Bayesian Models for Node-Based Inference Techniques

Abstract

Cyber attackers often use passive reconnaissance to collect information about target networks. This technique can be used to identify systems and plan attacks, making it an increasingly challenging task for security analysts to detect. Adversaries can recover statistical information from the information collected from compromised nodes, revealing target identities such as operating systems, software and servers. A comprehensive analysis of the collected data can aid in understanding what information an adversary can deduce from this technique. With this analysis, the defender can examine the methods of inferring a target used by adversaries and model adversaries’ inference techniques and belief formation. For this purpose, we propose a model-driven decision support system (DSS) based on a Bayesian belief network (BBN) to depict adversary node-based inference techniques from passively collected data and belief formation. BBN provides a compact representation of probabilistic data and allows the formalization of adversary beliefs. We demonstrate this approach with a case study based on the passively observed operating system (OS) fingerprinting data, which is evaluated utilizing $p$-value significance level and compared against the model generated from local networks and predictive accuracy. We also show that our methods produce models with high predictive accuracy surpassing a sequential artificial neural network (ANN).

Publication
17th Annual IEEE International Systems Conference (SysCon 2023)
Shanto Roy
Ph.D. student
Aron Laszka
Assistant Professor
