11 research outputs found

    Threat Trekker: An Approach to Cyber Threat Hunting

    Full text link
    Threat hunting is a proactive methodology for exploring, detecting and mitigating cyberattacks within complex environments. Unlike conventional detection systems, threat hunting strategies assume that adversaries have already infiltrated the system; as a result, they proactively search for unusual patterns or activities that might indicate intrusion attempts. Historically, this endeavour has been pursued using three investigation methodologies: (1) hypothesis-driven investigations; (2) Indicator of Compromise (IOC) based investigations; and (3) high-level machine learning analysis-based approaches. This paper introduces a novel machine learning paradigm known as Threat Trekker. The proposal uses connectors to feed data directly into an event streaming channel, where it is processed by the algorithm, and feeds the results back into the host network. The conclusions drawn from the experiments establish the efficacy of employing machine learning for classifying more subtle attacks.
    Comment: I am disseminating this outcome to all of you, despite the fact that the results may appear somewhat idealistic, given that certain datasets utilized for the training of the machine learning model comprise simulated dat

    On the Security of the K Minimum Values (KMV) Sketch

    Get PDF
    Data sketches are widely used to accelerate operations in big data analytics. For example, algorithms use sketches to compute the cardinality of a set, or the similarity between two sets. Sketches achieve significant reductions in computing time and storage requirements by providing probabilistic estimates rather than exact values. In many applications an estimate is sufficient, so accuracy can be traded for computational complexity; this is what makes probabilistic sketches usable. However, probabilistic data structures may create security issues, because an attacker may manipulate the data so that the sketch produces an incorrect estimate. For example, an attacker could inflate the estimated number of distinct users to increase revenue or popularity. Recent work has shown that an attacker can manipulate HyperLogLog, a sketch widely used for cardinality estimation, with no knowledge of its implementation details. This paper considers the security of K Minimum Values (KMV), a sketch that is also widely used to implement both cardinality and similarity estimates. The vulnerabilities are characterized at an implementation-independent level, with attacks formulated within a novel adversary model that manipulates the similarity estimate. Analysis and simulation show that the attacks can either increase or reduce the estimate. Running the attacks against the KMV implementation in the Apache DataSketches library validates these scenarios, and the experiments show excellent agreement between theory and measurement.
    Pedro Reviriego acknowledges the support of the ACHILLES project PID2019-104207RB-I00 and the Go2Edge network RED2018-102585-T funded by the Spanish Ministry of Economy and Competitiveness and of the Madrid Community research project TAPIR-CM under Grant P2018/TCS-4496
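    The following is an added illustration, not code from the paper or from Apache DataSketches: a minimal KMV sketch (the k smallest hash values, cardinality estimated as (k-1)/h_k, Jaccard estimated from the k smallest values of the union) together with two attacks of the kind the abstract describes. The attacker model assumed here is that the adversary can compute the sketch's hash function and so can search for elements whose hash is below a chosen threshold; element names, the use of SHA-256 and all sample sets are constructed for the example. Injecting k such low-hash elements pushes the k-th minimum down and inflates the cardinality estimate; injecting them into only one of two sets crowds the genuinely shared elements out of the union sketch and drives the similarity estimate towards zero.

```python
import bisect
import hashlib


def h(x: str) -> float:
    """Hash an element to a value in [0, 1). SHA-256 is an assumption for the example."""
    d = hashlib.sha256(x.encode()).digest()
    return int.from_bytes(d[:8], "big") / 2**64


class KMV:
    """K Minimum Values sketch: keeps the k smallest distinct hash values seen."""

    def __init__(self, k: int):
        self.k = k
        self.hashes: list[float] = []  # sorted ascending, at most k entries

    def add(self, x: str) -> None:
        v = h(x)
        i = bisect.bisect_left(self.hashes, v)
        if i < len(self.hashes) and self.hashes[i] == v:
            return  # duplicate element, sketch unchanged
        if len(self.hashes) < self.k:
            self.hashes.insert(i, v)
        elif v < self.hashes[-1]:
            self.hashes.insert(i, v)
            self.hashes.pop()  # evict the current k-th minimum

    def cardinality(self) -> float:
        """Standard unbiased KMV estimator: (k-1) / (k-th minimum hash)."""
        if len(self.hashes) < self.k:
            return float(len(self.hashes))  # fewer than k elements: exact
        return (self.k - 1) / self.hashes[-1]

    @staticmethod
    def jaccard(a: "KMV", b: "KMV") -> float:
        """Estimate |A∩B|/|A∪B| from the k smallest hashes of the union."""
        union = sorted(set(a.hashes) | set(b.hashes))[: a.k]
        sa, sb = set(a.hashes), set(b.hashes)
        return sum(1 for v in union if v in sa and v in sb) / len(union)


def craft_low_hash_elements(count: int, threshold: float, prefix: str = "adv") -> list[str]:
    """Attacker step: brute-force element names whose hash falls below threshold.
    Requires the attacker to know (or be able to compute) the hash function."""
    found, i = [], 0
    while len(found) < count:
        cand = f"{prefix}-{i}"
        if h(cand) < threshold:
            found.append(cand)
        i += 1
    return found


def inflate_cardinality_demo(k: int = 128, n: int = 1000, threshold: float = 1e-3):
    """Returns (true cardinality, honest estimate, estimate after injecting k low-hash elements)."""
    honest, attacked = KMV(k), KMV(k)
    for i in range(n):  # constructed honest population
        honest.add(f"user-{i}")
        attacked.add(f"user-{i}")
    for e in craft_low_hash_elements(k, threshold):
        attacked.add(e)  # every crafted hash < threshold, so h_k <= threshold
    return n, honest.cardinality(), attacked.cardinality()


def deflate_similarity_demo(k: int = 128, threshold: float = 1e-3):
    """Returns (honest Jaccard estimate, estimate after poisoning only set B).
    A = user-0..999, B = user-500..1499, so the true Jaccard index is 1/3."""
    a, b, b_poisoned = KMV(k), KMV(k), KMV(k)
    for i in range(1000):
        a.add(f"user-{i}")
    for i in range(500, 1500):
        b.add(f"user-{i}")
        b_poisoned.add(f"user-{i}")
    for e in craft_low_hash_elements(k, threshold):
        b_poisoned.add(e)  # crafted elements dominate K(A∪B) but are absent from K(A)
    return KMV.jaccard(a, b), KMV.jaccard(a, b_poisoned)


if __name__ == "__main__":
    print("cardinality (true, honest, attacked):", inflate_cardinality_demo())
    print("jaccard (honest, attacked):", deflate_similarity_demo())
```

Injecting the same crafted elements into both sets instead of one would push the similarity estimate towards one, which is the "increase" direction the abstract mentions; a sketch that only ever exposes its estimate, not its hash function, forces the attacker into a black-box search, but does not remove the underlying sensitivity of the k-th minimum to a handful of adversarial inserts.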

    Adaptive one memory access bloom filters

    Get PDF
    Bloom filters are widely used to perform fast approximate membership checking in networking applications. Their main limitation is that they suffer from false positives, which can only be reduced by using more memory. We propose to exploit the fact that queried elements commonly repeat, adapting the Bloom filter so that it stops returning false positives for elements that are queried repeatedly. In this paper, one memory access Bloom filters are used to design an adaptation scheme that can effectively remove false positives while completing every query in a single memory access. The proposed filters are well suited to scenarios in which the number of memory bits per element is low, and thus complement existing adaptive cuckoo filters, which are not efficient in that case. Evaluation results using packet traces show that the proposed adaptive Bloom filters can significantly reduce the false positive rate in networking applications while keeping the single memory access. In particular, when using as few as four bits per element, false positive rates below 5% are achieved.
    This work was supported by the ACHILLES project PID2019-104207RB-I00 and the Go2Edge network RED2018-102585-T funded by the Spanish Agencia Estatal de Investigación (AEI) 10.13039/501100011033 and by the Madrid Community research project TAPIR-CM grant no. P2018/TCS-4496

    Detection of circular RNAs and study of their involvement in lung adenocarcinoma

    No full text
    The goal of this project is the generation of a bioinformatics model capable of identifying circRNA biomarkers for lung adenocarcinoma in order to classify samples as normal or tumoral. To achieve the project goals, a pipeline to identify circRNAs using two existing tools (CIRI2 and CircExplorer2) has been built, consolidating the results produced by both applications. This pipeline has been applied to a set of normal and tumoral samples provided by a previous research study, and an integrated report has been produced

    Using Coordinated Transmission with Energy Efficient Ethernet

    No full text
    Part 4: Energy Efficiency
    IEEE 802.3az Energy Efficient Ethernet (EEE) supports link active and sleep (idle) modes as a means of reducing the energy consumption of lightly utilized Ethernet links. A link wakes up when an interface has packets to send and returns to idle when there are no packets. In this paper, we show how Coordinated Transmission (CT) in a 10GBASE-T link can allow key physical layer (PHY) components to be shut down, further reducing Ethernet energy consumption and enabling longer cable lengths. CT is estimated to enable an additional 25% energy savings at the cost of an added frame latency of up to 40 μs, which is expected to have a negligible impact on most applications. The effective link capacity is approximately 4 Gb/s for symmetric traffic and close to 7 Gb/s for asymmetric traffic, which is sufficient in many situations. Additionally, a mechanism to switch back to the normal full-duplex mode is proposed, allowing full link capacity when needed while retaining the additional energy savings when the link load is low

    Extending SWRL to Enhance Mathematical Support

    No full text
    This paper presents an extension to the Semantic Web Rule Language (SWRL) and a methodology to enable advanced mathematical support in SWRL rules. The solution separates mathematical semantics from problem semantics, allowing the inclusion of integration, differentiation and other operations that are not built into SWRL. Using this approach, it is possible to write rules for complex scenarios involving mathematical relationships and formulas that exceed the capabilities of plain SWRL.

    Unequal error protection codes derived from SEC-DED codes

    No full text
    Error correction codes are commonly used to protect the data stored in memories from errors. Among the codes used, single error correction double error detection (SEC-DED) codes are probably the most common due to their simplicity. In some applications the bits differ in importance: some are critical while others can tolerate errors. This is the case, for example, in some multimedia and signal processing systems. For those applications, unequal error protection (UEP) codes, which provide different levels of protection for different bits, can be used. In many cases only a few bits require extra protection, so it is convenient to extend a traditional code to provide additional protection for those few bits. A simple method to derive UEP codes from SEC-DED codes is presented. The proposed UEP codes protect a few bits against double errors and behave as SEC-DED codes for the rest. Encoding and decoding complexity is only slightly larger than that of an SEC-DED code, and the implementation is a simple modification of the SEC-DED implementation

    Attacking the Privacy of Approximate Membership Check Filters by Positive Concentration

    Full text link
    Approximate membership check filters are increasingly used to speed up data processing in many applications. At the same time, privacy is becoming a key design objective for many systems, so the privacy of filters needs to be carefully considered. Previous work has shown that an attacker who knows the implementation details of the filter and has access to its content may be able to extract some information about the elements stored in it. That attack is, however, specific to Bloom filters and requires the universe of elements to be small. In this paper, we show that in many practical settings an attacker with only black-box access to the filter can extract information about the stored elements regardless of the filter type and the universe size. This is possible because, in many applications, the stored elements are not randomly chosen but are concentrated in one or more parts of the universe. To identify these parts, the positive probability can be measured on different parts of the universe; the parts with a positive probability significantly larger than the filter's average are the ones on which the stored elements are concentrated. This approach is formalized and applied to several case studies, showing how the attacker gains additional information about the stored elements in a wide range of scenarios
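    As an added example (not code from the paper), the probing procedure above run against a small Bloom filter whose stored elements are concentrated in one part of the universe. The scenario is constructed: the victim filter stores 200 addresses from 10.0.7.0/24, the attacker treats 10.0.0.0/20 as the universe and splits it into /24 parts, queries every address in each part through the membership interface only, and flags the parts whose positive rate exceeds the average positive rate by a chosen factor. The filter parameters (2048 bits, 7 SHA-256-derived hash functions) and the flagging factor of 4 are assumptions of the example; the attack itself never reads the filter's bit array.

```python
import hashlib
import ipaddress
import statistics


class BloomFilter:
    """Plain Bloom filter; k positions per item derived from SHA-256 (example choice)."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str):
        for i in range(self.k):
            d = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(d[:8], "big") % self.m

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        # The attacker only ever uses this black-box membership check.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_victim_filter(hot_subnet: str = "10.0.7.0/24", stored: int = 200,
                        m_bits: int = 2048, k_hashes: int = 7) -> BloomFilter:
    """Constructed victim: stored elements are concentrated in one /24 of the universe."""
    bf = BloomFilter(m_bits, k_hashes)
    for ip in list(ipaddress.ip_network(hot_subnet).hosts())[:stored]:
        bf.add(str(ip))
    return bf


def positive_rate(bf: BloomFilter, subnet) -> float:
    """Fraction of a part of the universe that the filter answers 'positive' for."""
    addrs = list(ipaddress.ip_network(str(subnet)))
    return sum(1 for a in addrs if str(a) in bf) / len(addrs)


def find_concentrated_parts(bf: BloomFilter, universe: str = "10.0.0.0/20",
                            part_prefix: int = 24, factor: float = 4.0):
    """Positive-concentration attack: measure the positive rate per part of the universe
    and flag parts whose rate is far above the filter's average positive rate.
    Returns (flagged parts, per-part rates)."""
    parts = list(ipaddress.ip_network(universe).subnets(new_prefix=part_prefix))
    rates = {str(p): positive_rate(bf, p) for p in parts}
    baseline = statistics.mean(rates.values())  # average positive probability for the filter
    flagged = [p for p, r in rates.items() if r > factor * baseline]
    return flagged, rates


if __name__ == "__main__":
    flagged, rates = find_concentrated_parts(build_victim_filter())
    for part, rate in rates.items():
        print(f"{part:16} positive rate {rate:.3f}")
    print("elements appear concentrated in:", flagged)
```

In a part that holds no stored elements the positive rate is just the filter's false positive rate (under 1% for these parameters), while the part holding the stored addresses answers positive for roughly 200 of its 256 addresses, so the concentration is visible after a few thousand queries. The same procedure applies unchanged to a cuckoo or xor filter, since nothing in it depends on the filter's internals.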

    Fault Injection Emulation for Systems in FPGAs: Tools, Techniques and Methodology, a Tutorial

    No full text
    Communication systems that operate in hostile environments such as space are affected by soft errors, for example single event upsets (SEUs) or multiple bit upsets (MBUs), that can cause the circuits to malfunction. To avoid this erroneous behaviour, such systems are usually protected with redundant logic such as triple modular redundancy (TMR) or error correction codes (ECCs). After the protected modules have been implemented, the communication modules must be tested to assess the reliability achieved. These tests can be carried out in accelerator facilities using ionizing radiation, or performed with fault injection tools based on software simulation, such as the SEU simulation tool (SST), or on field-programmable gate array (FPGA) emulation, as described in this work. In this paper, the setup of a fault injection emulation platform based on the Xilinx soft error mitigation (SEM) intellectual property (IP) controller is presented step by step as a tutorial covering a complete cycle. To illustrate the procedure, an online repository with a complete project and a step-by-step guide is provided, using a classical communication component, a finite impulse response (FIR) filter, as the device under test. Finally, the integration of the automatic configuration memory error-injection (ACME) tool to speed up the fault injection process is explained in detail at the end of the paper