Publication


Featured research published by Gustavo Gonzalez Granadillo.


2011 Conference on Network and Information Systems Security | 2011

Decisive Heuristics to Differentiate Legitimate from Phishing Sites

Sophie Gastellier-Prevost; Gustavo Gonzalez Granadillo; Maryline Laurent

Phishing attacks are a major concern for preserving Internet users' privacy, especially since most of them lead to financial data theft by combining social engineering and spoofing techniques. Because blacklists are not the most effective way of detecting phishing sites, given the short lifetime of such sites, heuristics appear to be the privileged approach at time 0. Several previous studies discussed the different types of phishing characteristics that can help define heuristic tests, as well as comparing them to blacklists. In our paper, we studied heuristics using a different approach. Based on the characteristics of phishing URLs and webpages, we defined 20 heuristic tests and implemented them in our own active anti-phishing toolbar (Phishark). Then, we tested the heuristics' effectiveness and determined which heuristics are decisive in differentiating legitimate from phishing sites.


International Journal of Information Security | 2014

RORI-based countermeasure selection using the OrBAC formalism

Gustavo Gonzalez Granadillo; Malek Belhaouane; Hervé Debar; Grégoire Jacob

Attacks against information systems have grown in sophistication and complexity, making the detection and reaction process a challenging task for security administrators. In reaction to these attacks, the definition of security policies is an effective way to protect information systems from further damage, but it requires great expertise and knowledge. If stronger security policies can constitute powerful countermeasures, inappropriate policies, on the other hand, may result in disastrous consequences for the organization. The implementation of stronger security policies requires in many cases the evaluation and analysis of multiple countermeasures. Current research promotes the implementation of multiple countermeasures as a strategy to react to complex attacks; however, the methodology is either hardly explained or very complicated to implement. This paper introduces a well-structured approach to evaluate and select optimal countermeasures based on the return on response investment (RORI) index. An implementation of a real case study is provided at the end of the document to show the applicability of the model over a mobile money transfer service. The service, security policies and countermeasures are expressed using the OrBAC formalism.


Mathematical Methods, Models and Architectures for Network Security Systems | 2012

Individual countermeasure selection based on the return on response investment index

Gustavo Gonzalez Granadillo; Hervé Debar; Grégoire Jacob; Chrystel Gaber; Mohamed Achemlal

As the number of attacks, and thus the number of alerts received by Security Information and Event Management Systems (SIEMs), increases, the need for appropriate treatment of these alerts has become essential. The new generation of SIEMs focuses on the response ability to automate the process of selecting and deploying countermeasures. However, current response systems select and deploy security measures without performing a comprehensive impact analysis of attacks and response scenarios. This paper addresses this limitation by proposing a model for the automated selection of optimal security countermeasures. In addition, the paper compares previous mathematical models and studies their limitations, which led to the creation of a new model that evaluates, ranks and selects optimal countermeasures. The model relies on the optimization of cost-sensitive metrics based on the Return On Response Investment (RORI) index. The optimization compares the expected impact of the attacks when doing nothing with the expected impact after applying countermeasures. A case study of a real infrastructure is presented at the end of the document to show the applicability of the model over a Mobile Money Transfer Service.


International Journal of Electronic Security and Digital Forensics | 2012

An ontology-driven approach to model SIEM information and operations using the SWRL formalism

Gustavo Gonzalez Granadillo; Yosra Ben Mustapha; Nabil Hachem; Hervé Debar

The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous increases the difficulty of these administrative tasks. This paper introduces an ontology-driven approach to address the aforementioned problems. The proposed model takes into account two aspects: the information and the operations that are manipulated by SIEM environments in order to reach the desired goals. The model uses ontologies to provide simplicity in the description of concepts, relationships and instances of the security domain. The Semantic Web Rule Language (SWRL) is used to describe the logic rules needed to infer relationships among individuals and classes. A case study on Botnets is presented at the end of this paper to illustrate a concrete utilisation of our model.


International Conference on Security and Privacy in Communication Systems | 2015

Using a 3D Geometrical Model to Improve Accuracy in the Evaluation and Selection of Countermeasures Against Complex Cyber Attacks

Gustavo Gonzalez Granadillo; Joaquin Garcia-Alfaro; Hervé Debar

The selection of security countermeasures against current cyber attacks does not generally involve appropriate assessments of the attack and countermeasure impact over the system. In addition, the methodologies used to evaluate and select countermeasures are generally based on assumptions, estimations, and expert knowledge. A great level of subjectivity is involved when estimating parameters such as the benefits and importance of the investment in cost-sensitive models. We propose in this paper a decision support tool that uses a Return On Response Investment (RORI) metric and a 3D geometrical model to simulate the impact of attacks and countermeasures on the system. The former is a cost-sensitive model used to evaluate, rank and select security countermeasures against complex cyber attacks. The latter is a tool that represents the impact of attacks and countermeasures in a three-dimensional coordinate system. As a result, we are able to automatically select mitigation strategies addressing multiple and complex cyber attacks that are efficient in stopping the attack while preserving, at the same time, the best service to legitimate users. The implementation of the tool and main results are detailed at the end of the paper to show the applicability of our model.


