686 research outputs found
Recommended from our members
Spyware detection technique based on reinforcement learning
Analysis of the antivirus technologies, showed that they are not able to detect new spyware with high efficiency, which significantly reduces the reliability and efficiency of its identification. Techniques based on heuristic analysis have a high rate of false positives. The paper presents a new technique for the spyware detection method in computer systems that provides a principle of proactivity and is based on mechanisms machine learning with the reinforce-mentlearning. The suggested method of spyware detection is based on software behavior analysis in computer systems. The suggested method involves the computer systems monitoring concerning the software, operates with the behavior
Intelligence graphs for threat intelligence and security policy validation of cyber systems
While the recent advances in Data Science and Machine Learning attract lots of attention in Cyber Security because of their promise for effective security analytics, Vulnerability Analysis, Risk Assessment and Security Policy Validation remain slightly aside. This is mainly due to the relatively slow progress in the theoretical formulation and the technologi-cal foundation of the cyber security concepts such as logical vulnerability, threats and risks. In this article we are proposing a framework for logical analysis, threat intelligence and validation of security policies in cyber systems. It is based on multi-level model, consisting of ontology of situations and actions under security threats, security policies governing the security-related activities, and graph of the transactions. The framework is validated using a set of scenarios describing the most common security threats in digital banking and a proto-type of an event-driven engine for navigation through the intelligence graphs has been im-plemented. Although the framework was developed specifically for application in digital banking, the authors believe that it has much wider applicability to security policy analysis, threat intelligence and security by design of cyber systems for financial, commercial and business operations
Applications of Machine Learning to Threat Intelligence, Intrusion Detection and Malware
Artificial Intelligence (AI) and Machine Learning (ML) are emerging technologies with applications to many fields. This paper is a survey of use cases of ML for threat intelligence, intrusion detection, and malware analysis and detection. Threat intelligence, especially attack attribution, can benefit from the use of ML classification. False positives from rule-based intrusion detection systems can be reduced with the use of ML models. Malware analysis and classification can be made easier by developing ML frameworks to distill similarities between the malicious programs. Adversarial machine learning will also be discussed, because while ML can be used to solve problems or reduce analyst workload, it also introduces new attack surfaces
XSS-FP: Browser Fingerprinting using HTML Parser Quirks
There are many scenarios in which inferring the type of a client browser is
desirable, for instance to fight against session stealing. This is known as
browser fingerprinting. This paper presents and evaluates a novel
fingerprinting technique to determine the exact nature (browser type and
version, eg Firefox 15) of a web-browser, exploiting HTML parser quirks
exercised through XSS. Our experiments show that the exact version of a web
browser can be determined with 71% of accuracy, and that only 6 tests are
sufficient to quickly determine the exact family a web browser belongs to
Research on Deception in Defense of Information Systems
This paper appeared in the Command and Control Research and Technology Symposium, San Diego, CA,
June 2004.Our research group has been broadly studying the use of deliberate deception by software to foil attacks on
information systems. This can provide a second line of defense when access controls have been breached or
against insider attacks. The thousands of new attacks being discovered every year that subvert access
controls say that such a second line of defense is desperately needed. We have developed a number of
demonstration systems, including a fake directory system intended to waste the time of spies, a Web
information resource that delays suspicious requests, a modified file-download utility that pretends to
succumb to a buffer overflow, and a tool for systematically modifying an operating system to insert deceptive
responses. We are also developing an associated theory of deception that can be used to analyze and create
offensive and defensive deceptions, with especial attention to reasoning about time using temporal logic. We
conclude with some discussion of the legal implications of deception by computers.Approved for public release; distribution is unlimited
Generic Black-Box End-to-End Attack Against State of the Art API Call Based Malware Classifiers
In this paper, we present a black-box attack against API call based machine
learning malware classifiers, focusing on generating adversarial sequences
combining API calls and static features (e.g., printable strings) that will be
misclassified by the classifier without affecting the malware functionality. We
show that this attack is effective against many classifiers due to the
transferability principle between RNN variants, feed forward DNNs, and
traditional machine learning classifiers such as SVM. We also implement GADGET,
a software framework to convert any malware binary to a binary undetected by
malware classifiers, using the proposed attack, without access to the malware
source code.Comment: Accepted as a conference paper at RAID 201
Detecting Malicious Software By Dynamicexecution
Traditional way to detect malicious software is based on signature matching. However, signature matching only detects known malicious software. In order to detect unknown malicious software, it is necessary to analyze the software for its impact on the system when the software is executed. In one approach, the software code can be statically analyzed for any malicious patterns. Another approach is to execute the program and determine the nature of the program dynamically. Since the execution of malicious code may have negative impact on the system, the code must be executed in a controlled environment. For that purpose, we have developed a sandbox to protect the system. Potential malicious behavior is intercepted by hooking Win32 system calls. Using the developed sandbox, we detect unknown virus using dynamic instruction sequences mining techniques. By collecting runtime instruction sequences in basic blocks, we extract instruction sequence patterns based on instruction associations. We build classification models with these patterns. By applying this classification model, we predict the nature of an unknown program. We compare our approach with several other approaches such as simple heuristics, NGram and static instruction sequences. We have also developed a method to identify a family of malicious software utilizing the system call trace. We construct a structural system call diagram from captured dynamic system call traces. We generate smart system call signature using profile hidden Markov model (PHMM) based on modularized system call block. Smart system call signature weakly identifies a family of malicious software
Propagation, Detection and Containment of Mobile Malware.
Today's enterprise systems and networks are frequent targets of
malicious attacks, such as worms, viruses, spyware and intrusions
that can disrupt, or even disable critical services. Recent trends
suggest that by combining spyware as a malicious payload with worms
as a delivery mechanism, malicious programs can potentially be used
for industrial espionage and identity theft. The problem is
compounded further by the increasing convergence of wired, wireless
and cellular networks, since virus writers can now write malware
that can crossover from one network segment to another,
exploiting services and vulnerabilities specific to each network.
This dissertation makes four primary contributions. First, it builds
more accurate malware propagation models for emerging hybrid malware
(i.e., malware that use multiple propagation vectors such as
Bluetooth, Email, Peer-to-Peer, Instant Messaging, etc.), addressing
key propagation factors such as heterogeneity of nodes, services and
user mobility within the network. Second, it develops a proactive containment framework based on group-behavior of
hosts against such malicious agents in an enterprise setting. The
majority of today's anti-virus solutions are reactive, i.e., these
are activated only after a malicious activity has been detected at a
node in the network. In contrast, proactive containment has the
potential of closing the vulnerable services ahead of infection, and
thereby halting the spread of the malware. Third, we study (1) the
current-generation mobile viruses and worms that target SMS/MMS
messaging and Bluetooth on handsets, and the corresponding exploits,
and (2) their potential impact in a large SMS provider network using
real-life SMS network data. Finally, we propose a new behavioral
approach for detecting emerging malware targeting mobile handsets.
Our approach is based on the concept of generalized behavioral
patterns instead of traditional signature-based detection. The
signature-based methods are not scalable for deployment in mobile
devices due to limited resources available on today's typical
handsets. Further, we demonstrate that the behavioral approach not
only has a compact footprint, but also can detect new classes of
malware that combine some features from existing classes of malware.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/60849/1/abose_1.pd
- …