=Paper=
{{Paper
|id=Vol-2656/paper8
|storemode=property
|title=New Approaches to the Investigations and Classification of Cyber Threats Challenged by the Application of Artificial Intelligence Methods
|pdfUrl=https://ceur-ws.org/Vol-2656/paper8.pdf
|volume=Vol-2656
|authors=Roumen Trifonov,Ognian Nakov,Slavcho Manolov,Georgi Tsochev,Galya Pavlova
}}
==New Approaches to the Investigations and Classification of Cyber Threats Challenged by the Application of Artificial Intelligence Methods==
https://ceur-ws.org/Vol-2656/paper8.pdf
New Approaches to the Investigations and Classification
of Cyber Threats Challenged by the Application of
Artificial Intelligence Methods
Roumen Trifonov, Ognian Nakov, Slavcho Manolov, Georgi Tsochev and
Galya Pavlova
Technical University of Sofia, Sofia 1000, Bulgaria
r_trifonov@tu-sofia.bg
Abstract. The investigations of Cyber Threats on a global scale has, in recent
years, taken on a new dimension related to the unprecedented growth of Cyber
Crime, Cyber Terrorism and Cyber war, as well as the introduction of Artificial
Intelligence methods in the field of Cyber Defense. The research and practice of this
implementation shows that there is no universal method effective enough to protect
against various types of Cyber Attacks. It turns out that the choice of Artificial
Intelligence methods that are best suited to counteract certain classes of threats
depends on the systematization, unification and classification of Cyber Security
Threats and the sources of those threats. This paper examines the new approaches
for identification and analysis of Cyber Threats, as well as the tools used by the
various so-called “Threat Agents”. These analyses and classification schemes can
serve to create criteria for selecting appropriate Artificial Intelligence methods to
counteract concrete classes of Cyber Threats.
Keywords: cyber threats, taxonomy, threat agents, threat vector, threat matrix, kill
chain, cyber threat intelligence.
1 Introduction
The Special Publication SP 800-30 Revision 1 of the National Institute of
Standards and Technology (NIST) [1] in USA defined the Cyber Threats as
“Any circumstance or event with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation), organizational
assets, individuals, other organizations, or the Nation through an information
system via unauthorized access, destruction, disclosure, modification of
information, and/or denial of service.”
The investigations of Cyber Threats have been going on for many years
[10, 11]. The first attempt for their classification was implemented in the
Copyright © 2020 for this paper by
82 its authors. Use permitted under
Creative Commons License Attribution 4.0 International (CC BY 4.0).
�International Standard ISO / IEC TR 13335-1:1996 [2]. Nevertheless, in recent
years, this activity has acquired entirely new goals and characteristics, due to
two fundamental factors triggered by the unprecedented rise in cybercrime and
the emergence of elements of cyber terrorism and cyber war. These factors are
as follows:
a) The adoption in Cyber Defense of important military technologies and
methods, such as the Cyber Intelligence (Strategic, Operational and Tactical) and
the concept of the so-called “Kill Chain”;
b) The widespread introduction into the practice of Cyber Defense of
Artificial Intelligence methods.
Thus, on the one hand, different aspects of Cyber Threats are essential for the
different phases and varieties of military methods; on the other hand, the research
and practice of the implementation of Artificial Intelligence methods shows that
there is no universal method effective enough to protect against various types of
Cyber Attacks.
The motivation of the present research is based on the belief that the new
approaches to identification, classification and analysis of Cyber Security Threats
and the sources of those threats will be useful in choosing the appropriate method
for counteraction to certain classes of threats.
Research by the team from Computer Systems and Technology Faculty at the
Technical University - Sofia in the field of application of Artificial Intelligence
methods in different phases of Cyber Defense (Operational Cyber Intelligence,
Tactical Cyber Intelligence, Incident Handling) shows that the typification,
unification and classification of Cyber Threats play an important role in achieving
the specific objectives for each phase. Thus, in Operational Cyber Intelligence,
where the primary task is to identify the behavior of a potential adversary, it is
important, among the vast information on the network activity of the alleged
adversary, to extract so-called “features” - characteristics that make it highly
likely to determine its behavior. Moreover, in the case of Incident Handling, it
is essential that the incident relate to a high degree of likelihood of a particular
element of the Cyber-Threat Classification scheme, for which a remedial
procedure has been developed, i.e. to solve a classification problem.
