Doctorate thesis defense of Yosra Lakhdhar

Doctorate thesis defense on March 26^th 2021 at 09H00 ,in Sup’Com Amphitheater Ibn Khaldoun.

Committee

Abstract

Active Cyber Defense (ACD) has emerged as a branch of security capable of proactively and predictively fighting against cyber security attacks, while calling for the use of advanced analytics and cyber intelligence approaches and models.

The main objective of this thesis is to provide active cyber defense models, designs, and analytics to proactively detect and react to cyber attacks. Four contributions are achieved. First, we propose graph-based active cyber defense models and analytics that ensure the proactive attack detection and reaction, as well as the sustainability of critical systems’ missions. Semantically rich graphs are proposed to describe cyber systems and study the cyber attacks’ impact on critical mission accomplishment. To predict damage occurrence starting from incomplete collected data, and proactively react to malicious detected events, an observation-based technique is proposed. Second, we develop a context-based ACD model that allows the generation of both known and unknown attack scenarios starting from the formal description of cyber system, and assesses the system' ability in defending against their execution under a predefined context. We also develop Global and Observed Local Scenario to ensure a step-by-step assessment of a system’s ability to defend against executed attacks and identify the step at which the scenario can be blocked. Third, we develop a Visibility-based ACD model to prove system compromise in proactive (before damage occurrence), instantaneous (at the moment of damage occurrence), or reactive (after damage occurrence) way, even if the security solutions are unable to straightforwardly assess the damage property. Fourth, we develop a game theoretic active cyber defense model for deploying forensic ready systems. The proposed game is a non-cooperative two-player game between: (a) an adaptive cyber defender that deploys a cognitive security solution to increase the investigation readiness and reduce the attackers’ untraceability while spending a reasonable cost; and (b) a strategic cyber attacker that tries to execute non-provable attacks with a low cost. The model is used to design a cognitive security solution that takes strategic decisions, based on its ability to make forensic experts able to differentiate between provable identifiable, provable non-identifiable, and non-provable attack scenarios, starting from the expected evidence to be generated.

Keywords :

Active Cyber Defense, Attacks and Observations, Contextualization, Game Theory, Sustainability, Visibility.