A preliminary analysis of vulnerability scores for attacks in wild
NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. One open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM). Our final conclusion is that the NVD and EDB databases are not a reliable source of information for exploits in the wild, even after controlling for the CVSS and exploitability subscore. A high or medium CVSS score shows a significant sensitivity (i.e. prediction of attacks in the wild) only for vulnerabilities present in exploit kits (EKITS) in the black market. All datasets exhibit a low specificity.
Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data
Each year, thousands of software vulnerabilities are discovered and reported
to the public. Unpatched known vulnerabilities are a significant security risk.
It is imperative that software vendors quickly provide patches once
vulnerabilities are known and users quickly install those patches as soon as
they are available. However, most vulnerabilities are never actually exploited.
Since writing, testing, and installing software patches can involve
considerable resources, it would be desirable to prioritize the remediation of
vulnerabilities that are likely to be exploited. Several published research
studies have reported moderate success in applying machine learning techniques
to the task of predicting whether a vulnerability will be exploited. These
approaches typically use features derived from vulnerability databases (such as
the summary text describing the vulnerability) or social media posts that
mention the vulnerability by name. However, these prior studies share multiple
methodological shortcomings that inflate predictive power of these approaches.
We replicate key portions of the prior work, compare their approaches, and show
how selection of training and test data critically affect the estimated
performance of predictive models. The results of this study point to important
methodological considerations that should be taken into account so that results
reflect real-world utility.
Adversarial Detection of Flash Malware: Limitations and Open Issues
During the past four years, Flash malware has become one of the most
insidious threats to detect, with almost 600 critical vulnerabilities targeting
Adobe Flash disclosed in the wild. Research has shown that machine learning can
be successfully used to detect Flash malware by leveraging static analysis to
extract information from the structure of the file or its bytecode. However,
the robustness of Flash malware detectors against well-crafted evasion attempts
- also known as adversarial examples - has never been investigated. In this
paper, we propose a security evaluation of a novel, representative Flash
detector that embeds a combination of the prominent, static features employed
by state-of-the-art tools. In particular, we discuss how to craft adversarial
Flash malware examples, showing that it suffices to manipulate the
corresponding source malware samples slightly to evade detection. We then
empirically demonstrate that popular defense techniques proposed to mitigate
evasion attempts, including re-training on adversarial examples, may not always
be sufficient to ensure robustness. We argue that this occurs when the feature
vectors extracted from adversarial examples become indistinguishable from those
of benign data, meaning that the given feature representation is intrinsically
vulnerable. In this respect, we are the first to formally define and
quantitatively characterize this vulnerability, highlighting when an attack can
be countered by solely improving the security of the learning algorithm, or
when it requires also considering additional features. We conclude the paper by
suggesting alternative research directions to improve the security of
learning-based Flash malware detectors.
Quantifying the security risk of discovering and exploiting software vulnerabilities
2016 Summer. Includes bibliographical references. Most of the attacks on computer systems and networks are enabled by vulnerabilities in software. Assessing the security risk associated with those vulnerabilities is important. Risk models such as the Common Vulnerability Scoring System (CVSS), Open Web Application Security Project (OWASP) and Common Weakness Scoring System (CWSS) have been used to qualitatively assess the security risk presented by a vulnerability. CVSS metrics are the de facto standard, and its metrics need to be independently evaluated. In this dissertation, we propose a quantitative approach that uses actual data, mathematical and statistical modeling, data analysis, and measurement. We have introduced a novel vulnerability discovery model, the Folded model, that estimates the risk of vulnerability discovery based on the number of residual vulnerabilities in a given software. In addition to estimating the risk of vulnerability discovery for a whole system, this dissertation has furthermore introduced a novel metric, termed time to vulnerability discovery, to assess the risk of an individual vulnerability discovery. We have also proposed a novel vulnerability exploitability risk measure termed Structural Severity. It is based on software properties, namely attack entry points, vulnerability location, the presence of dangerous system calls, and reachability analysis. In addition to measurement, this dissertation has also proposed predicting vulnerability exploitability risk using internal software metrics. We have also proposed two approaches for evaluating CVSS Base metrics. Using the availability of exploits, we first evaluated the performance of the CVSS Exploitability factor and compared its performance to the Microsoft (MS) rating system. The results showed that the exploitability metrics of CVSS and MS have a high false positive rate. This finding motivated us to conduct further investigation. To that end, we have introduced vulnerability reward programs (VRPs) as a novel ground truth to evaluate the CVSS Base scores. The results show that the notable lack of exploits for high severity vulnerabilities may be the result of prioritized fixing of vulnerabilities.
