A notation for describing the steps in indicator expansion
Indicator expansion is a process of using one or more data sources to obtain more indicators of malicious activity by identifying those related to currently known indicators. Due to the many variables in how the process is carried out, it quickly becomes difficult to capture the process that leads to an expanded set of data. Keeping track of this process is important for description to other analysts. A compact description of the process is even necessary just for the analysts doing the work to keep track of their own process and which paths have been investigated, particularly in naming files. This paper proposes a method of succinctly capturing the process of indicator expansion in a deterministic yet flexible and extensible manner. The target audience is analysts and investigators engaged in indicator expansion or directly consuming results therefrom
Modeling malicious domain name take-down dynamics: Why eCrime pays
Domain names drive the ubiquitous use of the Internet. Criminals and adversaries also use domain names for their enterprise. Defenders compete to remove or block such malicious domains. This is a complicated space on the Internet to measure comprehensively, as the malicious actors attempt to hide, the defenders do not like to share data or methods, and what data is public is not consistently formatted. This paper derives an ad hoc model of this competition on large, decentralized networks using a modification of Lanchester's equations for combat. The model is applied to what is known of the current state of malicious domain activity on the Internet. The model aligns with currently published research, and provides a more comprehensive description of possible strategies and limitations based on the general dynamics of the model. When taken with the economic realities and physical laws to which the Internet is bound, the model demonstrates that the current approach to removing malicious domain names is unsustainable and destined for obsolescence. However, there are technical, policy, and legal modifications to the current approach that would be effective, such as preemptively populating watch lists, limits on a registrant's registrations, and international cooperation. The results indicate that the defenders should not expect to eliminate or significantly reduce malicious domain name usage without employing new digital tactics and deploying new rules in the physical world
Exploring a Mechanistic Approach to Experimentation in Computing
The mechanistic approach in philosophy of science contributes to our understanding of experimental design. Applying the mechanistic approach to experimentation in computing is beneficial for two reasons. It connects the methodology of experimentation in computing with the methodology of experimentation in established sciences, thereby strengthening the scientific reputability of computing and the quality of experimental design therein. Furthermore, it pinpoints the idiosyncrasies of experimentation in computing: computing deals closely with both natural and engineered mechanisms. A better understanding of these idiosyncrasies, which manifest as a nonstandard role for experimentation, is interesting both for computer scientists and for philosophers of science. Computer scientists can think more clearly about their experimental choices. The role of experimentation elucidated by computer science merits further study from philosophers of science generally, as it highlights a role for experimentation hitherto unrecognized by philosophers: demonstration that activities exist.
Review of human decision-making during computer security incident analysis
We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis
A refinement to the general mechanistic account
Phyllis Illari and Jon Williamson propose a formulation for a general mechanistic account, the purpose of which is to capture the similarities across mechanistic accounts in the sciences. Illari and Williamson extract insight from mechanisms in astrophysics—which are notably different from the typical biological mechanisms discussed in the literature on mechanisms—to show how their general mechanistic account accommodates mechanisms across various sciences. We present argumentation that demonstrates why an amendment is necessary to the ontology (entities and activities) referred to by the general mechanistic account provided by Illari and Williamson. The amendment is required due to the variability of some components in computing mechanisms: the very same component serves as either entity or activity, both between levels and within the same level of the explanatory hierarchy. We argue that the proper ontological account of these mechanistic components involves disambiguation via explicitly indexing them as entities or activities
Correlating domain registrations and DNS first activity in general and for malware
From the date that a domain name is registered with a registrar, there should be a pattern in the amount of time it takes for that domain to be actively resolved on the Internet. We first attempt to describe that pattern in general terms by correlating data from registries for several top-level domains and a large passive DNS data source. This pattern is then used as a baseline for a comparison with the pattern of activity in domains that malicious software utilizes. While our quantitative results are not to be considered representative of the patterns exhibited by all types of malware, the malicious domains are found to have a significantly different pattern than the standard domains.
Practicing a Science of Security: A Philosophy of Science Perspective
Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences
Toward Realistic Modeling Criteria of Games in Internet Security
There have been many attempts to apply game theory to various aspects of security situations. This article is particularly interested in security as it relates to computers and the Internet. While there have been varying levels of success in describing different aspects of security in game-theoretic terms, there has been little success in describing the problem on a scale large enough to support decisions about enterprise or Internet security policy. This article attempts to provide such a description.
Towards robust experimental design for user studies in security and privacy
Background: Human beings are an integral part of computer security, whether we actively participate or simply build the systems. Despite this importance, understanding users and their interaction with security is a blind spot for most security practitioners and designers. Aim: Define principles for conducting experiments into usable security and privacy, to improve study robustness and usefulness. Data: The authors' experiences conducting several research projects, complemented with a literature survey. Method: We extract principles based on relevance to the advancement of the state of the art. We then justify our choices by providing published experiments as cases where the principles are and are not followed in practice, to demonstrate the impact. Each principle is a discipline-specific instantiation of desirable experiment-design elements as previously established in the domain of philosophy of science. Results: Five high-priority principles: (i) give participants a primary task; (ii) incorporate realistic risk; (iii) avoid priming the participants; (iv) perform double-blind experiments whenever possible; and (v) think carefully about how meaning is assigned to the terms threat model, security, privacy, and usability. Conclusion: The principles do not replace researcher acumen or experience; however, they can provide a valuable service for facilitating evaluation, guiding younger researchers and students, and marking a baseline common language for discussing further improvements.