IEEE Xplore Full-Text HTML : GIS mapping and spatial analysis of cyb...
http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=7378714#article
GIS mapping and spatial analysis of cybersecurity attacks on a Florida university
ABSTRACT
As the centers of knowledge, discovery, and intellectual exploration, US universities provide appealing cybersecurity targets. Cyberattack origin patterns and relationships are not evident until the data is visualized in maps and tested with statistical models. The current cybersecurity threat detection software utilized by University of North Florida's IT department records large amounts of attacks and attempted intrusions by the minute. This paper presents GIS mapping and spatial analysis of cybersecurity attacks on UNF. First, locations of cyberattack origins were detected by geographic Internet Protocol (GEO-IP) software. Second, GIS was used to map the cyberattack origin locations. Third, we used advanced spatial statistical analysis functions (exploratory spatial data analysis and spatial point pattern analysis) and R software to explore cyberattack patterns. The spatial perspective we promote is novel because there are few studies employing location analytics and spatial statistics in cyberattack detection and prevention research.
Published in: 2015 23rd International Conference on Geoinformatics, 19-21 June 2015. Authors: Zhiyong Hu, Chris W. Baynard, Hongda Hu, Michael Fazio. © 2015 IEEE
SECTION I
INTRODUCTION
American higher education institutions are centers of knowledge, discovery, and intellectual exploration. The United States is a society of openness and freedom, values especially central to campuses of higher education. Foreign adversaries and competitors have been taking advantage of that openness for many years. Information is a valuable asset on campuses, and most of it is shared liberally; however, some information is private or restricted. Not all campus information is for public consumption. There are a variety of people and organizations within and outside the United States who may seek to improperly or illegally obtain information from US universities: foreign and domestic businesses, individual entrepreneurs, competing academics, terrorist organizations, and foreign intelligence services.
One method used to target information at US universities is conducting cyber-attacks (or computer intrusions). A cyber-attack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that steals, alters, or destroys a specified target by hacking into a susceptible system. Today's computer-connected world provides abundant opportunity for criminals, terrorists, opportunists, and intelligence services to exploit the access that cyber networks afford. They can hack into a system and steal research and other information, send phishing email with malware attached, and exploit social networking sites. They search for restricted information, for people who have access to that information, and for information that can be used to coerce or entice people with access to share restricted data. There have been computer intrusions into US universities from numerous countries. US universities receive large numbers of unsolicited requests for information and millions of hits on their Web servers each day.
Computer hackers, especially those funded by a foreign government, are capable of breaching firewalls and exploiting vulnerabilities in software. They are also skilled at deceiving trusting or unassuming individuals through scams. Though cyber-attacks targeting large corporations or federal government agencies receive the spotlight, universities, as centers of knowledge and research, are also prime targets. For example, US universities that engage in substantial amounts of funded research have yielded novel and valuable discoveries that can create attractive targets to cyber data thieves. This information can prove lucrative and result in a competitive advantage to those possessing it, while also disrupting operations for those who are attacked. In fact, in the wake of massive data breaches in the private sector, financial firms plan to increase cybersecurity spending by $2 billion in the next two years [1]. Just as businesses are beginning to embrace geo-analytics into their operations in order to gain better business insight and speed up decision-making [2], university IT departments should geo-enrich their threat assessment data by incorporating location analytics in order to improve the analysis and better deal with outside threats.
The current cybersecurity threat detection software utilized by University of North Florida's IT department records large amounts of attacks and attempted intrusions by the minute. This paper presents GIS mapping and spatial analysis of cybersecurity attacks on UNF.
SECTION II
EXTRACT LOCATIONS OF CYBERSECURITY ATTACK ORIGINS
Cybersecurity defense includes two central aspects: intrusion detection and intrusion prevention. The former records, classifies and notifies security personnel of an event. The latter automatically responds to an event by taking appropriate actions such as blocking traffic, quarantining or sending reset packets. Our primary focus for this project is on the intrusion detection side. The long-term objective is for this information to nourish intrusion prevention. Cybersecurity attacks on UNF's computer networks are monitored with TippingPoint intrusion prevention software [3], which provides minute-by-minute lists of attacks and unwanted intrusions into the campus IT network. It can provide information as to what type of system is being targeted (e.g., printers, workstations, desktops, web servers, tablets, and phones). It provides the time of day and filters attacks by attack method. We determine the origin locations of these attacks by geocoding selected, filtered data using the freeware GEO2 Lite software, which detects the general location of internet users based on IP addresses [4]. It allows us to map the distribution of attacks within and between countries and examine these patterns. Through a filtering system we were able to exclude duplications, unimportant events and other unnecessary data, while still ending up with large datasets. The tabular information contains Internet Protocol (IP) addresses that can be converted to geographic coordinates and therefore mapped as points and analyzed in a GIS (using a variety of measures derived from the data attributes). This paper reports mapping and analysis results based on intrusion detection data from January to March, 2014.
SECTION III
GIS MAPPING
Knowing where these intrusions originate allows for a more targeted defense, particularly if certain types of attacks can be found to come from a few particular locations or countries. In such cases, an entire country can be blocked from accessing a university network, thus greatly enhancing security. GIS was used to separate the data by category of threat and location (using multiple filters from TippingPoint) and to explore and visualize this information to help determine:
Where, inside and outside the US, do threats originate?
Which types of threats are most prevalent, and from which locations?
What days/times appear related to the country/location of origination for the most common attacks?
From January to March, 2014, there were 1,300,000 attacks on UNF, among which there were 72 filtered categories. The main attack categories are exploits, spyware, virus, vulnerabilities, DDoS, and reconnaissance (Table I). Table I shows cyberattack counts by category for a 3-day period in January 2014. Fig. 1 shows origin locations of cyberattacks on UNF. Our findings showed that 20% of records had questionable (null) locations. Furthermore, the origins were almost entirely located outside the US, predominantly in Western Europe, but also throughout Russia, Southeast Asia, the African continent, and Latin America and the Caribbean. Table II shows cyberattack counts by country for a 3-day period in January 2014. In some cases, they originated in very remote locations, such as the middle of eastern Russia, away from any urban areas. Where locational information appeared more reliable, we found that US allies were actually the countries with the highest number of originating attacks. These occurrences also varied by day of the week. Meanwhile, inside the US, about 15 cities showed the highest level of attacks, encompassing 13 states (Fig. 2). In Florida, at the state level, most of the attacks appeared to originate within 10 miles of colleges and universities. Of course these locations coincided with urban areas, but nevertheless, these types of patterns provide interesting research questions that we want to further explore.
Table I. Main cyberattack categories
Figure 1. Origin locations of cyberattacks on UNF, January-March 2014
Figure 2. Hot-spot cyberattack origins within the conterminous USA
SECTION IV
SPATIAL STATISTICAL ANALYSIS OF CYBER ATTACKS
The R software [5] was used to run spatial statistical analysis of cyber-attacks on UNF over a three-month period from January to March, 2014. Using the program R-studio, a script was developed to perform multiple analyses via the spatstat package. It first turned out that R cannot handle over a million data points. Our spatial statistical analysis was therefore limited to cyberattacks originating from the conterminous USA. It should be noted that points and corresponding IP addresses inside the USA do not necessarily mean the attacks originated from within the USA. Many attacks from outside the USA could use proxy servers in the USA. In order to perform the data analysis, the original points first had to be condensed or thinned to accommodate the maximum data sizes spatstat can handle and also the capabilities of the computational hardware. To do this, ESRI's ArcMap 10.3 was used to first clip the data to include only those points that fall within the contiguous 48 states. Next, the Frequency tool was used to join all points that had the same “Source_Encoded_IP” value. These are points that originated from the same location in geographic space. The output provides an additional field in the attribute table with the frequency count. In other words, the frequency count represents the number of points that originally had the same source location and were condensed into one point. Because the analysis was spatial, it was deemed that doing this would not alter the pattern of the point distribution. After the data was processed it was then exported as a shapefile (.shp) to be used within the spatstat package. What is interesting is that the frequency calculation revealed an outstanding attack location in a rural area in Clarks Summit, Pennsylvania. There is no way for us to know what is going on there, who is there, or who owns the property. Our finding of this exceptional location could direct law enforcement agencies and counterintelligence agencies to that location for further investigation.
Table II. Cyberattack counts by country
Multiple spatial statistical functions were run on the data to determine whether the cyberattack pattern was random or clustered. Fig. 3 shows results from the F, G, J and K functions. Further analysis was done by adding in the U.S. interstate highway system to see whether the pattern was clustered around interstate highways (Fig. 4 and Fig. 5). A spatial scan test was run assuming complete spatial randomness; this returned a p-value = 0.05, suggesting the points are not random. Further spatial statistics were run to determine whether or not the points were random with a quadrat test; in this case a grid of tiles was used and it was determined that p < 2.2e-16 (believed to be the closest value the program can report without calling it zero), suggesting the points are completely clustered. The grid size was altered from as low as up to with no change in results. A Monte Carlo test was run and similarly agreed that the pattern was clustered (Fig. 6). Fig. 7 shows the Morisita index of dispersion, which also demonstrates a clustered pattern. None of the statistical runs show any sort of spatial randomness; all suggest that the points are clustered. More analysis needs to be done to better understand this pattern, and further research into the capabilities of the spatstat package could allow for much more in-depth analysis.
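The condense-then-test procedure of Section IV, as an added example rather than the authors' R script: the Python below collapses records sharing a source IP into one point with a frequency count (the ArcMap Frequency step) and runs a quadrat test for complete spatial randomness over a 3-by-3 grid of the conterminous USA, computing the chi-square p-value in closed form for even degrees of freedom. The records, coordinates and bounding box are constructed assumptions.

```python
"""Condense attack-origin points that share a source IP into one point with a
frequency count, then run a quadrat test for complete spatial randomness
(Section IV), using only the standard library."""
from collections import Counter
from math import exp, factorial

# Constructed sample records: (source IP, lon, lat) of geocoded attack origins
# inside the conterminous USA. Coordinates are invented; repeats model many
# events from one source address.
RECORDS = [
    ("203.0.113.5", -75.7, 41.5), ("203.0.113.5", -75.7, 41.5),
    ("203.0.113.5", -75.7, 41.5), ("203.0.113.5", -75.7, 41.5),
    ("198.51.100.9", -75.6, 41.4), ("198.51.100.9", -75.6, 41.4),
    ("192.0.2.77", -75.8, 41.6), ("192.0.2.78", -75.8, 41.5),
    ("192.0.2.10", -122.4, 37.8), ("192.0.2.11", -122.3, 37.7),
    ("192.0.2.12", -122.4, 37.7), ("198.51.100.1", -122.5, 37.8),
    ("203.0.113.99", -122.4, 37.9), ("203.0.113.98", -122.3, 37.8),
    ("192.0.2.50", -84.4, 33.7), ("192.0.2.51", -87.6, 41.9),
]
CONUS_BBOX = (-125.0, 24.0, -66.0, 50.0)  # lon_min, lat_min, lon_max, lat_max

def condense(records):
    """One point per source IP, carrying how many records it absorbed
    (the paper's ArcMap Frequency step)."""
    freq = Counter(ip for ip, _, _ in records)
    coords = {ip: (lon, lat) for ip, lon, lat in records}
    return [(ip, *coords[ip], freq[ip]) for ip in freq]

def quadrat_counts(points, nx, ny, bbox):
    """Number of points falling in each tile of an nx-by-ny grid over bbox."""
    x0, y0, x1, y1 = bbox
    counts = [0] * (nx * ny)
    for _, lon, lat, _ in points:
        col = min(int((lon - x0) / (x1 - x0) * nx), nx - 1)
        row = min(int((lat - y0) / (y1 - y0) * ny), ny - 1)
        counts[row * nx + col] += 1
    return counts

def chi2_sf_even_df(x, df):
    """Upper-tail probability of a chi-square variable with even df
    (closed form: exp(-x/2) * sum over i < df/2 of (x/2)^i / i!)."""
    return exp(-x / 2) * sum((x / 2) ** i / factorial(i) for i in range(df // 2))

def quadrat_test(points, nx=3, ny=3, bbox=CONUS_BBOX):
    """Chi-square test of observed tile counts against the uniform expectation
    under CSR. Returns (chi2, p); a small p rejects spatial randomness."""
    counts = quadrat_counts(points, nx, ny, bbox)
    expected = len(points) / len(counts)
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    df = len(counts) - 1
    if df % 2:
        raise ValueError("choose a grid with an odd number of tiles (even df)")
    return chi2, chi2_sf_even_df(chi2, df)
```

With the sample above, two tiles absorb ten of the twelve condensed points, so the test rejects randomness at well below the 1% level; re-run with different grid sizes, as the paper did, to confirm the verdict is not an artifact of one tiling.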
Figure 3. F,G,J,K functions
Figure 4. Cyberattack origin pattern clustered around interstate highways
Figure 5. Smoothed rate estimate of cyberattack origin clustering around interstate highways
Figure 6. Monte Carlo test
SECTION V
CONCLUSIONS
By geo-locating the cyberattacks on the UNF campus computer network based on source IPs, this study has revealed global spatial patterns of the attack origins and identified the countries/regions with the most attack origins and the hot-spot attack origins in the conterminous USA. Multiple spatial statistical results have demonstrated that the pattern of cyberattacks originating from the conterminous USA is clustered. Findings from this project will be used to refine and automate data preparation for continued spatial analysis, for monitoring and mapping ever-larger datasets incorporating longer periods of time. This will not only help better address cybersecurity threats to UNF, but can serve as a model for other state university systems and outside organizations. The research is aligned with the 2011 Executive Office of the President's Strategic Plan for the Federal Cybersecurity Research and Development Program (NSTC 2011). The spatial perspective we promote is novel because there are few studies employing location analytics and spatial statistics in cybersecurity detection and prevention research. Our future research will have to explore what is behind the spatial pattern of the cyberattacks. We will use R to perform point pattern analysis incorporating demographic, social, economic, political, and geo-political covariates.
Figure 7. Morisita index of dispersion
REFERENCES
1. D. Huang, E. Glazer and D. Yadron, "Financial firms boost cybersecurity funds," The Wall Street Journal, 2014.
2. MicroStrategy, "Why does location analytics give you a competitive advantage?", 2014. [Online]. Available: http://www.microstrategy.com/Strategy/media/downloads/white-papers/FSI_location-analytics-give-you-a-competitive-advantage.pdf
3. Hewlett Packard, 2014. [Online]. Available: http://www8.hp.com/us/en/software-solutions/network-security/
4. MaxMind, "Geo2Lite2 legacy downloadable," 2014. [Online]. Available: http://dev.maxmind.com/geoip/legacy/geolite/
5. R Core Team, R: A language and environment for statistical computing, R Foundation for Statistical Computing, Vienna, Austria, 2013. [Online]. Available: http://www.R-project.org/
AUTHORS
Zhiyong Hu
Chris W. Baynard
Hongda Hu
Michael Fazio
KEYWORDS
IEEE Keywords Computer crime, Grippers, Software, Visualization
Authors Keywords Geographic Information System (GIS), cyberattack, cybersecurity, point pattern analysis, spatial analysis, spatial statistics