11-01-2014, 11:08 AM
Anonymous and Distributed Community Cyber Incident Detection
Abstract
Communities are under attack from a variety of threat agents. The repercussions from these attacks will
grow more severe as communities become increasingly reliant upon cyberspace. Communities must be prepared to
prevent, detect, respond to, and recover from a wide variety of cyber incidents. The timely and useful detection of
cyber attacks is a first step towards a fast and effective response and recovery. Centralized community cyber incident
detection scales poorly. Additionally, community members are understandably hesitant to share sensitive security
information. Anonymity is vital to protecting the privacy of participants, and thereby encouraging their participation.
We present a useful community cyber incident detection framework based upon an anonymous, distributed, and
scalable information sharing architecture.
INTRODUCTION
Motivation
Cyber attacks on a community can have a devastating impact on the individuals, organizations, and governmental
entities within the community. Throughout this paper, when we refer to a community we do so from a geographic
perspective rather than from a sector-based perspective.
The Northeast Blackout of 2003 cut off electricity to 50 million people in the United States and Canada. The
blackout was due to a variety of reasons, including poor maintenance and flawed monitoring software [1]. Although
this incident is assumed to be accidental, research has been published on how to deliberately cause a similar cascading
power failure [2].
Additionally, the Central Intelligence Agency has confirmed that cyber attacks have been responsible for multiple
power disruptions in foreign countries [3]. Furthermore, the United States government has publicly admitted that its
power grid has been infiltrated by entities in foreign countries [4].
INFORMATION SHARING FRAMEWORK
Useful information sharing
Recall that the previously discussed detection methods rely on counting the number of times specific
combinations of attribute-value pairs occur throughout the community. Therefore, in order to be most useful,
community cyber incident detection schemes should consider all possible combinations of the important attribute-value
pairs, not just the full set of pairs in a report. This strategy is useful because, for a specific incident, some of the
attribute-value pairs (for example the targeted port or the triggered signature) will be consistent across members,
while others (for example the source address) will change from one member's observation to the next.
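The counting described above, as an added example that is not code from the paper: a few constructed incident reports from different community members (the member names, attribute names and IP addresses are hypothetical, drawn from documentation ranges) are expanded into every non-empty combination of their attribute-value pairs, each combination is credited to the distinct members that reported it, and the combinations seen by enough members are returned with the most specific ones first. Counting distinct members rather than raw reports keeps one noisy member from manufacturing a community-wide pattern on its own.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample reports, already reduced to attribute-value pairs. The attribute
# names and addresses are hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges. Note the src_ip varies while port/signature stay consistent.
REPORTS = [
    {"member": "m1", "src_ip": "203.0.113.7", "dst_port": 445, "proto": "tcp", "signature": "smb-scan"},
    {"member": "m2", "src_ip": "203.0.113.7", "dst_port": 445, "proto": "tcp", "signature": "smb-scan"},
    {"member": "m3", "src_ip": "203.0.113.9", "dst_port": 445, "proto": "tcp", "signature": "smb-scan"},
    {"member": "m4", "src_ip": "198.51.100.4", "dst_port": 22, "proto": "tcp", "signature": "ssh-bruteforce"},
    {"member": "m1", "src_ip": "198.51.100.5", "dst_port": 22, "proto": "tcp", "signature": "ssh-bruteforce"},
]

# The "important" attributes whose combinations are counted (assumed set).
ATTRIBUTES = ("src_ip", "dst_port", "proto", "signature")


def combos(report, attrs=ATTRIBUTES):
    """Yield every non-empty combination of the report's attribute-value pairs,
    as a tuple of (attribute, value) pairs in a fixed attribute order."""
    pairs = tuple((a, report[a]) for a in attrs if a in report)
    for r in range(1, len(pairs) + 1):
        yield from combinations(pairs, r)


def count_combinations(reports, attrs=ATTRIBUTES):
    """Map each attribute-value combination to the set of members that reported it."""
    seen = defaultdict(set)
    for rep in reports:
        for c in combos(rep, attrs):
            seen[c].add(rep["member"])
    return seen


def community_wide(reports, min_members=3, attrs=ATTRIBUTES):
    """Combinations reported by at least min_members distinct members,
    ordered most specific (most pairs) first, then by member count."""
    seen = count_combinations(reports, attrs)
    hits = [(c, len(members)) for c, members in seen.items() if len(members) >= min_members]
    hits.sort(key=lambda h: (-len(h[0]), -h[1]))
    return hits


def maximal(hits):
    """Drop a combination when a strict superset of its pairs reaches the same
    member count: the larger combination already explains the smaller one."""
    return [(c, n) for c, n in hits
            if not any(set(c) < set(d) and n == m for d, m in hits)]


if __name__ == "__main__":
    for combo, n in maximal(community_wide(REPORTS)):
        print(n, "members:", dict(combo))
```

On the sample data the three SMB reports share dst_port, proto and signature but not src_ip, so the strongest community-wide pattern is the three-pair combination (dst_port 445, tcp, smb-scan) seen by three members; the single pair (proto, tcp) survives separately because four members report it. Enumerating all combinations is exponential in the number of attributes, so in practice the important attribute set should be kept small.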
Statistical testing
The first analysis used to detect statistically significant differences is Welch's t-test, a variation of Student's t-test
that does not assume the two windows have equal variance. However, if the second moving window has no variance,
Welch's statistic is undefined and a more appropriate analysis is the z-test. The null hypothesis is that the mean of the
first window is no greater than the mean of the second window. The alternative hypothesis is that the mean of the first
window is greater than the mean of the second window, i.e. the test is one-sided. A p-value is calculated using the t
Cumulative Distribution Function (CDF) (the standard normal CDF in the z-test case). A smaller p-value indicates
stronger evidence against the null hypothesis. If the p-value is less than a predefined significance level, then the null
hypothesis is rejected and the alternative hypothesis is accepted, and the count is flagged as a possible incident.
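The test above, as an added example that is not code from the paper. It takes the "first" window to be the most recent counts and the "second" window to be the counts immediately preceding it (an assumption about the paper's window labels), runs Welch's one-sided t-test with the Welch-Satterthwaite degrees of freedom, and falls back to a z-test that uses the first window's own variance when the second window is constant (an assumed form of the paper's z-test; the case where both windows are constant is also handled here, which the paper does not discuss). The t CDF is computed by numerical integration of the density so that the example needs only the standard library. The count series and window length are constructed.

```python
import math
from statistics import mean, variance


def t_cdf(t, df, steps=2000):
    """Student's t CDF for df degrees of freedom (df may be fractional, as Welch's
    approximation yields). Simpson's rule over the density from 0 to |t|; no SciPy."""
    log_c = math.lgamma((df + 1) / 2) - math.lgamma(df / 2) - 0.5 * math.log(df * math.pi)

    def pdf(x):
        return math.exp(log_c - (df + 1) / 2 * math.log1p(x * x / df))

    b = abs(t)
    if b == 0.0:
        return 0.5
    h = b / steps                        # steps is even, as Simpson's rule requires
    total = pdf(0.0) + pdf(b)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * pdf(i * h)
    area = total * h / 3                 # probability mass between 0 and |t|
    return 0.5 + area if t > 0 else 0.5 - area


def norm_cdf(z):
    """Standard normal CDF, used for the z-test p-value."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def window_test(first, second):
    """One-sided test of H0: mean(first) <= mean(second) against
    H1: mean(first) > mean(second). Returns (statistic, p_value, method)."""
    n1, n2 = len(first), len(second)
    m1, m2 = mean(first), mean(second)
    v1, v2 = variance(first), variance(second)   # sample variances
    diff = m1 - m2
    if v2 == 0:
        if v1 == 0:
            # Both windows constant: there is nothing to estimate, so the comparison
            # is deterministic (assumed handling; not covered by the paper).
            return diff, (0.0 if diff > 0 else 1.0), "deterministic"
        # Second window constant: z-test of the first window's mean against that
        # constant, using the first window's own variance (assumed form).
        z = diff / math.sqrt(v1 / n1)
        return z, 1.0 - norm_cdf(z), "z"
    a, b = v1 / n1, v2 / n2
    t = diff / math.sqrt(a + b)
    df = (a + b) ** 2 / (a * a / (n1 - 1) + b * b / (n2 - 1))   # Welch-Satterthwaite
    p = min(1.0, max(0.0, 1.0 - t_cdf(t, df)))                   # upper tail
    return t, p, "welch"


def scan(series, w=5, alpha=0.01):
    """Slide two adjacent windows of length w over a count series and return the
    indices (end of the recent window) where the recent mean is significantly
    greater than the preceding window's mean at level alpha."""
    alerts = []
    for i in range(2 * w - 1, len(series)):
        recent = series[i - w + 1:i + 1]
        baseline = series[i - 2 * w + 1:i - w + 1]
        _, p, _ = window_test(recent, baseline)
        if p < alpha:
            alerts.append(i)
    return alerts


# Constructed per-interval counts of one attribute-value combination across the
# community: a quiet baseline followed by a sustained jump at index 10.
SERIES = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 12, 15, 14, 13, 16, 14, 13, 15, 14, 15]

if __name__ == "__main__":
    print("alerts at indices:", scan(SERIES))
```

On the constructed series the alert fires once the recent window lies entirely in the elevated region and the baseline window is still quiet (indices 14 and 15); a few intervals later the baseline window has itself absorbed the jump and the test goes quiet again. That is the behaviour to expect from two adjacent moving windows: the test detects the transition, not the sustained elevated level, so an analyst should treat the first alert as the onset of the incident rather than wait for the test to keep firing.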
CONCLUSION
The need for a community cyber incident detection system is great, and will only grow as communities continue
to become more reliant upon cyberspace. Community cyber incident detection is only part of a defense in depth
strategy including prevention, detection, response, and recovery. Our focus is the timely and useful detection of
community cyber incidents as a first step towards a fast and effective response and recovery.