Visible to the public Multimodal Graph Analysis of Cyber Attacks

TitleMultimodal Graph Analysis of Cyber Attacks
Publication TypeConference Paper
Year of Publication2019
AuthorsGhose, N., Lazos, L., Rozenblit, J., Breiger, R.
Conference Name2019 Spring Simulation Conference (SpringSim)
Date PublishedMay 2019
ISBN Number978-1-5108-8388-8
KeywordsAnalytical models, attack stages, attacker, autonomous systems, Centrality, centrality analysis, community analysis, Computational modeling, Cyber Attacks, cyber-attacks, cyberattack, cyberattack victims, data mining, graph theory, Human Behavior, IP networks, Malware, malware analysis, Metrics, multimodal graph, multimodal graph analysis, multimodal graph approach, multimodal graph nodes, nodes classification, observed cyber events, privacy, pubcrawl, resilience, Resiliency, security of data, single-modality graphs, strong inter-modal ties, targeted nodes, unclassified regime

The limited information on the cyberattacks available in the unclassified regime, hardens standardizing the analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In multimodal graphs, single-modality graphs are interconnected according to their interaction. We apply community and centrality analysis on the graph to obtain in-depth insights into the attack. In community analysis, we cluster those nodes that exhibit "strong" inter-modal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality provides the progression of the attack from the attacker to the targeted nodes. We apply our methods to two popular case studies, namely GhostNet and Putter Panda and demonstrate a clear distinction in the attack stages.

Citation Keyghose_multimodal_2019