executable XML for a particle of a given type;

– The function getInformationMass returns the information mass of a given prediction particle;

– The maximum utility UMAX for the event particle e and the prediction particle epx is set to zero;

– We then loop through the set of executable XML [Uxml].

• The executable XML is executed via the function executeXML() and the resulting value is stored in the variable EM.

• If EM is greater than the current maximum utility for UMAX then UMAX

• Finally, the Information Mass of the particles e and epx is calculated by multiplying the values UMAX and Mpx and returning the result.
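Steps 3 to 5 of the swarm algorithm, equation (1) and the Information Mass listing, carried through in one runnable Python example added here (it is not code from the paper or its project). Each executable XML clause is stood in for by a Python callable that returns the clause's RET value or 0, the gravitational constant G and the small distance floor are assumed configuration values, the movement rule in action (move the event part of the way towards the chosen prediction) is my assumption because the page does not fix one, and the particles, positions and the second, unrelated vulnerability object are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Vec3 = Tuple[float, float, float]
# One Python callable stands in for one executable XML clause: it inspects the
# event and prediction attributes and returns the mass the clause awards
# (0 when its guard is not satisfied). This substitution is an assumption.
UtilityFn = Callable[[dict, dict], float]


@dataclass
class Particle:
    ident: str
    attrs: dict          # attributes taken from the particle's JSON document
    position: Vec3       # location in the Global Vector Space [x, y, z]
    mass: float = 1.0    # information mass; prediction particles default to 1


G = 1.0        # gravitational constant; an engine configuration value (assumed)
MIN_R = 1e-6   # distance floor so coincident particles do not divide by zero (assumed)


def information_mass(e: Particle, epx: Particle, u_xml: List[UtilityFn]) -> float:
    """IM(e, epx): the maximum over the utility functions for e's type, times Mpx."""
    u_max = 0.0
    for u in u_xml:                      # for all u in Uxml
        em = u(e.attrs, epx.attrs)       # executeXML(u, e, epx)
        if em >= u_max:
            u_max = em
    return u_max * epx.mass              # UMAX * Mpx


def utility(e: Particle, epx: Particle, u_xml: List[UtilityFn], g: float = G) -> float:
    """Equation (1): utility(e, epx) = G * IM(e, epx) / r^2."""
    r = max(math.dist(e.position, epx.position), MIN_R)
    return g * information_mass(e, epx, u_xml) / (r * r)


def max_utility(e: Particle, predictions: List[Particle],
                u_xml: List[UtilityFn]) -> List[Tuple[Particle, float]]:
    """Build the matrix Ue for one event and return every prediction that shares
    the strongest force (a list, because ties are possible). A force of zero
    means no prediction relates to the event, so nothing is returned."""
    ue = [(p, utility(e, p, u_xml)) for p in predictions]
    best = max((f for _, f in ue), default=0.0)
    return [(p, f) for p, f in ue if f == best and f > 0.0]


def action(e: Particle, target: Particle, step: float = 0.5) -> Vec3:
    """Update the event's location: move it a fraction of the way towards the
    chosen prediction. The page does not fix this rule; it is assumed here."""
    e.position = tuple(a + step * (b - a) for a, b in zip(e.position, target.position))
    return e.position


# --- constructed sample data mirroring the design walkthrough ---------------

def snort_cve_clause(event: dict, pred: dict) -> float:
    """Callable form of the page's executable XML clause: RET 30 when all match."""
    matched = (event.get("destinationip") == "10.193.218.21"
               and event.get("sourceport") == "32786"
               and pred.get("external_id") == "CVE-2019-123456")
    return 30.0 if matched else 0.0


# getUtilityFunction(ET): executable utility functions keyed by event type
UTILITY_FUNCTIONS: Dict[str, List[UtilityFn]] = {"snort": [snort_cve_clause]}


def sample_event() -> Particle:
    """The Snort event particle e, placed 5 units from the origin (constructed)."""
    return Particle("9078563412",
                    {"type": "snort", "destinationip": "10.193.218.21", "sourceport": "32786"},
                    (3.0, 4.0, 0.0))


def sample_predictions() -> List[Particle]:
    """The page's vulnerability object plus a second, unrelated one (constructed)."""
    return [Particle("vulnerability--8356-7a0c4f7342f0",
                     {"external_id": "CVE-2019-123456"}, (0.0, 0.0, 0.0)),
            Particle("vulnerability--placeholder-unrelated",
                     {"external_id": "CVE-PLACEHOLDER"}, (0.0, 0.0, 0.0))]


def run_step(e: Particle, predictions: List[Particle]) -> List[Tuple[str, float]]:
    """Steps 3 to 5 of the swarm algorithm for one event particle."""
    u_xml = UTILITY_FUNCTIONS.get(e.attrs["type"], [])
    chosen = max_utility(e, predictions, u_xml)
    for p, _ in chosen:
        action(e, p)
    return [(p.ident, f) for p, f in chosen]


if __name__ == "__main__":
    ev = sample_event()
    print(run_step(ev, sample_predictions()), ev.position)
```

With the event 5 units from the origin the related vulnerability object attracts it with a force of 30 / 25 = 1.2 (mass 1) and the unrelated object with 0, so only the related prediction is selected and the event moves towards it; doubling the prediction's configured information mass doubles the force, which is the lever the page describes for weighting predictions.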

The function executeXML is the function that executes an XML statement. This XML statement defines the multi-attribute utility function for the particles e and epx. For the purposes of this design walkthrough we will refer to the vulnerability STIX object above as the prediction particle epx, and the SNORT Event as the event particle e. In the executable XML the prediction particle epx is denoted by the term pred and the event particle e by the term event. The function :- allows us to access attributes located in the associated JSON documents. For example the operand event:-sourceport will return the source port for the SNORT event. In the above example of the SNORT event this would return the value 32786.

The following is a sample of an executable XML statement that makes use of the particles defined above.


<clause>
  <guard op='and'>
    <match oprand='event:-destinationip' op='EQU'>10.193.218.21</>
    <match oprand='event:-sourceport' op='EQU'>32786</>
    <match oprand='pred:-external_id' op='EQU'>CVE-2019-123456</>
    <data op='and'>
      <match oprand='data:-external_id' op='EQU'>10.193.218.21</>
      <match oprand='data:-external_id' op='EQU'>Windows 10</>
    </data>
  </guard>
  <action op='RET'>30</action>
</clause>

In the above example we can see that, for the clause to return a value, the following conditions must all be true.

– The source port of the event particle must be 32786.

– The prediction particle must contain an external id with the value CVE-2019-123456.

– The data tag returns true if the logical operator associated with the tag evaluates to true. In this case the data tag returns true if a data object exists with an attribute external_id set to 10.193.218.21 and an attribute external_id set to Windows 10.

Each condition operates on an attribute of a particle of some type, and thus we may say that the executable XML statement functions to define a multi-attribute utility function.
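An evaluator for clauses of this form, added here as an example (it is not the engine's own executeXML, whose implementation the page does not show). It parses the clause above with Python's ElementTree, resolves the :- operands against constructed event, prediction and data particles of the shapes used in the walkthrough, and returns the RET value only when the guard holds. Two details are my assumptions: the page's </> closing shorthand is rewritten to </match> so that the XML is well-formed, and the :- accessor looks through external_references as well as top-level keys so that pred:-external_id and data:-external_id resolve the way the page's conditions require; the 'or' operator is an extension the page does not mention.

```python
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# The executable XML clause from the page. The "</>" closing shorthand is not
# well-formed XML, so it is rewritten to "</match>" before parsing (an assumption
# about how the engine's own parser treats it).
CLAUSE_XML = """<clause>
  <guard op='and'>
    <match oprand='event:-destinationip' op='EQU'>10.193.218.21</>
    <match oprand='event:-sourceport' op='EQU'>32786</>
    <match oprand='pred:-external_id' op='EQU'>CVE-2019-123456</>
    <data op='and'>
      <match oprand='data:-external_id' op='EQU'>10.193.218.21</>
      <match oprand='data:-external_id' op='EQU'>Windows 10</>
    </data>
  </guard>
  <action op='RET'>30</action>
</clause>"""

# Constructed particles with the shapes used in the walkthrough.
EVENT = {"destinationip": {"_type": "ipv4", "__text": "10.193.218.21"}, "sourceport": "32786"}
PRED = {"type": "vulnerability",
        "external_references": [{"source_name": "CVE", "external_id": "CVE-2019-123456"}]}
DATA = [{"name": "PC: Server-01",
         "external_references": [{"source_name": "IP Address", "external_id": "10.193.218.21"},
                                 {"source_name": "Operating System", "external_id": "Windows 10"}]}]

Scope = Dict[str, List[Dict[str, Any]]]


def attribute_values(particle: Dict[str, Any], attr: str) -> List[str]:
    """The ':-' accessor: every value an attribute takes in a particle, whether a
    plain key, a {_type, __text} wrapper, or a field of each external reference."""
    values = []
    if attr in particle:
        v = particle[attr]
        values.append(str(v["__text"]) if isinstance(v, dict) and "__text" in v else str(v))
    for ref in particle.get("external_references", []):
        if attr in ref:
            values.append(str(ref[attr]))
    return values


def evaluate(node: ET.Element, scope: Scope) -> bool:
    if node.tag == "match":
        if node.get("op") != "EQU":
            raise ValueError("unsupported match op %r" % node.get("op"))
        source, _, attr = node.get("oprand", "").partition(":-")
        expected = (node.text or "").strip()
        return any(expected in attribute_values(p, attr) for p in scope.get(source, []))
    if node.tag == "data":
        # true only if a single data object satisfies all of the tag's conditions
        return any(combine(node, {**scope, "data": [d]}) for d in scope.get("data", []))
    if node.tag == "guard":
        return combine(node, scope)
    raise ValueError("unknown tag <%s>" % node.tag)


def combine(node: ET.Element, scope: Scope) -> bool:
    """Apply the tag's logical operator to its children ('or' is an assumed extension)."""
    results = [evaluate(child, scope) for child in node]
    if node.get("op") == "and":
        return all(results)
    if node.get("op") == "or":
        return any(results)
    raise ValueError("unsupported logical op %r" % node.get("op"))


def execute_xml(clause_xml: str, event: Dict[str, Any], pred: Dict[str, Any],
                data: List[Dict[str, Any]]) -> int:
    """executeXML(u, e, epx): the clause's RET value when the guard holds, else 0."""
    root = ET.fromstring(clause_xml.replace("</>", "</match>"))
    guard, act = root.find("guard"), root.find("action")
    if guard is None or act is None or act.get("op") != "RET":
        raise ValueError("clause needs a <guard> and an <action op='RET'>")
    scope: Scope = {"event": [event], "pred": [pred], "data": data}
    return int((act.text or "0").strip()) if evaluate(guard, scope) else 0


if __name__ == "__main__":
    print(execute_xml(CLAUSE_XML, EVENT, PRED, DATA))   # 30 for the walkthrough particles
```

The data tag is evaluated per data particle, so two separate data objects that each hold one of the two external ids do not satisfy it; that matches the page's reading that a single data object must carry both attributes, and it is the check that stops an unrelated host with the right operating system from lending mass to the prediction.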

12 The Detailed Technical Design

All software developed as part of this project will be made available as open source software under the MIT Software Licence.


Fig. 2. The Conceptual Architecture

The conceptual architecture depicted in Figure 2 will function as follows, with all events functioning as particles:

– HADOOP will function as the underlying data storage infrastructure. The utilisation of a HADOOP infrastructure will support the storage and analysis of large volumes of data. To facilitate complex data processing we will make use of the Apache/YARN architecture. HADOOP is open source software available under the Apache Software License 2.0.

– HBASE will function as the data presentation and data storage layers, providing the infrastructure into which events can be inserted and stored. The interfaces between HADOOP, HBASE and JanusGraph will all be provided via standard open APIs, and documented by the applications. HBASE is open source software available under the Apache Software License 2.0.

– The JanusGraph database will be used to process complex queries. JanusGraph is open source software available under the Apache Software License 2.0. The JanusGraph database will make use of the TinkerPop and Gremlin Server interfaces that make use of the Gremlin Graph Query Language. This software is also open source and is available under the Apache Software License 2.0.

– JSON [6] will function as the Enterprise Service Bus providing a JSON RPC service-oriented architecture (SOA) interface between the various components connected to the bus. For speed this Enterprise Service Bus makes use of a cache to store and forward requests to/from the cloud.

– The Particle Generator functions to monitor the cloud environment so as to detect when data is ingested. Based upon the ingested data, particles of various types will be created and injected into the Artificial Life Synthetic Engine (ALSE). This project will make use of JSON standards to express information about the various particle types. The base set of event particles is as follows:

• Event Particles - These represent events that are being detected and reported. They cover items such as syslog, Windows event logs, firewall logs, TCP/IP packets, emails, Twitter and other social media.

• Data Particles - These represent the state of the environment within which the Cyber Attack is taking place. This type of particle includes information relating to network topology, system information (such as IP address and host operating system), etc.

• Prediction Particles - These represent a possible future state of a Cyber Attack and are derived from STIX objects.

– The Event Collector Connector is primarily responsible for collecting and inserting event particles. When an event is observed it is the Event Collector Connector which encodes it in JSON and inserts it into the graph database as a particle of type eventParticle. The Event Collector Connector will allow for multiple data sources to be ingested into the cloud environment. These data sources will include a wide variety of data types, including:

• Audit logs derived from distributed heterogeneous systems;

• Real-time monitoring data such as NetFlow and network traffic captures;

• Network vulnerability scans and software vulnerability databases;

• Intelligence on adversaries and their attack patterns.

– The Threat Intelligence Engine (TIE) is responsible for defining the natureof possible attacks that the swarm is attempting to predict.


– The Artificial Life Synthetic Engine (ALSE) is the synthetic environment within which the swarm exists and the decision process of particles is executed.

– The Particle Visualisation Engine (PVE) will function to create a representation of a Cyber Attack and visualise the flow of particles through the attack. The PVE will make use of Qt as the visualisation encoding language.

– The Enterprise Service Bus is a JSON RPC Version 2.0 interface that functions to map complex queries into a Gremlin Language structure that can be executed on the JanusGraph database.

13 HADOOP, HBASE, JanusGraph and the Enterprise Service Bus

HADOOP functions as the distributed file store and, via YARN, as the distributed processing engine of the overall system. HBASE is a NoSQL database implementing a single table structure. Tables are split into multiple tablets, and segments of the table are split at certain row keys. HBASE functions as the underlying storage medium for the graph database JanusGraph. The JanusGraph database makes use of the Gremlin Graph Query Language to express and query graph structures.

The role and function of the Enterprise Service Bus is to provide a JSON RPC interface into JanusGraph for:

– Creating and updating graph structures that correspond to particles and swarms.

– Executing complex queries over graph structures that correspond to particles and swarms.

The structure of the JSON RPC is as follows and makes use of named parameters:

--> {"jsonrpc": "2.0", "method": "subtract", "params": {"subtrahend": 123, "minuend": 456}, "id": 1}

<-- {"jsonrpc": "2.0", "result": 19, "id": 1}

In the above JSON RPC example we can see that the remote procedure call method that we require the server to execute is subtract and that we are making use of the JSON RPC version 2.0 specification. The RPC function takes a series of parameters and each parameter has a unique name.

In the above example there are two parameters named subtrahend and minuend, with values 123 and 456. When making a JSON RPC request each function call must have a unique identifier; this allows the calling object to correctly identify the reply. We denote the function call identifier by the parameter id. In the above example the parameter id has the value 3.
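The request/reply exchange described above, written out as a small client and server in Python. This is an added example and not code from the report or the project: make_request, handle_request, RpcClient and round_trip are names chosen here, and the only registered method is the page's subtract. It shows the three things the text relies on: named parameters (so argument order does not matter), the id that lets the caller match a reply to its call, and the error objects the JSON-RPC 2.0 specification defines for a bad request, an unknown method or bad parameters.

```python
import json

# Error codes defined by the JSON-RPC 2.0 specification.
PARSE_ERROR = -32700
INVALID_REQUEST = -32600
METHOD_NOT_FOUND = -32601
INVALID_PARAMS = -32602


def subtract(minuend, subtrahend):
    """The page's example method; named parameters make argument order irrelevant."""
    return minuend - subtrahend


# Method registry. On the Enterprise Service Bus each entry would map onto a
# JanusGraph/Gremlin operation; 'subtract' is the page's illustrative method.
METHODS = {"subtract": subtract}


def make_request(method, params, request_id):
    """Encode one JSON-RPC 2.0 request with named parameters and a caller-chosen id."""
    return json.dumps({"jsonrpc": "2.0", "method": method,
                       "params": params, "id": request_id})


def _error(code, message, request_id):
    return {"jsonrpc": "2.0",
            "error": {"code": code, "message": message}, "id": request_id}


def handle_request(raw):
    """Server side: decode, validate and dispatch one request; return the response dict."""
    try:
        req = json.loads(raw)
    except ValueError:
        return _error(PARSE_ERROR, "Parse error", None)
    if not isinstance(req, dict):
        return _error(INVALID_REQUEST, "Invalid Request", None)
    rid = req.get("id")
    if req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return _error(INVALID_REQUEST, "Invalid Request", rid)
    func = METHODS.get(req["method"])
    if func is None:
        return _error(METHOD_NOT_FOUND, "Method not found", rid)
    params = req.get("params", {})
    if not isinstance(params, dict):          # this bus uses named params only
        return _error(INVALID_PARAMS, "Named params expected", rid)
    try:
        result = func(**params)
    except TypeError:                          # unknown or missing parameter names
        return _error(INVALID_PARAMS, "Invalid params", rid)
    return {"jsonrpc": "2.0", "result": result, "id": rid}


class RpcClient:
    """Client side: hand out unique ids and match each reply back to its call."""

    def __init__(self):
        self._next_id = 1
        self._pending = {}

    def call(self, method, params):
        rid = self._next_id
        self._next_id += 1
        self._pending[rid] = method
        return rid, make_request(method, params, rid)

    def receive(self, response):
        rid = response.get("id")
        if rid not in self._pending:
            raise ValueError("reply for unknown or already answered id %r" % (rid,))
        del self._pending[rid]
        return response


def round_trip():
    """Issue the page's subtract call through the client and server and return the result."""
    client = RpcClient()
    _, raw = client.call("subtract", {"subtrahend": 123, "minuend": 456})
    return client.receive(handle_request(raw))["result"]
```

The client refuses a reply whose id it never issued (or has already consumed), which is the check that stops a stale or replayed response from being attributed to a live call on the bus.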

14 Artificial Life Synthetic Engine (ALSE)

14.1 Utility/Force Duality and Option/Particle Duality

In utility theory a utility function is used to express a preference structure between two alternatives [19, 20]. Mathematically we can express this via a function utility and the preference relation operator ≻.

utility(x) ≻ utility(y) (2)

The above equation states that option x is preferred to option y, or the utility of option x is greater than the utility of option y.

Within a swarm we view an option as a particle, and we use the utility function as a measure of force between two particles. Thus we can say that utility is a relationship which we can model as a function, i.e. utility(x, y) = force(x, y).

force(a, x) ≻ force(a, y) (3)

We can interpret the above equation as meaning that, for particle a, the force between a and particle x is stronger than the force between a and particle y, so particle x is the preferred one.

14.2 Artificial Life Synthetic Engine (ALSE)

The role of the ALSE is to ingest particles into the swarm and to execute the rules associated with each particle so as to perform Cyber Attack prediction. The prediction will take the form of a gravitational model, with the utility function being a relationship between a particle and a prediction particle that calculates the gravitational force between the two particles. The greater the gravitational force, the greater the strength of the prediction.


Fig. 3. The Particle Design

The baseParticle is the basic data structure used to define all other particles in the swarm. Its basic structure in Python is as follows:

class baseParticle():
    def __init__(self, datetime, identifier, type):
        self._datetime = datetime
        self._ident = identifier
        self._type = type

The basic structure represents the fact that every particle has:

– A date and time when the event was observed - self._datetime

– A unique identifier - self._ident

– A type - self._type

The attributes for the baseParticle are supported by the following functions. The values returned by these functions can only be set when a particle is created.

– The function getid() returns the unique identifier for an object;

– The function getdatetime() returns the date and time of the object;

– The function type() returns the type of the object.

The following sets/matrices are derived from data held in the cloud environment.


– GlobalVectorSpaceMatrix. This set is denoted VS;

– SetofAllPredictionParticles. This set is denoted PP;

– SetofAllEventParticles. This set is denoted PE;

– SetofAllParticleTypes. This set is denoted PT.

Given the base sets used to perform a swarm particle simulation, we can define a set of invariants that exist between these base types. The first invariant states that all event particles, ∀pe ∈ PE, must be of a type contained in the set of all particle types PT.

∀pe ∈ PE | pe.type() ∈ PT (4)

The second invariant states that all prediction particles, ∀pp ∈ PP, must be of a type contained in the set of all particle types PT.

∀pp ∈ PP | pp.type() ∈ PT (5)

Within the Artificial Life Synthetic Engine, Figure 3 defines the four particle types/objects that exist. The first is a base object called baseParticle; this is a meta object/type that is used by all other particle objects to inherit a set of base attributes and functions. All particle types exist in the Artificial Life Synthetic Engine.

Figure 3 also shows that the classes dataParticle, eventParticle and predictionParticle inherit from the baseParticle class. We can decompose the eventParticle type into a set of subtypes.

The UML class diagram shows that every particle is part of a swarm and that a swarm consists of many particles. The base algorithm executed by the Artificial Life Synthetic Engine is defined as follows, where [VS] is the global vector space matrix within which all particles exist. The swarm particle algorithm is derived from the standard gravitational swarm model. We opted for the gravitational swarm model as the other swarm models function to define the optimal route between two points. The gravitational swarm model functions to define the optimal minimum proximity between two particles. This optimal minimum proximity is used to define a cyber prediction.

[Vs] ← GlobalVectorSpaceMatrix
[Pp] ← SetofAllPredictionParticles
[Pe] ← SetofAllEventParticles
for all ep ∈ Pp do
    [Vs] ← update(ep)
end for
for all ee ∈ Pe do
    Pl ← filter(ee, Pp)
    [Ue] ← []
    [Me] ← []
    for all ep ∈ Pl do
        [Ue] ← [Ue] + utility(ee, ep)
    end for
    [Me] ← maxUtility([Ue])
    for all (g, ep) ∈ Me do
        [Vs] ← action(g, ee, ep)
    end for
    [Vs] ← decay(ee)
end for

This algorithm begins by creating the Global Vector Space as a matrix within which the particles are said to exist. It then constructs a set of all predictions, and a set of all event particles that exist. For all particles in the vector space we derive a set of predictions that relate to the particle and ask the particle to select which prediction it prefers. For each particle and possible prediction we construct a utility relationship. Then for every prediction particle we update its location in the Global Vector Space Matrix GlobalVectorSpaceMatrix via the function update. This function takes exactly one prediction particle as input ep.

We then construct a set of utility relationships for each particle where the utility is the maximum value from the set of defined utility values. Next we loop through the set of maximum utility relationships and with each maximum utility relationship we implement an action that updates the Global Vector Space. The utility function defines the informational gravitational force that exists between two particles. The following functions are contained and implemented within the Artificial Life Synthetic Engine:

– update(...).

– filter(...).

– decay(...).

– action(...).

– utility(...).

– maxUtility(...).


14.3 The update Function

The update function takes a prediction particle as input and updates its location in the Global Vector Space Matrix Vs.

14.4 The filter Function

The rationale for this function is that not all prediction particles relate to an event particle. The filter function is used to select the set of Prediction Particles that relate to an Event Particle. Formally we can specify this function as follows:

filter(Pe) → [Pp1, Pp2, Pp3, ..., Ppx] (6)

where Pe ∈ PE and Ppx ∈ PP. This function does not change the state of a particle; it only returns a set of values. By reducing the number of prediction particles that we have to process in the algorithm we are seeking to optimise the performance of the algorithm. For example, a DNS event particle will only have prediction particles returned to it by the filter function that relate to DNS queries, and will not have prediction particles returned to it that relate to URL requests.

14.5 The decay Function

The decay function implements the fact that all event particles decay over time. The role of this function is to stop the database growing out of control, as all event particles have a half-life and decay over time. This function takes a particle type and returns a real number that corresponds to the number of seconds that is the particle's half-life. The function decides if the particle decays and, if so, removes it from the Global Vector Space Matrix Vs. This function is defined as follows:

decay(Pt) → True|False (7)

where Pt ∈ PT. The value of decay for a particle of a given type is specified by the user via configuration in the Artificial Life Synthetic Engine.

14.6 The action Function

The action function is used to update the Global Vector Space Matrix (denoted Vs). This can involve simply updating the location of the event particle in the Global Vector Space Matrix, or it can involve an action on the event particle. Actions on an event particle are implemented in the Particle Generator component of the technical architecture depicted in Figure 2. These functions are implemented in the Particle Generator, and include:

– Particle Fusion;

– Particle Division;

– Particle Creation.

14.7 The utility Function

The utility function is used to calculate the gravitational force between two particles. In calculating the gravitational force between two particles we use a traditional model of Newtonian gravity and use the informational mass of a particle in place of its physical mass. This function utility returns a value that is used to populate a two dimensional matrix [Ue], where epx is a prediction particle and utility(e, epx) is the gravitational force between the prediction particle epx and the event particle e.

[Ue] = | ep1, utility(e, ep1) |
       | ep2, utility(e, ep2) |
       | ep3, utility(e, ep3) |
       | ...                  |
       | epx, utility(e, epx) |   (8)

The variable [Ue] is a vector that is used to define the gravitational force between a given event particle e and all prediction particles ep1, ep2, ep3, ..., epx. The invariants on the utility function are defined as follows:

– The event particle e must be a member of the set of event particles PE .

e ∈ PE (9)

– The type of the event particle e must be a valid type.

e.type() ∈ PT (10)

– The prediction particle epx must be a member of the set of prediction particles PP.

epx ∈ PP (11)

– The type of the prediction particle epx must be a valid type.

epx.type() ∈ PT (12)

– The function utility must return a real number, i.e. a value in R.

utility(e, epx) ∈ R (13)

The utility relation between particles ex and ey represents a gravitational force. This force is calculated via the following equation.

utility(e, epx) = G · IM(e, epx) / r² (14)

where:


– utility(ex, ey) is the force between two particles, and is directly proportional to the strength of the prediction;

– G is the Newtonian gravitational constant (6.674 × 10^-11);

– IM is the information mass function that calculates the mass of a given pair of particles, and thus:

• IM(e, epx) is the informational mass of the particle e and the informational mass of the particle epx;

– r is the distance between the two particles in the vector space VS.

The utility(e, epx) is calculated via the function IM(e, epx). This function returns informational mass as the product of the informational mass of the event particle and the informational mass of the prediction particle. Each type of event particle has its own IM function. When invoking utility(e, epx) the first parameter refers to the event particle e and the second refers to the prediction particle epx.

The information mass function IM(e, epx) is in reality the multi-attribute utility function, specified in an executable form of XML and F-logic. For example:

<utf func='MAX' id='201907-1.0' defaultreturn='0'>
  <clause predictiontype='vulnerability--8356-7a0c4f2f0'>
    <guard op='and'>
      <match oprand='event:-priority' op='EQU'>1</match>
      <match oprand='event:-sourceport' op='EQU'>80</match>
      <match oprand='pred:-external_id' op='EQU'>CVE-2019-123456</match>
      <data op='and'>
        <match oprand='data:-external_id' op='EQU'>10.193.218.21</match>
        <match oprand='data:-external_id' op='EQU'>Windows 10</match>
      </data>
    </guard>
    <action op='RET'>event:-classification</action>
  </clause>
  <clause>
    <guard op='id'>
      <match oprand='event:-destinationport' op='LESS'>130</match>
    </guard>
    <action op='RET'>5</action>
  </clause>
</utf>

The executable XML is a series of Horn clauses specified by the tag <clause>. Each clause has a guard specified by the <guard> tag and an action specified by the <action> tag. Each clause refers to a specific prediction type specified as the unique identifier of a STIX object.

In the context of the XML tag <clause> the basic operators op are given below and the operands are specified in F-logic.

– AND - this is the logical AND operator;
– NAND - this is the logical NAND operator;
– OR - this is the logical OR operator;
– NOR - this is the logical NOR operator;
– XOR - this is the logical XOR operator.

In the context of the XML tag match the basic operators op are given below and the operands are specified in F-logic.

– EQU - is the equals operator;
– LST - is the less than operator;
– GST - is the greater than operator;
– LSE - is the less than or equal to operator;
– GSE - is the greater than or equal to operator;
– SUB - is the subset operator;
– TUN - is the logical implication operator.

The basic execution method of a specified utility function is as a Reverse Polish Stack. The adopted method for calculating the Information Mass Function between two particles has been designed to be efficient. The two key requirements are:

– The ability to extract and make use of multiple attributes from the particles;

– The speed of calculation of the information mass function.

To support the speed of calculation a Reverse Polish Execution model was adopted. This model of execution is faster when compared with tree optimisation execution models such as AVL trees and B-trees. An object-oriented approach to the expression of objects (via JSON) supports the ability to access multiple attributes of an object in an efficient manner.
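An evaluator for the executable XML form of the information mass function, added here as an illustration; it is not the project's engine. It walks the clause tree recursively rather than compiling it to a Reverse Polish stack as the text describes, which is simpler to read but is a design choice of this example, not the report's. The UTF_XML document, the evaluate_utf and demo_particles names, the "ns:-attribute" operand convention (resolved against dicts named event, pred and data) and the numeric coercion of operands are assumptions; the operator names (EQU, LST, GST, LSE, GSE, SUB and the and/or/nand/nor/xor guard operators), the MAX function attribute and defaultreturn follow the text above.

```python
import xml.etree.ElementTree as ET

# Constructed utility function in the page's XML layout: the first clause applies only
# to one prediction type and returns the event's classification; the second is generic.
UTF_XML = """<utf func='MAX' id='example-1.0' defaultreturn='0'>
  <clause predictiontype='vulnerability--EXAMPLE'>
    <guard op='and'>
      <match oprand='event:-priority' op='EQU'>1</match>
      <match oprand='event:-sourceport' op='EQU'>80</match>
      <data op='and'>
        <match oprand='data:-os' op='EQU'>Windows 10</match>
      </data>
    </guard>
    <action op='RET'>event:-classification</action>
  </clause>
  <clause>
    <guard op='and'>
      <match oprand='event:-destinationport' op='LST'>130</match>
    </guard>
    <action op='RET'>5</action>
  </clause>
</utf>"""


def _coerce(value):
    """Compare numerically where both sides parse as numbers, otherwise as strings."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return value


def _resolve(ref, particles):
    """'event:-priority' -> particles['event']['priority'] (assumed operand syntax)."""
    namespace, attr = ref.split(":-", 1)
    return _coerce(particles[namespace][attr])


COMPARE = {
    "EQU": lambda a, b: a == b,
    "LST": lambda a, b: a < b,
    "GST": lambda a, b: a > b,
    "LSE": lambda a, b: a <= b,
    "GSE": lambda a, b: a >= b,
    "SUB": lambda a, b: set(str(a).split(",")) <= set(str(b).split(",")),
}
LOGIC = {
    "and": all,
    "or": any,
    "nand": lambda xs: not all(xs),
    "nor": lambda xs: not any(xs),
    "xor": lambda xs: sum(1 for x in xs if x) == 1,
}


def eval_node(node, particles):
    """A <match> compares one particle attribute; <guard> and <data> combine children."""
    if node.tag == "match":
        lhs = _resolve(node.get("oprand"), particles)
        return COMPARE[node.get("op")](lhs, _coerce(node.text.strip()))
    results = [eval_node(child, particles) for child in node]
    return LOGIC[node.get("op", "and")](results)


def evaluate_utf(xml_text, particles):
    """Information mass for (event, prediction, data): combine the RET values of every
    clause whose guard holds with the utf's func (MAX or MIN); defaultreturn otherwise."""
    root = ET.fromstring(xml_text)
    values = []
    for clause in root.findall("clause"):
        wanted = clause.get("predictiontype")
        if wanted and wanted != particles.get("pred", {}).get("type"):
            continue                      # clause is bound to another prediction type
        guard, action = clause.find("guard"), clause.find("action")
        if guard is None or action is None or not eval_node(guard, particles):
            continue
        text = action.text.strip()
        values.append(_resolve(text, particles) if ":-" in text else _coerce(text))
    if not values:
        return _coerce(root.get("defaultreturn", "0"))
    return max(values) if root.get("func", "MAX") == "MAX" else min(values)


def demo_particles(priority, sourceport, destinationport, pred_type="vulnerability--EXAMPLE"):
    """Constructed event/prediction/data particle attributes for evaluate_utf."""
    return {"event": {"priority": priority, "sourceport": sourceport,
                      "destinationport": destinationport, "classification": "9"},
            "pred": {"type": pred_type},
            "data": {"os": "Windows 10"}}
```

Because the guard operands are drawn from three separate particles (event, prediction and environment data), the same clause file expresses the multi-attribute dependence the text asks for, and the predictiontype attribute is what ties a clause to one STIX object identifier.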

The value returned by the utility function indicates the strength of belief in the prediction. For example, the greater the strength of belief of the prediction, the greater the Informational Mass of the event particle, and hence the greater the gravitational force between the event particle e and the prediction particle epx. This also means that the speed with which an event particle moves in the visualisation is directly related to the strength of belief of the prediction. The greater the strength of belief of the prediction the greater the speed of motion. Thus the speed of convergence of two particles in vector-space actually represents the strength of belief of a prediction for the event particle.

14.8 The maxUtility Function

The role of the maxUtility function is to return a set of maximum utility relationship values for the event particle. This function returns a value as a two-dimensional matrix where epx is a prediction particle and utility(e, epx) is the maximum utility relationship between the prediction particle epx and the event particle e. It should be noted that two prediction particles can have the same maximum utility and that is why the maxUtility function returns a set/matrix.

[Me] = | ep1, utility(e, ep1) |
       | ...                  |
       | epx, utility(e, epx) |   (15)
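The swarm algorithm of Section 14.2 carried through in Python with the six functions of Sections 14.3 to 14.8, together with the baseParticle structure of Figure 3 and the invariants (4) and (5). This is an added example, not the project's ALSE: the position and mass attributes, the step size used by action, the HALF_LIFE configuration, the PT set and the names check_invariants, filter_, alse_step and demo are assumptions made here. utility implements equation (14) with the informational masses multiplied as the text describes, filter keeps only predictions of the event's own type, maxUtility keeps ties (which is why (15) is a set), and decay drops an event particle whose age exceeds its type's half-life.

```python
import math

G = 6.674e-11  # Newtonian gravitational constant as used in equation (14)

# Set of all particle types PT and the per-type half-life configuration (both constructed).
PT = {"dns", "url"}
HALF_LIFE = {"dns": 300.0, "url": 60.0}   # seconds


class baseParticle:
    """Base structure of Fig. 3: datetime, identifier and type are fixed at creation.
    'position' (2-D location in the vector space) and 'mass' (informational mass)
    are assumed attributes added for this example."""
    def __init__(self, datetime, identifier, ptype, position, mass):
        self._datetime = datetime
        self._ident = identifier
        self._type = ptype
        self.position = position
        self.mass = mass
    def getid(self): return self._ident
    def getdatetime(self): return self._datetime
    def type(self): return self._type


class eventParticle(baseParticle): pass
class predictionParticle(baseParticle): pass


def check_invariants(PE, PP):
    """Invariants (4) and (5): every event and prediction particle has a type in PT."""
    return all(p.type() in PT for p in PE) and all(p.type() in PT for p in PP)


def update(ep, Vs):
    """Record the prediction particle's location in the Global Vector Space Matrix Vs."""
    Vs[ep.getid()] = ep.position
    return Vs


def filter_(ee, PP):
    """Keep only prediction particles of the event's type (DNS events see DNS predictions)."""
    return [ep for ep in PP if ep.type() == ee.type()]


def IM(e, ep):
    """Information mass: product of the two particles' informational masses."""
    return e.mass * ep.mass


def utility(e, ep):
    """Equation (14): G * IM(e, ep) / r^2, with r the distance in the vector space."""
    r = math.dist(e.position, ep.position)
    return math.inf if r == 0 else G * IM(e, ep) / (r * r)


def maxUtility(Ue):
    """Return every (g, ep) pair sharing the maximum utility; ties are kept, as in (15)."""
    if not Ue:
        return []
    best = max(g for _, g in Ue)
    return [(g, ep) for ep, g in Ue if g == best]


def action(g, ee, ep, Vs, step=0.1):
    """Move the event particle a fraction of the way toward its preferred prediction."""
    ee.position = tuple(a + step * (b - a) for a, b in zip(ee.position, ep.position))
    Vs[ee.getid()] = ee.position
    return Vs


def decay(ee, Vs, now):
    """Remove the event particle from Vs once it is older than its type's half-life."""
    if now - ee.getdatetime() > HALF_LIFE[ee.type()]:
        Vs.pop(ee.getid(), None)
        return True
    return False


def alse_step(Vs, PP, PE, now):
    """One pass of the swarm algorithm; returns Vs and the prediction(s) chosen per event."""
    chosen = {}
    for ep in PP:
        Vs = update(ep, Vs)
    for ee in list(PE):
        Pl = filter_(ee, PP)
        Ue = [(ep, utility(ee, ep)) for ep in Pl]
        Me = maxUtility(Ue)
        for g, ep in Me:
            Vs = action(g, ee, ep, Vs)
        chosen[ee.getid()] = [ep.getid() for _, ep in Me]
        if decay(ee, Vs, now):
            PE.remove(ee)
    return Vs, chosen


def demo():
    """Constructed swarm: two DNS predictions at different distances, a closer URL
    prediction that filter must exclude, and one fresh plus one expired DNS event."""
    now = 1000.0
    PP = [predictionParticle(now, "pp-dns-far", "dns", (10.0, 0.0), 5.0),
          predictionParticle(now, "pp-dns-near", "dns", (1.0, 0.0), 5.0),
          predictionParticle(now, "pp-url", "url", (0.5, 0.0), 50.0)]
    PE = [eventParticle(now - 10, "ee-dns-fresh", "dns", (0.0, 0.0), 2.0),
          eventParticle(now - 500, "ee-dns-old", "dns", (0.0, 0.0), 2.0)]
    assert check_invariants(PE, PP)
    Vs, chosen = alse_step({}, PP, PE, now)
    return chosen, [e.getid() for e in PE], Vs
```

In the demo the URL prediction is the nearest particle and has by far the largest mass, yet it is never considered for the DNS events because filter removes it first; that ordering (filter before utility) is what keeps the force calculation confined to predictions that can apply to the event.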

15 Particle Generator

The Particle Generator is responsible for providing the swarm with a set of functions that allow for particles to be fused together to create new particles. The basic functions that the particle generator can perform are as follows and can be invoked by the Artificial Life Synthetic Engine via JSON RPC:

– Fuse two particles together to create a new particle, specified by the function fuseParticles(ex, ey) → [ez].

– Split a single particle into two new particles. This is specified by the function splitParticle(ex) → [ey, ez].

– Create a new particle, specified by the function createParticle() → [ex].

For example, the event particle for a TCP three-way handshake can be used to create a new particle that correlates to a successful TCP connection between two computers. The JSON RPC interface for the Particle Generator is defined as follows:

--> {"jsonrpc": "2.0", "method": "fuseParticle", "params": {"particle1": 123, "particle2": 456}, "id": 1}

--> {"jsonrpc": "2.0", "method": "splitParticle", "params": {"particle1": 123}, "id": 2}


--> {"jsonrpc": "2.0", "method": "createParticle", "params": {"particle": "particle description. . . ."},"id": 3}

The rationale behind the Particle Generator fusing or splitting particles is the ability to create and fuse particles that are not directly observable. We can derive the existence of these particles from the existence of other particles. These new particles can be used to strengthen the existence of other particles. For example, the TCP/IP particles and the TCP/IP three-way handshake can be used to imply the existence of a TCP Connection between two computers. The latter could be expressed via fuseParticle. So, let us assume the following:

– That the TCP particle for the first part of the TCP three-way handshake (the SYN packet) is the particle identifier 00FF1231;

– That the TCP particle for the second part of the TCP three-way handshake (the SYN/ACK packet) is the particle identifier 00FF1232;

– That the TCP particle for the third and final part of the TCP three-way handshake (the ACK packet) is the particle identifier 00FF1233.

From the above assumption we can create a new CEF particle via the following:

--> {"jsonrpc": "2.0", "method": "createParticle", "params": {"particleType": "JSON CEF Description"}, "id": 3}

JSON CEF description for the new particle is as follows:

{"event": {
    "syslog": {
        "cef": {
            "datetime": {"_type": "std", "__text": "Mar 28 19:23:07"},
            "system": {"_type": "name", "__text": "server-01"},
            "version": "CEF:0",
            "deviceinfo": "Particle Fusion Engine Version 1.0",
            "signature": "FFFFFFFF",
            "name": {"_type": "ascii", "__text": "TCP Connection Event"},
            "severity": "10",
            "extensions": {"_type": "ascii", "__text": "src=10.0.0.1 dst=192.168.103.168 spt=1232 dpt=10"}
        },
        "_datetime": "Mar 27 18:22:05",
        "_ident": "1029384756",
        "_type": "cef"
    },
    "_datetime": "Mar 27 18:22:05",
    "_ident": "8765432190",
    "_type": "syslog"
}}
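The fusion step the text walks through (three handshake particles becoming one TCP Connection particle in the JSON CEF layout above), as an added Python example rather than the project's Particle Generator. The HANDSHAKE input is constructed, reusing the page's identifiers 00FF1231 to 00FF1233 and its src/dst/port values; the fuseParticles, parse_extensions and fused_endpoints names, the ISO-8601 timestamps and the digest-based identifier for the fused particle are assumptions. The function only fuses when the three segments really form one handshake: SYN from A to B, SYN/ACK back on the reversed port pair, ACK from A to B again, in time order.

```python
import hashlib

# Constructed handshake event particles, using the identifiers and addresses the page
# uses for its example (00FF1231..00FF1233, 10.0.0.1 -> 192.168.103.168, spt=1232 dpt=10).
HANDSHAKE = [
    {"ident": "00FF1231", "datetime": "2019-03-28T19:23:07", "flags": ["SYN"],
     "src": "10.0.0.1", "dst": "192.168.103.168", "spt": 1232, "dpt": 10},
    {"ident": "00FF1232", "datetime": "2019-03-28T19:23:08", "flags": ["SYN", "ACK"],
     "src": "192.168.103.168", "dst": "10.0.0.1", "spt": 10, "dpt": 1232},
    {"ident": "00FF1233", "datetime": "2019-03-28T19:23:09", "flags": ["ACK"],
     "src": "10.0.0.1", "dst": "192.168.103.168", "spt": 1232, "dpt": 10},
]


def _matches(p, flags, src, dst, spt, dpt):
    """True if particle p is a segment with exactly these flags on this direction/ports."""
    return (sorted(p["flags"]) == sorted(flags) and p["src"] == src and p["dst"] == dst
            and p["spt"] == spt and p["dpt"] == dpt)


def fuseParticles(handshake):
    """fuseParticles([SYN, SYN/ACK, ACK]) -> a new TCP Connection particle in the page's
    JSON CEF layout, or None if the three particles do not form one complete handshake.
    The fused identifier is a digest of the three source identifiers (assumed scheme)."""
    if len(handshake) != 3:
        return None
    syn, synack, ack = sorted(handshake, key=lambda p: p["datetime"])
    a, b, spt, dpt = syn["src"], syn["dst"], syn["spt"], syn["dpt"]
    if not (_matches(syn, ["SYN"], a, b, spt, dpt)
            and _matches(synack, ["SYN", "ACK"], b, a, dpt, spt)
            and _matches(ack, ["ACK"], a, b, spt, dpt)):
        return None
    joined = "|".join(p["ident"] for p in (syn, synack, ack))
    ident = hashlib.sha256(joined.encode()).hexdigest()[:16]
    when = ack["datetime"]            # the connection exists once the final ACK is seen
    cef = {
        "datetime": {"_type": "std", "__text": when},
        "system": {"_type": "name", "__text": "particle-fusion-engine"},
        "version": "CEF:0",
        "deviceinfo": "Particle Fusion Engine Version 1.0",
        "signature": "FFFFFFFF",
        "name": {"_type": "ascii", "__text": "TCP Connection Event"},
        "severity": "10",
        "extensions": {"_type": "ascii",
                       "__text": "src=%s dst=%s spt=%d dpt=%d" % (a, b, spt, dpt)},
    }
    return {"event": {"syslog": {"cef": cef, "_datetime": when, "_ident": ident, "_type": "cef"},
                      "_datetime": when, "_ident": ident, "_type": "syslog"}}


def parse_extensions(text):
    """Split a CEF extension string 'k=v k=v' into a dict."""
    return dict(kv.split("=", 1) for kv in text.split())


def fused_endpoints(particle):
    """The src/dst/spt/dpt of a fused particle, read back from its CEF extensions."""
    return parse_extensions(particle["event"]["syslog"]["cef"]["extensions"]["__text"])
```

Deriving the identifier from the three constituent identifiers makes the fusion idempotent: re-running it over the same handshake yields the same particle rather than a duplicate in the graph.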

16 Threat Intelligence Engine (TIE)

The role of the Threat Intelligence Engine is to define the attacks that the swarm is attempting to predict. The threat intelligence will be specified via the STIX language. Structured Threat Information Expression is a language and serialisation format used to exchange Cyber Threat Intelligence (CTI).

The Threat Intelligence Engine makes use of the Enterprise Service Bus and in particular the createSTIXObject JSON RPC function to add prediction particles to the Global Vector Space Matrix. Formally we can define the createSTIXObject as follows:

– Create a STIX Domain Object (SDO) given the unique reference number for the object. This is specified by the function createSTIXObject(so) → True|False, where so is the JSON definition of the STIX Object.

The above function is implemented via a JSON RPC as follows:

--> {"jsonrpc": "2.0", "method": "createSTIXObject", "params": {. . . . }, "id": 1}

The Threat Intelligence Engine provides the following JSON RPC to support the Particle Visualisation Engine:

– Query a STIX Domain Object (SDO) given the unique reference number for the object. This is specified by the function querySTIXObject(ez) → SDO, where ez is the unique identifier for a STIX Object.

The above function is implemented via a JSON RPC as follows:


--> {"jsonrpc": "2.0", "method": "querySTIXObject", "params": {"objectID": 123}, "id": 1}

16.1 Structured Threat Information Expression

The Structured Threat Information Expression (STIX) language is designed to make use of a serialisation format to facilitate the exchange of Cyber Threat Intelligence (CTI). The role and function of STIX is to allow organisations to share CTI in a consistent and machine readable manner. STIX has been engineered to support the creation of an understanding of what Cyber Attacks communities are likely to see. In addition, it facilitates the ability to respond to a Cyber Attack in a more effective manner.

The STIX language has been created to support: a) collaborative threat analysis, b) automated threat exchange and, c) automated detection and response. The Cyber Observable eXpression (CybOX) has now been integrated into STIX. To define the nature and context of a cyber threat the STIX language makes use of a set of abstractions expressed as objects. These objects are:

– Indicator Object
• To describe an indicator the Indicator Object makes use of a set of attributes. These attributes include the following:

∗ name - The name of the Indicator Object;

∗ pattern - A pattern that is used to detect an attack;

∗ labels - This is the list that specifies the type of indicator;

∗ valid_from - This expresses the temporal parameters within which the indicator object is still considered valid intelligence.

– Malware Object
• To describe a piece of malicious software the Malware Object makes use of a set of attributes. These attributes include the following:

∗ name - This is the name of the malicious software;

∗ description - This describes the malicious software in greater detail;

∗ labels - This is used to express the characterisation of the type of malicious software, and can include Malware Attribute Enumeration and Characterisation (MAEC).

– Relationship Object


• To describe relationships between other STIX objects the Structured Threat Information Expression language makes use of a Relationship Object. The required attributes needed to define the relationship between the two STIX objects include the following:

∗ name - The name of the relationship object;

∗ labels - This is the list that specifies the type of relationship;

∗ source_ref - This attribute is used to express the identifier of the source object;

∗ target_ref - This refers to the identifier of the target object;

∗ relationship_type - This attribute is used to identify the type/nature of the relationship.

– STIX Bundle
• To express a collection of STIX objects we make use of the STIX Bundle object. This object is allowed to have any number of arbitrary, unrelated objects.

– Sighting Object
• This type of STIX object is used to express the fact that some object/event has been observed. The required attributes needed to define the Sighting Object are the following:

∗ type - This defines the type of Sighting Object;

∗ name - This refers to the name of the Sighting Object;

∗ sighting_of_ref - This attribute contains a pointer to the observed object.

– Threat Actor Object
• A threat actor can be defined as an individual, group, or organisation that is believed to be operating with malicious intent.

– Identity Object
• To express actors such as individuals, organisations, or groups as well as classes of individuals, organisations, or groups the STIX language makes use of an Identity Object. This object allows for the expression of information relating to an actor's identity, contact information and sector. The Identity Object can be used within the STIX language to express concepts such as the targets of attack, information sources, object creators, and threat actor identities. The attributes needed to define the Identity Object include the following:

∗ type - This defines the type of Identity Object;

∗ name - This refers to the name of the Identity Object;

– Attack Patterns
• The role and function of the Attack Patterns STIX object is to define the Tools, Techniques and Procedures that a threat actor can use to compromise a target system. Attack Patterns allow us to categorise attacks. In particular they allow for detailed information to be expressed about how an attack is performed. This STIX object allows for the expression of textual descriptions of the pattern along with references to externally defined taxonomies of attacks such as Common Attack Pattern Enumeration and Classification (CAPEC). The attributes needed to define the Attack Patterns include the following:

∗ type - This defines the type of the Attack Patterns object;

∗ name - The name of the Attack Patterns object;

∗ external_references - This is a reference to the Common Attack Pattern Enumeration and Classification (CAPEC).

– Campaign Object
• The STIX Campaign Object is used to express the grouping of a threat actor's behaviour. These groupings function to define a series of activities that occur over a period of time and are directed at a specific target. Campaigns usually have a well defined set of goals/objectives and may be part of an Intrusion Set. The attributes needed to define the Campaign Object include the following:

∗ type - This defines the type of Campaign Object;

∗ name - This refers to the name of the Campaign Object.

– Intrusion Set
• An Intrusion Set is a grouped set of adversarial behaviours and resources with common properties that is believed to be orchestrated by a single organisation. The attributes needed to define the Intrusion Set include the following:

∗ type - This defines the type of Intrusion Set;

∗ name - This refers to the name of the Intrusion Set.


Other optional attributes of the STIX Intrusion Set object include:

∗ description - This provides a more detailed account of the intrusion set;

∗ goals - This defines at a high level the goals of the intrusion / Cyber Attack;

∗ resources - This defines the resources required to mount an intrusion / Cyber Attack;

∗ first_seen - This defines the date and time when the intrusion set was first observed;

∗ last_seen - This defines the date and time when the intrusion set was last observed.
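A structural check that the Threat Intelligence Engine could run on a STIX bundle before createSTIXObject turns its contents into prediction particles, added here as an illustration and not part of the project. validate_bundle checks that every id has the "type--UUID" form, that the id prefix agrees with the object's type, that ids are unique, that each object carries the attributes listed for its type in this section (the STIX specification, not this list, is the authority on what is mandatory), and that source_ref, target_ref and sighting_of_ref resolve to objects inside the bundle. example_bundle builds a constructed bundle with fixed UUIDs; all names and sample values are assumptions.

```python
import re

# STIX identifiers take the form '<type>--<UUID>'.
STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})$")

# Attributes this section lists for each object type (taken from the text above; the
# STIX specification itself decides what is mandatory).
LISTED_ATTRIBUTES = {
    "indicator": ["name", "pattern", "labels", "valid_from"],
    "malware": ["name", "description", "labels"],
    "relationship": ["name", "labels", "source_ref", "target_ref", "relationship_type"],
    "sighting": ["type", "name", "sighting_of_ref"],
    "identity": ["type", "name"],
    "attack-pattern": ["type", "name", "external_references"],
    "campaign": ["type", "name"],
    "intrusion-set": ["type", "name"],
}
REF_FIELDS = ("source_ref", "target_ref", "sighting_of_ref")


def validate_bundle(bundle):
    """Return a list of problems: malformed or duplicate ids, id/type mismatch, missing
    listed attributes, and references that do not resolve inside the bundle."""
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("bundle: top-level type must be 'bundle'")
    objects = bundle.get("objects", [])
    seen = {}
    for obj in objects:
        oid = obj.get("id", "")
        m = STIX_ID.match(oid)
        if not m:
            problems.append("%r: malformed STIX id" % oid)
            continue
        if m.group(1) != obj.get("type"):
            problems.append("%s: id prefix does not match type %r" % (oid, obj.get("type")))
        if oid in seen:
            problems.append("%s: duplicate id" % oid)
        seen[oid] = obj
        for attr in LISTED_ATTRIBUTES.get(obj.get("type"), []):
            if attr not in obj:
                problems.append("%s: missing attribute %s" % (oid, attr))
    for obj in objects:                      # second pass: every reference must resolve
        for field in REF_FIELDS:
            ref = obj.get(field)
            if ref is not None and ref not in seen:
                problems.append("%s: %s %r does not resolve within the bundle"
                                % (obj.get("id"), field, ref))
    return problems


def example_bundle(dangling=False):
    """Constructed bundle: an indicator that 'indicates' a malware object, plus a sighting.
    With dangling=True the sighting points at an object that is not in the bundle."""
    ind = "indicator--11111111-1111-4111-8111-111111111111"
    mal = "malware--22222222-2222-4222-8222-222222222222"
    rel = "relationship--33333333-3333-4333-8333-333333333333"
    sig = "sighting--44444444-4444-4444-8444-444444444444"
    missing = "indicator--99999999-9999-4999-8999-999999999999"
    return {"type": "bundle", "id": "bundle--55555555-5555-4555-8555-555555555555",
            "objects": [
                {"type": "indicator", "id": ind, "name": "example-c2-domain",
                 "labels": ["malicious-activity"],
                 "pattern": "[domain-name:value = 'example.invalid']",
                 "valid_from": "2019-03-28T00:00:00Z"},
                {"type": "malware", "id": mal, "name": "example-family",
                 "labels": ["remote-access-trojan"], "description": "constructed example"},
                {"type": "relationship", "id": rel, "name": "indicates", "labels": [],
                 "relationship_type": "indicates", "source_ref": ind, "target_ref": mal},
                {"type": "sighting", "id": sig, "name": "seen-once",
                 "sighting_of_ref": missing if dangling else ind},
            ]}
```

Rejecting a bundle with a dangling reference before ingestion matters for the swarm: a prediction particle derived from a relationship or sighting whose target is absent would enter the Global Vector Space with no object to fall towards.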

16.2 TAXII

Trusted Automated Exchange of Intelligence Information (TAXII) is designed as an application layer protocol within the ISO network model. Its role is to support the communication of Cyber Threat Information in a simple and scalable manner.

TAXII consists of a set of message exchange formats and services that allow for the sharing of Cyber Threat information/intelligence across boundaries such as organisational, product line and service in a secure manner. The role and function of TAXII is to allow organisations to share information with whomever they choose.

17 Particle Visualisation Engine (PVE)

The role of the Particle Visualisation Engine (PVE) is to provide a real-time visualisation of the state of the Global Vector Space Matrix. This is achieved via the application of standard open source vector graphic libraries such as PyQt5.

A conceptual design of the near real-time visualisation provided by the Particle Visualisation Engine is given in Figure 7. For speed and efficiency of prototyping within the project technical demonstrator a two-dimensional visualisation model has been adopted. Within later stages of the project a three-dimensional visualisation model will be developed and deployed. The greater the strength of belief in the prediction, the greater the informational mass of the event particle, and hence the greater the gravitational force between the event particle e and the prediction particle epx. This also means that the faster an event particle moves in the visualisation the greater the strength of belief in the prediction. Hence the motion of the particles can be used by an analyst to indicate the strength of a prediction.

We can also visualise the rate of arrival of particles - See Figure 4.

Fig. 4. The Conceptual Visualisation of Particle Arrival Rate

18 Event Collector Connector

In the real world, the data EventCollectorConnector will be located on a seriesof computers on the clients network. Their function is to collect data in a widevariety of formats and via an Enterprise Service Bus, and a JSON RPC interface,to insert the data into a cloud environment.

Data is ingested into the system via the Event Collector Connector (ECC)- see Figure 2. At a semantic level for an event particle ex and the Global Vec-tor Space Vs the Event Collector Connector implements the function [Vs] ←addEventParticle([ex], [Vs]). This function is located on the Enterprise Service

47

Page 48: A Particle Swarm Model for Agile Cyber Attack Prediction

18. EVENT COLLECTOR CONNECTOR Table of Contents

Bus as a JSON RPC. This function takes a particle and inserts it into theGlobalV ectorSpace. The GlobalV ectorSpace is stored in the cloud environment.

The parameter descriptionJSON is defined for each particle type in the following section.

--> {"jsonrpc": "2.0", "method": "addEventParticle", "params": {. . . . }, "id": 1}

The role of the Event Collector Connector is to take data in various formats and convert them into the JSON format that will be used by the Enterprise Service Bus. The Event Collector Connector (ECC) can collect data from a wide variety of sources located on: a) the organisation's networks, b) across a supply chain and c) on the Internet; then, via a JSON RPC on the Enterprise Service Bus, the data can be ingested into the Graph Database. Figure 5 gives the standard set of data types that will be developed for this phase of the project. However, it should be pointed out that the proposed data architecture can support events of various types such as file access and social media posts and tweets.

The following rules are used to maintain consistency across the data collected and to define the particles in a swarm:

– The name of every data type must be unique;

– The data type architecture can be represented as a tree structure;

– Every data type in the data type architecture can be mapped onto a particle.

The base object depicted in Figure 5 is that of an event and from this object all other object types are derived. The detailed breakdown of the data types and the associated JSON RPC functions through which they are inserted into the database is as follows:

Fig. 5. The Data Type Architecture
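The three consistency rules above (unique names, a tree rooted at the Event object, every type mapping onto a particle) and the addEventParticle JSON RPC can be made concrete in a few dozen lines. The following is an added example written for this page, not the project's own Event Collector Connector code: it registers the Section 18 data types in a tree, rejects rule violations, and shows both sides of the JSON-RPC 2.0 call. The nesting of HTTP-Request under TCP and of TCP/UDP/ICMP under IP, the "particle" parameter name, and the use of a plain list as the Global Vector Space are assumptions, since Figure 5 and the params of the RPC are not reproduced on the page.

```python
"""Added example (not the report's own ECC code): a data type tree that
enforces the three particle-type rules, plus a JSON-RPC 2.0 addEventParticle
client/server pair.  Type nesting and parameter names are assumptions."""
import json
from typing import Dict, List, Optional


class DataTypeArchitecture:
    """Registry of particle data types forming a tree whose root is the Event object."""

    def __init__(self, root: str = "Event") -> None:
        self.root = root
        self.parent: Dict[str, Optional[str]] = {root: None}

    def validate(self, name: str, parent: str) -> Optional[str]:
        """Return a rule-violation message, or None if the type may be registered."""
        if name in self.parent:
            return f"duplicate data type name: {name}"      # rule 1: names are unique
        if parent not in self.parent:
            return f"unknown parent type: {parent}"         # rule 2: a tree, so the parent must exist
        return None

    def register(self, name: str, parent: str) -> None:
        problem = self.validate(name, parent)
        if problem:
            raise ValueError(problem)
        self.parent[name] = parent

    def lineage(self, name: str) -> List[str]:
        """Path from a data type up to the root, e.g. HTTP-Request -> TCP -> IP -> Event."""
        path: List[str] = []
        node: Optional[str] = name
        while node is not None:
            path.append(node)
            node = self.parent[node]
        return path

    def to_particle(self, name: str, payload: dict) -> dict:
        """Rule 3: every registered data type maps onto a particle; unknown types are rejected."""
        if name not in self.parent:
            raise ValueError(f"unknown data type: {name}")
        return {"type": name, "lineage": self.lineage(name), "data": payload}


def build_architecture() -> DataTypeArchitecture:
    """The Section 18 types.  Nesting HTTP-Request under TCP, and TCP/UDP/ICMP
    under IP, is an assumption about Figure 5, which is not reproduced here."""
    arch = DataTypeArchitecture()
    for name, parent in [("IP", "Event"), ("TCP", "IP"), ("UDP", "IP"), ("ICMP", "IP"),
                         ("HTTP-Request", "TCP")]:
        arch.register(name, parent)
    for flat in ("SYSLOG", "TCPD", "SNORT", "NCSA", "DNS", "CEF", "SSHD", "Windows-Event",
                 "VSFTPD", "Firewall/Router", "FTPD"):
        arch.register(flat, "Event")
    return arch


def add_event_particle_request(particle: dict, request_id: int) -> str:
    """Client side of [Vs] <- addEventParticle([ex], [Vs]) as a JSON-RPC 2.0 request.
    The 'particle' parameter name is an assumption; the report elides the params."""
    return json.dumps({"jsonrpc": "2.0", "method": "addEventParticle",
                       "params": {"particle": particle}, "id": request_id})


def handle_add_event_particle(request_json: str, vector_space: list) -> dict:
    """Server side: validate the request, append the particle to the Global Vector
    Space (a list standing in for the cloud-hosted store) and answer with its size."""
    req = json.loads(request_json)
    if req.get("jsonrpc") != "2.0" or req.get("method") != "addEventParticle":
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32601, "message": "Method not found"}}
    particle = req.get("params", {}).get("particle")
    if not isinstance(particle, dict) or "type" not in particle:
        return {"jsonrpc": "2.0", "id": req.get("id"),
                "error": {"code": -32602, "message": "Invalid params"}}
    vector_space.append(particle)
    return {"jsonrpc": "2.0", "id": req["id"], "result": {"size": len(vector_space)}}
```

Because a type is only accepted when its parent already exists, the registry can never form a cycle, which is what makes the lineage walk in `lineage()` terminate; the server side rejects unknown methods and malformed particles with the standard JSON-RPC error codes rather than silently growing the vector space.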

18.1 Event

The event object is a meta object and is used as a container for the other objects that form the data ontology.

18.2 IP

The IP object is used to express the data elements contained in an IP packet. The JSON encoding of an IP packet is performed via an application that listens on a network interface for IP packets and then, via a PCAP data structure, decodes the IP packet.

18.3 TCP

The TCP object is used to express the data elements contained in a TCP packet. The JSON encoding of a TCP packet is performed via an application that listens on a network interface.


18.4 HTTP-Request

The HTTP-Request object is used to express the data elements of an HTTP request carried in the data portion of a TCP packet. The JSON encoding of an HTTP-Request packet is performed via an application that listens on a network interface.

18.5 UDP

The UDP object is used to express the data elements contained in a UDP packet. The JSON encoding of a UDP packet is performed via an application that listens on a network interface.

18.6 ICMP

The ICMP object is used to express the data elements contained in an ICMP packet. The JSON encoding of an ICMP packet is performed via an application that listens on a network interface.

18.7 SYSLOG

The Syslog functionality is a generic logging function provided on Unix/Linux with some commercial implementations for Microsoft Windows. The Syslog system is designed to observe and record events in a text format. An example of the syslog file format is given below.

Mar 27 18:22:00 server-01 sshd[1130]: Server listening on 0.0.0.0 port 22

18.8 TCPD

The TCPD functionality is only available on Unix/Linux platforms. The TCPD system is designed to observe and record network service activation/invocation events in a text format. An example of a TCPD log entry is given below.

Mar 28 19:23:07 server-01 in.telnetd[1140]: Connect from 10.63.130.139

18.9 SNORT

SNORT is a standard open-source intrusion detection system [14] that can log attacks to a central server using a standard format. The two formats used by Snort are structured text (via syslog) or SNML. An example of the Snort structured text format is given below.

Mar 27 18:22:05 sensor-01 snort[3115]: [1:122:1] TCP traffic outbound [Classification: A TCP Connection was Detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984


18.10 NCSA Common Log Format

The NCSA Common Log Format is a standardised text file format used by web servers when generating server log files. Because the format is standardised, the files can be readily parsed and analysed. An example of the NCSA Common Log Format log entry is given below.

10.192.168.37 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326

18.11 DNS Bind Log Format

The DNS Bind Log Format functionality is a logging format available on a variety of Unix and Linux platforms. The DNS Bind Log Format is designed to record DNS query events in a text format. An example of the DNS Bind Log Format entry is given below.

27-Mar-2019 17:00:36.097 XX /10.63.148.85/www.adisa.global/A

18.12 Common Event Format (CEF)

The CEF functionality is a logging format available on a variety of platforms. The Common Event Format (CEF) system is designed to record events in a text format. An example of a CEF log entry is given below.

Mar 28 19:23:07 server-01 CEF:0|security|threatmanager|1.0|100|poison ivy trojan infection successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232

18.13 SSHD

The Secure Shell Server (SSHD) can be configured to log data relating to authorisation events to Syslog on all Unix/Linux platforms [14]. An example of the Secure Shell Server log entry is given below.

Mar 28 19:23:08 server-01 sshd[18291]: Accepted password for ajcblyth from 192.189.202.18 port 34496 ssh2

18.14 Windows-Event

Microsoft Windows Event Logging supports the encoding of information in a JSON format via the EVTX encoding standard.


18.15 VSFTPD

The VS File Transfer Protocol Daemon (VSFTPD) is a software daemon that is used to transfer data from one location to another and it adheres to the FTP [18] standard. An example of the VSFTPD log entry is given below.

Thu Mar 28 19:52:00 2019 50 192.168.20.10 896242 /home/ajcblyth/datalog.tar.gz b _ o r ajcblyth ftp 0 * c

18.16 Firewall/Router

The information format that will be used to capture and express information on a Firewall and/or Routers is NetFlow. NetFlow expresses IP traffic statistics for an information flow between two IP devices.

18.17 FTPD

The FTPD log format is the standard file transfer log format used to express FTP requests and it adheres to the FTP [18] standard. An example of the FTPD log format log entry is given below.

Thu Mar 28 19:52:00 2019 50 192.168.20.10 896242 /home/ajcblyth/datalog.tar.gz b _ o r ajcblyth ftp 0 * c
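Sections 18.7 to 18.17 each show one line of a text log format that the Event Collector Connector must turn into a typed particle. The following is an added example, written for this page rather than taken from the project, of a single normaliser that recognises the sample lines above (syslog envelope with TCPD, Snort, CEF and SSHD payloads, plus the NCSA, BIND and FTP transfer-log formats) and emits a particle dict keyed by the Section 18 type name. The sample lines are copied from this section; the regular expressions are written for exactly those shapes and are a simplification (real CEF extensions escape `=` and `|`, syslog timestamps carry no year, and Windows-Event, NetFlow and the packet-level types are not covered because the page shows no sample for them).

```python
"""Added example (not the report's own ECC code): parse the Section 18 sample
log lines into typed event particles.  The regexes cover exactly the shapes
the samples show and simplify the real formats (see lead-in)."""
import re
from typing import List, Optional

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
PROG_RE = re.compile(r"^(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
SSHD_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
TCPD_RE = re.compile(r"^Connect from (?P<ip>[\d.]+)")
NCSA_RE = re.compile(r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$')
DNS_RE = re.compile(r"^(?P<ts>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) (?P<tag>\S+) "
                    r"/(?P<client>[\d.]+)/(?P<qname>[^/]+)/(?P<qtype>\w+)$")
XFER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<secs>\d+) "
                     r"(?P<host>\S+) (?P<bytes>\d+) (?P<file>\S+) (?P<ttype>[ab]) (?P<action>\S+) "
                     r"(?P<dir>[oid]) (?P<access>[arg]) (?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) "
                     r"(?P<authuser>\S+) (?P<status>[ci])$")

# Constructed input: the sample lines from Sections 18.7 to 18.17 of this report.
SAMPLE_LINES: List[str] = [
    "Mar 27 18:22:00 server-01 sshd[1130]: Server listening on 0.0.0.0 port 22",
    "Mar 28 19:23:07 server-01 in.telnetd[1140]: Connect from 10.63.130.139",
    "Mar 27 18:22:05 sensor-01 snort[3115]: [1:122:1] TCP traffic outbound "
    "[Classification: A TCP Connection was Detected] [Priority: 4] {TCP} 192.168.51.61:80 -> 192.168.51.59:1984",
    '10.192.168.37 user-identifier frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    "27-Mar-2019 17:00:36.097 XX /10.63.148.85/www.adisa.global/A",
    "Mar 28 19:23:07 server-01 CEF:0|security|threatmanager|1.0|100|"
    "poison ivy trojan infection successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "Mar 28 19:23:08 server-01 sshd[18291]: Accepted password for ajcblyth from 192.189.202.18 port 34496 ssh2",
    "Thu Mar 28 19:52:00 2019 50 192.168.20.10 896242 /home/ajcblyth/datalog.tar.gz b _ o r ajcblyth ftp 0 * c",
]


def parse_cef(text: str) -> dict:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension (unescaped extension only)."""
    parts = text.split("|", 7)
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7])) if len(parts) == 8 else {}
    return {"type": "CEF", "vendor": parts[1], "product": parts[2], "signature_id": parts[4],
            "name": parts[5], "severity": int(parts[6]), **ext}


def parse_syslog_payload(rest: str) -> dict:
    """Classify the part of a syslog line after the hostname into a particle type."""
    if rest.startswith("CEF:"):                      # CEF carried over syslog has no 'prog[pid]:' prefix
        return parse_cef(rest)
    m = PROG_RE.match(rest)
    if not m:
        return {"type": "SYSLOG", "message": rest}
    prog, msg = m.group("prog"), m.group("msg")
    particle = {"type": "SYSLOG", "program": prog, "pid": m.group("pid"), "message": msg}
    if prog == "snort" and (s := SNORT_RE.match(msg)):
        particle.update(type="SNORT", **{k: v for k, v in s.groupdict().items() if v is not None})
    elif prog == "sshd" and (s := SSHD_RE.match(msg)):
        particle.update(type="SSHD", **s.groupdict())
    elif prog.startswith("in.") and (s := TCPD_RE.match(msg)):   # tcpd-wrapped inetd service
        particle.update(type="TCPD", service=prog, **s.groupdict())
    return particle                                  # anything else stays a plain SYSLOG particle


def parse_line(line: str) -> Optional[dict]:
    """Return a typed event particle for one log line, or None if no format matches."""
    line = line.strip()
    if m := SYSLOG_RE.match(line):
        return {"timestamp": m.group("ts"), "host": m.group("host"), **parse_syslog_payload(m.group("rest"))}
    for regex, ptype in ((NCSA_RE, "NCSA"), (DNS_RE, "DNS"), (XFER_RE, "FTPD")):
        if m := regex.match(line):
            return {"type": ptype, **m.groupdict()}
    return None


def parse_all(lines: List[str]) -> List[Optional[dict]]:
    return [parse_line(line) for line in lines]
```

The syslog envelope is tried first and the payload is then sub-typed by program name, so a line the sub-parsers do not understand (the first sample, an sshd start-up message) still becomes a SYSLOG particle instead of being dropped; unrecognised lines return None so the caller can count them as a parse failure rather than ingesting an empty particle.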

19 Evaluation Case Study

The evaluation case study will focus on a sophisticated advanced persistent threat. This advanced persistent threat conducted Cyber Espionage campaigns. Within this case study we will define several Campaign, Threat Actor, Indicator, Attack Pattern and Malware objects, as well as an Intrusion Set object. Along with these objects, we will define multiple relationships linking these objects together. The evaluation and technical demonstration will be performed at TRL 3, where TRL 3 is defined as:

Analytical studies and laboratory studies to physically validate analytical predictions of separate elements of the technology are undertaken. Examples include components that are not yet integrated or representative.

The STIX model will be used as the baseline and the resulting prediction made by the system will be compared and contrasted to the STIX model. The STIX model that will be used is derived from and will focus on the deployment of a Remote Access Trojan (RAT) - see Figure 6.

The case-study used to perform the technical demonstration will make use of the following elements from the cyber kill chain.

– Reconnaissance: This is when an adversary selects a specific target, and attempts to identify and validate vulnerabilities on the target's network;

– Weaponisation: This is when an adversary creates a targeted piece of malicious software;

– Delivery: This is when an adversary transmits the malicious software;

– Exploitation: This is when an adversary's malicious software is executed on the target system;

– Installation: This is when an adversary's malicious software creates an access point for the adversary;

– Command and Control: This is when an adversary's malicious software enables the adversary to have persistent access to the target's network.

The gravitational model of Particle Swarm behaviour allows us to select the most suitable prediction for a Cyber Attack via the gravitational strength between event particles and prediction particles. This is achieved via the execution of a multi-attribute utility model that allows us to select the preferred prediction particle for a given event. It should be noted that not all event particles will have a preferred prediction particle, and that some event particles will have no prediction particle associated with them. A prediction takes the form of a swarm around a prediction particle. As more event particles are ingested into the system so the number of particles in a swarm will grow along with the gravitational forces being exerted on the prediction particle.

Fig. 6. The STIX Cyber Attack Definition

The prediction particle with the strongest total gravitational forces working on it is taken to be the most likely next stage in a Cyber Attack. Key elements of the evaluation will demonstrate:

– The ability to express the strength of a prediction via the strength of gravitational forces that operate upon a prediction particle;

– The ability to express the strength of a prediction via the speed with which an event particle moves towards a prediction particle;

– The ability to visualise a prediction via the strength of gravitational forces that operate on a prediction particle, expressed as the size of the prediction particle, i.e. the greater the gravitational forces the larger the size of the prediction particle in the 2 dimensional visualisation;

– The ability to express elements in a kill-chain and link predictions together to form a kill-chain.

The evaluation will take the following form:

– A defined STIX campaign model with associated STIX objects being loaded into the cloud environment;

– A defined set of intrusion sets and associated events along with a set of random non-related events;

– These events will then be inserted into the system in a time ordered sequence;

– The visualisation will be used to validate the prediction of the attack in accordance with the STIX campaign model;

– The ability to predict the use of CVE-2011-3544. As this vulnerability can relate to a specific operating system, a data particle will be used to validate the existence of a system that is vulnerable to this attack.

The following are examples of the observed events / particle types that will be used within the evaluation of the simple proof-of-principle demonstrator that relate to the actions of a sophisticated advanced persistent threat:

– Syslog
• This is the container event that will be used to report the observation of the: a) Snort, and b) CEF events.

– Snort
• The Snort object will be used to detect and report the toolset used within the case-study. In addition, Snort will be used to detect CVE-2011-3544. The ability to predict the use of this CVE will be used for validation purposes. CVE-2011-3544 is a vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 allowing remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

– CEF
• This particle is used to identify a number of the indicators relating to the Cyber Attack. It will not be observed directly, but rather created via the HTTP-Request particle.

– DNS (DNS Lookup Events)
• This particle will be used to identify a number of DNS queries that relate to the execution of Poison Ivy malicious software.

– HTTP Request
• This event is a TCP/IP event particle that corresponds to the URL request. Within this case-study it will be used to create a CEF particle that indicates the identification and validation of a vulnerability.

– NCSA
• The NCSA particle will be used to create new particles such as CEF that relate to the identification of the various tools used within the case-study. Both the identification and validation of the vulnerability take the form of URL requests.

– The vector space within which the particles exist will be modelled in 2 dimensions.

– The main STIX object that will be used to indicate a prediction is the Indicator STIX object.

– The Graph database will only support the functions: a) Create, b) Read, and c) Update. Please note that within the Graph database, particles are represented as Vertices.

20 Summary and Conclusions

In this report we have defined a formal model of Particle Swarms that supports reasoning about swarms. We have also defined in detail a technical architecture for the proposed Cyber Attack prediction capability. The technical architecture has been constructed in UML and contains a detailed design for:

– Data and Control flows through the entire application from data ingestion to situational awareness via the definition of JSON RPC interfaces.

– The Artificial Life particles and rules, algorithms and scenarios governing their interaction and decision making.

An observed event of a specific type is ingested as an event particle of a specific type. Prediction particles are ingested as STIX objects. The artificial life system uses a gravitational model of particles to model the behaviour of a swarm.

A prediction is defined as the prediction particle with the strongest gravitational forces operating on it. The behaviour of the swarms is visualised via a graphical user interface. To validate the applicability of particle swarms to cyber prediction at TRL 3, a case study has been defined and will be executed.

The expected limitations that we foresee upon implementation and evaluation of the Swarm solution to cyber prediction are as follows:

– The visualisation tool will only operate in two Dimensions, and will be relatively simplistic;


– The JSON RPC mechanism is not stateful and only implements a "Request", "Response" model. This limits the volume of data that can be transmitted over a single RPC request;

– The cache will only support a limited set of functions into the Enterprise Service Bus and the Cloud Environment;

– The executable XML used to calculate the information masses between an event particle e and a prediction particle epx will:

• Only support a limited set of operators;

• Not support the execution of graph based queries into the cloud environment. In particular, it will not support:

∗ Apache TinkerPop [25];

∗ SQL2Gremlin [24].

• Not be fully optimised to operate in as near real-time as possible;

• Only support a limited set of 16 data types;

• Only use the STIX objects of Indicator and Vulnerability to make predictions.

The key challenge that we foresee in the creation of the capability is the integration of the various components into a single functioning system.

20.1 Achievements

In Figure 7 we can see clear evidence of data of various types being ingested into the Graph Database cloud environment. In addition, we can also see various predictions being made and the strength of those predictions being visualised. The following is a list of achievements made during the project:

Fig. 7. Cyber Attack Prediction Visualisation

– The development of a novel cyber prediction capability that makes use of utility theory to create a particle swarm optimisation (PSO) model. Analysis of the research literature shows that to date no other researcher has used utility theory as a method for particles in a swarm to make decisions.

– The creation of an object-oriented particle type architecture that supports multiple inheritance and polymorphism, and so aids the easy adoption and integration of future data types.

– The ability for a CND operator to create and execute their own utility functions so as to allow for the system to change in response to changing attack patterns used by an adversary.

– The application of a Newtonian gravitational model to define the strength of belief in a cyber attack prediction.

– The adoption and integration of STIX and TAXII into the developed architecture to support the utilisation of threat intelligence.

– The creation of novel real-time visualisations that allow for the creation of situational awareness in relation to cyber attack prediction - Figure 7. This visualisation shows the strength of prediction via the visualisation of the gravitational forces operating on a prediction.

– The utilisation of open standards to support the agile integration into existing architectures and tools.


– The adoption of a cloud environment to support the processing and storage of large volumes of heterogeneous data.

– The adoption of a real-life case-study for the technical demonstration proving that the developed innovation is applicable to real-world situations.

– The successful demonstration of the developed innovation at TRL 3 and the development of a short power-point presentation and video. The Video can be used for limited training and clearly demonstrates the applicability of the development capability.

20.2 Limitations

The following is a list of limitations that can constrain the project:

– The visualisations only operate in 2 dimensions.

– The simulation of particle behaviour in relation to the gravitational forces only operates in two dimensions.

– The language used to express multi-attribute utility functions is limited in its expressive ability and does not support probabilistic modelling.

– The RPC mechanism implemented in the Enterprise Service Bus (ESB) and that functions as the interface into the cloud does not support atomic transactions or a Role Access Control (RAC) model.

– The cloud processes the events as a sequence of events rather than a temporally ordered set.

20.3 Feasibility Assessment

The achievements of the project clearly and objectively demonstrate the technical capability to ingest data, perform cyber attack prediction using a novel artificial intelligence algorithm, and visualise the results.

Software testing demonstrated that as the number of particles being ingested into the cloud/graph-database environment grew so the volume that could be processed within a given interval of time moved towards a constant value - see Figure ??. The processing capability that this graph demonstrates is a function of the processing/memory capability of the platform upon which the technical demonstrator was executed. Figure ?? clearly demonstrates that the process capacity per ingestion node is finite. As the MOD would deploy a distributed cloud in an operational environment the number of ingestion nodes into the cloud would also be distributed. The number of data ingestion points required to support an operational environment could be calculated based upon the volume of data being ingested.

The ability of the capability to ingest any data structure provides the MOD with a wide variety of application domains for this cyber attack prediction capability. These application domains include: a) the protection of standard COTS office processing capability used for operational intelligence (J2), current operations (J3), logistics (J4), communication and information systems (J5), etc., and b) industrial process control systems such as those used for engine and systems management on the Type 45 Destroyer, Type 26 Frigate, Astute/Trafalgar Class Attack Submarines, Vanguard Strategic Class Submarines and Queen Elizabeth Class Aircraft Carriers.

The execution, and visualisation, of the swarm based algorithm is performed on top of the enterprise service bus with the Graph database functioning as an information repository. Future developments of the demonstrated capability would see key processing elements of the swarm algorithm moved into the cloud environment. This movement would enhance processing speed and allow the algorithm to operate on extremely large volumes of data. At present the process capability is limited by the computing platform utilised by the technology demonstrator.

The technology demonstrator clearly and objectively demonstrates the ability of a swarm to predict a cyber attack and to visualise it - See Figure 7. The visualisations allow for the rates of data types being ingested to be visualised along with elements of the cyber kill chain. The elements of the cyber kill chain function as the prediction particles, and a cyber attack prediction is made when event particles move towards and cluster/swarm round a prediction particle. For ease of use all elements within a cyber kill chain are specified as STIX objects and the architecture supports the sharing of information via a TAXII interface.

The executable XML used to specify the swarm algorithm's utility functions at present makes use of a small set of functions and operators. However, these functions/operators do allow for all data within the events ingested to be accessed and used within the utility function. In addition, the executable XML provides access to the STIX objects used within the cyber kill-chain. While in the current phase of development the expressive power of the executable XML is limited, as the technology demonstrator clearly shows it does not stop complex decisions being made and cyber attacks being predicted.

21 Summary and Conclusions

This project has sought to achieve a cyber prediction capability at TRL 3 that is capable of detecting and predicting complex cyber attacks. Within this project we have created an artificial life swarm algorithm that utilises utility theory to define the behaviour of particles within the swarm. We have also created a set of visualisations that allow the CND operator to create situational awareness regarding the prediction of a cyber attack. Together the visualisations and the swarm algorithm developed expand our capability to deter and disrupt cyber-attacks.

The technical demonstration used to validate this project makes use of the FireEye Poison Ivy case study. The technical demonstrator developed in this project clearly and objectively shows how a swarm algorithm and supporting visualisations can be utilised to predict the progression of a cyber-attack. Within the technical demonstration data was ingested/inserted into the graph database environment and processed as event particles. was executed to make a set of cyber attack predictions. These predictions were then visualised - see Figure 7.

22 References

1. UK National cyber-defence Strategy, Crown Copyright, Dec 2017.

2. Defence Information Strategy, Crown Copyright, Dec 2017.

3. P. Nagabhushan, D. S. Guru, B. H. Shekar and Y. H. Sharath Kumar (Eds.), Data Analytics and Learning, Proceedings of DAL 2018, Springer, 2018.

4. V. Kurkova, Y. Manolopoulos, B. Hammer, L. Iliadis and L. Maglogiannis (Eds.), Artificial Neural Networks and Machine Learning, 27th International Conference on Artificial Neural Networks, Springer, 2018.

5. L. Munoz-Gonzalez, D. Sgandurra, A. Paudice and E. C. Lupu, Efficient Attack Graph Analysis through Approximate Inference, ACM Transactions on Privacy and Security (TOPS), Vol 20, No 3, August 2017.

6. M. Albanese, S. Jajodia and S. Noel, Time-Efficient and Cost-Effective Network Hardening using Attack Graphs, Conference on Dependable Systems and Networks, pp. 1–12, 2012.

7. M. Albanese, S. Jajodia, A. Pugliese and V. S. Subrahmanian, Scalable Analysis of Attack Scenarios, European Symposium on Research in Computer Security, pp. 416–433, 2011.

8. E. Bonabeau, M. Dorigo and G. Theraulaz, Swarm Intelligence: From Natural to Artificial Systems, Oxford University Press, 1999.


9. M. Millonas, Swarms: Phase Transition and Collective Intelligence, in C. G. Langton (Ed.), Artificial Life III, Addison Wesley, 1994.

10. M. Dorigo and C. Blum, Ant Colony Optimization Theory: A Survey, Theoretical Computer Science, Vol 344, pp. 243–278, 2005.

11. J. Kennedy and R. C. Eberhart, Particle Swarm Optimization, Proceedings of the International Conference on Neural Networks, pp. 1942–1948, 1995.

12. D. Karaboga and B. Akay, A Comparative Study of Artificial Bee Colony Algorithms, Applied Mathematics and Computation, Vol 32, pp. 108–132, 2009.

13. A. Girdhar, Swarm Intelligence and Flocking Behaviour, International Conference on Advancements in Engineering and Technology, 2015.

14. P. Pinto, T. A. Runkler and J. M. Sousa, Wasp Swarm Optimization of Logistic Systems, Adaptive and Natural Computing Algorithms, 2005.

15. F. Huilia and Z. Yuanchang, Rough Set Approach to Feature Selection Based on Wasp Swarm Optimization, Journal of Computational Information Systems, Vol 8, No 3, 2012.

16. X. Yang, A New Meta-Heuristic Bat-Inspired Algorithm, Studies in Computational Intelligence, Vol 284, pp. 65–74, 2010.

17. H. Roodabe and E. Mehdi, Security in Distributed Multi-Agent Systems, International Research Journal of Applied and Basic Sciences, Vol 6(6), 2013.

18. E. M. Holloway, G. B. Lamont and G. L. Peterson, Network Security using Self Organized Multi Agent Swarms, IEEE Symposium on Computational Intelligence in Cyber Security, 2009.

19. G. Lamont and M. Holloway, Military Network Security using Self-Organized Multi-Agent Entangled Hierarchies, Genetic and Evolutionary Computation Conference, 2009.

20. C. Coello and S. Dehuri, Swarm Intelligence for Multi-objective Problems in Data Mining, Springer Verlag, 2012.

21. A. Kott, C. Wang and R. F. Erbacher (Eds.), Cyber Defense and Situational Awareness, Advances in Information Security, Springer Verlag, 2015.


22. C. Wang and Z. Lu (Eds.), Proactive and Dynamic Network Defense, Advances in Information Security, Springer Verlag, 2019.

23. Z. Zhenxin, X. Maochao and X. Shouhuai, Predicting Cyber-Attack Rates with Extreme Values, IEEE Transactions on Information Forensics and Security, Vol 10, No 8, 2015.

24. J. Wu, L. Yin and Y. Guo, Cyber-Attacks Prediction Model Based on Bayesian Networks, 18th International Conference on Parallel and Distributed Systems, IEEE Press, 2012.

25. G. Werner, S. Yang and K. McConky, Time Series Forecasting of Cyber-Attack Intensity, Proceedings of the 12th Annual Conference on Cyber and Information Security Research, 2017.

26. A. Al-Eroud and G. Karabatis, A System for Cyber-Attack Detection Using Contextual Semantics, 7th International Conference on Knowledge Management in Organizations: Service and Cloud Computing, 2012.

27. L. Portnoy, E. Eskin and S. Stolfo, Intrusion Detection with Unlabeled Data using Clustering, Proc. of ACM CSS Workshop on Data Mining Applied to Security, 2001.

28. T. Shon and J. Moon, A Hybrid Machine Learning Approach to Network Anomaly Detection, Journal of Information Sciences, Vol 177, No 18, 2007.

29. A. Al Eroud and G. Karabatis, Methods and Techniques to Identify Security Incidents Using Domain Knowledge and Contextual Information, IFIP/IEEE Symposium on Integrated Network and Service Management, 2017.

30. K. Ingols, R. Lippmann and K. Piwowarski, Practical Attack Graph Generation for Network Defense, Computer Security Applications Conference, pp. 121–130, 2006.

31. L. Munoz-Gonzalez, D. Sgandurra, A. Paudice and E. C. Lupu, Efficient Attack Graph Analysis Through Approximate Inference, ACM Transactions on Privacy and Security, Vol 20, No 3, 2017.

32. J. Brownlee, Clever Algorithms: Nature-Inspired Programming Recipes, Lulu Publishing, 2012.

33. C. H. Heinl, Artificial (Intelligent) Agents and Active Cyber-Defence: Policy Implications, 6th International Conference on Cyber Conflict, NATO Publication, 2014.

34. I. Kotenko, Agent-based Modelling and Simulation of Network Cyber-Attacks and Cooperative Defence Mechanisms, St. Petersburg Institute for Informatics and Automation, Russian Academy of Sciences, 2010.

35. K. Kim and S. Cho, A Comprehensive Overview of the Applications of Artificial Life, Artificial Life, Vol 12, No 1, 2006.

36. S. A. Mohamed Elsayed, R. A. Ammar and S. Rajasekaran, Artificial Immune Systems: Models, Applications, and Challenges, 27th Annual ACM Symposium on Applied Computing, ACM Press, 2012.

37. J. Kim, W. O. Wilson, U. Aickelin and J. McLeod, Cooperative Automated Worm Response and Detection Immune Algorithm Inspired by T-cell Immunity and Tolerance, 4th International Conference on Artificial Immune Systems, 2005.

38. I. Rebollo-Ruiz and M. Grana, An Empirical Evaluation of Gravitational Swarm Intelligence for Graph Colouring Algorithm, Neurocomputing, Vol 132, 2014.

39. C. Kolias, G. Kambourakis and M. Maragoudakis, Swarm Intelligence in Intrusion Detection: A Survey, Computers & Security, Vol 20, No 8, 2011, pp. 625–642.

40. P. Amudha and H. Abdul Rauf, A Study on Swarm Intelligence Techniques in Intrusion Detection, IJCA Special Issue on Computational Intelligence & Information Security, 2012.

41. J. Raiyn, A Survey of Cyber-Attack Detection Strategies, International Journal of Security Applications, Vol 8, No 1, 2018, pp. 247–256.

42. A. Buczak and E. Guven, A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection, IEEE Communications Surveys & Tutorials, Vol 18, No 2, 2015, pp. 1153–1176.

43. P. Amudha and H. A. Rauf, A Study on Swarm Intelligence Techniques in Intrusion Detection, Proceedings of International Conference on Research Trends in Computer Technologies, 2012, pp. 32–34.

44. S. J. S. Aaron and R. Balasubramanian, A Comprehensive Survey of Technologies for Building a Hybrid High Performance Intrusion Detection System, International Journal of Computer Applications, Vol 113, No 15, 2015, pp. 33–40.


45. S. M. Elsayed, R. Sarker and D. Essam, Survey of Uses of Evolutionary Computation Algorithms and Swarm Intelligence for Network Intrusion Detection, International Journal of Computational Intelligence and Applications, Vol. 14, No. 4, 2015.

46. B. Liu, M. Cai and J. Yu, Swarm Intelligence and its Application in Abnormal Data Detection, Informatica, Vol. 39, No. 1, 2015, pp. 63–69.

47. S. M. H. Bamakan, H. Wang, T. Yingjie and Y. Shi, Effective Intrusion Detection Framework Based on MCLP/SVM Optimized by Time-Varying Chaos Particle Swarm Optimization, Neurocomputing, Vol. 199, 2016, pp. 90–102.

48. S. Aljawarneh, M. Aldwairi and M. B. Yassein, Anomaly-Based Intrusion Detection System Through Feature Selection Analysis and Building Hybrid Efficient Model, Journal of Computational Science, Vol. 25, 2016, pp. 152–160.

49. V. Praveena, M. Showmyaa and B. Sathya, A Survey on Intrusion Detection Techniques, International Journal of Innovative Research in Computer and Communication Engineering, Vol. 5, No. 9, 2017.

50. J. Wang, X. Hong, R. Ren and T. Li, A Real-Time Intrusion Detection System Based on PSO-SVM, Proceedings of the International Workshop on Information Security and Application, 2009, pp. 319–321.

51. J. Ma, X. Liu and S. Li, A New Intrusion Detection Method Based on BPSO-SVM, Proceedings of the International Symposium on Computational Intelligence and Design, 2008, pp. 473–477.

52. V. Attchara, K. Sujitha and S. Sayina, A New QPSO Based Network Intrusion Detection System Using Feature Selection, International Journal of Advanced Research in Computer and Communication Engineering, Vol. 6, No. 1, 2017.

53. H. Wang, G. Zhang and M. Na Sun, A Novel Intrusion Detection Method Based on Improved SVM by Combining PCA and PSO, Journal of Natural Sciences, Vol. 16, 2011.

54. H. Alipour, E. Khosrowshahi, M. Esmaeili and M. Nourhossein, ACO-FCR: Applying ACO-Based Algorithms to Induct FCR, Proceedings of the World Congress on Engineering, 2008.

55. M. S. Abadeh and J. Habibi, A Hybridisation of Evolutionary Fuzzy Systems and Ant Colony Optimisation for Intrusion Detection, International Journal of Information Security, Vol. 2, No. 1, 2010, pp. 33–46.

56. G. Hai-Hua, Y. Hui-Hua and W. Xing-Yu, Ant Colony Optimization Based Network Intrusion Feature Selection and Detection, Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, 2005, pp. 3871–3875.

57. H. Junbing, L. Dongyang and C. Chuan, An Improved Ant-Based Classifier for Intrusion Detection, Proceedings of the Third International Conference on Natural Computation, 2007, pp. 819–823.

58. H. Wang, J. Gu and S. Wang, An Effective Intrusion Detection Framework Based on SVM and Feature Augmentation, Knowledge-Based Systems, Vol. 136, 2017, pp. 130–139.

59. M. Tavallaee, E. Bagheri, W. Lu and A. Ghorbani, A Detailed Analysis of the KDD CUP 99 Data Set, Second IEEE Symposium on Computational Intelligence for Security and Defense Applications, 2009.

60. M. Okeke and A. Blyth, Emulating the Distributed Detection Approach in Flocks of Birds for Securing SCADA Systems, 3rd International Conference on Electro-Technology for National Development, IEEE Press, 2017.

61. M. Okeke and A. Blyth, Prey Approach for Anomalies Detection on Industrial Control Systems, 18th International Conference on Industrial Control Systems, 2016.

62. P. M. Putora and J. Oldenburg, Swarm-Based Medicine, Journal of Medical Internet Research, Vol. 15, No. 9, 2013.

63. N. Goel, J. Senthilnath and S. N. Omkar, Location Management in Mobile Computing Using Swarm Intelligence Techniques, Proceedings of the Second International Conference on Soft Computing for Problem Solving, 2012, pp. 481–489.

64. S. K. Mong and W. S. Hong, Multiple Ant-Colony Optimisation for Network Routing, Proceedings of the First International Symposium on Cyber Worlds, 2002.

65. Vijayalaxmi, S. A. Chandrashekhara and H. G. Joshi, Ant Colony Optimisation Technique in Network Routing Problem: A Simulation Study, International Conference on Innovations in Engineering and Technology, 2013.


66. J. McHugh, Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory, ACM Transactions on Information and System Security, 2000.

67. G. Beni, J. Wang and J. Wang, Swarm Intelligence in Cellular Robotic Systems, NATO Advanced Workshop on Robots and Biological Systems, 1989.

68. D. Karaboga, An Idea Based on Honey Bee Swarm for Numerical Optimization, Erciyes University, Engineering Faculty, Computer Engineering Department, 2005.

69. M. F. Lima, L. D. H. Sampaio, E. B. Zarpelao, J. J. P. C. Rodrigues, T. Abrao and M. L. Proenca, Networking Anomaly Detection Using DSNS and Particle Swarm Optimization with Re-clustering, IEEE Global Telecommunications Conference, 2010.

70. M. Dorigo and T. Stutzle, Ant Colony Optimization, MIT Press, 2009.

71. S. Keerthi, K. Ashwini and M. V. Vijaykumar, Survey Paper on Swarm Intelligence, International Journal of Computer Applications, Vol. 115, No. 5, 2015.

72. T. Ronan, Z. Qi and K. M. Naegle, Avoiding Common Pitfalls When Clustering Biological Data, Computational Biology, Vol. 9, No. 432, 2016.

73. Fortinet, Fortinet Predicts Highly Destructive and Self-learning "Swarm" Cyberattacks in 2018, last accessed April 2019, https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2017/predicts-self-learning-swarm-cyberattacks-2018.html

74. Fortinet, Mid-year 2017 Predictions Update, last accessed April 2019, https://www.fortinet.com/blog/industry-trends/mid-year-predictions-update.html

75. Symantec, Cyber Security Predictions: 2019 and Beyond, last accessed April 2019, https://www.symantec.com/blogs/feature-stories/cyber-security-predictions-2019-and-beyond

76. B. Yuan, Z. Pan and F. Shi, A Review on Network Attack Graph Technology, Transactions on Engineering and Technology Research, November 2018, DOI: 10.12783/dtetr/ecar2018/26351.

77. M. Husak, J. Komarkova, E. Bou-Harb and P. Celeda, Survey of Attack Projection, Prediction, and Forecasting in Cyber Security, IEEE Communications Surveys & Tutorials, Vol. 21, No. 1, 2019.

78. P. Nevavuori and T. Kokkonen, Requirements for Training and Evaluation Dataset of Network and Host Intrusion Detection System, New Knowledge in Information Systems and Technologies, Springer, 2019, pp. 534–546.

79. M. M. al-Rifaie, M. Yee-King and M. d'Inverno, Investigating Swarm Intelligence for Performance Prediction, The 9th International Conference on Educational Data Mining, 2016.

80. G. Zhang, Y. Chen, Y. Li, H. Yu, H. Hu and S. Wu, Intelligent Swarm Firefly Algorithm for the Prediction of China's National Electricity Consumption, International Journal of Bio-Inspired Computation, Vol. 13, No. 2, 2019.

81. R. Adhikari, R. K. Agrawal and L. Kant, PSO Based Neural Networks vs. Traditional Statistical Models for Seasonal Time Series Forecasting, 3rd IEEE International Advance Computing Conference, IEEE Press, 2013.

82. S. Zhang, Y. Shen and G. Zhang, Network Security Situation Prediction Model Based on Multi-Swarm Chaotic Particle Optimisation and Optimised Grey Neural Network, IEEE 9th International Conference on Software Engineering and Service Science, IEEE Press, 2018.

83. Z. Lin, G. Chen, W. Guo and Y. Liu, PSO-BPNN-Based Prediction of Network Security Situation, 3rd International Conference on Innovative Computing, Information and Control, 2008.

84. Monian-Fa, Network Traffic Prediction Based on Particle Swarm Optimisation, International Conference on Intelligent Transportation, Big Data and Smart City, 2015.

85. W. Feng, Y. Wu and Y. Fan, A New Method for the Prediction of Network Security Situations Based on Recurrent Neural Network with Gated Recurrent Unit, International Journal of Intelligent Computing and Cybernetics, Vol. 11, No. 4, 2018.

86. S. Liu, Application of BP Neural Network Model Based on Particle Swarm Optimization, Conference on Enterprise Network Information Security, 2016.

87. V. Tu, Advantages and Disadvantages of Using Artificial Neural Networks versus Logistic Regression for Predicting Medical Outcomes, Journal of Clinical Epidemiology, Vol. 49, No. 11, 1996.

88. C. L. Koo, M. J. Liew, M. Saberi and A. H. M. Salleh, A Review for Detecting Gene-Gene Interactions Using Machine Learning Methods in Genetic Epidemiology, BioMed Research International, Vol. 2013, No. 432375, 2013.

89. CyberSwarm, last accessed 1st May 2019, https://www.cyber-swarm.net/

90. L. de Haan and A. Ferreira, Extreme Value Theory: An Introduction, Springer, 2010.

91. P. Brezillon, P. Blackburn and R. Dapoigny, Modeling and Using Context, 8th International and Interdisciplinary Conference, CONTEXT, Springer, 2013.

92. S. Haque, M. Keffeler and T. Atkison, An Evolutionary Approach of Attack Graphs and Attack Trees: A Survey of Attack Modeling, International Conference on Security and Management, 2017.

93. X. Ou, W. F. Boyer and M. A. McQueen, A Scalable Approach to Attack Graph Generation, Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM Press, 2006, pp. 336–345.

94. B. Zhu and A. A. Ghorbani, Alert Correlation for Extracting Attack Strategies, International Journal of Network Security, Vol. 3, No. 3, 2006, pp. 244–258.

95. R. Jhawar, B. Kordy, S. Mauw, A. Radomirovic and R. Trujillo-Rasua, Attack Trees with Sequential Conjunction, IFIP International Information Security and Privacy Conference, Springer, 2015.

96. M. Gopal, Applied Machine Learning, McGraw Hill, 2019.

97. T. D. Nielsen and F. V. Jensen, Addressing the Problems of Bayesian Network Classification of Video Using High-Dimensional Features, Springer, 2001.

98. B. Cai, Y. Liu, J. Hu, Z. Liu, S. Wu and R. Ji, Bayesian Networks in Fault Diagnosis: Practice and Application, World Scientific Publishing Company, 2018.

99. A. Almeida and G. Azkune, Predicting Human Behaviour with Recurrent Neural Networks, Applied Sciences, Vol. 8, No. 2, 2018.


100. D. Kwon, K. Natarajan, S. C. Suh, H. Kim and J. Kim, An Empirical Study on Network Anomaly Detection Using Convolutional Neural Networks, IEEE 38th International Conference on Distributed Computing Systems, IEEE Press, 2018.

101. M. U. Oney and S. Peker, The Use of Artificial Neural Networks in Network Intrusion Detection: A Systematic Review, International Conference on Artificial Intelligence and Data Processing, 2018.

102. E. Reddy, Neural Networks for Intrusion Detection and Its Applications, Proceedings of the World Congress on Engineering, 2013.

103. Unanimous, last accessed 26th June 2019, https://unanimous.ai

104. S. Singh and S. Silakari, Cyber-Attack Detection System Based on Improved Support Vector Machine, International Journal of Security and Its Applications, Vol. 9, No. 9, 2015.

105. F. Ducatelle, G. Di Caro and L. M. Gambardella, Principles and Applications of Swarm Intelligence for Adaptive Routing in Telecommunications Networks, Swarm Intelligence, Vol. 4, No. 3, Springer, 2010.

106. N. Mustary and S. Phanikumar, Self-Adaptive Intelligent Routing in Dynamic WSN Using Natural Inspired Computing, IOP Conference: Materials Science and Engineering, 2017.

107. T. Hanne, S. Deb and S. Fong, Swarm Intelligence in Logistics and Production Planning, Swarm Intelligence: Volume 3 - Applications, IET Press, 2018.

108. P. Svenson, C. Martenson, H. Sidenbladh and M. Malm, Swarm Intelligence for Logistics, Swedish Defence Research Agency Report, ISSN 1650-1942, 2004.