It should be noted that the present work is not just a “literature review” of sources
related to the analysis and classification of cyber threats, but also an attempt to show how
these classifications can influence the creation of criteria for adequate choice of methods
of Artificial Intelligence for different areas of application in Cyber Security.
2 A New Generation of Cyber-Security Threats
The most adequate analysis of the radical changes in Cyber Security in the
last few years has been carried out in the report of the European Network and
83
�Information Security Agency (ENISA) “Threat Landscape Report 2016” [3].
ENISA and other leading Cyber Security players have identified and formulated
the two main directions of these changes:
a) fifth-generation Cyber-Criminality, where threats are becoming more
complex and automated. Major Cybercrime schemes integrate into several tools
that perform different functions. One of the features of the fifth generation is
called “Advanced Persistent Threats” (APT) as the definition of targeted attacks
against specific organizations by some well-coordinated cybercriminals [4]. In
addition, such popular cloud computing services as SaaS (Software as a Service),
IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and so on in the
Cyber-Criminality world has been developed so called “Crimeware as a Service
(CaaS)” - a modern model that provides easy access to the tools and services
needed to commit Cyber Attacks [5]. This allows even novice Cyber Criminals to
perform attacks on a scale that disproportionate to their technical capacity.
b) the transition from the Cyber-Criminality phase to the Cyber-War
phase, where the most serious destructive effects are those of a hybrid nature
- a combination of cyberattack and physical attack, i.e. Cyber-attacks affecting
communications and information systems and violating physical, personal and
communication security. The complexity and extent of the impact can affect all
spheres of society and turn into a hybrid war against a state or group of states.
The military concept related to the structure of the attack and aimed at
creating effective prevention or counter-attack at the various stages of the attack,
known as the “Kill Chain”, was adapted to the Cyber Defense by IT experts
at Lockheed-Martin Corporation [6]. Gradually, this concept was accepted by
the expert community as a Cyber Defense tool that defines the stages of Cyber-
attacks and the respective counteraction at each stage. The “Lockheed-Martin”
model (Fig. 1) [7] includes the following seven steps:
84
� Fig. 1. “Lockheed-Martin” model of the Cyber Kill Chain.
a) Intelligence: selection of the target by attacker selects a target, examination
of resources and attempts to identify vulnerabilities in the target network;
b) Creation of the weapon: respective creates weapons for remote access,
such as a virus, adapted to specific vulnerabilities;
c) Delivery: dispatch of the weapon to the victim (via e-mail attachments,
websites, USB devices, etc.):
d) Exploitation: activation of the weapon program code aiming to exploit the
vulnerability;
e) Installation: implementation of unregulated access point (for example, a
“back door”) usable by the offender;
f) Command and control: obtaining so called “keyboard hands” - constant
access to the target network;
g) Action on the target: realization of malicious action, such as fishing, data
destruction, or ransom encryption.
The “Kill Chain” model can be used in the analysis of the most common and
important threats, differentiating them into the relevant phases of the chain. The
85
�analysis should focus on the dynamic development of Cyber Threat assessments
and aim to integrate different types of information and provide stakeholders with
interactive assessments of threats and related instruments.
By assessing the impact on asset groups at different stages of the chain, it
can be determined, which security measures are most appropriate for the different
phases, including the intelligence to prevent asset abuse?
3 Classifications of Cyber Threats and Their Important Attributes
In order to build a rational and consistent approach to the choice of Artificial
Intelligence methods best suited to counteract certain classes of threats, it is
necessary to enable systematization, unification and classification of Cyber-
Security Threats and the sources of these threats. The first step in this way can be
the identification and analysis of the new concepts in the classifications of Cyber
Threats.
