A Framework for Characterizing Cyber Attack Reconnaissance Behaviors

Sophisticated cyber attacks often start with a reconnaissance phase, which may expose useful information about the attacks that will be waged later. It is therefore important to systematically understand and characterize cyber attack reconnaissance behaviors. However, little research on this matter has been reported in the literature. The present dissertation aims to fill the void by proposing and investigating the first systematic framework for characterizing cyber attack reconnaissance behaviors. The framework consists of three levels of abstractions: macroscopic, mesoscopic, and microscopic. Correspondingly, the dissertation makes the following three contributions. First, in order to characterize cyber attack reconnaissance behaviors at the macroscopic level, we propose a novel abstraction, dubbed dynamic attacker-victim relation graphs, to represent cyber attack reconnaissance behaviors. This abstraction leads to a time series of graphs and allows us to characterize the evolution of the attacker-victim relation over time. We present a case study with a focus on identifying the number of time resolutions that need to be considered in order to obtain a comprehensive characterization of these dynamic attacker-victim relation graphs. Second, in order to characterize cyber attack reconnaissance behaviors at the mesoscopic level, we propose clustering cyber attackers based on their reconnaissance behaviors over time. We propose a novel abstraction, dubbed multi-resolution clustering, to characterize the evolution of attackers' reconnaissance behaviors in adjacent time windows as well as the evolution of persistent attackers' reconnaissance behaviors over multiple adjacent time windows. Third, in order to characterize cyber attack reconnaissance behaviors at the microscopic level, we propose the novel notion of attacker reconnaissance trajectory hierarchy tree for representing temporal and spatial behaviors of cyber attack reconnaissance.