
    Tracking Cyber Adversaries with Adaptive Indicators of Compromise

    A forensics investigation after a breach often uncovers network and host indicators of compromise (IOCs) that can be deployed to sensors to allow early detection of the adversary in the future. Over time, the adversary will change tactics, techniques, and procedures (TTPs), which will also change the data generated. If the IOCs are not kept up-to-date with the adversary's new TTPs, the adversary will no longer be detected once all of the IOCs become invalid. Tracking the Known (TTK) is the problem of keeping IOCs, in this case regular expressions (regexes), up-to-date with a dynamic adversary. Our framework solves the TTK problem in an automated, cyclic fashion to bracket a previously discovered adversary. This tracking is accomplished through a data-driven approach of self-adapting a given model based on its own detection capabilities. In our initial experiments, we found that the true positive rate (TPR) of the adaptive solution degrades much less significantly over time than that of the naive solution, suggesting that self-updating the model allows the continued detection of positives (i.e., adversaries). The cost for this performance is in the false positive rate (FPR), which increases over time for the adaptive solution but remains constant for the naive solution. However, the difference in overall detection performance, as measured by the area under the curve (AUC), between the two methods is negligible. This result suggests that self-updating the model over time should be done in practice to continue to detect known, evolving adversaries.

    Comment: This was presented at the 4th Annual Conf. on Computational Science & Computational Intelligence (CSCI'17) held Dec 14-16, 2017 in Las Vegas, Nevada, US.

    Investigating the effectiveness of many-core network processors for high performance cyber protection systems. Part I, FY2011.

    This report documents our first-year efforts to address the use of many-core processors for high performance cyber protection. As the demands grow for higher bandwidth (beyond 1 Gbit/sec) on network connections, the need to provide faster and more efficient solutions to cyber security grows. Fortunately, in recent years, the development of many-core network processors has seen increased interest. Prior working experience with many-core processors has led us to investigate their effectiveness for cyber protection tools, with particular emphasis on high performance firewalls. Although advanced algorithms for smarter cyber protection of high-speed network traffic are being developed, these advanced analysis techniques require significantly more computational capability than static techniques. Moreover, many locations where cyber protections are deployed have limited power, space and cooling resources. This makes the use of traditionally large computing systems impractical for the front-end systems that process large network streams; hence the drive for this study, which could potentially yield a highly reconfigurable and rapidly scalable solution.

    Defining phenotypic and functional heterogeneity of glioblastoma stem cells by mass cytometry

    Most patients with glioblastoma (GBM) die within 2 years. A major therapeutic goal is to target GBM stem cells (GSCs), a subpopulation of cells that contribute to treatment resistance and recurrence. Since their discovery in 2003, GSCs have been isolated using single surface markers, such as CD15, CD44, CD133, and α6 integrin. It remains unknown how these single-surface-marker-defined GSC populations compare with each other in terms of signaling and function, and whether expression of different combinations of these markers is associated with different functional capacity. Using mass cytometry and fresh operating room specimens, we found 15 distinct GSC subpopulations in patients, and they differed in their MEK/ERK, WNT, and AKT pathway activation status. Once in culture, some subpopulations were lost and previously undetectable ones materialized. GSCs that highly expressed all 4 surface markers had the greatest self-renewal capacity, WNT inhibitor sensitivity, and in vivo tumorigenicity. This work highlights the potential signaling and phenotypic diversity of GSCs. Larger patient sample sizes and antibody panels are required to confirm these findings.

    MCAM: Multiple Clustering Analysis Methodology for Deriving Hypotheses and Insights from High-Throughput Proteomic Datasets

    Advances in proteomic technologies continue to substantially accelerate the capability for generating experimental data on protein levels, states, and activities in biological samples. For example, studies on receptor tyrosine kinase signaling networks can now capture the phosphorylation state of hundreds to thousands of proteins across multiple conditions. However, little is known about the function of many of these protein modifications, or the enzymes responsible for modifying them. To address this challenge, we have developed an approach that enhances the power of clustering techniques to infer the functional and regulatory meaning of protein states in cell signaling networks. We have created a new computational framework for applying clustering to biological data in order to overcome the typical dependence on specific a priori assumptions and expert knowledge concerning the technical aspects of clustering. Multiple clustering analysis methodology ('MCAM') employs an array of diverse data transformations, distance metrics, set sizes, and clustering algorithms, in a combinatorial fashion, to create a suite of clustering sets. These sets are then evaluated based on their ability to produce biological insights through statistical enrichment of metadata relating to knowledge concerning protein functions, kinase substrates, and sequence motifs. We applied MCAM to a set of dynamic phosphorylation measurements of the ERBB network to explore the relationships between algorithmic parameters and the biological meaning that could be inferred, and report on interesting biological predictions. Further, we applied MCAM to multiple phosphoproteomic datasets for the ERBB network, which allowed us to compare independent and incompletely overlapping measurements of phosphorylation sites in the network. We report specific and global differences of the ERBB network stimulated with different ligands and with changes in HER2 expression. Overall, we offer MCAM as a broadly applicable approach for the analysis of proteomic data which may help increase the current understanding of molecular networks in a variety of biological problems.

    National Institutes of Health (U.S.) (NIH-U54-CA112967); National Institutes of Health (U.S.) (NIH-R01-CA096504)

    Proteogenomic convergence for understanding cancer pathways and networks


    Apple App Store as a Business Model Supporting U.S. Navy Requirements

    Sponsored Report (for Acquisition Research Program)

    Naval Open Architecture (NOA) is the confluence of business and technical practices yielding modular, interoperable systems that adhere to open standards with published interfaces. This approach significantly increases opportunities for innovation and competition, enables re-use of components, facilitates rapid technology insertion, and reduces maintenance constraints. A key enabler of the NOA initiative is the Software Hardware Asset Reuse Enterprise (SHARE) repository. The repository was created in August 2006 to facilitate the reuse of software and thereby reduce future development costs. The total benefit of the repository will correspond to the quality and quantity of the applications deposited into it. Indisputably, the most successful software repository in the public sector is the Apple App Store. As of October 2011, Apple lists more than 425,000 applications available. The purpose of this research is to examine the business model of the App Store to identify which of its effective business practices might be applicable to the SHARE repository.

    Acquisition Research Program. Approved for public release; distribution is unlimited.