Randomized Anagram Revisited

When compared to signature-based Intrusion Detection Systems (IDS), anomaly detectors present the potential advantage of detecting previously unseen attacks, which makes them an attractive solution against zero-day exploits and other attacks for which a signature is unavailable. Most anomaly detectors rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Such algorithms, however, are generally susceptible to evasion by means of carefully constructed attacks that are not recognized as anomalous. Different strategies to thwart evasion have been proposed over the last years, including the use of randomization to make somewhat uncertain how each packet will be processed. In this paper we analyze the strength of the randomization strategy suggested for Anagram, a well-known anomaly detector based on n-gram models. We show that an adversary who can interact with the system for a short period of time with inputs of his choosing will be able to recover the secret mask used to process packets. We describe and discuss an efficient algorithm to do this and report our experiences with a prototype implementation. Furthermore, we show that the specific form of randomization suggested for Anagram is a double-edged sword, as knowledge of the mask makes evasion easier than in the non-randomized case. We finally discuss a simple countermeasure to prevent our attacks.Publicad

The Inhibition-Deficit Hypothesis: A Possible Neurological Mechanism for Age-Related Changes in the Formation of Problem-Solving Set

In the process of problem-solving, a limiting of possible solutions often occurs which causes subjects to prematurely narrow their problem-solving options. This tendency is called problem-solving set. It is possible that there is an underlying neurological mechanism which regulates this process. It has been shown that the frontal lobes play a role in the inhibition of irrelevant information, suggesting that they may be involved in the formation of set. Because the frontal lobes are suspected to degenerate somewhat with age, the elderly may have less of a tendency towards problem-solving set than young adults. In the current study, set was induced trough the use of anagrams (tasks which require the subject to unscramble a scrambled word to produce a common word). Young adults were compared to elderly adults. Set-forming anagrams were all solvable by the same strategy, and a target anagram (which appeared after the set-forming anagrams) was solvable by a different strategy. The number of set-forming anagrams given was varied, and problem-solving set was measured by comparing latencies between set-forming anagrams and the target anagram. It was found that anagrams are effective at inducing problem-solving set, that the intensity of problem-solving set increases with set size, and that there may indeed be a neurological explanation for age-related differences in the formation of problem-solving set

Key-recovery attacks on KIDS, a keyed anomaly detection system

Most anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Some works conducted over the last years have pointed out that such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection. Various learning schemes have been proposed to overcome this weakness. One such system is Keyed IDS (KIDS), introduced at DIMVA "10. KIDS" core idea is akin to the functioning of some cryptographic primitives, namely to introduce a secret element (the key) into the scheme so that some operations are infeasible without knowing it. In KIDS the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks. In this work we show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests. We present realistic attacks for two different adversarial settings and show that recovering the key requires only a small amount of queries, which indicates that KIDS does not meet the claimed security properties. We finally revisit KIDS' central idea and provide heuristic arguments about its suitability and limitations

Reducing False Recognition in the Deese-Roediger/McDermott Paradigm: Related Lures Reveal How Distinctive Encoding Improves Encoding and Monitoring Processes

In the Deese-Roediger/McDermott (DRM) paradigm, distinctive encoding of list items typically reduces false recognition of critical lures relative to a read-only control. This reduction can be due to enhanced item-specific processing, reduced relational processing, and/or increased test-based monitoring. However, it is unclear whether distinctive encoding reduces false recognition in a selective or global manner. To examine this question, participants studied DRM lists using a distinctive item-specific anagram generation task and then completed a recognition test which included both DRM critical lures and either strongly related lures (Experiment 1) or weakly related lures (Experiment 2). Compared to a read-control group, the generate groups showed increased correct recognition and decreased false recognition of all lure types. We then estimated the separate contributions of encoding and retrieval processes using signal-detection indices. Generation improved correct recognition by both increasing encoding of memory information for list words and by increasing memory monitoring at test. Generation reduced false recognition by reducing the encoding of memory information and by increasing memory monitoring at test. The reduction in false recognition was equivalent for critical lures and related lures, indicating that generation globally reduces the encoding of related non-presented items at study (not just critical lures), while globally increasing list-theme-based monitoring at test

