Dr Nicholas Kolokotronis from the University of Peloponnese and Dr Stavros Shiaeles, School of Computing, Faculty of Technology at the University of Portsmouth, impart their expert thoughts on effective response and mitigation of advanced cyber-attacks via an intelligent cyber–defence framework
Both authors have received funding from the EU’s Horizon 2020, under grant agreement 786698.
Cyber-threat intelligence (CTI) refers to the process of gathering and organising information that can help organisations identify, assess, monitor and respond to cyber-threats. A detection and mitigation platform that exploits the available CTI is crucial for tackling the grand challenges inherent in securing the ecosystem of the Internet of Things (IoT) devices. Such challenges rest with the structure of typical IoT networks that are comprised of heterogeneous connected devices whose flawed design allows the cyber–attackers to easily compromise them and form enormous IoT botnets(1).
Effective response and mitigation of sophisticated cyber-attacks are crucial and a systematic approach to model attack strategies needs to be developed so as to properly identify the possible weaknesses of a system, the relevant security risks in relation with the possibility of an attack being successful, as well as the countermeasures required for addressing these security issues, both proactively and reactively. This is a non–trivial task, taking into account the inherent complexity of IoT ecosystems, as well as the fact that new vulnerabilities – and thus relevant security risks – are constantly arising.
CTI tools are responsible for the efficient collection of information regarding emerging cyber–threats or possibly unknown vulnerabilities that are available from various sources and their ranking in terms of criteria like popularity and impact; the dissemination of CTI to the relevant cybersecurity controls is imperative for increasing an organisation’s defensive capabilities. Typical solutions should address key security aspects(2,3) like:
- Efficient identification and crawling of sources with valuable cybersecurity information to retrieve relevant (and time-varying) content on vulnerability, exploits, products, etc.
- Accurate extraction of site-specific content from the retrieved data (filtering out irrelevant content) to obtain information on vulnerabilities, affected platforms, exploits used, etc.
- Efficient storage, indexing, etc. of gathered CTI and dissemination amongst the cybersecurity experts, to rate the quality of the CTI and increase awareness.
In addition, CTI may be used to augment the knowledge that intelligent cyber-defence controls have in order to efficiently detect and prevent attacks. Such security controls – typical examples of which include host-based malware detection systems(4) and network-based intrusion detection systems(5,6) – typically utilise sophisticated machine learning (ML) algorithms having incremental learning abilities.
To this end, novel intrusion detection approaches have been proposed, relying on properly designed convolutional neural networks (CNN), that convert data (e.g. software binaries of IP packets’ payload) into 2D images to increase efficiency6; CNNs are particularly suited for the classification of images and can be easily retrained to learn quickly from updates to the neural network. Such methods may achieve high accuracy (more than 92%), which meets the accuracy needs for practical use, as well as high precision and recall (again more than 92%) showing the ability to differentiate malicious from benign data.
Intelligence may also come in the form of efficiently modelling the attack strategies and profiles that characterise the resources available to attackers (e.g. budget and tools) for exploiting vulnerabilities of any kind to attain their goals, such as privilege escalation, quality of service reduction, etc. Graphical cyber security models (GCSM) constitute important primitives for efficiently representing multi-stage attack strategies, thus, enhancing the capability of intrusion detection systems to respond to advanced cyber-attacks(7).
GCSMs need detailed information about software weaknesses, misconfigurations, network connectivity, firewall rules, etc., of the devices in a network in order to identify, via specialised algorithms, the possible attack paths a cyber–attacker might follow (possibly in an adaptive manner) towards achieving his goals and the associated impact. Many tools exist for detecting open ports and vulnerabilities on a network’s devices, but their limitation is that they identify vulnerabilities and plan any mitigation action on a per-host basis; therefore, they are unable to detect sophisticated multi-stage attacks, which usually occur in highly complex and dynamic environments as in the case of IoT, by correlating such information.
