A Framework for Characterizing Cyber Attack Reconnaissance Behaviors

dc.contributor.advisor: Xu, Shouhuai
dc.contributor.author: Garcia-Lebron, Richard B.
dc.contributor.committeeMember: Boppana, Rajendra
dc.contributor.committeeMember: White, Greg B.
dc.contributor.committeeMember: Zhang, Weining
dc.contributor.committeeMember: Wu, Wenbo
dc.date.accessioned: 2024-02-09T21:11:03Z
dc.date.available: 2021-08-16
dc.date.available: 2024-02-09T21:11:03Z
dc.date.issued: 2019
dc.description: This item is available only to currently enrolled UTSA students, faculty or staff. To download, navigate to Log In in the top right-hand corner of this screen, then select Log in with my UTSA ID.
dc.description.abstract: Sophisticated cyber attacks often start with a reconnaissance phase, which may expose useful information about the attacks that will be waged later. It is therefore important to systematically understand and characterize cyber attack reconnaissance behaviors. However, little research on this matter has been reported in the literature. The present dissertation aims to fill the void by proposing and investigating the first systematic framework for characterizing cyber attack reconnaissance behaviors. The framework consists of three levels of abstractions: macroscopic, mesoscopic, and microscopic. Correspondingly, the dissertation makes the following three contributions. First, in order to characterize cyber attack reconnaissance behaviors at the macroscopic level, we propose a novel abstraction, dubbed dynamic attacker-victim relation graphs, to represent cyber attack reconnaissance behaviors. This abstraction leads to a time series of graphs and allows us to characterize the evolution of the attacker-victim relation over time. We present a case study with a focus on identifying the number of time resolutions that need to be considered in order to obtain a comprehensive characterization of these dynamic attacker-victim relation graphs. Second, in order to characterize cyber attack reconnaissance behaviors at the mesoscopic level, we propose clustering cyber attackers based on their reconnaissance behaviors over time. We propose a novel abstraction, dubbed multi-resolution clustering, to characterize the evolution of attackers' reconnaissance behaviors in adjacent time windows as well as the evolution of persistent attackers' reconnaissance behaviors over multiple adjacent time windows. Third, in order to characterize cyber attack reconnaissance behaviors at the microscopic level, we propose the novel notion of attacker reconnaissance trajectory hierarchy tree for representing temporal and spatial behaviors of cyber attack reconnaissance.
dc.description.department: Computer Science
dc.format.extent: 111 pages
dc.format.mimetype: application/pdf
dc.identifier.uri: https://hdl.handle.net/20.500.12588/3488
dc.language: en
dc.subject: characterization
dc.subject: clustering
dc.subject: cybersecurity
dc.subject: data analytics
dc.subject: reconnaissance
dc.subject: time series
dc.subject.classification: Computer science
dc.title: A Framework for Characterizing Cyber Attack Reconnaissance Behaviors
dc.type: Thesis
dc.type.dcmi: Text
dcterms.accessRights: pq_closed
thesis.degree.department: Computer Science
thesis.degree.grantor: University of Texas at San Antonio
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy

Files

Original bundle

Name: GarciaLebron_utsa_1283D_12896.pdf
Size: 9.22 MB
Format: Adobe Portable Document Format