Chapter-1 Data Analysis For Cyber Security

Uploaded by Senait Desalegn

Data analytics for Cyber Security

Chapter One: Introduction


Senait Desalegn
School of Information Technology and Engineering
Addis Ababa Institute of Technology
Addis Ababa University
Oct 2024
Course Introduction
Know Each Other
• Name
• What did you get from the previous cyber security course?
• What do you expect from this course?
Course content
Chapter One: Introduction
Chapter Two: Understanding sources of cyber security data
Chapter Three: Introduction to data mining
Chapter Four: Big data analytics and its need for cyber security
Chapter Five: Anomaly detection methods for cyber security
Chapter Six: Cyber security through time series and spatial data
Chapter Seven: Cyber security through network and graph data
Chapter Eight: Human centered data analytics for cyber security
Chapter Nine: Future directions in data analytics for cyber security
Outline
What is Cybersecurity?
Assets Affected
• Personal assets
• Public assets
• Corporate assets at risk
Motivation, Risks and Security
• Why do we have security risks?
• What is the level of damage that can occur?
Handling Cyber Attacks
• Sub areas of Cybersecurity
Data Analytics
• Why Data Analytics is important for cybersecurity: A case study of understanding the anatomy of an attack

16/10/2024 Data Analytics for Cyber security, 2024.
What is Cybersecurity?
Cybersecurity refers to securing valuable electronic assets, and physical assets which have electronic access, against unauthorized access. These assets may include personal devices, networked devices, information assets, and infrastructural assets, among others.

Cybersecurity deals with security against threats, also referred to as cyber threats or cyberattacks. Cyberattacks are the mechanism by which security is breached to gain access to assets of value.
Aims of Cybersecurity: prevent, detect, and respond to threats
• Prevention of cyberattacks against critical assets
• Detection of threats
• Response to threats in the event that they penetrate access to critical assets
• Recovery and restoration of the normal state of the system in the event that an attack is successful
Assets Affected
Personal:
• Phones (home and mobile),
• Tablets,
• Personal computers (desktop and laptops),
• External physical hard drive,
• Cloud drive,
• Email accounts,
• Fitness trackers,
• Smart watches,
• Smart glasses,
• Media devices (TIVO, Apple TV, cable box),
• Bank accounts,
• Credit cards,
• Personal gaming systems
Public:
• Smart meters,
• Power grid,
• Sewage controls,
• Nuclear power plant,
• Rail lines,
• Airplanes and air traffic,
• Traffic lights,
• Citizen databases,
• Websites (county, state and federal),
• Space travel programs,
• Satellites
Corporate:
• Customer database,
• Websites,
• Business applications,
• Business network,
• Emails,
• Off the shelf software,
• Intellectual property
Motivation behind Cyber Threats
1. Stealing intellectual property
2. Gaining access to customer data
3. Making a political statement
4. Performing cyber espionage
5. Damaging reputation, making a splash / for fun, impeding access to data and applications
Why do we have security risks?
• Applications with several dependencies,
• Logical errors in software code (such as Heartbleed),
• Organizational risks (multiple partners, such as in the cyber-attacks at Target and the Pacific Northwest National Laboratory [PNNL]),
• Lack of user awareness of cybersecurity risks (such as in social engineering and phishing),
• Personality traits of individuals using the systems (phishing), and
• Inherent issues in the Internet protocol being used.
Summary of Motivation, Risks and Security
Motivation
• To steal intellectual property
• To damage reputation
• Gain access to data, which can then be sold
• Gain access to information, which is not generally available
• To make a political statement
• To impede access to critical data and applications
• To make a splash / for fun
Risks
• Internet protocol which is inherently not secure
• Applications with several dependencies
• Logical errors in software code (ex. Heartbleed)
• Organizational risks (multiple partners, ex. Target, PNNL)
• Lack of user awareness of cybersecurity risks (ex. social engineering, phishing)
• Personality traits of individuals using the systems
Attaining Security
• Protecting resources
• Hardening defenses
• Capturing data logs
• Monitoring systems
• Tracing the attacks
• Predicting risks
• Predicting attacks
• Identifying vulnerabilities
What is the level of damage that can occur?
• According to a McAfee report, the monetary loss resulting from cybercrime costs about $600 billion, which is about 0.8% of the world Gross Domestic Product (GDP) (McAfee, Cybercrime Impact 2018), with malicious actors becoming more and more sophisticated.
• The loss due to cyber-attacks is not simply based on direct financial loss but also on several indirect factors that may lead to a major financial impact.
• Example: Target cyber-attack (Skariachan and Finkle, Reuters, 2014)
  • Target reported $61 million in expenses related to the cyber-attack, out of which $44 million were covered by insurance.
  • The direct financial impact to Target was $17 million.
  • A 46% drop in net profit in the holiday quarter,
  • 5.5% drop in transactions during the quarter,
  • share price fluctuations led to further losses,
  • cards had to be reissued to several customers,
  • Target had to offer identity protection to customers.
  • All these losses amount to much more than the total $61 million loss. In addition, the trust of the customers was lost, which is not quantifiable and has long-term impacts.
Handling Cyber Attacks
• Protecting resources,
• Hardening defenses,
• Capturing data logs,
• Monitoring systems,
• Tracing the attacks,
• Predicting risks,
• Predicting attacks, and
• Identifying vulnerabilities
Overall Areas of Cybersecurity
• Network Security
• Cyberphysical Security
• Data and Information Security
• Application Security
Sub areas of Cybersecurity
• Application security: incorporating security in the software development process.
• Data and information security: securing data from the risk of unauthorized access and misuse.
• Network security: securing the traditional computer networks, and the security measures adopted to secure, prevent unauthorized access to, and prevent misuse of either the public or the private network.
Sub areas of Cybersecurity: Cyber physical security
• Emerging challenges due to the coupling of the cyber systems with the physical systems.
• The power plants being controlled by a cyber system,
  • risk of disruption of the cyber component or
  • risk of unauthorized control of the cyber system,
  • gaining unauthorized control of the physical systems.
Sub areas of Cybersecurity: Data analytics solutions
• Cross cutting across areas to learn from existing threats and develop solutions for novel and unknown threats towards networks, infrastructure, data, and information
• Example: Threat hunting proactively looks for malicious players across the myriad data sources in an organization
  • Does not necessarily have to be a completely machine-driven process and should account for user behaviors
  • Must look at the operational context.
• Provides security analysts a more focused field of vision to zero in on potential threats
Hardware and Network Landscape
• Multiple types of networks and devices
  • computer networks, Cyber Physical Systems (CPS), Internet of Things (IoT), sensor networks, smart grids, and wired or wireless networks.
• Computer networks - Traditional type of networks
  • Groups of computers are connected in pre-specified configurations. These configurations can be designed using a security policy deciding who has access to what areas of networks. Another way networks form is by determining patterns of use over a period of time. In both cases, zones can be created for access and connectivity where each computer in the network and sub-networks can be monitored.
• Cyber Physical Systems - an amalgamation of two interacting sub-systems, cyber and physical
  • used to monitor and perform the day-to-day functions of the many automated systems that we rely on, including power stations, chemical factories, and nuclear power plants, to name a few.
• Ubiquitous connected technology - "smart" things - Internet of Things
Data Analytics
• Data analytics deals with analyzing large amounts of data from disparate sources to discover actionable information leading to gains for an organization.
• Includes techniques from data mining, statistics, and business management, among other fields.
• Big data
  • Massive datasets (volume)
  • Generated at a rapid rate (velocity)
  • Heterogeneous nature (variety)
  • Can provide valid findings or patterns in this complex environment (veracity)
  • Changing by location (venue)
• Every device, action, transaction, and event generates data. Cyber threats leave a series of such data pieces in different environments and domains. Sifting through these data can lead to novel insight into why a certain event occurred, potentially allow the identification of the responsible parties, and lead to knowledge for preventing such attacks in the future.
Anatomy of an attack

[Figure: attack flow diagram of the PNNL case. Labels visible in the diagram: vulnerability in one of the lab's public-facing web servers; drive-by attack on PCs of site visitors (lab employees); compromised workstations; PNNL's network scouted from the compromised workstations for weeks; shared network resources; spear phishing attack on business partners; root domain controller compromised; obtained a privileged account; recreate and elevate account privileges; raise alert.]
Why Data Analytics is important for cybersecurity: A case study of understanding the anatomy of an attack
• The three aspects are temporal, spatial, and data-driven understanding of human behavioral aspects (particularly of attackers)
• Firstly, computer networks evolve over time, and communication patterns change over time. Can we identify these key changes, which deviate from the normal changes in a communication pattern, and associate them with anomalies in the network traffic?
• Secondly, attacks may have a spatial pattern. Sources and destinations in certain key geo locations are more important for monitoring and preventing an attack. Can key geo locations, which are sources or destinations of attacks, be identified?
• Thirdly, any type of attack has common underpinnings of how it is carried out; this has not changed from physical security breaches to computer security breaches. Can this knowledge be leveraged to identify anomalies in the data where we can see certain patterns of misuse?
• Utilizing the temporal, spatial, and human behavioral aspects of learning new knowledge from the vast amount of cyber data can lead to new insights for understanding the challenges faced in this important domain of cybersecurity
Multi-dimensional view of Threats
 Events become relevant when they occur together
 These events become relevant with proximities rather than causation
 The two items are in close proximity, based on distance:
• Source proximity
• Destination proximity
• Temporal proximity or delay

[Figure: events N1 to N13 plotted against time (axis marked 0, 4, 8, 12, 16), grouped by spatial proximity and by temporal proximity / delay.]

Goal: to identify potential "collusions" among the entities responsible for these two events
Why Data Analytics is important for cybersecurity: A case study of understanding the anatomy of an attack
• Looking at one dimension of the data is not enough in such prolonged attack scenarios.
• For such multipronged attacks, we need a multilevel framework
  • Brings together data from several different databases.
  • Events of interest can be identified using a combination of factors such as proximity of events in time, in terms of series of communications, and even in terms of the geographic origin or destination of the communication.
Understanding the Anatomy of an attack: Clustering based on feature combinations
• Intrusion Detection System (IDS) logs such as SNORT
• A keyword matrix and a word frequency matrix
• Perform alarm clustering and alarm data fusion
• Identify critical alerts (a combination of log entries)
• Perform clustering based on a combination of features
Understanding the Anatomy of an attack: Collusions and associations
• Extract associations to identify potentially repeated or targeted communications
• Utilize network mapping
• Determine attacks consistently targeted to specific types of machines or individuals
Understanding the Anatomy of an attack: Time proximity and network evolution
• Time intervals account for time proximity
• Allows mining the data in proximity of time
• Evaluating how the networks evolve over time
• Identify which time interval may be critical: for example, identify repeated events of interest in certain time periods
• Clustering in different segments of time
• Mining for possible attack paths based on variations in cluster content and cluster cohesion
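The proximity idea from the multi-dimensional view slide and the IDS alert clustering steps above, as an added example (not the lecture's or any project's code): constructed Snort-style "fast" alert lines are parsed, linked by source/destination proximity within a time window, summarised as a keyword-frequency row per cluster, and clusters combining several priority-1 signatures are flagged as critical. The hosts, signature texts and the 600-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Snort "fast" alert lines (sample input, not from the lecture): time, sid, message, priority, src -> dst
ALERTS = """\
10/02-14:03:11.000000 [**] [1:1000001:1] WEB-ATTACK sql injection attempt [**] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
10/02-14:03:40.000000 [**] [1:1000002:1] WEB-ATTACK directory traversal [**] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.0.2.10:80
10/02-14:05:02.000000 [**] [1:1000003:1] SCAN nmap probe [**] [Priority: 2] {TCP} 203.0.113.5:51300 -> 192.0.2.11:22
10/02-16:41:09.000000 [**] [1:1000004:1] POLICY outbound dns [**] [Priority: 3] {UDP} 192.0.2.12:53001 -> 198.51.100.7:53
10/02-20:11:30.000000 [**] [1:1000002:1] WEB-ATTACK directory traversal [**] [Priority: 1] {TCP} 198.51.100.9:40001 -> 192.0.2.10:80
10/02-20:11:55.000000 [**] [1:1000005:1] MALWARE known c2 beacon [**] [Priority: 1] {TCP} 192.0.2.10:44321 -> 198.51.100.9:443
"""
LINE = re.compile(r"^(\S+) \[\*\*\] \[[^\]]+\] (.+?) \[\*\*\] .*\[Priority: (\d)\] \{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+$")

def parse_alerts(text):
    """Turn fast-alert lines into dicts: time, message, priority, source and destination host."""
    out = []
    for m in filter(None, map(LINE.match, text.splitlines())):  # non-alert lines are skipped
        ts, msg, prio, src, dst = m.groups()
        out.append({"time": datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"),
                    "msg": msg, "prio": int(prio), "src": src, "dst": dst})
    return out

def proximity_clusters(alerts, window_s=600):
    """Single-linkage clustering: alerts are linked when they share a host (source or
    destination proximity) and are at most window_s seconds apart (temporal proximity)."""
    parent = list(range(len(alerts)))           # union-find over alert indices
    def find(i):
        return i if parent[i] == i else find(parent[i])
    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            shared = {a["src"], a["dst"]} & {b["src"], b["dst"]}
            if shared and abs((a["time"] - b["time"]).total_seconds()) <= window_s:
                parent[find(i)] = find(j)
    groups = {}
    for i in range(len(alerts)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

def keyword_matrix(alerts, clusters):
    """One word-frequency row per cluster: which alert keywords co-occur in a proximity group."""
    return [Counter(w.lower() for i in c for w in alerts[i]["msg"].split()) for c in clusters]

def critical_clusters(alerts, clusters):
    """Flag clusters that combine two or more distinct priority-1 signatures (a 'critical alert')."""
    return [c for c in clusters if len({alerts[i]["msg"] for i in c if alerts[i]["prio"] == 1}) >= 2]
```

The 20:11 pair is linked even though the hosts swap roles between the two lines, while the 14:03 and 20:11 events against the same web server stay apart because they fall outside the time window.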
How Can Data Analytics Help?
• Data from multiple sources can be used to glean novel information
• Supports the defense of cyber systems
• Tracing attacks, predicting risks
• Identifying critical systems in a network
• Predicting attacks based on prior flow, or similar attacks
• Identifying vulnerabilities by mining software code
• Understanding user behavior by mining network logs, and
• Creating robust access control rules by evaluating prior usage and security policies.
Focus of this Course

What this course is not about: This course does not address the traditional views of security configurations and shoring up the defenses, including setting up computer networks, setting up firewalls, web server management, and patching of vulnerabilities.

What this course is about: This course addresses the challenges in cybersecurity that data analytics can help address, including analytics for threat hunting or threat detection, discovering knowledge for attack prevention or mitigation, discovering knowledge about vulnerabilities, and performing retrospective and prospective analysis for understanding the mechanics of attacks to help prevent them in the future.

https://www.threatintelligence.com/blog/cyber-tabletop-exercise-example-scenarios

Thank you!