Attack profiles to derive data observations, features, and characteristics of cyber attacks

Existing techniques for cyber attack detection rely mainly on activity data from computers and networks. Little consideration has been given to other kinds of data in the cause-effect chains of attacks. Adding state and performance data may reveal elements on computers and networks that are affected by a cyber attack, thus providing a more accurate, complete picture of an attack. This paper presents a System-Fault-Risk framework that defines elements involved in the cause-effect chain of an attack. The SFR framework combines system and fault modeling, and risk assessment methods. It is employed to analyze known cyber attacks and derive profiles that define activity, state and performance data in cause-effect chains, features of those data, and characteristics of those features that enable attack detection. The profiles derived from specific attacks are generalized and compared with those reported in other studies to illustrate a set of novel data, features and characteristics.