Evaluative priming reveals dissociable effects of cognitive vs. physiological anxiety on action monitoring

Performance monitoring enables the rapid detection of mismatches between goals or intentions and actions, as well as subsequent behavioral adjustment by means of enhanced attention control. These processes are not encapsulated, but they are readily influenced by affective or motivational variables, including negative affect. Here we tested the prediction that worry, the cognitive component of anxiety, and arousal, its physiological counterpart, can each influence specific processes during performance monitoring. In 2 experiments, participants were asked to discriminate the valence of emotional words that were preceded by either correct (good) or incorrect (bad) actions, serving as primes in a standard evaluative priming procedure. In Experiment 1 (n = 36) we examined the influence of trait worry and arousal. Additionally, we included a face priming task to examine the specificity of this effect. Stepwise linear regression analyses showed that increased worry, but not arousal, weakened the evaluative priming effect and therefore the rapid and automatic processing of actions as good or bad. By contrast, arousal, but not worry, increased posterror slowing. In Experiment 2 (n = 30) state worry was induced using an anagram task. Effects of worry on action monitoring were trait but not state dependent, and only evidenced when actions were directly used as primes. These results suggest a double dissociation between worry and arousal during performance monitoring

The diagnostic value of cues in memory recall within retrieval-induced forgetting

The present study investigated if the diagnostic value of cues could reduce the need for inhibition operating within the retrieval-practice paradigm, which is part of the retrieval-induced forgetting (RIF). The results of 32 participants (female: 20, age: M = 24.97 years, range: 20 – 32 years) were reported. The method used was a standard RIF procedure with an added manipulation. The category-item pairs were presented with an image in the background that was either specific to the item of the category and in this way the diagnostic value of cues were manipulated. Half of the category-item pairs had unique images associated to them while the other half did not. With the use of unique images as potential cues, a unique memory trace can be established which increases the diagnostic value of the cue. It was hypothesized that with unique images there would not be a RIF effect while there would be with non-unique images. Contrary to the hypotheses, there was a statistically significant RIF-effect with large effect size with the unique cues but not a statistically significant RIF-effect with non-unique cues. The results are discussed in relation to the integration of items that improves recall

Attentional Deployment in Emotion Regulation

Attentional deployment is a primary strategy individuals employ to regulate emotion. Study 1 investigated whether visuo-spatial, goal-directed, attentional deployment to emotional faces serves as an effective mechanism for emotion regulation and whether individual differences in this ability predicts more effective emotion regulation. Participants given a goal to focus on positively valenced faces reported nearly three times less frustration in reaction to a stressful anagram task compared to those not given this goal. In addition, those with a greater ability to focus on happy faces and avoid angry faces persisted significantly longer on a stressful anagram task. In Study 2, a measure of an individual's ability to deploy attention toward and away from emotional mental representations was developed. This measure of attentional control capacity for emotion (ACCE) adapted an explicit-cuing task switching paradigm where participants had to shift between emotional and neutral mental sets. Results showed that those higher in trait anxiety and worrisome thoughts took longer to switch from a neutral to an emotional mental set. In Study 3, participants were given a stressful anagram task and those who switched more efficiently from a neutral set to an emotional set were more frustrated by the stressful task. In addition, those who switched more efficiently from an emotional set to a neutral set persisted longer on the stressful task. These studies demonstrated that both visuo-spatial attentional deployment and attentional deployment to emotional mental representations are important to an individual's ability to regulate emotion

