32 research outputs found
Tracking Cyber Adversaries with Adaptive Indicators of Compromise
A forensics investigation after a breach often uncovers network and host
indicators of compromise (IOCs) that can be deployed to sensors to allow early
detection of the adversary in the future. Over time, the adversary will change
tactics, techniques, and procedures (TTPs), which will also change the data
generated. If the IOCs are not kept up-to-date with the adversary's new TTPs,
the adversary will no longer be detected once all of the IOCs become invalid.
Tracking the Known (TTK) is the problem of keeping IOCs, in this case regular
expressions (regexes), up-to-date with a dynamic adversary. Our framework
solves the TTK problem in an automated, cyclic fashion to bracket a previously
discovered adversary. This tracking is accomplished through a data-driven
approach of self-adapting a given model based on its own detection
capabilities.
In our initial experiments, we found that the true positive rate (TPR) of the
adaptive solution degrades much less significantly over time than the naive
solution, suggesting that self-updating the model allows the continued
detection of positives (i.e., adversaries). The cost for this performance is in
the false positive rate (FPR), which increases over time for the adaptive
solution, but remains constant for the naive solution. However, the difference
in overall detection performance, as measured by the area under the curve
(AUC), between the two methods is negligible. This result suggests that
self-updating the model over time should be done in practice to continue to
detect known, evolving adversaries.
Comment: This was presented at the 4th Annual Conf. on Computational Science &
Computational Intelligence (CSCI'17) held Dec 14-16, 2017 in Las Vegas,
Nevada, US
A Riemann solver at a junction compatible with a homogenization limit
We consider a junction regulated by traffic lights, with n incoming roads
and only one outgoing road. On each road the Phase Transition traffic model,
proposed in [6], describes the evolution of car traffic. This model is an
extension of the classic Lighthill-Whitham-Richards one, obtained by assuming
that different drivers may have different maximal speeds. By sending to infinity
the number of cycles of the traffic lights, we obtain a justification of the
Riemann solver introduced in [9] and in particular of the rule for determining
the maximal speed in the outgoing road.
Comment: 19 page
Novel object recognition test.
Blue circles: A1, A2; original objects. Red triangle: B; novel object. Oxytocin doses: 10 μg/kg, 100 μg/kg and 1000 μg/kg. On the first day of the test, the subject explored the two objects of the same colour and shape twice at a 1-hour interval. Oxytocin was administered on the second test day, then the subject explored one of the same objects previously presented and a new object of different colour and shape.
Open field and Amphetamine test.
Oxytocin doses: 10 μg/kg, 100 μg/kg and 1000 μg/kg. The subject explored the arena for 1 hour while drug free. Then the subject explored the same arena for another 30 min after drug (saline or oxytocin) injection. Finally, the subject explored the same arena again for 1 hour after amphetamine injection.
Novel object recognition and social interaction test.
(A) 100 μg/kg and 1000 μg/kg oxytocin disrupted recognition memory in males. 1000 μg/kg single exposure (B) and 10 μg/kg and 100 μg/kg repeated exposure to oxytocin (C) increased social interaction in females. (D) 100 μg/kg oxytocin increased social interaction in males. Error bars refer to ± SEM. * post-hoc testing: p < 0.05.
Striatum proteomics and western blot studies.
(A) Multivariate analysis: partial least squares-discriminative analysis (PLS-DA) carried out using SIMCA-P+12.0 software (Umetrics). The striatal protein profile following oxytocin exposure could be clearly differentiated from saline (controls). The XY axis shows the coordinates of the protein distribution in the partial least squares-discriminative analysis. (B) Western blot gel images of target proteins. (C) The relative expression of the target proteins/β-actin. Columns show mean ± SEM (n = 9 for saline exposure; n = 8 for oxytocin exposure). * p < 0.05.
PPI test.
(A) Oxytocin attenuated the baseline startle response to 120 dB pulse in female mice. (B) Oxytocin increased the baseline startle response to 100 dB pulse in male mice. (C) 100 μg/kg oxytocin attenuated PPI in females. (D) All doses of oxytocin improved PPI in males. Error bars refer to ± SEM.
Behavioural tests.
The sequence of behavioural testing. Mice were divided into two groups of equal number and sex. Half the mice followed test sequence I; half followed test sequence II. PPI: Prepulse inhibition of startle.
Characteristics of the study and population samples.
Regional plot of the strongest association for dichotomous hypertension.
The plot highlights the statistical strength of the strongest association (rs6596140, P < 9×10^−8, blue diamond) and surrounding markers, along with the pair-wise correlations between the surrounding markers and the putative associated variant, indicated by color. All SNPs in the region are plotted with their p-values (as −log10 values) as a function of genomic position (using NCBI Build 36). Estimated recombination rates (taken from HapMap) are plotted to reflect the local LD structure around the associated SNP and their correlated proxies (bright red indicating highly correlated, faint red indicating weakly correlated). The annotated gene FSTL4 (taken from UCSC table browser) is more than 70 kb away from the associated SNP.