54 research outputs found

    The Inconvenient Truths of Ground Truth for Binary Analysis

    The effectiveness of binary analysis tools and techniques is often measured with respect to how well they map to a ground truth. We have found that not all ground truths are created equal. This paper challenges the binary analysis community to take a long look at the concept of ground truth, to ensure that we are in agreement with definition(s) of ground truth, so that we can be confident in the evaluation of tools and techniques. This becomes even more important as we move to trained machine learning models, which are only as useful as the validity of the ground truth in the training

    A Structured Analysis of SQL Injection Runtime Mitigation Techniques

    SQL injection attacks (SQLIA) still remain one of the most commonly occurring and exploited vulnerabilities. A considerable amount of research concerning SQLIA mitigation techniques has been conducted, with the primary resulting solution requiring developers to code defensively. Although defensive coding is a valid solution, the current market demand for websites is being filled by inexperienced developers with little knowledge of secure development practices. Unlike the successful case of ASLR, no SQLIA runtime mitigation technique has moved from research to enterprise use. This paper presents an in-depth analysis and classification, based on Formal Concept Analysis, of the 10 major SQLIA runtime mitigation techniques. Based on this analysis, one technique was identified that shows the greatest potential for transition to enterprise use. This analysis also serves as an enhanced SQLIA mitigation classification system. Future work includes plans to move the selected SQLIA runtime mitigation technique closer to enterprise use

    Guess what? Here is a new tool that finds some new guessing attacks

    If a protocol is implemented using a poor password, then the password can be guessed and verified from the messages in the protocol run. This is termed a guessing attack. Published design and analysis efforts have always lacked a general definition for guessing attacks. Further, they never considered possible type-flaws in the protocol runs or the use of messages from other protocols. In this paper, we provide a simple and general definition for guessing attacks. We explain how we implemented our definition in a tool based on constraint solving. Finally, we demonstrate some new guessing attacks that use type-flaws and multiple protocols, which we found using our tool

    Autonomous rule creation for intrusion detection

    Many computational intelligence techniques for anomaly-based network intrusion detection can be found in the literature. Translating a newly discovered intrusion recognition criterion into a distributable rule can be a human-intensive effort. This paper explores a multi-modal genetic algorithm solution for autonomous rule creation. This algorithm focuses on the process of creating rules once an intrusion has been identified, rather than the evolution of rules to provide a solution for intrusion detection. The algorithm was demonstrated on anomalous ICMP network packets (input) and Snort rules (output of the algorithm). Output rules were sorted according to a fitness value and any duplicates were removed. The experimental results on ten test cases demonstrated a 100 percent rule alert rate. Out of 33,804 test packets, 3 produced false positives. Each test case produced a minimum of three rule variations that could be used as candidates for a production system

    Towards resilient critical infrastructures: Application of Type-2 Fuzzy Logic in embedded network security cyber sensor

    Resiliency and cyber security of modern critical infrastructures are becoming increasingly important with the growing number of threats in the cyber-environment. This paper proposes an extension to a previously developed fuzzy logic based anomaly detection network security cyber sensor by incorporating Type-2 Fuzzy Logic (T2 FL). In general, fuzzy logic provides a framework for system modeling in linguistic form capable of coping with imprecise and vague meanings of words. T2 FL is an extension of Type-1 FL that has proved successful in modeling and minimizing the effects of various kinds of dynamic uncertainties. In this paper, T2 FL provides a basis for robust anomaly detection and cyber security state awareness. In addition, the proposed algorithm was specifically developed to comply with the constrained computational requirements of low-cost embedded network security cyber sensors. The performance of the system was evaluated on a set of network data recorded from an experimental cyber-security test-bed

    Multi-Protocol Attacks and the Public Key Infrastructure

    The public-key infrastructure will be utilized to store and disseminate certified copies of users' public keys for use in secure transmission and digital signature verification. This paper presents a class of attacks, multi-protocol attacks, which can be used to break otherwise secure public-key based authentication protocols. These attacks are possible when the public-key infrastructure permits the use of a user's public key in multiple protocols. An attacker can then use either an existing protocol or a tailored protocol to subvert an otherwise secure protocol. Possible solutions are discussed.

    Keywords: Public Key Infrastructure, Cryptography, Security, Authentication

    1 Introduction

    The widespread use of electronic commerce and other networked applications that require a high level of authentication will benefit from the establishment of a public-key infrastructure (PKI). With such an infrastructure in place, it will be easy for users to obtain the public keys of other participan..