A. Currently, the most authoritative classification is so called „Cyber
Threats Taxonomy“ [8] published by ENISA on the basis of an analysis of
about 40 taxonomies developed by world-leading organizations (including
NIST and the US Department of Defense (USA), BSI (BRD), TERENA
(Netherlands), etc.).
This information structure is not just a classification by any selected attribute,
but a starting point for analysis, providing opportunities for combining, sorting,
modifying and refining the definitions of threats. Threat taxonomy is a living
structure that is used to maintain a consistent view of threats based on updated
information.
ENISA‘s taxonomy consists of the following sections:
a) threat category (including threat families);
b) the individual threats included in a category;
c) threat parameters - such as: specific type, method of attack, targeting a
specific IT asset, etc.;
d) additional features such as affected assets, threat agents, related sources,
URLs, etc.
B. The systematization of the sources of Cyber Threats is an important
element of their systematic analysis.
The mentioned above report of ENISA explained formation of groups of
sources with similar characteristics (motivations, level of capabilities, focus,
level of preparedness, striking power, etc.) and called „threat agents”:
a) Cyber-Criminals are the most active threat agent group in Cyber-space,
being responsible for at least two third of the registered incidents. This group has
set up networks to exchange tools for malicious action and hire assistants for the
various stages of the attack;
86
� b) Insiders are also the cause of a significant number of incidents. In addition
to malicious acts of all kinds, there are widespread violations of existing security
policies through negligence and user errors;
c) Hacktivists usually protest against environmental policy, discrimination,
corruption, pacifism, public health issues, support of minorities, etc. In the
majority of cases they cooperate on a group basis without any leadership schemes;
d) State-sponsored agents (including the cyber-spies) are the fourth most
active Threat Agent group. Due to the early maturity of military cyber-capabilities
it is not perfectly clear where is the differentiation between cyber-spying and
cyber-combating;
e) Others: cyber-fighters, cyber-terrorists, script-kiddies, etc. - their role is
less important.
Advanced intruders also use Cyber-Intelligence methods (mainly to look
for vulnerabilities and apply anonymization techniques). They are investing
significant amounts of their profits to improve and mature their infrastructure. In
addition, they use the dark web to exchange information between them.
C. Identifying a particular attacker’s affiliation with a respective group
of Threat Agents is too useful for Cyber Defense, as analyses show that each
group is distinguished by a specific set of instruments for Cyber Attacks. The
Table 1 visualize which threat agent groups are involving in which threats.
This information might be useful for all interested stakeholders in order
to identify the capability level can be assumed behind the top threats and thus
support in decisions concerning the strength of the security controls that are
implemented to protect valuable assets.
D. One of the new defined attributes of the Cyber Threats is so-called
“Attack Vector”, charactering methods and tools applied by the concrete
Threat Agent. A threat agent can abuse of weaknesses or vulnerabilities on
assets (including human) to achieve a specific outcome by this means. In
the correct context, the study of the different steps performed on an attack
vectors can provide valuable information about how Cyber Threats can be
materialized.
The description of the workflow of the attacks based on the „kill chain“
model, also has quite similar features within a particular group of Threat Agents.
This understanding creates additional opportunities for adequate planning of
Cyber Defense.
87
� Table 1. Threat agents in the deployment of the identified top cyber-threats.
E. One of the results of the newest Cyber Threat analyses is the so-called
“threat matrix” [8], which describes the identification of the adversary’s
abilities, the patterns of past and current behavior, and his specific tasks,
techniques and procedures. This matrix (Fig. 2) [8] is focused to those
who have already shown intent and ability to attack. It contain qualitative
and quantitative evaluation criteria. The matrix can be used for priority
allocation of resources to most likely opponents.
88
� Fig. 2 The “threat matrix”.
