DOCTORAL THESIS Automating Defences against Cyber Operations in Computer Networks Mauno Pihelgas TALLINNA TEHNIKAÜLIKOOL TALLINN UNIVERSITY OF TECHNOLOGY TALLINN 2021 TALLINN UNIVERSITY OF TECHNOLOGY DOCTORAL THESIS 36/2021 Automating Defences against Cyber Operations in Computer Networks MAUNO PIHELGAS TALLINN UNIVERSITY OF TECHNOLOGY School of Information Technologies Department of Software Science The dissertation was accepted for the defence of the degree of Doctor of Philosophy in Computer Science on 10 June 2021 Supervisor: Dr. Risto Vaarandi, Department of Software Science, School of Information Technologies, Tallinn University of Technology, Tallinn, Estonia Co-supervisor: Professor Dr. Olaf Manuel Maennel, Department of Software Science, School of Information Technologies, Tallinn University of Technology, Tallinn, Estonia Opponents: Professor Dr. Anja Feldmann, Max Planck Institute for Informatics, Saarbrücken, Germany Professor Dr. Jan Vykopal, Masaryk University, Brno, Czechia Defence of the thesis: 11 August 2021, Tallinn Declaration: Hereby I declare that this doctoral thesis, my original investigation and achievement, submitted for the doctoral degree at Tallinn University of Technology, has not been submitted for any academic degree elsewhere. Mauno Pihelgas signature Copyright: Mauno Pihelgas, 2021 ISSN 2585-6898 (publication) ISBN 978-9949-83-718-2 (publication) ISSN 2585-6901 (PDF) ISBN 978-9949-83-719-9 (PDF) Printed by Koopia Niini & Rauam TALLINNA TEHNIKAÜLIKOOL DOKTORITÖÖ 36/2021 Arvutivõrkude kaitse automatiseerimine küberoperatsioonide vastu MAUNO PIHELGAS Contents List of Publications ..................................................................... 8 Author’s Contributions to the Publications ............................................ 9 List of Abbreviations.................................................................... 11 1 Introduction ........................................................................ 13 1.1 Research questions ............................................................. 14 1.2 Contributions .................................................................... 16 1.3 Thesis structure ................................................................. 17 2 Related work ....................................................................... 18 2.1 Security metrics, situation awareness systems, and cyber security exercises 18 2.1.1 Security metrics research and general-purpose SA systems ......... 18 2.1.2 CSX-specific SA systems and the use of CSXs as a proving ground for novel research ...................................................... 20 2.1.3 CSX background ........................................................ 23 2.2 Detection capability improvement and validation............................. 24 2.2.1 Event log analysis and knowledge discovery .......................... 24 2.2.2 Network security and anomaly detection ............................. 25 2.3 AI and autonomy in cyber security ............................................. 27 2.3.1 Autonomous systems research ........................................ 28 2.3.2 Autonomous systems’ tournament.................................... 28 3 Security metrics and situation awareness systems................................. 31 3.1 Production framework architecture ............................................ 32 3.1.1 Extracting security metrics from IDS/IPS alert logs ................... 32 3.1.2 Extracting security metrics from NetFlow data ....................... 33 3.1.3 Extracting security metrics from workstation logs .................... 34 3.1.4 Extracting security metrics from other event logs .................... 35 3.2 Discussion of open-source SA system capabilities ............................. 35 3.3 Verifying system capabilities.................................................... 36 3.4 Comparison with related work ................................................. 37 4 Situation awareness systems for cyber security exercises ......................... 38 4.1 Author’s involvement with CSXs................................................ 38 4.2 Enhancing operator training quality during CSXs .............................. 38 4.2.1 Crossed Swords ......................................................... 39 4.2.2 Locked Shields .......................................................... 39 4.3 CSX network layout ............................................................. 40 4.4 Frankenstack .................................................................... 40 4.4.1 Input data sources...................................................... 40 4.4.2 Data processing components .......................................... 42 4.4.3 Visualisation components.............................................. 43 4.4.4 Frankenstack developments since 2017 ............................... 44 4.5 CSX Availability Scoring system ................................................. 47 4.5.1 Basics of availability scoring ........................................... 47 4.5.2 Availability calculation ................................................. 48 4.5.3 CSX-specific challenges ................................................. 49 5 4.5.4 Community contributions.............................................. 51 4.5.5 Availability Scoring system developments since 2018 ................ 52 4.6 Comparison with related work ................................................. 52 4.6.1 Cyber Conflict Exercise ................................................. 53 4.6.2 Cyber Czech............................................................. 53 5 Event log analysis and knowledge discovery ....................................... 55 5.1 Description of LogCluster ....................................................... 55 5.2 Discussion of related work...................................................... 58 5.3 Comparison with newer log mining algorithm implementations ............. 60 5.3.1 Experiment setup....................................................... 60 5.3.2 LogCluster results ...................................................... 61 5.3.3 Comparison with Drain................................................. 62 5.3.4 Comparison with LogMine ............................................. 64 5.3.5 Comparison with Spell ................................................. 65 5.3.6 Summary................................................................ 66 6 Covert data exfiltration and network anomaly detection .......................... 68 6.1 Covert channel data exfiltration detection..................................... 68 6.1.1 Comparison with related work ........................................ 72 6.2 Network anomaly detection .................................................... 73 6.2.1 Ensemble of anomaly detectors ....................................... 73 6.2.2 Flow pattern mining with LogCluster .................................. 76 6.2.3 Evaluation............................................................... 77 6.2.4 Comparison with related work ........................................ 78 7 Towards autonomous cyber defence ............................................... 80 7.1 Autonomous intelligent cyber-defence agents ................................ 80 7.1.1 Rationale of AICA ....................................................... 80 7.1.2 AICA Reference Architecture........................................... 81 7.2 Author’s contributions .......................................................... 82 7.2.1 Agent’s sensing and World State Identification ....................... 83 7.2.2 Use case of AICA........................................................ 85 7.3 Conclusion ....................................................................... 87 8 Thesis conclusions and future work discussion .................................... 89 8.1 Summary and conclusions ...................................................... 89 8.2 Future work ..................................................................... 90 List of Figures ........................................................................... 91 List of Tables ............................................................................ 92 References .............................................................................. 93 Acknowledgements .................................................................... 105 Abstract................................................................................. 106 Kokkuvõte .............................................................................. 107 6 Appendix 1 .............................................................................. 109 Appendix 2 ............................................................................. 117 Appendix 3 ............................................................................. 127 Appendix 4 ............................................................................. 135 Appendix 5 ............................................................................. 155 Appendix 6 ............................................................................. 163 Appendix 7.............................................................................. 175 Appendix 8 ............................................................................. 185 Appendix 9 ............................................................................. 209 Appendix 10 ............................................................................ 215 Appendix 11 ............................................................................