Cognitive recovery in acute stroke: Measurement and facilitation of change

Strokes can affect any part of the brain and therefore have a wide range of potential outcomes including an array of cognitive deficits such as memory problems, neglect, problem solving difficulties and decision making errors. From a biological perspective, recovery from stroke can be categorized into two time phases, acute (up until 3 months) and chronic (3+ months), with most changes occurring in the actue phase. In the motor and speech areas, it is recognised that early intervention during the acute phase leads to the best long-term outcomes. The research into recovery of cognitive function is less well developed than in the motor and speech areas, however, there is a literature that explores the prevalence of cognitive impairments and recovery in the chronic phase. Such research is based upon patients with stroke’ performance on batteries of standardised neuropsychological tests. This literature consistently demonstrates only small improvements over time. Training programs aimed at directly facilitating the recovery process, as opposed to developing compensatory behaviours to circumvent the effects of the impairment, have been implemented during the chronic phase. Many of these programs are based upon cognitive theories and employ commonly used cognitive psychology paradigms. These training programs have resulted in substantial improvements in the impaired functions. However, there are no studies that attempt to track changes in behaviour during the acute phase of stroke despite this being consistently demonstrated as a crucial period of recovery. The intent of the current research is to address this gap in the literature by exploring behaviour change in patients with stroke who are in hospital in the early stages of recovery from their first stroke

Attacks against intrusion detection networks: evasion, reverse engineering and optimal countermeasures

