9 research outputs found

    Artificial Intelligence an Essential Expected Computer World Surveillance

    A position paper toward an important and urgent discussion on how best to use the potential of Artificial Intelligence in the context of Computer World surveillance. AI is often cited in papers on Computer World surveillance, but what is meant is using pre-existing AI techniques in Computer World surveillance. AI techniques are established around applications, and Computer World surveillance has never been an area of deliberation in AI. In this paper we argue that Computer World surveillance calls for new and specific AI techniques developed with that kind of application in mind. In practice, this paper is based on a broad overview of different approaches which have the potential to be game changers in Computer World surveillance. It focuses on web application security and supports the use of Knowledge Based Systems, probabilistic reasoning and Bayesian updating to control the probability of false positives and false negatives.

    SafeCandy: a system for security, analysis and validation on Android

    Android is an operating system which currently has over one billion active users across their mobile devices, a market impact that is driving an increase in the amount of information that can be obtained from different users, facts that have motivated the development of malicious software by cybercriminals. To address the problems caused by malware, Android implements a different architecture and security controls, such as a unique user ID (UID) for each application, while an API governs distribution through its application platform, Google Play. It has been shown that there are ways to circumvent that protection, so the developer community has been developing alternatives aimed at improving the level of security. This paper presents: the latest information on the various trends and security solutions for Android; SafeCandy, an app proposed as a new system for the analysis, validation and configuration of Android applications that implements static and dynamic analysis with an improved ASEF (Android Security Evaluation Framework); and a study evaluating the effectiveness in threat detection of different antivirus software for Android malware, including SafeCandy.

    Exploiting Execution Context for the Detection of Anomalous System Calls

    Attacks against privileged applications can be detected by analyzing the stream of system calls issued during process execution. In the last few years, several approaches have been proposed to detect anomalous system calls. These approaches are mostly based on modeling acceptable system call sequences. Unfortunately, the techniques proposed so far are either vulnerable to certain evasion attacks or are too expensive to be practical. This paper presents a novel approach to the analysis of system calls that uses a combination of dynamic analysis and learning techniques to characterize anomalous system call invocations in terms of both the invocation context and the parameters passed to the system calls. Our technique provides a more precise detection model than previously proposed solutions and, in addition, it is able to detect data modification attacks, which cannot be detected using system call sequence analysis alone.

    Vulnerability analysis and evaluation of intrusion detection systems for Web applications.

    With the increasing development of the Internet, Web applications have become increasingly vulnerable and exposed to malicious attacks that could affect essential properties such as the confidentiality, integrity or availability of information systems. To cope with these threats, it is necessary to develop efficient security protection mechanisms and testing techniques (firewall, intrusion detection system, Web scanner, etc.). The question that arises is how to evaluate the effectiveness of such mechanisms and what means can be implemented to analyze their ability to correctly detect attacks against Web applications. This thesis presents a new methodology, based on Web page clustering, that is aimed at identifying the vulnerabilities of a Web application following a black-box analysis of the target application. Each identified vulnerability is actually exploited to ensure that it does not correspond to a false positive. The proposed approach can also highlight different potential attack scenarios, including the exploitation of several successive vulnerabilities, explicitly taking into account the dependencies between these vulnerabilities. We have focused in particular on code injection vulnerabilities, such as SQL injections.
    The proposed method led to the development of a new Web vulnerability scanner and has been validated experimentally on various vulnerable applications. We have also developed an experimental platform integrating the new Web vulnerability scanner, which is aimed at assessing the effectiveness of intrusion detection systems for Web applications in a context that is representative of the threats such applications face in operation. This platform integrates several tools designed to automate the evaluation campaigns as much as possible. It has been used in particular to evaluate the effectiveness of two intrusion detection techniques developed by our partners in the collaborative project DALI, funded by the ANR, the French National Research Agency.

    Measuring the Semantic Integrity of a Process Self

    The focus of the thesis is the definition of a framework to protect a process from attacks against the process self, i.e. attacks that alter the expected behavior of the process, by integrating static analysis and run-time monitoring. The static analysis of the program returns a description of the process self that consists of a context-free grammar, which defines the legal system call traces, and a set of invariants on process variables that hold when a system call is issued. Run-time monitoring ensures the semantic integrity of the process by checking that its behavior is coherent with the process self returned by the static analysis. The proposed framework can also cover kernel integrity to protect the process from attacks at the kernel level. The implementation of the run-time monitoring is based upon introspection, a technique that analyzes the state of a computer to rebuild and check the consistency of kernel or user-level data structures. The ability to observe the run-time values of variables reduces the complexity of the static analysis and increases the amount of information that can be extracted on the run-time behavior of the process. To achieve transparency of the controls for the process while avoiding the introduction of special-purpose hardware units that access the memory, the architecture of the run-time monitoring adopts virtualization technology and introduces two virtual machines, the monitored and the introspection virtual machines. This approach increases the overall robustness because a distinct virtual machine, the introspection virtual machine, applies introspection in a transparent way both to verify the kernel integrity and to retrieve the status of the process to check the process self. After presenting the framework and its implementation, the thesis discusses some of its applications to increase the security of a computer network.
    The first application of the proposed framework is the remote attestation of the semantic integrity of a process. Then, the thesis describes a set of extensions to the framework to protect a process from physical attacks by running an obfuscated version of the process code. Finally, the thesis generalizes the framework to support the efficient sharing of an information infrastructure among users and applications with distinct security and reliability requirements by introducing highly parallel overlays.

    Safe and automatic live update

    Tanenbaum, A.S. [Promotor