Multimodal graph analysis of cyber attacks

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The limited information on cyberattacks available in the unclassified regime makes it hard to standardize the analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In multimodal graphs, single-modality graphs are interconnected according to their interaction. We apply community and centrality analysis on the graph to obtain in-depth insights into the attack. In community analysis, we cluster those nodes that exhibit “strong” inter-modal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality provides the progression of the attack from the attacker to the targeted nodes. We apply our methods to two popular case studies, namely GhostNet and Putter Panda, and demonstrate a clear distinction in the attack stages.

Original language: English (US)
Title of host publication: Simulation Series
Publisher: The Society for Modeling and Simulation International
Edition: 1
ISBN (Electronic): 9781510892521, 9781510892538, 9781510892545, 9781510892552, 9781510892569
DOIs: https://doi.org/10.23919/SpringSim.2019.8732851
State: Published - Jan 1 2019
Event: 2019 Annual Simulation Symposium, ANSS 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019 - Tucson, United States
Duration: Apr 29 2019 to May 2 2019

Publication series

Name: Simulation Series
Number: 1
Volume: 51
ISSN (Print): 0735-9276

Conference

Conference: 2019 Annual Simulation Symposium, ANSS 2019, Part of the 2019 Spring Simulation Multi-Conference, SpringSim 2019
Country: United States
City: Tucson
Period: 4/29/19 to 5/2/19

Fingerprint

Cluster analysis

Keywords

  • Centrality analysis
  • Community analysis
  • Cyber-attacks
  • Multimodal graph

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Ghose, N., Lazos, L., Rozenblit, J., & Breiger, R. (2019). Multimodal graph analysis of cyber attacks. In Simulation Series (1 ed.). (Simulation Series; Vol. 51, No. 1). The Society for Modeling and Simulation International. https://doi.org/10.23919/SpringSim.2019.8732851

Multimodal graph analysis of cyber attacks. / Ghose, Nirnimesh; Lazos, Loukas; Rozenblit, Jerzy; Breiger, Ronald.

Simulation Series. 1. ed. The Society for Modeling and Simulation International, 2019. (Simulation Series; Vol. 51, No. 1).