Understanding emerging client-side web vulnerabilities using dynamic program analysis
Today's Web heavily relies on JavaScript, as it is the main driving force behind the plethora of Web applications that we enjoy daily. The complexity and amount of this client-side code have been steadily increasing over the years. At the same time, new vulnerabilities keep being uncovered, for which we mostly rely on manual analysis by security experts. Unfortunately, such manual efforts do not scale to the problem space at hand. Therefore, in this thesis, we present techniques capable of finding, automatically and at scale, vulnerabilities that originate from malicious inputs to postMessage handlers, polluted prototypes, and client-side storage mechanisms. Our results highlight that the investigated vulnerabilities are prevalent even among the most popular sites, showing the need for automated systems that help developers uncover them in a timely manner. Using the insights gained during our empirical studies, we provide recommendations for developers and browser vendors to tackle the underlying problems in the future. Furthermore, we show that security mechanisms designed to mitigate such and similar issues cannot currently be deployed by first-party applications due to their reliance on third-party functionality. This leaves developers in a no-win situation, in which either functionality can be preserved or security enforced.

JavaScript is the driving force behind all the web applications we use every day. However, over time both the amount and the complexity of client-side JavaScript code have risen steadily. In addition, security experts keep finding new kinds of vulnerabilities, mostly through manual analysis of the code. In this work we therefore investigate methodologies with which we can automatically find vulnerabilities that originate from postMessages, altered prototypes, or values from client-side persistence mechanisms. Our results show that the investigated vulnerabilities are widespread even among the most popular websites, which demonstrates the need for automated systems that support developers in uncovering these vulnerabilities in a timely manner. Based on the insights gained in our empirical studies, we give recommendations for developers and browser vendors to address the underlying problems in the future. We also show that security mechanisms intended to mitigate such and similar problems cannot currently be deployed by site operators, because they depend on third-party functionality. This forces the site operator to choose between functionality and security.
Defesa por ataque: simulando ataques para promover fortes políticas de segurança organizacional (Defense by attack: simulating attacks to promote strong organizational security policies)
Cyber crime is continuously growing in current times due to the constant digitization of everyday activities. Recently, after the world was hit with the COVID-19 pandemic, this effect was even more noticeable. With more digital activity, cyber crime has a tendency to also increase. The simulation of adversaries as a testing tool is one of the most important instruments when evaluating an organization's security. Penetration tests are not enough, as attackers resort to many other methods such as social engineering and its techniques (phishing, impersonation, tailgating, etc.). By simulating a full scale attack with minimal restrictions, "red teaming" is introduced. There was an attempt to perform a red team assessment of the University of Aveiro in order to evaluate, test and improve the security policies of the organization. However, due to legal and bureaucratic restrictions related mostly to data protection policies and other privacy measures, the plan was cut short to merely the planning of the red team. The TIBER-EU Framework was also introduced, representing the state of the art guidelines for red teaming in Europe. This framework was followed during the planning of the assessment, which allowed me, the author of this thesis and also the emulated red team, to find a couple of flaws in the University's security by executing brief threat intelligence analysis sessions.

Cybercrime is continuously growing in current times due to the constant digitization of everyday activities. Recently, after the COVID-19 pandemic hit the planet, this effect was even more pronounced. With more digital activity, cybercrime also tends to increase. Adversary simulation as a testing tool is one of the most important instruments when evaluating an organization's security. Penetration tests are not enough, as attackers resort to many other methods such as social engineering and its respective techniques (phishing, impersonation, tailgating, etc.). The concept of "red teaming" is introduced through the simulation of a large-scale attack with minimal restrictions. In this dissertation there was an attempt to execute a red team test of the University of Aveiro with the objective of evaluating, testing and improving the organization's security policies. However, due to legal and bureaucratic restrictions related mostly to data protection policies and other measures in favour of privacy, the initial plan stopped at merely the planning of a red team test. The TIBER-EU Framework was also introduced, containing the guidelines considered state of the art regarding red teaming in Europe. These guidelines were followed during the planning of the test, which allowed me, as the author of the dissertation and sole member of the simulated red team, to find some security flaws at the University through brief threat intelligence analysis sessions. Master's in Cybersecurity
The Investigative Dynamics of the Use of Malware by Law Enforcement
The police have started to use malware—and other forms of government hacking—to solve crimes. Some fear coming abuses—the widespread use of malware when traditional investigative techniques would work just as well, or to investigate political opponents or dissident speakers. This Article argues that these abuses will be checked, at least in part, by the very nature of malware and the way it must be controlled. This analysis utilizes a previously unformalized research methodology called "investigative dynamics" to come to these conclusions. Because every use of malware risks spoiling the tool—by revealing a software vulnerability that can be patched—the police will always encounter constraints and disincentives to widespread and unchecked use. These constraints will operate much like so-called legislative "superwarrant" requirements, which some have urged Congress to enact for malware. The investigative dynamics of malware suggest that Congress could follow this advice without disrupting police conduct in any significant measure.