A Survey on Malware Detection with Graph Representation Learning
Malware detection has become a major concern due to the increasing number and
complexity of malware. Traditional detection methods based on signatures and
heuristics are used for malware detection, but unfortunately, they suffer from
poor generalization to unknown attacks and can be easily circumvented using
obfuscation techniques. In recent years, Machine Learning (ML) and notably Deep
Learning (DL) achieved impressive results in malware detection by learning
useful representations from data and have become a solution preferred over
traditional methods. More recently, the application of such techniques on
graph-structured data has achieved state-of-the-art performance in various
domains and demonstrates promising results in learning more robust
representations from malware. Yet, no literature review focusing on graph-based
deep learning for malware detection exists. In this survey, we provide an
in-depth literature review to summarize and unify existing works under the
common approaches and architectures. We notably demonstrate that Graph Neural
Networks (GNNs) reach competitive results in learning robust embeddings from
malware represented as expressive graph structures, leading to an efficient
detection by downstream classifiers. This paper also reviews adversarial
attacks that are utilized to fool graph-based detection methods. Challenges and
future research directions are discussed at the end of the paper.
Comment: Preprint, submitted to ACM Computing Surveys in March 2023. For any suggestions or improvements, please contact me directly by e-mail.
Formal Modelling of Intrusion Detection Systems
Abstract: The cybersecurity ecosystem is constantly evolving in terms of the number, diversity and complexity of attacks. As a result, detection tools become ineffective against certain attacks. Three types of intrusion detection systems are generally distinguished: anomaly-based detection, signature-based detection and hybrid detection. Anomaly-based detection is founded on characterizing the usual behaviour of the system, typically in a statistical manner. It can detect known or unknown attacks, but it also generates a very large number of false positives. Signature-based detection detects known attacks by defining rules that describe the known behaviour of an attacker. This requires a good knowledge of attacker behaviour. Hybrid detection relies on several detection methods, including those mentioned above. It has the advantage of being more precise during detection. Tools such as Snort and Zeek offer low-level languages for expressing attack-recognition rules. Since the number of potential attacks is very large, these rule bases quickly become hard to manage and maintain. Moreover, expressing stateful rules to recognize a sequence of events is particularly arduous. In this thesis, we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs allow a graphical and modular representation of a specification, which facilitates the maintenance and understanding of rules. We extend the ASTD notation with new features to represent complex attacks.
Next, we specify several attacks with the extended notation and run the resulting specifications on event streams using an interpreter to identify attacks. We also evaluate the performance of the interpreter against industrial tools such as Snort and Zeek. Then, we build a compiler to generate executable code from an ASTD specification, able to efficiently identify sequences of events.
A Celebration of West Point Authors, Jan-Jun 2019
Today we celebrate the more than 300 works of scholarship produced at the Academy between January and June 2019. This event highlights published and ongoing research into character and character development.
Exploring RNNs for analyzing Zeek HTTP data
Cyber vulnerabilities pose a threat across systems in the Department of Defense. Finding ways to analyze network traffic and detect malicious behavior on a network will help keep these systems safe. This poster looks at the data collection techniques, model creation, and results of building a recurrent neural network to classify incoming traffic as normal or malicious. Additionally, it considers how the information will be best portrayed on a GUI to network administrators. The model's initial accuracy is 83.45% when trained on 500,017 connections. With increased accuracy, this tool may be used by the Department of Defense to help defend its networks.