Logo des Repositoriums
 

Extracting network based attack narratives through use of the cyber kill chain: A replication study

dc.contributor.authorWeathersby, Aaron
dc.contributor.authorWashington, Mark
dc.date.accessioned2022-11-22T09:48:32Z
dc.date.available2022-11-22T09:48:32Z
dc.date.issued2022
dc.description.abstractThe defense of a computer network requires defenders to both understand when an attack is taking place and understand the larger strategic goals of their attackers. In this paper we explore this topic through the replication of a prior study “Extracting Attack Narratives from Traffic Datasets” by Mireles et al. [Athanasiades, N., et al., Intrusion detection testing and benchmarking methodologies, in First IEEE International Workshop on Information Assurance. 2003, IEEE: Darmstadt, Germany]. In their original research Mireles et al. proposed a framework linking a particular cyber-attack model (the Mandiant Life Cycle Model) and identification of individual attack signatures into a process as to provide a higher-level insight of an attacker in what they termed as attack narratives. In our study we both replicate the original authors work while also moving the research forward by integrating many of the suggestions Mireles et al. provided that would have improved their study. Through our analysis, we confirm the concept that attack narratives can provide additional insight beyond the review of individual cyber-attacks. We also built upon one of their suggested areas by exploring their framework through the lens of Lockheed Martin Cyber Kill Chain. While we found the concept to be novel and potentially useful, we found challenges replicating the clarity Mireles et al. described. In our research we identify the need for additional research into describing additional components of an attack narrative including the nonlinear nature of cyber-attacks and issues of identity and attribution.en
dc.identifier.doi10.1515/itit-2021-0059
dc.identifier.pissn2196-7032
dc.identifier.urihttps://dl.gi.de/handle/20.500.12116/39750
dc.language.isoen
dc.publisherDe Gruyter
dc.relation.ispartofit - Information Technology: Vol. 64, No. 1-2
dc.subjectreplication study
dc.subjectcyber security
dc.subjectIDS
dc.subjectattack signatures
dc.subjectattack narratives
dc.subjectSnort
dc.subjectCyber Kill Chain
dc.subjectattribution
dc.titleExtracting network based attack narratives through use of the cyber kill chain: A replication studyen
dc.typeText/Journal Article
gi.citation.endPage42
gi.citation.publisherPlaceBerlin
gi.citation.startPage29
gi.conference.sessiontitleArticle

Dateien