TY - GEN
T1 - Multimodal graph analysis of cyber attacks
AU - Ghose, Nirnimesh
AU - Lazos, Loukas
AU - Rozenblit, Jerzy
AU - Breiger, Ronald
N1 - Funding Information:
We thank the anonymous reviewers for their insightful comments. This research was supported in part by the NSF under grants CNS-1347075 and CNS-1409172. Any opinions, findings, conclusions, or recommendations expressed in this paper are those of the author(s) and do not necessarily reflect the views of the NSF.
Publisher Copyright:
© 2019 SCS.
PY - 2019/4
Y1 - 2019/4
N2 - The limited information on cyberattacks available in the unclassified domain makes it hard to standardize their analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In a multimodal graph, single-modality graphs are interconnected according to the interactions between them. We apply community and centrality analysis to the graph to obtain in-depth insights into the attack. In community analysis, we cluster the nodes that exhibit 'strong' inter-modal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality reveals the progression of the attack from the attacker to the targeted nodes. We apply our methods to two well-known case studies, GhostNet and Putter Panda, and demonstrate a clear distinction between the attack stages.
AB - The limited information on cyberattacks available in the unclassified domain makes it hard to standardize their analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In a multimodal graph, single-modality graphs are interconnected according to the interactions between them. We apply community and centrality analysis to the graph to obtain in-depth insights into the attack. In community analysis, we cluster the nodes that exhibit 'strong' inter-modal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality reveals the progression of the attack from the attacker to the targeted nodes. We apply our methods to two well-known case studies, GhostNet and Putter Panda, and demonstrate a clear distinction between the attack stages.
KW - Centrality analysis
KW - Community analysis
KW - Cyber-attacks
KW - Multimodal graph
UR - http://www.scopus.com/inward/record.url?scp=85068600447&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85068600447&partnerID=8YFLogxK
U2 - 10.23919/SpringSim.2019.8732851
DO - 10.23919/SpringSim.2019.8732851
M3 - Conference contribution
AN - SCOPUS:85073697256
T3 - 2019 Spring Simulation Conference, SpringSim 2019
BT - 2019 Spring Simulation Conference, SpringSim 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2019 Spring Simulation Conference, SpringSim 2019
Y2 - 29 April 2019 through 2 May 2019
ER -
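The abstract describes a multimodal graph whose node sets (adversaries, autonomous systems, victims, observed events) are joined only by inter-modal edges, then ranked by centrality and clustered by strong ties. The following is an added illustration, not code from the paper or its authors: the campaign data (APT-X, AS64500, victim-ngo, the ev-* events, the edge weights) is constructed, and because the abstract does not fix the centrality measure or the community algorithm, betweenness centrality and connected components over edges at or above an assumed weight threshold are used as stand-ins.

```python
"""Added example (not from the paper): a toy multimodal attack graph.

Node modalities follow the abstract: adversaries, autonomous systems (AS),
victims and observed events. Every edge is inter-modal. The centrality
measure (betweenness) and the community rule (components over 'strong'
edges) are assumptions for illustration; the abstract does not fix them.
"""
from collections import deque

# Constructed sample data: node -> modality. All names are invented.
MODALITY = {
    "APT-X": "adversary",
    "AS64500": "autonomous_system",
    "AS64501": "autonomous_system",
    "victim-ngo": "victim",
    "victim-embassy": "victim",
    "victim-univ": "victim",
    "ev-beacon": "event",
    "ev-exfil": "event",
    "ev-lateral": "event",
    "ev-phish": "event",
}

# Constructed undirected edges (u, v, weight); weight = number of observed
# interactions, e.g. C2 sessions between an AS and a victim.
EDGES = [
    ("APT-X", "AS64500", 5),
    ("APT-X", "AS64501", 2),
    ("AS64500", "victim-ngo", 4),
    ("AS64500", "victim-embassy", 3),
    ("AS64501", "victim-univ", 1),
    ("victim-ngo", "ev-beacon", 4),
    ("victim-ngo", "ev-exfil", 2),
    ("victim-embassy", "ev-lateral", 3),
    ("victim-univ", "ev-phish", 1),
]


def build_graph(edges, modality):
    """Weighted adjacency dict; rejects edges that are not inter-modal."""
    adj = {n: {} for n in modality}
    for u, v, w in edges:
        if u not in modality or v not in modality:
            raise ValueError(f"unknown node in edge {u}-{v}")
        if modality[u] == modality[v]:
            raise ValueError(f"intra-modal edge {u}-{v} not allowed")
        adj[u][v] = w
        adj[v][u] = w
    return adj


def betweenness(adj):
    """Brandes betweenness centrality on the unweighted undirected graph.

    Score = number of unordered node pairs whose shortest paths pass
    through the node (fractional when shortest paths are not unique).
    """
    bc = {v: 0.0 for v in adj}
    for s in adj:
        order, pred = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)
        dist = dict.fromkeys(adj, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS from s, counting shortest paths
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while order:                      # accumulate dependencies backwards
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: bc[v] / 2.0 for v in adj}  # undirected: each pair counted twice


def rank_by_centrality(adj, modality):
    """Nodes as (name, modality, score), highest centrality first."""
    scores = betweenness(adj)
    return sorted(((n, modality[n], scores[n]) for n in adj),
                  key=lambda t: (-t[2], t[0]))


def strong_communities(adj, min_weight):
    """Components of the subgraph of 'strong' edges (weight >= min_weight)."""
    seen, communities = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            v = stack.pop()
            if v in comp:
                continue
            comp.add(v)
            stack.extend(n for n, w in adj[v].items() if w >= min_weight)
        seen |= comp
        communities.append(frozenset(comp))
    return sorted(communities, key=lambda c: (-len(c), sorted(c)))


if __name__ == "__main__":
    g = build_graph(EDGES, MODALITY)
    for name, kind, score in rank_by_centrality(g, MODALITY):
        print(f"{score:5.1f}  {kind:18s}{name}")
    for comm in strong_communities(g, min_weight=3):
        print(sorted(comm))
```

On this constructed campaign the ranking descends from the infrastructure and adversary nodes (AS64500 at 26, APT-X at 18) through the victims to the events at 0, which is the attacker-to-target progression the abstract describes; the single strong-tie community at threshold 3 spans all four modalities, while the weakly connected AS64501 branch and the low-count events fall out as singletons. With real data the threshold and the choice of centrality measure are the parameters to justify.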