Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
Provenance graphs are structured audit logs that describe the history of a
system's execution. Recent studies have explored a variety of techniques to
analyze provenance graphs for automated host intrusion detection, focusing
particularly on advanced persistent threats. Sifting through their design
documents, we identify four common dimensions that drive the development of
provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect
modern attacks that infiltrate across application boundaries?), attack
agnosticity (can PIDSes detect novel attacks without a priori knowledge of
attack characteristics?), timeliness (can PIDSes efficiently monitor host
systems as they run?), and attack reconstruction (can PIDSes distill attack
activity from large provenance graphs so that sysadmins can easily understand
and quickly respond to system intrusion?). We present KAIROS, the first PIDS
that simultaneously satisfies the desiderata in all four dimensions, whereas
existing approaches sacrifice at least one and struggle to achieve comparable
detection performance.
Kairos leverages a novel graph neural network-based encoder-decoder
architecture that learns the temporal evolution of a provenance graph's
structural changes to quantify the degree of anomalousness for each system
event. Then, based on this fine-grained information, Kairos reconstructs attack
footprints, generating compact summary graphs that accurately describe
malicious activity over a stream of system audit logs. Using state-of-the-art
benchmark datasets, we demonstrate that Kairos outperforms previous approaches.
Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on Security and Privacy (S&P'24)
Provenance of plumes in global convection models
In global convection models constrained by plume motions and subduction history over the last 230 Myr, plumes emerge preferentially from the edges of thermochemical structures that resemble present-day large low shear velocity provinces (LLSVPs) beneath Africa and the Pacific Ocean. It has been argued that large igneous provinces (LIPs) erupting since 200 Ma may originate from plumes that emerged from the edges of the LLSVPs, and numerical models have been devised to validate this hypothesis. Although qualitative assessments that are broadly in agreement with this hypothesis have been derived from numerical models, a quantitative assessment has been lacking. We present a novel plume detection scheme and derive Monte Carlo-based statistical correlations of model plume eruption sites and reconstructed LIP eruption sites. We show that models with a chemically anomalous lower mantle are highly correlated with reconstructed LIP eruption sites, whereas the confidence level obtained for a model with purely thermal plumes falls just short of 95%. A network of embayments separated by steep ridges forms in the deep lower mantle in models with a chemically anomalous lower mantle. Plumes become anchored to the peaks of the chemical ridges, and the network of ridges acts as a floating anchor, adjusting to slab push forces through time. The network of ridges imposes a characteristic separation between conduits that can extend into the interior of the thermochemical structures. This may explain the observed clustering of reconstructed LIP eruption sites, which mostly but not exclusively occur around the present-day LLSVPs.
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
Despite the fact that cyberattacks are constantly growing in complexity, the
research community still lacks effective tools to easily monitor and understand
them. In particular, there is a need for techniques that are able to not only
track how prominently certain malicious actions, such as the exploitation of
specific vulnerabilities, are used in the wild, but also (and more
importantly) how these malicious actions factor in as attack steps in more
complex cyberattacks. In this paper we present ATTACK2VEC, a system that uses
temporal word embeddings to model how attack steps are exploited in the wild,
and track how they evolve. We test ATTACK2VEC on a dataset of billions of
security events collected from the customers of a commercial Intrusion
Prevention System over a period of two years, and show that our approach is
effective in monitoring the emergence of new attack strategies in the wild and
in flagging which attack steps are often used together by attackers (e.g.,
vulnerabilities that are frequently exploited together). ATTACK2VEC provides a
useful tool for researchers and practitioners to better understand cyberattacks
and their evolution, and use this knowledge to improve situational awareness
and develop proactive defenses
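The abstract above describes embedding attack steps from their temporal context so that co-occurring steps and changes in a step's role can be read off the vectors. The following is an added example, not code from the ATTACK2VEC authors: it replaces their dynamic word2vec with explicit positive-PMI context vectors computed per time slice (so no cross-slice alignment step is needed, because every dimension is a named step), and it runs on constructed attack sequences with placeholder step names (exploit_A, miner_download, ...), not real signature or CVE identifiers. `used_with` ranks the steps most strongly co-occurring with a given step in one slice; `drift` measures how much a step's context changed between two slices.

```python
"""Temporal attack-step embeddings from co-occurrence statistics (added example,
a count-based stand-in for ATTACK2VEC's dynamic word embeddings)."""
import math
from collections import Counter, defaultdict

# Constructed IPS-style attack sequences, one list per time slice. Each inner
# list is the ordered attack steps observed against one host. Step names are
# placeholders, not real signature or CVE identifiers.
SLICES = {
    "2018-H1": 6 * [["scan", "exploit_A", "webshell", "exfil"]]
               + 4 * [["scan", "exploit_B", "webshell", "exfil"]],
    # in the second slice exploit_A is followed by a miner drop and SMB lateral
    # movement instead of a webshell, i.e. its role in attacks has evolved
    "2018-H2": 6 * [["scan", "exploit_A", "miner_download", "lateral_smb"]]
               + 4 * [["scan", "exploit_B", "webshell", "exfil"]],
}


def ppmi_vectors(sequences, window=2):
    """Sparse embedding of every step: its positive pointwise mutual information
    with each step that appears within +/- `window` positions of it."""
    pair = Counter()
    for seq in sequences:
        for i, w in enumerate(seq):
            for j in range(max(0, i - window), min(len(seq), i + window + 1)):
                if j != i:
                    pair[(w, seq[j])] += 1
    total = sum(pair.values())
    w_tot, c_tot = Counter(), Counter()
    for (w, c), n in pair.items():
        w_tot[w] += n
        c_tot[c] += n
    vecs = defaultdict(dict)
    for (w, c), n in pair.items():
        pmi = math.log(n * total / (w_tot[w] * c_tot[c]))
        if pmi > 0:  # keep only positive associations (PPMI)
            vecs[w][c] = pmi
    return dict(vecs)


def cosine(u, v):
    """Cosine similarity of two sparse vectors stored as dicts."""
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def used_with(vecs, step, k=3):
    """Steps most strongly co-occurring with `step` in one slice, best first."""
    ranked = sorted(vecs.get(step, {}).items(), key=lambda kv: -kv[1])
    return [c for c, _ in ranked[:k]]


def drift(vecs_old, vecs_new, step):
    """1 - cosine between a step's vectors in two slices: ~0 means the step is
    still used the same way, ~1 means its context changed or it (dis)appeared."""
    if step not in vecs_old or step not in vecs_new:
        return 1.0
    return 1.0 - cosine(vecs_old[step], vecs_new[step])


def evolution_report(slices):
    """Embed every slice and report per-step drift between consecutive slices."""
    names = list(slices)
    vecs = {n: ppmi_vectors(slices[n]) for n in names}
    report = {}
    for old, new in zip(names, names[1:]):
        steps = set(vecs[old]) | set(vecs[new])
        report[(old, new)] = {s: round(drift(vecs[old], vecs[new], s), 3)
                              for s in steps}
    return vecs, report


if __name__ == "__main__":
    vecs, report = evolution_report(SLICES)
    for (old, new), drifts in report.items():
        print(f"{old} -> {new}")
        for step, d in sorted(drifts.items(), key=lambda kv: -kv[1]):
            print(f"  {step:15s} drift={d:.3f} now used with {used_with(vecs[new], step)}")
```

With a real feed the sequences would come from the per-host event stream of the IPS and a slice would be a month or a quarter; the same report then surfaces steps whose drift jumps (a known exploit being repurposed for a new payload) and steps that newly enter the vocabulary, which `drift` reports as 1.0.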
A baseline for unsupervised advanced persistent threat detection in system-level provenance
Advanced persistent threats (APT) are stealthy, sophisticated, and
unpredictable cyberattacks that can steal intellectual property, damage
critical infrastructure, or cause millions of dollars in damage. Detecting APTs
by monitoring system-level activity is difficult because manually inspecting
the high volume of normal system activity is overwhelming for security
analysts. We evaluate the effectiveness of unsupervised batch and streaming
anomaly detection algorithms over multiple gigabytes of provenance traces
recorded on four different operating systems to determine whether they can
detect realistic APT-like attacks reliably and efficiently. This report is the
first detailed study of the effectiveness of generic unsupervised anomaly
detection techniques in this setting
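The KAIROS abstract earlier on this page describes scoring every system event in a streaming provenance graph for anomalousness and then distilling the flagged events into a compact attack summary graph; the baseline study above evaluates unsupervised detectors over the same kind of provenance traces. The following is an added example written for this page, not code from either paper: it stands in for KAIROS's graph-neural-network encoder-decoder with a count-based score (novelty of the concrete edge times the information content of its edge type, learned from a benign baseline) and stands in for its attack reconstruction with taint propagation from the flagged events over events that score above a lower context threshold. Node names carry an assumed type prefix (proc:, file:, sock:), the audit events are constructed, and the thresholds 1.5 and 0.5 are assumptions chosen for this data.

```python
"""Provenance-graph anomaly scoring with attack-footprint reconstruction
(added example; a count-based stand-in for a learned PIDS such as KAIROS)."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One audit record: `subj` performed `op` on `obj`. Node names carry an
    assumed type prefix (proc:, file:, sock:) from which edge types derive."""
    ts: int
    subj: str
    op: str
    obj: str

    @property
    def etype(self):
        return (self.subj.split(":", 1)[0], self.op, self.obj.split(":", 1)[0])

    @property
    def triple(self):
        return (self.subj, self.op, self.obj)


class ProvenanceDetector:
    def __init__(self):
        self.type_counts = Counter()    # (subj type, op, obj type) -> count
        self.triple_counts = Counter()  # concrete (subj, op, obj) -> count
        self.total = 0

    def train(self, events):
        """Learn the benign baseline (batch, or called again on a stream)."""
        for ev in events:
            self.type_counts[ev.etype] += 1
            self.triple_counts[ev.triple] += 1
            self.total += 1

    def score(self, ev):
        # novelty: an edge never seen in the baseline scores 1, a frequent one ~0
        novelty = 1.0 / (1.0 + self.triple_counts[ev.triple])
        # rarity: Laplace-smoothed information content (nats) of the edge type
        rarity = -math.log((self.type_counts[ev.etype] + 1) / (self.total + 1))
        return novelty * rarity

    def detect(self, window, alert=1.5):
        """Events in the window whose score reaches the alert threshold."""
        return [ev for ev in window if self.score(ev) >= alert]

    def reconstruct(self, window, alert=1.5, context=0.5):
        """Attack summary graph: flagged events plus any event above the
        context threshold that shares a node with something already in the
        summary (taint propagation), iterated to a fixed point."""
        seeds = self.detect(window, alert)
        summary = set(seeds)
        tainted = {n for ev in seeds for n in (ev.subj, ev.obj)}
        changed = True
        while changed:
            changed = False
            for ev in window:
                if ev in summary or self.score(ev) < context:
                    continue
                if ev.subj in tainted or ev.obj in tainted:
                    summary.add(ev)
                    tainted.update((ev.subj, ev.obj))
                    changed = True
        return sorted(summary, key=lambda e: e.ts)


# Constructed benign session, repeated to form the training baseline.
BENIGN_SESSION = [
    ("proc:sshd", "exec", "file:/bin/bash"),
    ("proc:bash", "read", "file:/etc/bash.bashrc"),
    ("proc:bash", "exec", "file:/usr/bin/ls"),
    ("proc:ls", "read", "file:/home/alice"),
    ("proc:bash", "exec", "file:/usr/bin/vim"),
    ("proc:vim", "read", "file:/home/alice/notes.txt"),
    ("proc:vim", "write", "file:/home/alice/notes.txt"),
    ("proc:bash", "exec", "file:/usr/bin/curl"),
    ("proc:curl", "connect", "sock:10.0.0.5:443"),
    ("proc:curl", "write", "file:/home/alice/report.pdf"),
]

# Constructed test window: a normal login, then a download-drop-execute chain
# with credential access and a callback, then more normal activity.
ATTACK_WINDOW = [
    ("proc:sshd", "exec", "file:/bin/bash"),
    ("proc:bash", "read", "file:/etc/bash.bashrc"),
    ("proc:bash", "exec", "file:/usr/bin/curl"),
    ("proc:curl", "connect", "sock:198.51.100.7:8080"),
    ("proc:curl", "write", "file:/tmp/.x"),
    ("proc:bash", "exec", "file:/tmp/.x"),
    ("proc:.x", "read", "file:/etc/shadow"),
    ("proc:.x", "connect", "sock:198.51.100.7:8080"),
    ("proc:bash", "exec", "file:/usr/bin/ls"),
    ("proc:ls", "read", "file:/home/alice"),
]


def build_demo():
    """Train on five benign sessions; return the detector and the test window."""
    det = ProvenanceDetector()
    det.train(Event(i, *t) for i, t in enumerate(BENIGN_SESSION * 5))
    window = [Event(100 + i, *t) for i, t in enumerate(ATTACK_WINDOW)]
    return det, window


if __name__ == "__main__":
    det, window = build_demo()
    for ev in det.reconstruct(window):
        print(f"{ev.ts} {det.score(ev):5.2f} {ev.subj} --{ev.op}--> {ev.obj}")
```

The summary deliberately omits the benign `bash` activity even though `bash` becomes tainted, because those edges are frequent and score below the context threshold; that is the compactness the KAIROS abstract asks for, obtained here by a much cruder scorer than the paper's. In a streaming deployment the detector would also call `train` on each window's low-scoring events so the baseline tracks benign drift.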
Knowledge will Propel Machine Understanding of Content: Extrapolating from Current Examples
Machine Learning has been a big success story during the AI resurgence. One
particular stand out success relates to learning from a massive amount of data.
In spite of early assertions of the unreasonable effectiveness of data, there
is increasing recognition for utilizing knowledge whenever it is available or
can be created purposefully. In this paper, we discuss the indispensable role
of knowledge for deeper understanding of content where (i) large amounts of
training data are unavailable, (ii) the objects to be recognized are complex,
(e.g., implicit entities and highly subjective content), and (iii) applications
need to use complementary or related data in multiple modalities/media. What
brings us to the cusp of rapid progress is our ability to (a) create relevant
and reliable knowledge and (b) carefully exploit knowledge to enhance ML/NLP
techniques. Using diverse examples, we seek to foretell unprecedented progress
in our ability for deeper understanding and exploitation of multimodal data and
continued incorporation of knowledge in learning techniques.
Comment: Pre-print of the paper accepted at 2017 IEEE/WIC/ACM International Conference on Web Intelligence (WI). arXiv admin note: substantial text overlap with arXiv:1610.0770
Timing and Characterization of the Change in the Redox State of Uranium in Precambrian Surface Environments: A Proxy for the Oxidation State of the Atmosphere
The redox-sensitive geochemical behavior of uranium permits the use of Th/U ratios as a geochemical proxy for the oxidation state of the atmosphere and oceans during sedimentary processes. Due to the effects of post-depositional uranium mobility on Th/U ratios during events involving oxygenated fluids, direct measurements of Th/U ratios are often misleading, but the whole rock Pb isotope composition may be used to determine a sample's apparent time-integrated Th/U ratio (κa) and the timing associated with the onset of the U-Th-Pb geochemistry. Rare earth element (REE) concentrations were determined by isotope dilution mass spectrometry to evaluate the influence of multiple provenance components and potential mobility of Th, U, and Pb during post-depositional processes on the Th/U ratio. The Pb isotope compositions and REE concentrations were determined for six Paleoproterozoic sedimentary sequences, which were the focus of previous studies involving the timing of the rise of atmospheric oxygen. The Mount McRae Shale, Huronian Supergroup, and Zaonezhskaya Formation have been interpreted as experiencing post-depositional alteration (perhaps associated with orogenic events) due to Pb-Pb ages that are younger than the likely depositional age and observed fractionation of REE in chondrite normalized REE patterns and interelement REE ratios (e.g. La/Nd, La/Yb, Eu/Eu*). Similar geochemical proxies have been interpreted as sedimentary geochemical features of the Timeball Hill Formation, Hotazel Formation, and Sengoma Argillite Formation. This study of Paleoproterozoic sedimentary units constrains the onset of U-Th decoupling, most likely due to the onset of oxidative weathering conditions, to have begun by 2.32 Ga at the latest.