International Conference on Innovative Computing Technology | 2012

Combination approach to select optimal countermeasures based on the RORI index

Gustavo Gonzalez Granadillo; Grégoire Jacob; Hervé Debar; Luigi Coppolino

As new and more sophisticated computer attacks appear across the Internet, sometimes with unknown dimensions and criticality, the implementation of individual security solutions becomes less effective and in some cases useless. Instead, a combined approach is required to guarantee an appropriate and cost-effective mitigation of such attacks. Most of the current work suggests the deployment of multiple countermeasures as a single treatment to mitigate the effects of complex attacks. However, the methodology to analyze and evaluate combined solutions is either hardly explained or very complicated to implement. This paper therefore proposes a simple and well-structured approach to select the optimal combination of countermeasures by maximizing their cost-effectiveness ratio, this ratio being measured by the Return on Response Investment (RORI) index. A case study is provided at the end of the document to show the applicability of the model over a critical infrastructure process control.


Availability, Reliability and Security | 2016

Selection of Mitigation Actions Based on Financial and Operational Impact Assessments

Gustavo Gonzalez Granadillo; Alexander Motzek; Joaquin Garcia-Alfaro; Hervé Debar

Finding adequate responses to ongoing attacks on ICT systems is a pertinacious problem and requires assessments from different, perpendicular viewpoints. However, current research focuses on reducing the impact of an attack regardless of the side effects caused by responses. In order to achieve a comprehensive yet accurate response to possible and ongoing attacks on a managed ICT system, we propose an approach that relies on a response system that continuously quantifies risks and decides how to respond to cyber threats that target a monitored ICT system. Our Dynamic Risk Management Response (DRMR) model is composed of two main modules: a Response Financial Impact Assessor (RFIA), which provides an assessment of the potential financial impact that responses may cause to an organization, and a Response Operational Impact Assessor (ROIA), which assesses the potential impacts that efficient mitigation actions may cause on the organization from an operational perspective. As a result, the DRMR model proposes response plans to mitigate identified risks, enabling the choice of the most suitable response options to reduce identified risks below an admissible level while minimizing the potential negative side effects of deliberately taken actions.


ICGS3/e-Democracy | 2011

An Ontology-Based Model for SIEM Environments

Gustavo Gonzalez Granadillo; Yosra Ben Mustapha; Nabil Hachem; Hervé Debar

The management of security events, from the analysis of attacks and risk to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, network and system devices are designed to be heterogeneous, with different characteristics and functionalities that increase the difficulty of these tasks. This paper introduces an ontology-driven approach to address the aforementioned problems. The proposed model takes into account the two main aspects of this field, the information that is manipulated by SIEM environments and the operations that are applied to this information, in order to reach the desired goals. We present a case study on Botnets to illustrate the utilization of our model.


Conference on Risks and Security of Internet and Systems | 2015

Attack Volume Model: Geometrical Approach and Application

Gustavo Gonzalez Granadillo; Grégoire Jacob; Hervé Debar

The sophistication and efficiency of current attacks makes the detection and mitigation process a very difficult task for security analysts. Research in information security has always focused on the effects of a given attack over a particular target and the methodologies to evaluate and select countermeasures accordingly. Multiple attack scenarios are hardly considered concurrently to assess the risk and propose security solutions. This paper proposes a geometrical model that represents the volume of attacks and countermeasures based on a three-dimensional coordinate system (i.e. user, channel, and resource). The CARVER methodology is used to give an appropriate weight to each entity composing the axes in the coordinate system. These weights represent the criticality of the different system entities. As a result, volumes are related to risks, making it possible to determine the magnitude and coverage of each attack and countermeasure within a given system.


New Technologies, Mobility and Security | 2016

New Types of Alert Correlation for Security Information and Event Management Systems

Gustavo Gonzalez Granadillo; Mohammed El-Barbori; Hervé Debar

Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views of the alerts for threat handling and security reporting. However, as the number of security incidents, and thus the diversity of alerts received by SIEMs, increases, the need for appropriate treatment of these alerts has become essential. Alert correlation has been proposed in order to alleviate this problem. Current alert correlation techniques provide a better description of the detected incident and a concise view of the generated alerts, reducing their volume and thus their processing time. Although such techniques support administrators in processing a huge number of alerts, they remain limited, since these solutions do not provide information about the attackers' behavior and the defenders' capability to react to detected attacks. In this paper, we propose two novel alert correlation approaches. The first is based on policy enforcement and defender capability models; the second is based on information security indicators. We therefore enrich the current state of the art in alert correlation techniques with complementary approaches.

Collaboration

Top Co-Authors

Hervé Debar

Institut Mines-Télécom
