98 research outputs found

    Adversarial Robustness of Hybrid Machine Learning Architecture for Malware Classification

    The detection heuristic in contemporary machine learning Windows malware classifiers is typically based on the static properties of the sample. In contrast, simultaneous utilization of static and behavioral telemetry is vaguely explored. We propose a hybrid model that employs dynamic malware analysis techniques, contextual information as an executable filesystem path on the system, and static representations used in modern state-of-the-art detectors. It does not require an operating system virtualization platform. Instead, it relies on kernel emulation for dynamic analysis. Our model reports an enhanced detection heuristic and identifies malicious samples, even if none of the separate models express high confidence in categorizing the file as malevolent. For instance, given the 0.05% false positive rate, individual static, dynamic, and contextual model detection rates are 18.04%, 37.20%, and 15.66%. However, we show that composite processing of all three achieves a detection rate of 96.54%, above the cumulative performance of individual components. Moreover, simultaneous use of distinct malware analysis techniques addresses independent unit weaknesses, minimizing false positives and increasing adversarial robustness. Our experiments show a decrease in contemporary adversarial attack evasion rates from 26.06% to 0.35% when behavioral and contextual representations of the sample are employed in the detection heuristic.

    Advanced Threat Intelligence: Interpretation of Anomalous Behavior in Ubiquitous Kernel Processes

    Targeted attacks on digital infrastructures are a rising threat against the confidentiality, integrity, and availability of both IT systems and sensitive data. With the emergence of advanced persistent threats (APTs), identifying and understanding such attacks has become an increasingly difficult task. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. This thesis presents a multi-stage system able to detect and classify anomalous behavior within a user session by observing and analyzing ubiquitous kernel processes. Application candidates suitable for monitoring are initially selected through an adapted sentiment mining process using a score based on the log likelihood ratio (LLR). For transparent anomaly detection within a corpus of associated events, the author utilizes star structures, a bipartite representation designed to approximate the edit distance between graphs. Templates describing nominal behavior are generated automatically and are used for the computation of both an anomaly score and a report containing all deviating events. The extracted anomalies are classified using the Random Forest (RF) and Support Vector Machine (SVM) algorithms. Ultimately, the newly labeled patterns are mapped to a dedicated APT attacker–defender model that considers objectives, actions, actors, as well as assets, thereby bridging the gap between attack indicators and detailed threat semantics. This enables both risk assessment and decision support for mitigating targeted attacks. Results show that the prototype system is capable of identifying 99.8% of all star structure anomalies as benign or malicious. In multi-class scenarios that seek to associate each anomaly with a distinct attack pattern belonging to a particular APT stage we achieve a solid accuracy of 95.7%. 
Furthermore, we demonstrate that 88.3% of observed attacks could be identified by analyzing and classifying a single ubiquitous Windows process for a mere 10 seconds, thereby eliminating the necessity to monitor each and every (unknown) application running on a system. With its semantic take on threat detection and classification, the proposed system offers a formal as well as technical solution to an information security challenge of great significance. The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs, and the National Foundation for Research, Technology and Development is gratefully acknowledged.

    A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

    Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware, to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.

    A Survey on Industrial Control System Testbeds and Datasets for Security Research

    The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbeds (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.

    μGIM - Microgrid intelligent management system based on a multi-agent approach and the active participation of end-users

    Power and energy systems are shifting their traditional paradigm from centralized to decentralized systems. The emergence of smart grids allows the integration of decentralized energy resources and promotes inclusive management that involves end-users, driven by demand-side management, transactive energy, and demand response. Guaranteeing the scalability and stability of the service provided by the grid is more difficult in this new smart grid paradigm because there is no single centralized operations room where all decisions are made. To implement smart grids successfully, efforts from electrical engineering and computer engineering must be combined. Electrical engineering must ensure the correct physical operation of smart grids and their components, laying the foundations for adequate monitoring, control, management, and operation methods. Computer engineering plays an important role by providing the appropriate computational models and tools to manage and operate the smart grid and its constituent parts, adequately representing all the different actors involved. These models must consider the individual and common goals of the actors, which provide the basis for ensuring competitive and cooperative interactions capable of satisfying the individual actors as well as meeting the common requirements regarding the technical, environmental, and economic sustainability of the system. The distributed nature of smart grids allows, encourages, and greatly benefits from the active participation of end-users, from large actors down to smaller ones such as residential consumers.
One of the main problems in the planning and operation of electrical grids is the variation in energy demand, which often more than doubles during peak hours compared with off-peak demand. Traditionally, this variation resulted in the construction of power generation plants and large investments in grid lines and substations. The massive use of renewable energy sources implies greater volatility in generation, which makes it harder to balance consumption and generation. The participation of smart grid actors, enabled by transactive energy and demand response, can provide flexibility on the demand side, easing system operation and coping with the growing share of renewable energy. Within the scope of smart grids, it is possible to build and operate smaller grids, called microgrids. These are geographically limited grids with local management and operation. They can be seen as restricted geographical areas in which the electrical grid generally operates physically connected to the main grid but can also operate in island mode, providing independence from the main grid. This PhD research, carried out under the Doctoral Programme in Computer Engineering of the University of Salamanca, addresses the study and analysis of microgrid management, considering the active participation of end-users and the energy management of end-users' electrical loads and energy resources. This research work analyzes the use of computer engineering concepts, particularly from the field of artificial intelligence, to support microgrid management, proposing a microgrid intelligent management system (μGIM) based on a multi-agent approach and the active participation of users.
This solution comprises three systems that combine hardware and software: the virtual-to-reality emulator (V2R), the Internet of Things environmental awareness smart plug (EnAPlug), and the agent-based single-board computer for energy (S4E) to enable demand-side management and transactive energy. These systems were conceived, developed, and tested to allow the validation of microgrid management methodologies, that is, for end-user participation and for intelligent resource optimization. This document presents all the main models and results obtained during this PhD research, regarding state-of-the-art analysis, system conception, system development, experimentation results, and main findings. The systems have been evaluated in real scenarios, from laboratories to pilot sites. In total, twenty scientific articles have been published, nine of them in specialized journals. This PhD research contributed to two H2020 projects (DOMINOES and DREAM-GO), two ITEA projects (M2MGrids and SPEAR), three Portuguese projects (SIMOCE, NetEffiCity, and AVIGAE), and one project with H2020 cascade funding (Eco-Rural-IoT).