F. The threat modelling [9] as another useful tool for the systematic
analysis of Cyber Threats realizes an iterative process consisting of five
major steps (Fig. 3) [9]:
a) identification / verification of security objectives – threat modelling aimed
at determining of the activities in subsequent steps;
b) creation of application overview - attempt to extract essential features and
identify the threat agent;
c) decomposition of application - a detailed description of the mechanics of
malicious action;
Fig. 3. The steps of threat modeling.
89
� d) threats identification - threat analysis such as so called “STRIDE -
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service,
and Elevation of Privilege”, attack trees and a generic risk model;
e) vulnerabilities identification – reviewing the layers of application for
searching weaknesses related to these threats and using vulnerability categories
to focus on those areas where mistakes are most often made.
To adapt the model to specific needs, the key resources identified in threat
modelling need to be updated as research progresses.
4 Conclusions
As mentioned above, a comprehensive analysis of the most up-to-date approaches
to Cyber Threat investigations has been carried out by the team in order to solve
the problem of creating criteria for selection of the most suitable Artificial
Intelligence methods for the different phases of Cyber-Defense.
With the methods described above over 40 types of threats (some with
several subspecies) were examined in terms of their evolution, level of impact
and complexity, sophistication, availability, attribution, etc.
This analysis of the threats gives opportunity to evaluate possibility for
potential attack pattern recognition and to develop models for active Cyber
Defence. The process of modelling, experiments and selection of criteria is
described on the official website of the project [11] and in published articles that
are referenced on this website. In short, the results of this choice are formulated
in the project as follows:
a) basic criteria: maximum performance (i.e. detection efficiency coupled
with performance level) and a minimum percentage of false alarms;
b) additional criteria: flexibility for use in different environments; generic
methodology; the processing speed needed to analyze the contents of packets to
exclude lost packets.
The application of these criteria led to the following choice of Artificial
Intelligence methods:
a) in the case of Tactical Cyber Intelligence - a network of Self-Learning
Multi-Agent systems;
b) in the case of Operational Cyber Intelligence, the Echo State Network
(ESN) method with Reservoir Computing for training;
c) in the case of Incident Handling - so called Reinforcement Learning.
Acknowledgments
This research is realized under the national science program “Information and
Communication Technologies for common digital market in science, education
and security” financed by Ministry of Education and Science in Bulgaria
90
�References
1. NIST Special Publication 800-30 Revision 1 Guide for Conducting Risk Assessment September
2012
2. ISO/IEC TR 13335-1:1996 Information technology — Guidelines for the management of IT
Security — Part 1: Concepts and models for IT Security
3. Threat Landscape Report 2016 ENISA, 2017
4. State of Cybersecurity An ISACA and RSA Conference Survey ISACA, 2016
5. TrustWave Global Security Report TrustWave, 2016
6. www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/ LM-White-
Paper-Intel-Driven-Defense.pdf
7. Gaining the Advantage Applying Cyber Kill Chain Methodology to a Network Defense
Lockheed Martin Corporation, 2013
8. ENISA Threat Taxonomy A tool for structuring threat information Version1.0 January 2016
9. Duggan, D. P., Thomas, S. R., Veitch, C. K., & Woodard, L. Categorizing Threat: Building and
Using Generic Threat Matrix http://www.idart.sandia.gov/methodology/materials/Adversary_
Modeling/SAND2007-5791.pdf
10. Shostack, A. Threat Modelling designed for security, John Wiley & Sons, Inc., 2014.
11. Project Web site https://npict.bg/
12. Dimitrov, V., Semantics of Vulnerabilities and Intelligent Search, Computer and Communications
Engineering, Vol. 13, No. 2/2019, pp. 20-25, Workshop on Information Security 2019, 9th
Balkan Conference in Informatics, 26-28 September 2019, Sofia, Bulgaria
13. Kaloyanova, K., Exploring Cybersecurity Curricula Designation Requirements, Computer and
Communications Engineering, Vol. 13, No. 2/2019, pp. 64-68, WS on Information Security
2019, 9th Balkan Conference in Informatics, 26-28 September 2019, Sofia, Bulgaria
91
