Please use this identifier to cite or link to this item: http://bura.brunel.ac.uk/handle/2438/13742
Full metadata record
| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Louvieris, P | - |
| dc.contributor.author | Ioannou, Georgios | - |
| dc.date.accessioned | 2016-12-21T14:57:58Z | - |
| dc.date.available | 2016-12-21T14:57:58Z | - |
| dc.date.issued | 2015 | - |
| dc.identifier.uri | http://bura.brunel.ac.uk/handle/2438/13742 | - |
| dc.description | This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London. | en_US |
| dc.description.abstract | eXfiltration Advanced Persistent Threats (XAPTs) increasingly account for incidents concerned with critical information exfiltration from High Valued Targets (HVT's) by terrorists, cyber criminals or enemy states. Existing Cyber Defence frameworks and data fusion models do not adequately address (i) the multi-stage nature of XAPTs and (ii) the uncertainty and conflicting information associated with XAPTs. A new data fusion theory, called the Markov Multi-phase Transferable Belief Model (MM-TBM) is developed, for tracking and predicting XAPTs. MM-TBM expands the attack kill-chain model to attack trees and introduces a novel approach for combining various sources of cyber evidence, which takes into account the multi-phased nature of XAPTs and the characteristics of the cyberspace. As a data fusion theory, MM-TBM constitutes a novel approach for performing hypothesis assessment and evidence combination across phases, by means of a new combination rule, called the Multi-phase Combination Rule with conflict Reset (MCR2). This is the first combination rule in the field of data fusion that formalises a new method for combining evidence from multiple, causally connected hypotheses spaces and eliminating the bias from preceding phases of the kill-chain. Moreover, this is the first time a data fusion theory utilises the conflict mass m(Ø) for identifying paradoxes. In addition, a diagnostic formula for managing missing pieces of evidence within attack trees is presented. MM-TBM is designed, developed and evaluated using a Design Science Research approach within two iterations. Evaluation is conducted in a relevant computer network environment using scenario-based testing. The experimental design has been reviewed and approved by Cyber Security Subject Matter Experts from MoD’s Defence Science Technology Laboratory and Airbus Group. The experimental results validate the novel capabilities introduced by the new MM-TBM theory to Cyber Defence in the presence of information clutter, conflict and congestion. Furthermore, the results underpin the importance of selecting an optimal sampling policy to effectively track and predict XAPTs. This PhD bridges the gaps in the body of knowledge concerned with multi-phase fusion under uncertainty and Cyber SA against XAPTs. MM-TBM is a novel mathematical fusion theory for managing applications that existing fusion models do not address. This research has demonstrated MM-TBM enables the successful Tracking and Prediction of XAPTs to deliver an enhanced Cyber SA capability. | en_US |
| dc.description.sponsorship | UK Defence and Science Technology Laboratory and Airbus Group. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | Brunel University London. | en_US |
| dc.relation.uri | http://bura.brunel.ac.uk/bitstream/2438/13742/1/FulltextThesis.pdf | - |
| dc.subject | Attack tree | en_US |
| dc.subject | Information fusion | en_US |
| dc.subject | Uncertainty | en_US |
| dc.subject | Cyber defence | en_US |
| dc.subject | Conflict management | en_US |
| dc.title | The Markov multi-phase transferable belief model: A data fusion theory for enhancing cyber situational awareness | en_US |
| dc.type | Thesis | en_US |
Appears in Collections: Computer Science
Dept of Computer Science Theses

Files in This Item:
| File | Description | Size | Format |
| --- | --- | --- | --- |
| FulltextThesis.pdf | | 11.9 MB | Adobe PDF |


Items in BURA are protected by copyright, with all rights reserved, unless otherwise indicated.