Intrusion Detection Networks (IDNs) constitute a primary element in current cyberdefense systems. IDNs are composed of different nodes distributed among a network infrastructure, performing functions such as local detection --mostly by Intrusion Detection Systems (IDS) --, information sharing with other nodes in the IDN, and aggregation and correlation of data from different sources. Overall, they are able to detect distributed attacks taking place at large scale or in different parts of the network simultaneously. IDNs have become themselves target of advanced cyberattacks aimed at bypassing the security barrier they offer and thus gaining control of the protected system. In order to guarantee the security and privacy of the systems being protected and the IDN itself, it is required to design resilient architectures for IDNs capable of maintaining a minimum level of functionality even when certain IDN nodes are bypassed, compromised, or rendered unusable. Research in this field has traditionally focused on designing robust detection algorithms for IDS. However, almost no attention has been paid to analyzing the security of the overall IDN and designing robust architectures for them. This Thesis provides various contributions in the research of resilient IDNs grouped into two main blocks. The first two contributions analyze the security of current proposals for IDS nodes against specific attacks, while the third and fourth contributions provide mechanisms to design IDN architectures that remain resilient in the presence of adversaries. In the first contribution, we propose evasion and reverse engineering attacks to anomaly detectors that use classification algorithms at the core of the detection engine. These algorithms have been widely studied in the anomaly detection field, as they generally are claimed to be both effective and efficient. However, such anomaly detectors do not consider potential behaviors incurred by adversaries to decrease the effectiveness and efficiency of the detection process. We demonstrate that using well-known classification algorithms for intrusion detection is vulnerable to reverse engineering and evasion attacks, which makes these algorithms inappropriate for real systems. The second contribution discusses the security of randomization as a countermeasure to evasion attacks against anomaly detectors. Recent works have proposed the use of secret (random) information to hide the detection surface, thus making evasion harder for an adversary. We propose a reverse engineering attack using a query-response analysis showing that randomization does not provide such security. We demonstrate our attack on Anagram, a popular application-layer anomaly detector based on randomized n-gram analysis. We show how an adversary can _rst discover the secret information used by the detector by querying it with carefully constructed payloads and then use this information to evade the detector. The difficulties found to properly address the security of nodes in an IDN motivate our research to protect cyberdefense systems globally, assuming the possibility of attacks against some nodes and devising ways of allocating countermeasures optimally. In order to do so, it is essential to model both IDN nodes and adversarial capabilities. In the third contribution of this Thesis, we provide a conceptual model for IDNs viewed as a network of nodes whose connections and internal components determine the architecture and functionality of the global defense network. Such a model is based on the analysis and abstraction of a number of existing proposals for IDNs. Furthermore, we also develop an adversarial model for IDNs that builds on classical attack capabilities for communication networks and allow to specify complex attacks against IDN nodes. Finally, the fourth contribution of this Thesis presents DEFIDNET, a framework to assess the vulnerabilities of IDNs, the threats to which they are exposed, and optimal countermeasures to minimize risk considering possible economic and operational constraints. The framework uses the system and adversarial models developed earlier in this Thesis, together with a risk rating procedure that evaluates the propagation of attacks against particular nodes throughout the entire IDN and estimates the impacts of such actions according to different attack strategies. This assessment is then used to search for countermeasures that are both optimal in terms of involved cost and amount of mitigated risk. This is done using multi-objective optimization algorithms, thus offering the analyst sets of solutions that could be applied in different operational scenarios. -------------------------------------------------------------Las Redes de Detección de Intrusiones (IDNs, por sus siglas en inglés) constituyen un elemento primordial de los actuales sistemas de ciberdefensa. Una IDN está compuesta por diferentes nodos distribuidos a lo largo de una infraestructura de red que realizan funciones de detección de ataques --fundamentalmente a través de Sistemas de Detección de Intrusiones, o IDS--, intercambio de información con otros nodos de la IDN, y agregación y correlación de eventos procedentes de distintas fuentes. En conjunto, una IDN es capaz de detectar ataques distribuidos y de gran escala que se manifiestan en diferentes partes de la red simultáneamente. Las IDNs se han convertido en objeto de ataques avanzados cuyo fin es evadir las funciones de seguridad que ofrecen y ganar así control sobre los sistemas protegidos. Con objeto de garantizar la seguridad y privacidad de la infraestructura de red y de la IDN, es necesario diseñar arquitecturas resilientes para IDNs que sean capaces de mantener un nivel mínimo de funcionalidad incluso cuando ciertos nodos son evadidos, comprometidos o inutilizados. La investigación en este campo se ha centrado tradicionalmente en el diseño de algoritmos de detección robustos para IDS. Sin embargo, la seguridad global de la IDN ha recibido considerablemente menos atención, lo que ha resultado en una carencia de principios de diseño para arquitecturas de IDN resilientes. Esta Tesis Doctoral proporciona varias contribuciones en la investigación de IDN resilientes. La investigación aquí presentada se agrupa en dos grandes bloques. Por un lado, las dos primeras contribuciones proporcionan técnicas de análisis de la seguridad de nodos IDS contra ataques deliberados. Por otro lado, las contribuciones tres y cuatro presentan mecanismos de diseño de arquitecturas IDS robustas frente a adversarios. En la primera contribución se proponen ataques de evasión e ingeniería inversa sobre detectores de anomalíaas que utilizan algoritmos de clasificación en el motor de detección. Estos algoritmos han sido ampliamente estudiados en el campo de la detección de anomalías y son generalmente considerados efectivos y eficientes. A pesar de esto, los detectores de anomalías no consideran el papel que un adversario puede desempeñar si persigue activamente decrementar la efectividad o la eficiencia del proceso de detección. En esta Tesis se demuestra que el uso de algoritmos de clasificación simples para la detección de anomalías es, en general, vulnerable a ataques de ingeniería inversa y evasión, lo que convierte a estos algoritmos en inapropiados para sistemas reales. La segunda contribución analiza la seguridad de la aleatorización como contramedida frente a los ataques de evasión contra detectores de anomalías. Esta contramedida ha sido propuesta recientemente como mecanismo de ocultación de la superficie de decisión, lo que supuestamente dificulta la tarea del adversario. En esta Tesis se propone un ataque de ingeniería inversa basado en un análisis consulta-respuesta que demuestra que, en general, la aleatorización no proporciona un nivel de seguridad sustancialmente superior. El ataque se demuestra contra Anagram, un detector de anomalías muy popular basado en el análisis de n-gramas que opera en la capa de aplicación. El ataque permite a un adversario descubrir la información secreta utilizada durante la aleatorización mediante la construcción de paquetes cuidadosamente diseñados. Tras la finalización de este proceso, el adversario se encuentra en disposición de lanzar un ataque de evasión. Los trabajos descritos anteriormente motivan la investigación de técnicas que permitan proteger sistemas de ciberdefensa tales como una IDN incluso cuando la seguridad de algunos de sus nodos se ve comprometida, así como soluciones para la asignación óptima de contramedidas. Para ello, resulta esencial disponer de modelos tanto de los nodos de una IDN como de las capacidades del adversario. En la tercera contribución de esta Tesis se proporcionan modelos conceptuales para ambos elementos. El modelo de sistema permite representar una IDN como una red de nodos cuyas conexiones y componentes internos determinan la arquitectura y funcionalidad de la red global de defensa. Este modelo se basa en el análisis y abstracción de diferentes arquitecturas para IDNs propuestas en los últimos años. Asimismo, se desarrolla un modelo de adversario para IDNs basado en las capacidades clásicas de un atacante en redes de comunicaciones que permite especificar ataques complejos contra nodos de una IDN. Finalmente, la cuarta y última contribución de esta Tesis Doctoral describe DEFIDNET, un marco que permite evaluar las vulnerabilidades de una IDN, las amenazas a las que están expuestas y las contramedidas que permiten minimizar el riesgo de manera óptima considerando restricciones de naturaleza económica u operacional. DEFIDNET se basa en los modelos de sistema y adversario desarrollados anteriormente en esta Tesis, junto con un procedimiento de evaluación de riesgos que permite calcular la propagación a lo largo de la IDN de ataques contra nodos individuales y estimar el impacto de acuerdo a diversas estrategias de ataque. El resultado del análisis de riesgos es utilizado para determinar contramedidas óptimas tanto en términos de coste involucrado como de cantidad de riesgo mitigado. Este proceso hace uso de algoritmos de optimización multiobjetivo y ofrece al analista varios conjuntos de soluciones que podrían aplicarse en distintos escenarios operacionales.Programa en Ciencia y Tecnología InformáticaPresidente: Andrés Marín López; Vocal: Sevil Sen; Secretario: David Camacho Fernánde

