
    Isolating Intrusions by Automatic Experiments

    When dealing with malware infections, one of the first tasks is to find the processes that were involved in the attack. We introduce Malfor, a system that isolates those processes automatically. In contrast to other methods that help analyze attacks, Malfor works by experiments: first, we record the interaction of the system under attack; after the intrusion has been detected, we replay the recorded events in slightly different configurations to see which processes were relevant for the intrusion. This approach has three advantages over deductive approaches: first, the processes that are thus found have been experimentally shown to be relevant for the attack; second, the amount of evidence that must then be analyzed to find the attack vector is greatly reduced; and third, Malfor itself cannot make wrong deductions. In a first experiment, Malfor was able to extract the three processes responsible for an attack from 32 candidates in about six minutes.

    Comprehensive Security Framework for Global Threats Analysis

    Cyber criminality activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of threat arise involving complex scenarios spread within multiple IS components. The IS information modeling and Behavioral Analysis are becoming new solutions to normalize the IS information and counter these new threats. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and User Behavioral analysis. The results of the performed experiments on real data show that the modeling is effective to reduce the amount of events by 91%. The User Behavioral Analysis on uniform modeled data is also effective, detecting more than 80% of legitimate actions of attack scenarios.

    Suppressing Unwanted Memories Reduces Their Unintended Influences

    The ability to control unwanted memories is critical for maintaining cognitive function and mental health. Prior research has shown that suppressing the retrieval of unwanted memories impairs their retention, as measured on intentional (direct) memory tests. Here we review emerging evidence revealing that retrieval suppression can also reduce the unintended influence of suppressed traces. In particular, retrieval suppression (1) gradually diminishes the tendency for memories to intrude into awareness, and (2) reduces memories’ unintended expressions on indirect memory tests. We present a neural account in which, during suppression, retrieval cues elicit hippocampally-triggered neocortical activity that briefly reinstates features of the original event, which, in turn, are suppressed by targeted neocortical and hippocampal inhibition. This reactivation-dependent reinstatement principle could provide a broad mechanism by which suppressing retrieval of intrusive memories limits their indirect influences.

    Isolation of malicious external inputs in a security focused adaptive execution environment

    Pre-print
    Reliable isolation of malicious application inputs is necessary for preventing the future success of an observed novel attack after the initial incident. In this paper we describe, measure and analyze Input-Reduction, a technique that can quickly isolate malicious external inputs that embody unforeseen and potentially novel attacks from other benign application inputs. The Input-Reduction technique is integrated into an advanced, security-focused, and adaptive execution environment that automates diagnosis and repair. In experiments we show that Input-Reduction is highly accurate and efficient in isolating attack inputs and determining causal relations between inputs. We also measure and show that the cost incurred by key services that support reliable reproduction and fast attack isolation is reasonable in the adaptive execution environment.

    HyBIS: Windows Guest Protection through Advanced Memory Introspection

    Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malware that has exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights the main HyBIS advantages, such as: effective semantic introspection, support for 64-bit architectures and for the latest Windows (8.x and 10), and advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows OSes.

    Measuring Software Diversity, with Applications to Security

    In this work, we briefly introduce and discuss some of the diversity measures used in Ecology. After a succinct description and analysis of the most relevant ones, we single out the Shannon-Wiener index. We justify why it is the most informative and relevant one for measuring software diversity. Then, we show how it can be used for effectively assessing the diversity of various real software ecosystems. We discover in the process a frequently overlooked software monopoly, and its key security implications. We finally extract some conclusions from the results obtained, focusing mostly on their security implications.
    Comment: 10 pages, 5 figures

    From Cue to Recall: The Temporal Dynamics of Long-Term Memory Retrieval

    A fundamental function of long-term memory is the ability to retrieve a specific memory when encountering a retrieval cue. The purpose of this dissertation was to further our understanding of such cued recall by investigating the temporal dynamics from the presentation of the retrieval cue until the target memory is recalled. Retrieval cues are often related to several memories. When such a retrieval cue is presented, the associated memories will compete for retrieval, and this retrieval competition needs to be handled in order to retrieve the sought-after target memory. Study 1 and Study 2 investigated the temporal dynamics of such competitive semantic cued recall. Interestingly, previous research has shown that the ability to retrieve the currently relevant target memory comes with a cost, namely retrieval-induced forgetting of the competing memories. These studies also investigated the role of competitor activation and target retrieval in this forgetting phenomenon. Study 1 investigated the electrophysiological correlates of reactivation of competing, currently irrelevant memories and the role of such competitor activation in retrieval-induced forgetting. Competitor activation was related to an FN400 event-related potential (ERP) effect, and this effect predicted increased levels of retrieval-induced forgetting, indicating that this forgetting effect is dependent on competitor activation. Study 2 examined processes involved in target retrieval in a similar competitive semantic cued recall task. The main finding in this study was that attempts to retrieve the target memory were related to a late posterior negativity ERP effect. Another important finding was that behavioural and ERP measures of target retrieval were unrelated to retrieval-induced forgetting. Retrieval cues can sometimes elicit involuntary retrieval of unwanted memories. Such memory intrusions are a core symptom of post-traumatic stress disorder. Study 3 investigated the temporal dynamics of such memory intrusions. One of the key findings was that memory intrusions were related to a negative slow wave ERP effect, possibly reflecting the activation of the intruding memory in working memory. Taken together, the findings in the dissertation indicate that cued recall involves several cognitive processes ranging from early automatic memory reactivation to conscious processes such as working memory activation and recollection. The findings have implications for cognitive theories of memory and have relevance for several clinical conditions including depression and post-traumatic stress disorder.