Data Science for Cyber-Security

The following sections are included:

• Preface
• Contents

The lack of data sets derived from operational enterprise networks continues to be a critical deficiency in the cyber-security research community. Unfortunately, releasing viable data sets to the larger community is challenging for a number of reasons, primarily the difficulty of balancing security and privacy concerns against the fidelity and utility of the data. This chapter discusses the importance of cyber-security research data sets and introduces a large data set derived from the operational network environment at Los Alamos National Laboratory (LANL). The hope is that this data set and associated discussion will act as a catalyst for both new research in cyber-security as well as motivation for other organisations to release similar data sets to the community.

Computer and network security relies on many different tools, such as secure programming practices, firewalls, virus scanners and various algorithms to detect attacks and malicious software. The latter require the analysis of complex and varied data such as packet streams, emails, potential malicious binary executable files and user activity on a computer and on the network. Modern data analytics has a number of tools to analyse these data streams and to design detection algorithms. This chapter discusses several such tools that come from the computational statistics literature and from pure mathematics: nonparametric probability density estimation, graph-based manifold learning, topological data analysis. These ideas are illustrated on a problem of malware classification and on network data.

Sophisticated cyber attackers often move through their targeted network by creating a hierarchical chain of controlled computers and thereby create a strong correlation between the activity on two different computers. To detect such connected activities, an accurate model of network traffic that distinguishes between automated computer traffic and different user activity states is necessary. In this chapter, we propose a novel Bayesian model that identifies different states of activity in the arrival times of network flow events on individual computers. Our model is based on the well-known Markov-modulated Poisson process, but overcomes its drawbacks with the modelling of network data. Our model is embedded in a fast and scalable Bayesian inference framework. We validate the relation of our results to actual user activity through a controlled experiment.

Network traffic analysis presents a number of key challenges including concept drift, noisy ground truth and noisy features introduced by endpoint and network level artefacts. In this chapter, we demonstrate current applications of machine learning to this domain, and then provide an overview of common problems and how they manifest themselves in our data sets. Specifically, we demonstrate the changing popularity of different protocols and services, pitfalls in assuming ground truth for sandbox data and how different operating systems and collection points affect commonly used data features. Given this enhanced understanding of the network domain, we show how to develop machine learning solutions that can address each of these challenges to provide generalisable threat detection. While the themes of this chapter are applicable to many application layer protocols, our focus will be on identifying malware in TLS-encrypted traffic.

An effective cyber early warning system (CEWS) should pick up threat activity at an early stage, with an emphasis on establishing hypotheses and predictions as well as generating alerts on (unclassified) situations based on preliminary indications. The design and implementation of such early warning systems involve numerous challenges such as generic set of indicators, intelligence gathering, uncertainty reasoning and information fusion. This chapter begins with an understanding of the behaviours of intruders and then related literature is followed by the proposed methodology using a Bayesian inference-based system. It also includes a carefully deployed empirical analysis on a data set labelled for reconnaissance activity. Finally, the chapter concludes with a discussion on results, research challenges and necessary suggestions to move forward in this research line.

Malicious software often uses HTTP traffic to penetrate an organisation or communicate with its command and control centre. This type of traffic is hidden in vast amounts of legitimate HTTP traffic, often remaining undetected. Signature-based techniques for detecting such traffic are only useful for known malware types. Anomaly detection techniques attempt instead to understand how HTTP traffic typically looks like, and flag any abnormal behaviour for further scrutiny. One aspect of HTTP traffic is captured by the user-agent string (UAS), a field of the HTTP header containing information about the application and operating system used by the client. Typically corresponding to a browser, it allows servers to determine which type of content to deliver to the client so that it is properly rendered. Malware will sometimes masquerade as a browser, which requires them to fake the UAS, making it an interesting feature to consider when looking for suspicious activity in HTTP traffic. In this chapter, we present an anomaly detection method for UASs that relies on a novel and efficient approach for computing distances between UASs on large amounts of data.

Many Twitter users are bots. They can be used for spamming, opinion manipulation and online fraud. Recently, we discovered the Star Wars botnet, consisting of more than 350,000 bots tweeting random quotations exclusively from Star Wars novels. The bots were exposed because they tweeted uniformly from any location within two rectangle-shaped geographic zones covering Europe and the USA, including sea and desert areas in the zones. In this chapter, we report another unusual behaviour of the Star Wars bots, that the bots were created in bursts or batches, and they only tweeted in their first few minutes since creation. Inspired by this observation, we discovered an even larger Twitter botnet, the Bursty botnet with more than 500,000 bots. Our preliminary study showed that the Bursty botnet was directly responsible for a large-scale online spamming attack in 2012. Most bot detection algorithms have been based on assumptions of “common” features that were supposedly shared by all bots. Our discovered botnets, however, do not show many of those features; instead, they were detected by their distinct, unusual tweeting behaviours that were unknown until now.

