Title Keywords and Abstract Article Critique

Texas Woman University

The intuition behind the paper reviews is to look at existing scientific research and critique what has been done. This will enable you to appreciate what has been done and identify how that work can be improved or extended. I have also provided a short article on reviewing scientific papers to assist you.

For the subsequent paper reviews and presentations, you can use the CTI product or platform to complement your findings on how the research in the provided readings can be extended. This is because cyber threat intelligence continues to evolve as new threat actors and techniques continue to change the attack landscape. All the paper reviews should be 2 pages long and, to avoid plagiarism, you have to critique the paper in your own words based on how you understood it. Below is the rubric for the paper reviews and presentations.

# A. Grading Elements for Paper Review

| # | Grading element | Points |
|---|---|---|
| 1 | Paper review structure | 5 |
| 2 | Research problem, research question(s), hypotheses and methodology | 5 |
| 3 | Dataset description and sampling techniques | 5 |
| 4 | Explanation of results, analysis and ground truth | 10 |
| 5 | Generalizability of results/models and research contributions | 10 |
| 6 | Research limitations | 5 |
| 7 | Identification of research gap(s) | 5 |
| 8 | Well-written critique (no spelling or grammatical errors, has a storyboard) | 5 |
| 9 | Coherent and clear writing | 5 |
| 10 | Can the paper be extended? Provide suggestions. How about future work? | 5 |
|  | Total points | 60 |

Attachments: taxonomy_model_for_cti_info_exhange.pdf, how_tocritique_a_paper.pdf

# Taxonomy Model for Cyber Threat Intelligence Information Exchange Technologies

Eric W. Burger and Michael D. Goodman (Georgetown University, Washington, DC, USA); Panos Kampanakis (Cisco Systems, USA); Kevin A. Zhu (University of California, Los Angeles, CA, USA)

## Abstract

The cyber threat intelligence information exchange ecosystem is a holistic approach to the automated sharing of threat intelligence. For automation to succeed, it must handle tomorrow's attacks, not just yesterday's. There are numerous ontologies that attempt to enable the sharing of cyber threats, such as OpenIOC, STIX, and IODEF. To date, most ontologies are based on various use cases. Ontology developers collect threat indicators that through experience seem to be useful for exchange. This approach is pragmatic and offers a collection of useful threat indicators in real-world scenarios. However, such a selection method is episodic. What is useful today may not be useful tomorrow. What we consider to be chaff or too hard to share today might become a critically important piece of information. Therefore, in addition to use-case-based ontologies, ontologies need to be based on first principles. In this document we propose a taxonomy for classifying threat-sharing technologies. The purpose of this taxonomy is to classify existing technologies using an agnostic framework, identify gaps in existing technologies, and explain their differences from a scientific perspective.

We are currently working on a thesaurus that will describe, compare, and classify detailed cyber security terms. This paper focuses on the classification of the ontologies themselves.

Categories and Subject Descriptors: K.6.5 [Management of Computing and Information Systems]: Security and Protection; H.3.5 [Information Storage and Retrieval]: Data Sharing; D.3.0 [Programming Languages]: Standards

General Terms: Security, Standardization, Languages, and Management.

Keywords: Information Sharing; Taxonomy; Ontology

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. WISCS'14, November 3, 2014, Scottsdale, AZ, USA. Copyright 2014 ACM 978-1-4503-3151-7/14/11 $15.00. http://dx.doi.org/10.1145/2663876.2663883

## 1. Introduction

Security vulnerabilities and breaches occur at an alarming rate with no signs of slowing down. On an almost daily basis educational, financial, private and government institutions have been hacked and personally identifiable information (PII), intellectual property, and proprietary information stolen and used by various threat actors for monetary, personal or political gains. There is no single profile on threat actors. These actors can have many different motivations and are not bound by any specific tool or tools to accomplish their goals.

In addition to threat actor profiles, there are different stakeholders in organizations, including CEOs, CTOs, CISOs, Information Systems Security Managers, System/Network Administrators, System Architects, and System Users. Each of these stakeholders has a different role and consumes different forms or types of threat data in order to perform their duties and heighten the security posture of their organization. Different organizations and agencies have different structures and different individuals with a need to know the threat data. This creates a need for addressing security concerns and vetting of users and authorization to compartmentalized data, as well as formatting threat information for different uses.

As an example of different yet similar systems, the Department of Homeland Security (DHS) and the Department of Defense (DoD) both have vulnerability management systems that categorize and encapsulate threat data vulnerabilities cataloged in their own threat management systems. In addition there are different stakeholders within these organizations who need to know different pieces of the overall information or data. For example, the Information Security Vulnerability Management System (ISVM) [5] is a public threat data and remediation database that references the MITRE Common Vulnerabilities and Exposures (CVE) [14] for vulnerability and exposure information for operating systems, hardware, software, etc. Operating on this information, a CEO may only care whether the threat and exposure is relevant to their operation. All they want is a binary yes or no answer. They are not concerned with the particulars of how to remediate the threat. An Information System Security Officer or an Information System Security Manager, on the other hand, needs to know more specifics: Is the threat relevant to the current infrastructure or operation? Has the operation been secured from the threat? If not, when will the remediation take place and what are the operational risks? System administrators need to understand the underlying remediation and potential operational risks, such as testing and ensuring remediation does not pose any downtime or additional operational risks. The roles and concerns are essentially the same in the DoD/DISA Vulnerability Management System (VMS), which maps the same MITRE CVEs to the U.S. Defense Information Agency's (DISA) Information Assurance Vulnerability Alerts (IAVAs) in the DISA Vulnerability Management System [22].

The threat landscape itself is constantly changing with known old vulnerabilities and exploits, phishing attacks, zero day attacks, denial of service, and other attacks. The characteristics and signatures of these attacks differ, as do the carefully crafted responses offered by organizations, vendors and the community. The ultimate goal is to protect and secure consumer and organizational data from the loss of their assets, property, PII, and other data. A common need among heterogeneous organizations and entities is to share different types of threat information about adversaries, targets and vulnerabilities. A major goal is to solve and distribute solutions to these threats in a timely manner and ultimately decrease the time between when a zero day threat or vulnerability is discovered and when an action against that threat is initiated.

A problem is that there are multiple efforts underway for threat information sharing that use different data ontologies. These ontologies often overlap and do not offer a unified solution to the entire community. Typically they only address subsets of these communities. Thus, there could be duplications and gaps in the threat information sharing ontologies in different communities. This leads to a duplication of effort, and collaboration is not achieved or not achieved economically. There is a need for entities to have a common language and toolset to facilitate sharing. These different types of data, formats, roles, the need to know and privacy concerns create a many-to-many Cartesian product where a relationship that exists one day may not exist the next and new relationships are created using a mix of both old and new threat data. The taxonomy model presented here does not propose to solve these problems but provides an agnostic framework in which ontologies can be evaluated and assessed. Currently there are gaps and shortcomings in the Cyber Threat Intelligence Information Exchange Ecosystem. The goal is to identify these gaps and shortcomings for users, vendors, agencies and communities of interest to enable and provide scalable, robust and secure cyber threat information sharing.

After we present the taxonomy below, we examine two protocols and data representations, RID/IODEF and TAXII/STIX, using our model. RID and TAXII are the transport protocols for IODEF and STIX respectively. We also briefly examine YARA and NMSG.

## 2. Taxonomy Model for Cyber Threat Intelligence Sharing

Taxonomy is a classification into ordered categories. We propose a layered taxonomy model for cyber threat intelligence sharing technologies. We use a layered model, as opposed to a traditional hierarchical (taxa) model. This model, from a Computer Science perspective, better follows potential technology options and instantiations than a strict hierarchical model. This paper will not review the literature on separation of concerns or layered architectures. We refer interested readers to [24], [23], and [10].

The layers, shown in Figure 1, somewhat follow the ISO OSI protocol model. They are transport, session, indicators, intelligence, and 5W's (who, what, where, when, and why). The following sections describe these layers in more detail.

Figure 1 – Layered Model

### 2.1 Transport

The transport layer is what moves the bytes representing the cyber threat intelligence between enterprises. There are three taxa in the transport layer. They are:

Pull Transport: Pull transport is a (potentially unbounded or unframed) stream of bytes requested by a client. An example of pull transport is HTTPS. A receiver polls for a message. The receiver knows they are receiving the message, as they asked for it.

Push Transport: An asynchronous atomic message is a bounded message sent to a subscribing client. A sender packages a message and sends it to the receiver. The sender knows they are sending the message, but because of the asynchronous nature of message delivery, they do not know when or if the receiver will receive the message. Most asynchronous message protocols have provisions for positive notification of delivery. Examples of push transport are SMTP (Internet email), XMPP (Internet instant messaging), SIMPLE (Internet/3G multimedia instant messaging), and RSS feeds (Web/HTTP site update notification).

Raw byte stream: One can always roll one's own message transport protocol.

Push transport can emulate a pull transport by having the sender 'request' the receiver to request the message from the sender.

### 2.2 Session

There are various services provided by the session layer. They include:

• Authentication services: authenticating the sender as well as the receiver
• Authorization services: given an authenticated identity, is the receiver trusted to receive and appropriately handle the information? Is the sender an authoritative source?
• Permissions: permissions on the entire content of the message

Authentication identifies the sender or receiver. However, authentication does not provide authorization. Just knowing who a sender or receiver is does not mean the sender is allowed to send the information, the information is authoritative, or that the receiver is allowed to receive it.

Some transports build in some level of authentication. For example, HTTPS identifies the server (host) by enabling the client to receive the server's X.509 certificate during TLS negotiation. HTTP can have the client identify the user using digest authentication. SMTP using S/MIME can identify the user or entity sending the message by signing the message, and can cryptographically restrict access to the specified user or entity that is entitled to receive the message by encrypting the message with the recipient's public key (S/MIME or PGP) or via an application-level shared secret (password or key).

One can build authentication into the transport protocol. For example, if one has a VPN established, one can know with reasonable certainty the tunnel's endpoint, whether it is a network or a specific host. For a number of use cases, such as point-to-point bilateral sharing, this is sufficient authentication for the sharing enterprises.

Other use cases do not require symmetric authentication. For example, take a CSIRT (Computer Security Incident Response Team) that wants to publish information to the general public. In this case, only the CSIRT needs to present credentials. It is important for clients to be able to authenticate the CSIRT, as the CSIRT presumably is authorized to be the authoritative source of information. Since we are in the cyber threat environment, masquerading as a CSIRT can be a high value exercise. On the other hand,[1] there is little technical value in the CSIRT collecting strong identities of the clients. As the information is publicly available, there is little technical value in encrypting the data between the server and the client, so long as there are ways of validating the information itself, such as through a cryptographic signature.

[1] For this analysis we ignore the potential marketing value of counting truly unique visitors, where they come from, and so on. Given the new distrust of government surveillance, not cryptographically identifying clients may be considered a feature, as some clients may not wish to register with the government simply to protect themselves from criminal bad guys.

### 2.3 Indicators

The Indicators layer of the taxonomy is the first layer of the taxonomy that contains a cyber intelligence payload. The focus of much of the cyber threat intelligence exchange efforts to date is indicators.

Indicators are patterns or behaviors that indicate, or show the likelihood and possibly predictability, of a cyber threat. Indicators can also be derived from incidents. If an incident occurs at some point in time there may be an observable pattern or behavior that indicates an incident has occurred. Incidents can be considered as a set of indicators. As an example, in a distributed denial of service (DDoS) attack a service is unavailable. An indicator of the attack could be a flood of packets from a certain region, identified by IP addresses, saturating perimeter routers.

There is a distinction between an indicator and an incident:

• Indicator: indicates you may be under attack
• Incident: the attack that happened

In the case of an incident we detect the indicators of the attack, so we can act proactively on the attack at the Intelligence layer. Observation of certain patterns does not necessarily imply one may be under attack; there can be false positives. A simple example might be that if I receive a copy of the VBMania@MM malware in an email, it does not affect me, as I am on a Mac computer. Thus, the indicator pattern will be a false positive for me. However, forwarding the email to someone with a Windows machine may turn the indicator for the presence of VBMania@MM into an incident, since Windows computers are compromised by this malware. One may even take this a further step: the infection of a Windows machine might be considered just an indicator, unless the virus terminates your anti-virus programs. However, even this could still be considered just an indicator (the machine is now running faster!), until the lack of anti-virus protection results in the installation of a backdoor that allows for massive exfiltration of one's data.

For the purposes of the taxonomy, we do not distinguish any 'incident' terms from 'indicators.' The Indicators layer of the taxonomy provides a separation between the action layer of the taxonomy (Intelligence) and the attribution layer of the taxonomy (5W's). In the taxonomy, indicators need only have a secure transport and may operate independently from the Intelligence and 5W's layers. Also of note is that indicators are observable and are also a part of the 'H' for how in the 5W's layer.

There may be indicators that could require portion marking or encryption. Individual indicators may need permissions on them for privacy protection. For example, if an indicator contains PII, the sender may tag that particular instance of an indicator as protected. However, one can also have a need for cryptographically locking the indicator itself. For example, an indicator may include secret or non-forensic materials. Forwarding such information beyond particular personnel may expose methods or assets.

These permissions can be quite complex. Moreover, the permissions often depend more on the indicator's metadata than on the indicator itself. That is, the permission is not dependent on the data element, but depends on data about the collection, provenance, ownership, source, use, and other factors not tied to the data element itself. This is a current area of research at Georgetown.

### 2.4 Intelligence

The Intelligence layer specifies action. It can be literally action, like "when you see this, do that." This is the way, for example, antivirus patterns work. "When you see a code snippet that looks like MyDoom, delete the file"; "When you see an HTTP request to a banned domain, block the stream"; and "When you see an application open fifty TCP connections within 100ms, raise an alarm" are all examples of Intelligence.

The Intelligence layer also includes queries that are formulated from information accrued from the Indicator layer about a target or targets. For example, "What can you tell me about this IP address?", "What is known about this autonomous system?", and "I am seeing this sort of behavior (indicators) – do you see anything like it?" are examples of queries.

Queries can be either synchronous or asynchronous. Early query systems were synchronous. However, often the data is not readily accessible or collected yet. This resulted in complex polling or, worse yet, no support at all. Asynchronous query mechanisms enable information security broker operations and, if not instant results, timely results.

### 2.5 5W's

The 5W's go back to at least the fourth century and are so basic to information gathering that they are often mentioned in journalism, research and police investigations, and constitute a formula for getting the complete story on a subject. This goes back centuries; Victorinus' Diagram is an example (see Figure 2) [26].

#### 2.5.1 What are the 5W's

The 5W's are:

• Who is interested in this user or enterprise?
• What are they trying to do? What are they exploiting?
• When did it start?
• Where did it come from? Where does it go?
• Why are they attacking the enterprise or user?
• How does it accomplish their goals?

#### 2.5.2 5W's

In the 5W's layer, who could be a person, organization or state to which the action of an attack could be attributed. In a cyberattack, law enforcement officers are interested in who to arrest. In an enterprise, who could be incorporated into the Indicator layer as an indicator, as a heuristic for what may be likely to happen. For example, it will help understand whether the attack will be on economic assets, customer accounts, or designs, depending on whether the attacker (who) is doing blackmail, looking for cash, or is a competing enterprise or state actor.

Figure 2 – Victorinus' Diagram of Cicero's Circumstances to Questions

The power of the taxonomy comes about when combining indicators with the 5W's. This is where one moves from indicators of varying, enterprise situation-specific importance to actionable intelligence. "When you see this behavior (indicators), you are a target and bad things may be happening" is one of the goals of automated intelligence exchange. Better situational awareness can be achieved by combining the indicators and 5W's of the taxonomy to promote more enhanced enterprise policies.

An enterprise policy is a rule set that takes indicators and 5W's and res …

… taking an action that could affect millions of customers based on questionable indicators. However, knowing those indicators would set the service provider to take different, and quicker, action than if they did not have the context provided by the 5W's layer or if they knew the indicators may be of low impact or value.
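The session-layer sequence from 2.2 above (authentication, then authorization, then permissions that follow the indicator's metadata rather than its value, as 2.3 puts it) as an added Python illustration. This is not the paper's code: the message layout, HMAC over an application-level shared secret as the authentication mechanism, the authority table and the role clearances are all assumptions chosen to keep the three checks distinct.

```python
"""Session-layer handling of a shared indicator message: authentication (who
sent it), authorization (is that sender authoritative for this indicator type),
then permissions driven by the indicator's metadata, not its value.
Constructed illustration: message layout, shared secrets, authority table and
role clearances are assumptions, not part of the paper or any real protocol."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed application-level shared secrets, one per sending peer.
SHARED_SECRETS = {"csirt-a": b"constructed-secret-a", "vendor-b": b"constructed-secret-b"}
# Which authenticated senders are authoritative for which indicator types (constructed).
AUTHORITATIVE_FOR = {"csirt-a": {"ip", "domain"}, "vendor-b": {"file_hash"}}
# Receiving roles and the permission levels they are cleared for (constructed).
ROLE_CLEARANCE = {"ciso": {"public", "restricted"}, "sysadmin": {"public"}}

def _mac(key: bytes, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()  # canonical form before MAC
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign(sender: str, body: dict) -> dict:
    """Sender side: attach a MAC computed with the sender's shared secret."""
    return {"sender": sender, "body": body, "mac": _mac(SHARED_SECRETS[sender], body)}

def authenticate(msg: dict) -> Optional[str]:
    """Step 1: establish who sent the message. Returns the sender id, or None."""
    key = SHARED_SECRETS.get(msg.get("sender"))
    if key is None:
        return None
    ok = hmac.compare_digest(_mac(key, msg["body"]), msg["mac"])
    return msg["sender"] if ok else None

def authorize(sender: str, indicator: dict) -> bool:
    """Step 2: knowing the sender does not make it an authoritative source."""
    return indicator["type"] in AUTHORITATIVE_FOR.get(sender, set())

def permitted(indicator: dict, role: str) -> bool:
    """Step 3: permission follows the metadata (PII, provenance), not the value."""
    meta = indicator["meta"]
    sensitive = meta.get("pii", False) or meta.get("provenance") == "non-forensic"
    level = "restricted" if sensitive else "public"
    return level in ROLE_CLEARANCE.get(role, set())

def process(msg: dict, role: str) -> dict:
    """Run the three steps in order; report what the role may act on and why the rest was dropped."""
    result = {"accepted": [], "rejected": []}
    sender = authenticate(msg)
    if sender is None:
        result["rejected"].append("message: authentication failed")
        return result
    for ind in msg["body"]["indicators"]:
        if not authorize(sender, ind):
            result["rejected"].append(f"{ind['value']}: {sender} is not authoritative for {ind['type']}")
        elif not permitted(ind, role):
            result["rejected"].append(f"{ind['value']}: not permitted for role {role}")
        else:
            result["accepted"].append(ind["value"])
    return result

def constructed_message() -> dict:
    """A made-up message from csirt-a; the addresses are documentation ranges."""
    return sign("csirt-a", {"indicators": [
        {"type": "ip", "value": "203.0.113.7", "meta": {"provenance": "honeypot"}},
        {"type": "ip", "value": "198.51.100.9", "meta": {"provenance": "non-forensic"}},
        {"type": "ip", "value": "192.0.2.55", "meta": {"provenance": "customer log", "pii": True}},
        {"type": "file_hash", "value": "constructed-hash-0001", "meta": {"provenance": "sandbox"}},
    ]})

def tampered_message() -> dict:
    """Same message with one indicator altered in transit; the MAC no longer matches."""
    msg = constructed_message()
    msg["body"]["indicators"][0]["value"] = "203.0.113.8"
    return msg
```

The file-hash indicator is dropped even though the sender authenticates, which is the paper's point that authentication does not imply authority; the sysadmin role sees only the honeypot address because the other two are restricted by their metadata.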
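The three "when you see this, do that" rules quoted in 2.4 above, run as detection logic over a constructed event timeline. This is an added example, not code from the paper: the event record, the denylist, the sample hash value and the per-application sliding window used for the connection-burst rule are assumptions.

```python
"""The paper's three example Intelligence rules applied to Indicator-layer
events. Added illustration: the event format, denylist, sample hash and the
sample timeline below are constructed, not taken from the paper."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    ts_ms: int     # observation time, milliseconds
    kind: str      # "tcp_connect", "http_request" or "file_seen"
    app: str       # application that produced the observation
    detail: str    # peer address, requested host name, or file hash

# Constructed denylist and signature table; placeholder values, not real indicators.
BANNED_DOMAINS = {"banned.example"}
KNOWN_BAD_HASHES = {"constructed-hash-mydoom-like"}

class ConnectionBurstRule:
    """'When you see an application open fifty TCP connections within 100ms, raise an alarm.'
    Keeps a sliding window of connect timestamps per application; alarms once per app."""

    def __init__(self, threshold: int = 50, window_ms: int = 100):
        self.threshold, self.window_ms = threshold, window_ms
        self._recent: dict[str, deque[int]] = {}
        self._alarmed: set[str] = set()

    def __call__(self, ev: Event) -> Optional[str]:
        if ev.kind != "tcp_connect":
            return None
        window = self._recent.setdefault(ev.app, deque())
        window.append(ev.ts_ms)
        while ev.ts_ms - window[0] > self.window_ms:  # drop connects older than the window
            window.popleft()
        if len(window) >= self.threshold and ev.app not in self._alarmed:
            self._alarmed.add(ev.app)
            return f"ALARM {ev.app}: {len(window)} TCP connections within {self.window_ms}ms"
        return None

def banned_domain_rule(ev: Event) -> Optional[str]:
    """'When you see an HTTP request to a banned domain, block the stream.'"""
    if ev.kind == "http_request" and ev.detail in BANNED_DOMAINS:
        return f"BLOCK {ev.app}: stream to {ev.detail}"
    return None

def known_bad_file_rule(ev: Event) -> Optional[str]:
    """'When you see a code snippet that looks like MyDoom, delete the file.'"""
    if ev.kind == "file_seen" and ev.detail in KNOWN_BAD_HASHES:
        return f"DELETE {ev.app}: file {ev.detail}"
    return None

def run_rules(events, rules) -> list[str]:
    """Apply every rule to every event in order; return the actions raised."""
    return [a for ev in events for rule in rules if (a := rule(ev)) is not None]

def constructed_events() -> list[Event]:
    """Made-up timeline: one process bursting connections, one browser at a normal rate."""
    evs = [Event(2 * i, "tcp_connect", "scanner.exe", f"10.0.0.{i + 1}") for i in range(60)]
    evs += [Event(5000 + 50 * i, "tcp_connect", "browser", "198.51.100.10") for i in range(60)]
    evs.append(Event(9000, "http_request", "browser", "banned.example"))
    evs.append(Event(9100, "file_seen", "mail-client", "constructed-hash-mydoom-like"))
    return evs

def demo() -> list[str]:
    return run_rules(constructed_events(), [ConnectionBurstRule(), banned_domain_rule, known_bad_file_rule])
```

The browser's sixty connections spread over three seconds never trip the burst rule; only the rate the paper quotes does, which is the difference between an indicator and an action.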