Detección de intrusiones basada en modelado de red resistente a evasión por técnicas de imitación

Los sistemas de red emergentes han traído consigo nuevas amenazas que han sofisticado sus modos de operación con el fin de pasar inadvertidos por los sistemas de seguridad, lo que ha motivado el desarrollo de sistemas de detección de intrusiones más eficaces y capaces de reconocer comportamientos anómalos. A pesar de la efectividad de estos sistemas, la investigación en este campo revela la necesidad de su adaptación constante a los cambios del entorno operativo como el principal desafío a afrontar. Esta adaptación supone mayores dificultades analíticas, en particular cuando se hace frente a amenazas de evasión mediante métodos de imitación. Dichas amenazas intentan ocultar las acciones maliciosas bajo un patrón estadístico que simula el uso normal de la red, por lo que adquieren una mayor probabilidad de evadir los sistemas defensivos. Con el fin de contribuir a su mitigación, este artículo presenta una estrategia de detección de intrusos resistente a imitación construida sobre la base de los sensores PAYL. La propuesta se basa en construir modelos de uso de la red y, a partir de ellos, analizar los contenidos binarios de la carga útil en busca de patrones atípicos que puedan evidenciar contenidos maliciosos. A diferencia de las propuestas anteriores, esta investigación supera el tradicional fortalecimiento mediante la aleatorización, aprovechando la similitud de paquetes sospechosos entre modelos legítimos y de evasión previamente construidos. Su eficacia fue evaluada en las muestras de tráfico DARPA’99 y UCM 2011, en los que se comprobó su efectividad para reconocer ataques de evasión por imitación.Emerging network systems have brought new threats that have sophisticated their modes of operation in order to go unnoticed by security systems, which has led to the development of more effective intrusion detection systems capable of recognizing anomalous behaviors. Despite the effectiveness of these systems, research in this field reveals the need for their constant adaptation to changes in the operating environment as the main challenge to face. This adaptation involves greater analytical difficulties, particularly when dealing with threats of evasion through imitation methods. These threats try to hide malicious actions under a statistical pattern that simulates the normal use of the network, so they acquire a greater probability of evading defensive systems. In order to contribute to its mitigation, this article presents an imitation-resistant intrusion detection strategy built on the basis of PAYL sensors. The proposal is based on building network usage models and, from them, analyzing the binary contents of the payload in search of atypical patterns that can show malicious content. Unlike previous proposals, this research overcomes the traditional strengthening through randomization, taking advantage of the similarity of suspicious packages to previously constructed legitimate and evasion models. Its effectiveness was evaluated in 1999 DARPA and 2011 UCM traffic samples, in which it was proven effective in recognizing imitation evasion attacks