Information science Computer Engineering Computer Security
The pervasiveness of technology (e.g., the internet) is coupled with an expansion of the threat landscape. The numerous network services, versions of these services, and possible configurations make it difficult to predict the likelihood of a security incident (e.g., a data breach) for hosts on the public internet. We explore this problem by analyzing data from Censys, a database of internet-wide scans, to collect the network configurations of organizations that reported security incidents in 2017-2018. We seek to determine which common patterns in network configurations are associated with the likelihood of reporting a security incident by comparing the hosts of victim and non-victim organizations. We design a data pipeline that extracts 1,386 features from each host machine, enabling us to build upon previous academic approaches with a more holistic feature space. We then use an Isolation Forest (outlier detection) algorithm, a novel addition to this problem domain, to identify outlying hosts in organizations' networks and thereby reduce the data space. We find that we can identify outlying hosts with 0.84±0.01 accuracy, 0.84±0.01 F1-score, and 0.18±0.04 false positive rate (FPR). We then present the properties that make a host an outlier in the feature space; for example, we find that Diffie-Hellman on the HTTPS protocol and the presence of the SSH protocol are important indicators of outlying machines. These representative "liers" (outliers and inliers) are then used to create risk vectors for the victim and non-victim organizations. Using these risk vectors, we are able to discriminate organizations that report security incidents from those that do not with an average 0.73±0.06 accuracy, 0.73±0.06 F1-score, and 0.25±0.10 FPR. Through these techniques, we are able to correlate certain features with the victim label, thus demonstrating the predictive power of specific features (e.g., the SSH protocol and the FREAK vulnerability).
In short, we (1) introduce a novel approach to building a rich configuration-centric feature space within which we successfully (2) analyze network postures and their correlations with security incidents, while (3) reducing the data space and, simultaneously, the processing cost of this sort of analysis.
Details
Title
Security posture based incident forecasting
Creators
Dagmawi Mulugeta - DU
Contributors
Steven P. Weber (Advisor) - Drexel University, Electrical and Computer Engineering
Ben Goodman (Advisor) - Drexel University (1970-)
Awarding Institution
Drexel University
Degree Awarded
Master of Science (M.S.)
Publisher
Drexel University; Philadelphia, Pennsylvania
Number of pages
viii, 144 pages
Resource Type
Thesis
Language
English
Academic Unit
College of Engineering (1970-2026); Electrical (and Computer) Engineering [Historical]; Drexel University