Botnets consist of devices connected to the internet, supervised by a botnet owner, performing malicious tasks. The significant impact of botnets on corporate, governmental and civilian operations has resulted in a lot of attention from the machine learning community. However, most studies to date do not respect the linked structure of network data and rely heavily on the availability of a labelled data set. This study applies Stochastic Block Models (SBM) to botnet data with the aim of identifying infected clusters without the need for a labelled data set…

In this chapter we explore two spectral embeddings, adjacency spectral embedding (ASE) and normalised Laplacian (NL), of the bipartite graph of authentication events from the first release of the Los Alamos Cyber-Security Events data (Kent, 2016). Both ASE and NL require the estimation of the principal singular vectors associated with the largest singular values of a matrix. For comparison, an ensemble of random projections (RP) are also used as a baseline as is the degree sequence of the nodes. The embeddings (spectral, random or degree sequence) are then used as features for a random forest classifier to classify nodes of the graph (computers) into one of two classes: those that have attacked and those that have not. The results indicate that the features produced by ASE are substantially stronger than those of NL, and surprisingly RP outperforms NL—which does outperform the baseline of degree sequence. Finally, the experiments are repeated without the red team events (authentication spoofing attacks) and while the performance degrades, the features still have significant ability to predict which computers will be attacked given a sample of those that would be attacked. Thus, the set of computers that would be attacked are related by their connectivity in the network even when the the edges corresponding to their attack are removed. In this sense, they form a sub-network which may be learned by the connections present in the network when the attacking (red team) events are removed.

Lack of labelled data is a well-known challenge in cyber-security research. Although confidentiality is often used to explain this scarcity, our experience shows that even within the closed walls of large enterprises with significant in-house expertise, it is not obvious how to turn threat intelligence into a labelled data set suitable for machine learning. This is due to a perfect storm of heavily imbalanced yet massive data sets, scarcity of time for performing manual labelling, and domain-specific idiosyncrasies as to label semantics that drive a wedge between expert know-how and statistical modelling. We hereby try to unpack these incompatibilities, and argue that recent research in weak supervision, wherein multiple heuristics are used in place of ground truth, is a more fertile framework for cyber-security research than the classical choices of supervised, semi-supervised and unsupervised learning. We also make a novel methodological contribution in recasting weak supervision as a weighted learning problem, thusly making it straightforward to implement weakly supervised learning using a large number of existing classifiers and software packages. We validate our proposal using a simulation study. An R package has been released in CRAN for weakly supervised learning.

All digital logic and data in a computing system are subject to compromise by an attacker. As a result, any security monitoring or analysis done within the same communications and computational fabric is also subject to compromise. Moreover, many embedded processors do not have the additional memory or computational resources to coexist with security solutions. As a result, there is interest in using out-of-band analogue side-channel measurements and their analyses to monitor expected programme execution. This chapter describes an approach to this problem that involves measuring external electromagnetic emanations from a commodity processor and analysing those measurements to estimate various aspects of application software execution. It is of particular importance to alert the user to deviations from the logically constrained execution paths determined by the programme structure. Our approach uses analogue RF measurements made in multiple bands at GHz rates which generate enormous amounts of data at high sampling rates. These measurements are used initially for developing the appropriate classification and analytics, and subsequently for implementing those classifiers and trackers operationally in real time. We describe our implementation of machine learning and information theory-based algorithms for identifying the most useful features for tracking an application’s control flow graph. Moreover, we describe a hierarchy of control flow graph models in which different models have different execution tracking performance properties.

Worldwide, billions of euros are lost every year due to credit card fraud. Increasingly, fraud has diversified to different digital channels, including mobile and online payments, creating new challenges as innovative new fraud patterns emerge. Hence, it remains challenging to find effective methods of mitigating fraud. Existing solutions include simple if-then rules and classical machine learning algorithms. Credit card fraud is by definition an example-dependent and cost-sensitive classification problem, in which the costs due to misclassification vary between examples and not only within classes, i.e., misclassifying a fraudulent transaction may have a financial impact ranging from a few to thousands of euros. In this chapter, we propose an extension to the cost-sensitive decision trees (CSDT) algorithm, by creating an ensemble of such trees, and combining them using a stacking approach with a cost-sensitive logistic regression (CSLR). We compare our method with standard machine learning algorithms and state-of-the-art cost-sensitive classification methods using a real credit card fraud data set provided by a large European card processing company. The results show that our method achieves savings of up to 73.3%, more than 2% points more than a single CSDT.

Businesses and government face a daunting option space of cyber-security improvements that could be made. However, resources are limited and improvements have direct costs and opportunity costs, and can impede other business objectives. Thus, deciding how much to invest and in which improvements is a key challenge for decision makers. The paucity of data-driven decision tools today results in decisions that are often based solely on regulatory requirements, product marketing claims and peer benchmarking. Given the role of adversary decision-making and adaptation in cyber-security, we pose new ways to quantitatively evaluate options based on factors like reachability, adversary delay time and adversary productivity. In the absence of sound decision-making, defenders can bankrupt themselves enacting “enhanced security” without actually thwarting an intruder. We demonstrate through quantitative analysis that well-intentioned actual policy decisions may be ineffective at thwarting the adversary.

The following section is included:

• Index