The threats, faced by government and military networks, have increased in such a way that regular perimeter defense and endpoint security solutions are no longer sufficient. Sooner or later one or more hosts in our networks will be the victim of a targeted attack and therefore it is essential that we have the capability of detecting these compromised hosts as quickly as possible so we can limit the impact of the incident.
In this study we will develop a prototype system that combines detection algorithms, found in scientific literature, with new detection algorithms, developed in the context of the study. The detectors, as well as the algorithms that aggregate the evidence provided by the individual detectors, will implement domain knowledge provided by network security specialists.
Furthermore, the system will not decide by itself which connections are suspicious and which are not. It will rather incorporate a human expert in the decision loop and provide the expert with a visual tool for exploring the available data, guided by the outputs of the detectors.
The constant stream of data produced daily, the complicated environment and the need for quick reaction to malicious attacks make the life of cyber defense analyst a living nightmare. Many wonder how are we supposed to be able to review the gigabytes of logs produced daily, how can we manage to analyze them all and extract valuable insight into what is happening in the network?Read
Defining cyber attacks is a difficult task. They vary in origins, goals and, at first glance, the techniques used might seem very different. Luckily a popular model was defined by Lockheed Martin, still used to this day, which illustrates very well the lifecycle of a typical cyber attack. The Cyber Kill Chain, popular but controversial, defines the 7 principal steps of an attack. There have been many advances, since its original conception, one of which is the wildly acclaimed ATT&CK Matrix for Enterprise.Read
Detecting suspicious or malicious activity in a network is not a trivial task. In recent years the attacks perpetrated have grown in sophistication and frequency. For this reason a new detection tool was developed, in the form of the Multi Agent Ranking framework (MARk). MARk sets the groundwork for the implementation of large scale detection and ranking systems through the implementation of a distributed storage in conjuncture with highly specialized, stand-alone detector agents. The detector agents are responsible for analyzing specific predefined characteristics and producing a report of any suspicious activity encountered.Read