Deterring Malicious Behavior in Cyberspace

Recent incidents reveal cyberattacks are being employed and honed in a systematic, coordinated fashion to achieve the objectives of malicious actors. Deterrence of the wide array of actors in cyberspace is difficult, since deterrence has to work in the mind of the attacker. Each attacker will weigh the effort of the attack against the expected benefit under their own criteria or rationality. This article analyzes whether the contemporary and complementary deterrence strategies of retaliation, denial, and entanglement are sufficient to deter malicious cyber actors or if the alternative of active cyberdefense is necessary and viable

Visualizing the outcome of dynamic analysis of Android malware with VizMal

Malware detection techniques based on signature extraction require security analysts to manually inspect samples to find evidences of malicious behavior. This time-consuming task received little attention by researchers and practitioners, as most of the effort is on the identification as malware or non-malware of an entire sample. There are no tools for supporting the analyst in identifying when the malicious behavior occurs, given a sample. In this paper we propose VizMal, a tool able to visualize the execution traces of Android applications and to highlight which portions of the traces correspond to a potentially malicious behavior. The aim of VizMal is twofold: assisting the malware analyst during the inspection of an application and pushing the research community to organize and focus its effort on the malicious behavior localization. VizMal is able to discern if the application behavior during each second of execution are legitimate or malicious and to show this information in a simple and understandable way. We validate VizMal experimentally and by means of a user study: the results are promising and confirm that the tool can be useful

Malicious Package Detection in NPM and PyPI using a Single Model of Malicious Behavior Sequence

Open-source software (OSS) supply chain enlarges the attack surface, which makes package registries attractive targets for attacks. Recently, package registries NPM and PyPI have been flooded with malicious packages. The effectiveness of existing malicious NPM and PyPI package detection approaches is hindered by two challenges. The first challenge is how to leverage the knowledge of malicious packages from different ecosystems in a unified way such that multi-lingual malicious package detection can be feasible. The second challenge is how to model malicious behavior in a sequential way such that maliciousness can be precisely captured. To address the two challenges, we propose and implement Cerebro to detect malicious packages in NPM and PyPI. We curate a feature set based on a high-level abstraction of malicious behavior to enable multi-lingual knowledge fusing. We organize extracted features into a behavior sequence to model sequential malicious behavior. We fine-tune the BERT model to understand the semantics of malicious behavior. Extensive evaluation has demonstrated the effectiveness of Cerebro over the state-of-the-art as well as the practically acceptable efficiency. Cerebro has successfully detected 306 and 196 new malicious packages in PyPI and NPM, and received 385 thank letters from the official PyPI and NPM teams

The Wireless Control Network: Monitoring for Malicious Behavior

We consider the problem of stabilizing a plant with a network of resource constrained wireless nodes. In a companion paper, we developed a protocol where each node repeatedly transmits an appropriate (stabilizing) linear combination of the values in its neighborhood. In this paper, we design an Intrusion Detection System (IDS) for this control scheme, which observes the transmissions of certain nodes and uses that information to (a) recover the plant outputs (for datalogging and diagnostic purposes) and (b) identify malicious behavior by any of the wireless nodes in the network. We show that if the connectivity of the network is sufficiently high, the IDS only needs to observe a subset of the nodes in the network in order to achieve this objective. Our approach provides a characterization of the set of nodes that should be observed, a systematic procedure for the IDS to use to identify the malicious nodes and recover the outputs of the plant, and an upper bound on the delay required to obtain the necessary information

A New Scheme for Minimizing Malicious Behavior of Mobile Nodes in Mobile Ad Hoc Networks

The performance of Mobile Ad hoc networks (MANET) depends on the cooperation of all active nodes. However, supporting a MANET is a cost-intensive activity for a mobile node. From a single mobile node perspective, the detection of routes as well as forwarding packets consume local CPU time, memory, network-bandwidth, and last but not least energy. We believe that this is one of the main factors that strongly motivate a mobile node to deny packet forwarding for others, while at the same time use their services to deliver its own data. This behavior of an independent mobile node is commonly known as misbehaving or selfishness. A vast amount of research has already been done for minimizing malicious behavior of mobile nodes. However, most of them focused on the methods/techniques/algorithms to remove such nodes from the MANET. We believe that the frequent elimination of such miss-behaving nodes never allowed a free and faster growth of MANET. This paper provides a critical analysis of the recent research wok and its impact on the overall performance of a MANET. In this paper, we clarify some of the misconceptions in the understating of selfishness and miss-behavior of nodes. Moreover, we propose a mathematical model that based on the time division technique to minimize the malicious behavior of mobile nodes by avoiding unnecessary elimination of bad nodes. Our proposed approach not only improves the resource sharing but also creates a consistent trust and cooperation (CTC) environment among the mobile nodes. The simulation results demonstrate the success of the proposed approach that significantly minimizes the malicious nodes and consequently maximizes the overall throughput of MANET than other well known schemes.Comment: 10 pages IEEE format, International Journal of Computer Science and Information Security, IJCSIS July 2009, ISSN 1947 5500, Impact Factor 0.42