Affiliations: Arizona State University, Tempe, Arizona, USA
Note: [] Corresponding author: Nong Ye, Professor of Industrial
Engineering and affiliated Professor of Computer Science and Engineering,
Arizona State University, Information and Systems Assurance Laboratory, Box
875906, Tempe, Arizona 85287-5906, USA. Tel.: +1 480 965 7812; Fax: +1 480 965
8692; E-mail: nongye@asu.edu
Abstract: Existing techniques for cyber attack detection rely mainly on
activity data from computers and networks. Little consideration has been given
to other kinds of data in the cause-effect chains of attacks. Adding state and
performance data may reveal elements on computers and networks that are
affected by a cyber attack, thus providing a more accurate, complete picture of
an attack. This paper presents a System-Fault-Risk framework that defines
elements involved in the cause-effect chain of an attack. The SFR framework
combines system and fault modeling, and risk assessment methods. It is employed
to analyze known cyber attacks and derive profiles that define activity, state
and performance data in cause-effect chains, features of those data, and
characteristics of those features that enable attack detection. The profiles
derived from specific attacks are generalized and compared with those reported
in other studies to illustrate a set of novel data, features and
characteristics.