3,339 research outputs found

    Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance

    Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge of attack characteristics?), timeliness (can PIDSes efficiently monitor host systems as they run?), and attack reconstruction (can PIDSes distill attack activity from large provenance graphs so that sysadmins can easily understand and quickly respond to system intrusion?). We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions, whereas existing approaches sacrifice at least one and struggle to achieve comparable detection performance. Kairos leverages a novel graph neural network-based encoder-decoder architecture that learns the temporal evolution of a provenance graph's structural changes to quantify the degree of anomalousness for each system event. Then, based on this fine-grained information, Kairos reconstructs attack footprints, generating compact summary graphs that accurately describe malicious activity over a stream of system audit logs. Using state-of-the-art benchmark datasets, we demonstrate that Kairos outperforms previous approaches. Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on Security and Privacy (S&P'24)

    A note on Cauchy-Lipschitz-Picard theorem


    CAT: LoCalization and IdentificAtion Cascade Detection Transformer for Open-World Object Detection

    Open-world object detection (OWOD), as a more general and challenging goal, requires the model trained from data on known objects to detect both known and unknown objects and incrementally learn to identify these unknown objects. The existing works which employ a standard detection framework and a fixed pseudo-labelling mechanism (PLM) have the following problems: (i) The inclusion of detecting unknown objects substantially reduces the model's ability to detect known ones. (ii) The PLM does not adequately utilize the a priori knowledge of inputs. (iii) The fixed selection manner of PLM cannot guarantee that the model is trained in the right direction. We observe that humans subconsciously prefer to focus on all foreground objects and then identify each one in detail, rather than localize and identify a single object simultaneously, for alleviating the confusion. This motivates us to propose a novel solution called CAT: LoCalization and IdentificAtion Cascade Detection Transformer, which decouples the detection process via the shared decoder in the cascade decoding way. Meanwhile, we propose the self-adaptive pseudo-labelling mechanism, which combines the model-driven with input-driven PLM and self-adaptively generates robust pseudo-labels for unknown objects, significantly improving the ability of CAT to retrieve unknown objects. Comprehensive experiments on two benchmark datasets, i.e., MS-COCO and PASCAL VOC, show that our model outperforms the state-of-the-art in terms of all metrics in the task of OWOD, incremental object detection (IOD) and open-set detection. Comment: CVPR 2023 camera-ready version

    Spatial epidemiology in zoonotic parasitic diseases: insights gained at the 1st International Symposium on Geospatial Health in Lijiang, China, 2007

    The 1st International Symposium on Geospatial Health was convened in Lijiang, Yunnan province, People's Republic of China from 8 to 9 September, 2007. The objective was to review progress made with the application of spatial techniques on zoonotic parasitic diseases, particularly in Southeast Asia. The symposium featured 71 presentations covering soil-transmitted and water-borne helminth infections, as well as arthropod-borne diseases such as leishmaniasis, malaria and lymphatic filariasis. The work made public at this occasion is briefly summarized here to highlight the advances made and to put forth research priorities in this area. Approaches such as geographical information systems (GIS), global positioning systems (GPS) and remote sensing (RS), including spatial statistics, web-based GIS and map visualization of field investigations, figured prominently in the presentations.

    Ranking hospitals based on preventable hospital death rates: a systematic review with implications for both direct measurement and indirect measurement through standardized mortality rates

    Objectives There is interest in monitoring avoidable or preventable deaths measured directly or indirectly through standardized mortality rates (SMRs). We reviewed studies that use implicit case note reviews to estimate the range of preventable death rates observed, the measurement characteristics of those estimates, and the measurement procedures used to generate them. We comment on the implications for monitoring SMRs and illustrate a way to calculate the number of reviews needed to establish a reliable estimate of preventability of one death or the hospital preventable death rate. Design Systematic review of the literature supplemented by re-analysis of authors' previously published and unpublished data and measurement design calculations. Data source Searches in PubMed, MEDLINE (OvidSP) and Web of Knowledge in June 2012, updated December 2017. Eligibility criteria Studies of hospital-wide admissions from general and acute medical wards where preventable death rates are provided or can be estimated and which can provide inter-observer variations. Results Twenty-four studies were included from 1983-2017. Recent larger studies suggest consistently low rates of preventable deaths (3.0-6.5% since 2012). Reliability of a single review for distinguishing between individual cases with regard to the preventability of death had a Kappa rate of 0.27-0.50 for deaths and 0.24-0.76 for adverse events. A Kappa of 0.35 would require an average of 8-17 reviews of a single case to be precise enough to have confidence about high stakes decisions to change care procedures or impose sanctions within a hospital as a result. No study estimated the variation in preventable deaths across hospitals, although we were able to re-analyse one study to obtain an estimate. Based on this estimate, 200-300 total case-note reviews per hospital could be required to reliably distinguish between hospitals.
    The studies display considerable heterogeneity: 13/24 studies defined preventable with a threshold of ≥4 in a six-category Likert scale; 11/24 involved a two-stage screening process with nurses at the first stage and physicians at the second. Fifteen studies provided expert clinical review support for reviewer disagreements, advice, or quality control. A ‘generalist/internist’ was the modal physician specialty for reviewers and they received 1-3 days of generic tools orientation and case-note review practice. Methods did not consider the influence of human or environmental factors. Conclusions The literature provides limited information about the measurement characteristics of preventable deaths that suggests substantial numbers of reviews may be needed to create reliable estimates of preventable deaths at the individual or hospital level. Any operational program would require population specific estimates of reliability. Preventable death rates are low, which is likely to make it difficult to use SMRs based on all deaths to validly profile hospitals. The literature provides little information to guide improvements in the measurement procedures. Systematic review registration The systematic review was conceived prior to PROSPERO, and so has not been registered.

    Deep Geophysical Anomalies Beneath the Changbaishan Volcano

    Subsurface imaging is key to understanding the origin of intraplate volcanoes. The Changbaishan volcano, located about 2,000 km away from the western Pacific subduction zone, has several debated origins. To investigate this, we compared regional seismic tomography with the electrical resistivity results and obtained high-resolution 1D and quasi-2D velocity-depth profiles. We show that the upper mantle is characterized by two anomalies exhibiting distinct features which cannot be explained by the same mechanism. We document a localized low-velocity anomaly atop the 410-km discontinuity, where the P-wave velocity is reduced more than that of the S-wave (i.e., lower Vp/Vs). We propose that this anomaly is caused by the reduction of the effective moduli during the phase transformation of olivine. The other anomaly, located between 300 and 370 km depth, reveals a significant reduction of the S-wave velocity (i.e., higher Vp/Vs), associated with a reduction of the electrical resistivity, altogether consistent with partial melting.

    para-Selective C-H amidation of simple arenes with nitriles

    A para-selective C-H amidation of simple arenes with nitriles has been developed. By increasing the amount of arenes, a further meta-selective C-H arylation of the produced amides occurred. Both steric and electronic effects are utilized to control the selectivity, resulting in only para-selective amidation products. The use of readily available nitriles as amidation reagents instead of amides makes the synthesis of N-arylamides more accessible.