    High-Fidelity Provenance: Exploring the Intersection of Provenance and Security

    In the past 25 years, the World Wide Web has disrupted the way news is disseminated and consumed. However, the euphoria for the democratization of news publishing was soon followed by scepticism, as a new phenomenon emerged: fake news. With no gatekeepers to vouch for it, the veracity of the information served over the World Wide Web became a major public concern. The Reuters Digital News Report 2020 cites that in at least half of the EU member countries, 50% or more of the population is concerned about online fake news. To help address the problem of trust in information communicated over the World Wide Web, it has been proposed to also make available the provenance metadata of the information. Similar to artwork provenance, this would include a detailed track of how the information was created, updated and propagated to produce the result we read, as well as what agents (human or software) were involved in the process. However, keeping track of provenance information is a non-trivial task. Current approaches are often of limited scope and may require modifying existing applications to also generate provenance information along with their regular output. This thesis explores how provenance can be automatically tracked in an application-agnostic manner, without having to modify the individual applications. We frame provenance capture as a data flow analysis problem and explore the use of dynamic taint analysis in this context. Our work shows that this approach improves on the quality of provenance captured compared to traditional approaches, yielding what we term high-fidelity provenance. We explore the performance cost of this approach and use deterministic record and replay to bring it down to a more practical level. Furthermore, we create and present the tooling necessary for expanding the use of deterministic record and replay for provenance analysis.
The thesis concludes with an application of high-fidelity provenance as a tool for state-of-the-art offensive security analysis, based on the intuition that software too can be misguided by "fake news". This demonstrates that the potential uses of high-fidelity provenance for security extend beyond traditional forensics analysis.

    Changing the way the world thinks about computer security.

    Small changes in an established system can result in larger changes in the overall system (e.g. network effects, emergence, criticality, broken windows theory). However, in an immature discipline, such as computer security, such changes can be difficult to envision and even more difficult to implement, as the immature discipline is likely to lack the scientific framework that would allow for the introduction of even minute changes. (Cairns, P. and Thimbleby, H, 2003) describe three of the signs of an immature discipline as postulated by (Kuhn, 1970): a. squabbles over what are legitimate tools for research b. disagreement over which phenomena are legitimate to study, and c. inability to scope the domain of study. The research presented in this document demonstrates how the computer security field, at the time this research began, was the embodiment of these characteristics. It presents a cohesive analysis of the intentional introduction of a series of small changes chosen to aid in maturation of the discipline. Summarily, it builds upon existing theory, exploring the combined effect of coordinated and strategic changes in an immature system and establishing a scientific framework by which the impact of the changes can be quantified. By critically examining the nature of the computer security system overall, this work establishes the need for both increased scientific rigor, and a multidisciplinary approach to the global computer security problem. In order for these changes to take place, many common assumptions related to computer security had to be questioned. However, as the discipline was immature, and controlled by relatively few entities, questioning the status quo was not without difficulties.
However, in order for the discipline to mature, more feedback into the overall computer security (and in particular, the computer malware/virus) system was needed, requiring a shift from a mostly closed system to one that was forced to undergo greater scrutiny from various other communities. The input from these communities resulted in long-term changes and increased maturation of the system. Figure 1 illustrates the specific areas in which the research presented herein addressed these needs, provides an overview of the research context, and outlines the specific impact of the research, specifically the development of new and significant scientific paradigms within the discipline.