Antonio Piccolo

Advisor: Prof. Andrea Pugliese

Co-Advisor: Prof. Domenico Saccà

Topic: Models of cyber-security and assessment environments for the analysis of vulnerability and attack scenarios

Abstract: The Internet and its underlying infrastructure are vulnerable to a wide range of risks arising from both physical and software threats. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money, and are developing capabilities to deny, destroy, or threaten the delivery of essential services. Many traditional crimes are now being perpetrated through cyberspace. These include banking and financial fraud, intellectual property violations, and other crimes, all of which have substantial human and economic consequences. Cyberspace is particularly difficult to secure due to a number of factors: the ability of malicious actors to operate from anywhere in the world, the linkages between cyberspace and physical systems, and the difficulty of reducing vulnerabilities and consequences in complex computer networks. Intrusion detection systems (IDS) are capable of detecting many attacks, but they cannot give the analyst a clear picture because of the huge number of false alerts they generate. This weakness of IDS has led to the emergence of many methods for dealing with these alerts, reducing their number and highlighting the real attacks. A further problem is that current devices, software and systems (sensors, in general) are relatively verbose: for a given attack or anomalous phenomenon (such as a port scan), they can generate a large number of alerts, and this volume can overwhelm the operators in charge of reviewing suspicious events. In a non-trivial computer network (a network with more than 2 nodes), an attack can generate several threads of alerts from various points, and most of these alerts will be false alarms. Furthermore, experience shows that interpreting the alerts usually requires more than the individual messages provided by the sensors, so there is a need for techniques that can analyze the alerts within the context in which they were generated. This may require the ability to correlate them with other contextual information provided by other devices. Using synthetic data to design, implement and test such techniques is neither appropriate nor reliable, because of the variety, diversity and unpredictability of real-world data. On the other hand, retrieving this information from real-world networks is not easy (and sometimes impossible) due to privacy and confidentiality restrictions. Therefore, there is a need for environments that make it easy to build realistic network scenarios in which realistic attacks can be reproduced, and from which logs and other information can be extracted to train and validate new correlation techniques.