The combination of ML-based intrusion detection systems (IDS) and GCSMs can lead to an innovative class of intelligent intrusion response systems (iIRS) providing dynamic security risk assessment and intelligent mitigation strategies to defend against adaptive multi–stage cyber-attacks in an optimal and autonomous fashion(8). This can be achieved by building upon advanced game-theoretic security approaches that, given a GCSM for the IoT network under consideration, accurately model the players (attackers and defenders) and their interactions. This model includes what each player knows about the network, what attacking and defending actions can be performed, what goal (and the associated reward) is to be attained, etc. The key aspects that such solutions need to address include:
- The development of an ML-based IDS that can identify unknown (i.e. zero-day) attacks.
- Accurate modelling of cybersecurity aspects via game-theoretic frameworks and effective tackling of the complexity and efficiency issues arising in each case.
- Enhancement of defenders’ capabilities against multi-stage attacks by incorporating GCSMs into game-theoretic models specifically for intrusion prevention and response.
- Development of algorithms for solving the formulated games, in a centralised or decentralised manner, to yield the optimal defender’s response and minimise attackers’ success.
By achieving the above results, the designed iIRS will prove to be valuable as part of solutions offering built-in resilience, which will help stakeholders to better protect their assets against advanced large–scale cyber-attacks. Thus, to generate a positive impact for small and medium-sized enterprises, but also for critical infrastructures and industrial IoT facilities, further research and development on the following aspects is required: methods for the detection and mitigation of (unknown) sophisticated cyber-attacks, solutions for the acquisition of actionable CTI, the development of intelligent defense methods and most importantly, innovative tools for embedding cybersecurity in future autonomous intelligent products.
This project received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement 786698. The work reflects only the authors’ view, and the Agency is not responsible for any use that may be made of the information it contains.
 S. Boddy and J. Shattuck, “The hunt for IoT: the rise of thingbots,” F5 Labs Threat Analysis Report, vol. 3, July 2017.
 S. Shiaeles, N. Kolokotronis, and E. Bellini, “IoT vulnerability data crawling and analysis,” in IEEE World Congress on Services (IEEE SERVICES) — Workshop on Cyber–Security and Resilience in the Internet of Things (CSR 2019), July 8–13, 2019, Milan, Italy.
 T. Chantzios, P. Koloveas, S. Skiadopoulos, N. Kolokotronis, C. Tryfonopoulos, V.–G. Bilali, and D. Kavallieros, “The quest for the appropriate cyber–threat intelligence sharing platform,” in 8th International Conference on Data Science, Technology and Applications (DATA 2019), July 26–28, 2019, Prague, Czech Republic.
 I. Baptista, S. Shiaeles, and N. Kolokotronis, “A novel malware detection system based on machine learning and binary visualization,” in 2019 IEEE International Conference on Communications (IEEE ICC) —Workshop on Data Driven Intelligence for Networks and Systems (DDINS), May 20–24, 2019, Shanghai, China.
 C. Constantinides, S. Shiaeles, B. Ghita, and N. Kolokotronis, “A novel online incremental learning intrusion prevention system,” in 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS 2019), June 24–26, 2019, Canary Islands, Spain.
 R. Shire, S. Shiaeles, K. Bendiab, B. Ghita, and N. Kolokotronis, “Malware squid: a novel IoT malware traffic analysis framework using convolutional neural network and binary visualisation,” in 19th International Conference on Next Generation Wired/Wireless Advanced Networks and Systems (NEW2AN 2019), August 26–28, 2019, St. Petersburg, Russia.
 J. Hong, D. Kim, C. Chung, and D. Huang, “A survey on the usability and practical applications of graphical security models,” Computer Science Review, vol. 26, pp. 1–16, 2017.
 E. Miehling, M. Rasouli, and D. Teneketzis, “A POMDP approach to the dynamic defense of large-scale cyber networks,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 10, pp. 2490–2505, Oct. 2018.
Dr Nicholas Kolokotronis
Department of Informatics and Telecommunications,
University of Peloponnese, Greece
Tel: +30 2710 372231
Dr Stavros Shiaeles
School of Computing, Faculty of Technology University of Portsmouth
Tel: +44 (0)2392 846 783