Publication


Featured research published by Vivin Paliath.


Intelligence and Security Informatics | 2016

Darknet and deepnet mining for proactive cybersecurity threat intelligence

Eric Nunes; Ahmad Diab; Andrew T. Gunn; Ericsson Marin; Vineet Mishra; Vivin Paliath; John Robertson; Jana Shakarian; Amanda Thart; Paulo Shakarian

In this paper, we present an operational system for cyber threat intelligence gathering from various social platforms on the Internet, particularly sites on the darknet and deepnet. We focus our attention on collecting information from hacker forum discussions and marketplaces offering products and services focusing on malicious hacking. We have developed an operational system for obtaining information from these sites for the purposes of identifying emerging cyber threats. Currently, this system collects on average 305 high-quality cyber threat warnings each week. These threat warnings include information on newly developed malware and exploits that have not yet been deployed in a cyber-attack. This provides a significant service to cyber-defenders. The system is significantly augmented through the use of various data mining and machine learning techniques. With the use of machine learning models, we are able to recall 92% of products in marketplaces and 80% of discussions on forums relating to malicious hacking with high precision. We perform preliminary analysis on the data collected, demonstrating its application to aid a security expert for better threat analysis.


Intelligence and Security Informatics | 2016

Modeling cyber-attacks on industrial control systems

Vivin Paliath; Paulo Shakarian

Despite the prevalence of markets for malware and exploits and their potential threat to industrial control systems (ICS), existing paradigms for modeling of such cyber-adversarial behavior do not account for the complex nature of ICS systems consisting of multiple interconnected components. This paper takes the first steps toward addressing this need. Here, we introduce a framework that allows for modeling of ICS systems with highly interconnected components and study this model through the lens of lattice theory. We then turn our attention to the problem of determining the optimal/most dangerous for a cyber-adversary with respect to this model and find it to be an NP-Complete problem. To address this complexity, we utilize an A*-based approach and develop admissible heuristics. We provide an implementation and show through a suite of experiments using both simulated and actual vulnerability data that this method performs well in practice for identifying adversarial courses of action in this domain.


Guide to Vulnerability Analysis for Computer Networks and Systems | 2018

Defending Against Chained Cyber-Attacks by Adversarial Agents

Vivin Paliath; Paulo Shakarian

Cyber adversaries employ a variety of malware and exploits to attack computer systems. Despite the prevalence of markets for malware and exploit kits, existing paradigms that model such cyber-adversarial behaviour do not account for sequential application or “chaining” of attacks that take advantage of the complex and interdependent nature of exploits and vulnerabilities. As a result, it is challenging for security professionals to develop defensive strategies against threats of this nature. This chapter takes the first steps toward addressing this need, based on a framework that allows for the modelling of sequential cyber-attacks on computer systems, taking into account complex interdependencies between vulnerabilities and exploits. The framework identifies the overall set of capabilities gained by an attacker through the convergence of a simple fixed-point operator. We then turn our attention to the problem of determining the optimal/most effective strategy (with respect to this model) that the defender can use to block the attacker from gaining certain capabilities and find it to be an NP-complete problem. To address this complexity, we utilize an A*-based approach and develop an admissible heuristic. We provide an implementation and show through a suite of experiments using actual vulnerability data that this method performs well in practice for identifying defensive courses of action in this domain.


Archive | 2017

Automatic Mining of Cyber Intelligence from the Darkweb

John Robertson; Ahmad Diab; Ericsson Marin; Eric Nunes; Vivin Paliath; Jana Shakarian; Paulo Shakarian

Introduction

Now that we have a better understanding of the hacker communities present on both the darknet and the clearnet, which were discussed in the previous chapter, we can begin to use data-mining and machine-learning techniques to aggregate and analyze the data from these communities, with a goal of providing valuable cyber threat intelligence. This chapter is an extension of the work in [80]. We present a system for cyber threat intelligence gathering, built on top of the data from communities similar to those presented in Chapter 3. At the time of writing, this system collects, on average, 305 high-quality cyber threat warnings each week. These threat warnings contain information regarding malware and exploits, many of which are newly developed and have not yet been deployed in a cyber-attack. This information can be particularly useful for cyberdefenders. Significantly augmented through the use of various data-mining and machine-learning techniques, this system is able to recall 92% of products in marketplaces and 80% of discussions on forums relating to malicious hacking, as labeled by a security analyst, with high precision. Additionally, we will present a model based on topic modeling used for automatic identification of new hacker forums and exploit marketplaces for data collection. In succeeding sections, we will introduce a machine-learning-based scraping infrastructure to gather such intelligence from these online communities. We will also discuss the challenges associated with constructing such a system and how we addressed them. Figure 4.1 shows the number of detected threats for five weeks and Table 4.1 shows the database statistics at the time of writing, which indicates that only a small fraction of the data collected is hacking related. The vendor and user statistics cited only consider those individuals associated in the discussion or sale of malicious hacking-related material, as identified by the system.

Specific contributions of this chapter include:

• Description of a system for cyber threat intelligence gathering from various social platforms from the Internet such as deepnet and darknet websites.
• The implementation and evaluation of learning models to separate relevant information from noise in the data collected from these online platforms.
• A machine-learning approach to aid security experts in the discovery of new relevant deepnet and darknet websites of interest using topic modeling—this reduces the time and cost associated with identifying new deepnet and darknet sites.


Archive | 2017

Darkweb Cyber Threat Intelligence Mining

John Robertson; Ahmad Diab; Ericsson Marin; Eric Nunes; Vivin Paliath; Jana Shakarian; Paulo Shakarian


National Conference on Artificial Intelligence | 2016

Data driven game theoretic cyber threat mitigation

John Robertson; Vivin Paliath; Jana Shakarian; Amanda Thart; Paulo Shakarian


Archive | 2017

Systems and methods for data driven game theoretic cyber threat mitigation

Paulo Shakarian; John Robertson; Jana Shakarian; Vivin Paliath; Amanda Thart


Archive | 2017

Application: Protecting Industrial Control Systems

John Robertson; Ahmad Diab; Ericsson Marin; Eric Nunes; Vivin Paliath; Jana Shakarian; Paulo Shakarian


Archive | 2017

Moving to Proactive Cyber Threat Intelligence

John Robertson; Ahmad Diab; Ericsson Marin; Eric Nunes; Vivin Paliath; Jana Shakarian; Paulo Shakarian


Archive | 2017

Understanding Darkweb Malicious Hacker Forums

John Robertson; Ahmad Diab; Ericsson Marin; Eric Nunes; Vivin Paliath; Jana Shakarian; Paulo Shakarian

Collaboration


Top Co-Authors

Jana Shakarian

Arizona State University

John Robertson

Arizona State University

Ahmad Diab

Arizona State University

Eric Nunes

Arizona State University

Ericsson Marin

Arizona State University

Amanda Thart

Arizona State University

Andrew T. Gunn

Arizona State University

Vineet Mishra

Arizona State University
