
    Mobile App Fingerprinting through Automata Learning and Machine Learning

    Application fingerprinting is crucial in network management and security to provide the best Quality of Service (QoS). To generate fingerprints for applications, we use an automata learning algorithm to observe the temporal order among destination-related features of network traffic and create a language as a fingerprint. We label fingerprints through machine learning classifiers. We propose our approach in a framework called ML-NetLang for fingerprinting mobile applications from encrypted network traffic. Our evaluation achieves an average accuracy of 95% for Android and iOS applications. ML-NetLang outperforms comparable state-of-the-art techniques using behavioral-based, correlation-based, and machine-learning solutions.

    Detecting Anomalous Misconfigurations in AWS Identity and Access Management Policies

    In recent years, misconfigurations of cloud services have led to major security incidents and large-scale data breaches. Due to the dynamic and complex nature of cloud environments, misconfigured (e.g., overly permissive) access policies can be easily introduced and often go undetected for a long period of time. Therefore, it is critical to identify any potential misconfigurations before they can be abused. In this paper, we present a novel misconfiguration detection approach for identity and access management policies in AWS. We base our approach on the observation that policies can be modeled as permissions between entities and objects in the form of a graph. Our key idea is that misconfigurations can be effectively detected as anomalies in such a graph representation. We evaluate our approach on real-world identity and access management policy data from three enterprise cloud environments. We investigate the effectiveness of our approach to detect misconfigurations, showing that it has a slightly lower precision compared to rule-based systems, but it is able to correctly detect between 3.7 and 6.4 times as many misconfigurations.

    FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic

    Mobile-application fingerprinting of network traffic is valuable for many security solutions as it provides insights into the apps active on a network. Unfortunately, existing techniques require prior knowledge of apps to be able to recognize them. However, mobile environments are constantly evolving, i.e., apps are regularly installed, updated, and uninstalled. Therefore, it is infeasible for existing fingerprinting approaches to cover all apps that may appear on a network. Moreover, most mobile traffic is encrypted, shows similarities with other apps, e.g., due to common libraries or the use of content delivery networks, and depends on user input, further complicating the fingerprinting process. As a solution, we propose FlowPrint, a semi-supervised approach for fingerprinting mobile apps from (encrypted) network traffic. We automatically find temporal correlations among destination-related features of network traffic and use these correlations to generate app fingerprints. Our approach is able to fingerprint previously unseen apps, something that existing techniques fail to achieve. We evaluate our approach for both Android and iOS in the setting of app recognition, where we achieve an accuracy of 89.2%, significantly outperforming state-of-the-art solutions. In addition, we show that our approach can detect previously unseen apps with a precision of 93.5%, detecting 72.3% of apps within the first five minutes of communication.

    DEEPCASE: Semi-Supervised Contextual Analysis of Security Events

    Security monitoring systems detect potentially malicious activities in IT infrastructures, by either looking for known signatures or for anomalous behaviors. Security operators investigate these events to determine whether they pose a threat to their organization. In many cases, a single event may be insufficient to determine whether certain activity is indeed malicious. Therefore, a security operator frequently needs to correlate multiple events to identify if they pose a real threat. Unfortunately, the vast number of events that need to be correlated often overloads security operators, forcing them to ignore some events and, thereby, potentially miss attacks. This work studies how to automatically correlate security events and, thus, automate parts of the security operator workload. We design and evaluate DEEPCASE, a system that leverages the context around events to determine which events require further inspection. This approach reduces the number of events that need to be inspected. In addition, the context provides valuable insights into why certain events are classified as malicious. We show that our approach automatically filters 86.72% of the events and reduces the manual workload of security operators by 90.53%, while underestimating the risk of potential threats in less than 0.001% of cases.

    Characterization of a model of systemic inflammation in humans in vivo elicited by continuous infusion of endotoxin

    Investigating the systemic inflammatory response in patients with critical illness such as sepsis, trauma and burns is complicated due to uncertainties about the onset, duration and severity of the insult. Therefore, in vivo models of inflammation are essential to study the pathophysiology and to evaluate immunomodulatory therapies. Intravenous bolus administration of endotoxin to healthy volunteers is a well-established model of a short-lived systemic inflammatory response, characterized by increased plasma cytokine levels, flu-like symptoms and fever. In contrast, patients suffering from systemic inflammation are often exposed to inflammatory stimuli for an extended period of time. Therefore, continuous infusion of endotoxin may better reflect the kinetics of the inflammatory response encountered in these patients. Herein, we characterize a novel model of systemic inflammation elicited by a bolus infusion of 1 ng/kg, followed by a 3-hour continuous infusion of 1 ng/kg/h of endotoxin in healthy volunteers, and compare it with models of bolus administrations of 1 and 2 ng/kg of endotoxin. The novel model was well-tolerated and resulted in a more pronounced increase in plasma cytokine levels with different kinetics and more prolonged symptoms and fever compared with the bolus-only models. Therefore, the continuous endotoxin infusion model provides novel insights into the kinetics of the inflammatory response during continuous inflammatory stimuli and accommodates a larger time window to evaluate immunomodulating therapies.