29 research outputs found

    Testing SOAR Tools in Use

    Modern security operation centers (SOCs) rely on operators and a tapestry of logging and alerting tools with large-scale collection and query abilities. SOC investigations are tedious as they rely on manual effort to query diverse data sources, overlay related logs, correlate the data into information, and then document results in a ticketing system. Security orchestration, automation, and response (SOAR) tools are a new technology that promises to collect, filter, and display needed data; automate common tasks that consume SOC analysts' time; facilitate SOC collaboration; and improve both the efficiency and the consistency of SOCs. SOAR tools have never been tested in practice to evaluate their effect and understand them in use. In this paper, we design and administer the first hands-on user study of SOAR tools, involving 24 participants and 6 commercial SOAR tools. Our contributions include the experimental design, itemizing six characteristics of SOAR tools, and a methodology for testing them. We describe configuration of the test environment in a cyber range, including network, user, and threat emulation; a full SOC tool suite; and creation of artifacts allowing multiple representative investigation scenarios to permit testing. We present the first research results on SOAR tools. We found that SOAR configuration is critical, as it involves creative design for data display and automation. We found that SOAR tools increased efficiency and reduced context switching during investigations, although ticket accuracy and completeness (indicating investigation quality) decreased with SOAR use. Our findings indicated that user preferences are slightly negatively correlated with their performance with the tool; over-automation was a concern of senior analysts, and SOAR tools that balanced automation with assisting a user to make decisions were preferred.

    AI ATAC 1: An Evaluation of Prominent Commercial Malware Detectors

    This work presents an evaluation of six prominent commercial endpoint malware detectors, a network malware detector, and a file-conviction algorithm from a cyber technology vendor. The evaluation was administered as the first of the Artificial Intelligence Applications to Autonomous Cybersecurity (AI ATAC) prize challenges, funded by and completed in service of the US Navy. The experiment employed 100K files (50/50% benign/malicious) with a stratified distribution of file types, including ~1K zero-day program executables (increasing experiment size by two orders of magnitude over previous work). We present an evaluation process of delivering a file to a fresh virtual machine running the detection technology, waiting 90 s to allow static detection, then executing the file and waiting another period for dynamic detection; this allows greater fidelity in the observational data than previous experiments, in particular resource and time-to-detection statistics. To execute all 800K trials (100K files × 8 tools), a software framework was designed to choreograph the experiment into a completely automated, time-synced, and reproducible workflow with substantial parallelization. A cost-benefit model was configured to integrate the tools' recall, precision, time to detection, and resource requirements into a single comparable quantity by simulating costs of use. This provides a ranking methodology for cyber competitions and a lens through which to reason about the varied statistical viewpoints of the results. These statistical and cost-model results provide insights on the state of commercial malware detection.
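    The abstract above describes a per-file trial (static window, then execution and a dynamic window) and a cost model that folds recall, precision, time to detection, and resource use into one comparable number. The following is an added illustration of that reduction, not the AI ATAC framework or the paper's actual cost model: the 90 s static window comes from the abstract, while the trial records, the `Trial` fields, the cost constants, and the function names are all assumptions constructed for this example.

```python
"""Illustrative reduction of per-trial detector observations to a single simulated cost.

Added example: this is NOT the AI ATAC framework or the paper's cost model. It shows
one way to turn per-file outcomes (static verdict within the 90 s window, dynamic
verdict after execution) into recall, precision, time-to-detection and a ranked cost.
The cost constants and the sample trials below are assumptions / constructed data.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

STATIC_WINDOW = 90.0  # seconds allowed for a static verdict before the file is executed (from the abstract)

# Assumed cost constants; a real model would calibrate these to an organisation.
COST_MISSED_MALWARE = 1000.0      # per false negative
COST_FALSE_ALARM = 50.0           # per false positive (analyst triage)
COST_PER_DETECTION_SECOND = 1.0   # per second of delay on each true positive
COST_PER_CPU_SECOND = 0.01        # per CPU-second consumed by the tool


@dataclass(frozen=True)
class Trial:
    tool: str
    file_id: str
    malicious: bool                 # ground-truth label for the delivered file
    static_ttd: Optional[float]     # seconds from delivery to a static verdict, None = no static verdict
    dynamic_ttd: Optional[float]    # seconds from execution to a dynamic verdict, None = no dynamic verdict
    cpu_seconds: float              # resource usage observed during the trial


def time_to_detection(t: Trial) -> Optional[float]:
    """Seconds from file delivery to first conviction, or None if never convicted.

    A static verdict only counts if it arrived inside the static window; otherwise the
    file has already been executed and only the dynamic verdict (offset by the window) counts.
    """
    if t.static_ttd is not None and t.static_ttd <= STATIC_WINDOW:
        return t.static_ttd
    if t.dynamic_ttd is not None:
        return STATIC_WINDOW + t.dynamic_ttd
    return None


def summarize(trials: list[Trial], tool: str) -> dict:
    """Confusion counts, recall, precision, median TTD and resource use for one tool."""
    tp = fp = fn = tn = 0
    ttds: list[float] = []
    cpu = 0.0
    for t in trials:
        if t.tool != tool:
            continue
        ttd = time_to_detection(t)
        cpu += t.cpu_seconds
        if t.malicious and ttd is not None:
            tp += 1
            ttds.append(ttd)
        elif t.malicious:
            fn += 1
        elif ttd is not None:
            fp += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "median_ttd": median(ttds) if ttds else None,
        "ttd_sum": sum(ttds),
        "cpu_seconds": cpu,
    }


def simulated_cost(summary: dict) -> float:
    """Single comparable quantity: misses, false alarms, detection delay and resources, priced."""
    return (summary["fn"] * COST_MISSED_MALWARE
            + summary["fp"] * COST_FALSE_ALARM
            + summary["ttd_sum"] * COST_PER_DETECTION_SECOND
            + summary["cpu_seconds"] * COST_PER_CPU_SECOND)


def rank_tools(trials: list[Trial]) -> list[tuple[str, float]]:
    """Tools ordered from cheapest (best) to most expensive simulated cost."""
    tools = sorted({t.tool for t in trials})
    return sorted(((tool, simulated_cost(summarize(trials, tool))) for tool in tools), key=lambda x: x[1])


# Constructed sample: two hypothetical tools, three malicious and three benign files each.
SAMPLE_TRIALS = [
    Trial("toolA", "m1", True, 10.0, None, 5.0),    # static hit inside the window
    Trial("toolA", "m2", True, None, 30.0, 5.0),    # only a dynamic hit after execution
    Trial("toolA", "m3", True, None, None, 5.0),    # missed entirely
    Trial("toolA", "b1", False, None, None, 5.0),
    Trial("toolA", "b2", False, 5.0, None, 5.0),    # false alarm on a benign file
    Trial("toolA", "b3", False, None, None, 5.0),
    Trial("toolB", "m1", True, 95.0, 20.0, 20.0),   # static verdict arrived too late; dynamic one counts
    Trial("toolB", "m2", True, 40.0, None, 20.0),
    Trial("toolB", "m3", True, 60.0, None, 20.0),
    Trial("toolB", "b1", False, None, None, 20.0),
    Trial("toolB", "b2", False, None, None, 20.0),
    Trial("toolB", "b3", False, None, None, 20.0),
]

if __name__ == "__main__":
    for tool, cost in rank_tools(SAMPLE_TRIALS):
        print(tool, round(cost, 2), summarize(SAMPLE_TRIALS, tool))
```

    On the constructed data the heavier-but-accurate toolB ranks first despite using four times the CPU, because under these assumed weights one missed sample and one false alarm outweigh the resource difference; changing the constants changes the ranking, which is exactly the sensitivity a cost model of this kind is meant to expose.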

    Search for dark matter produced in association with bottom or top quarks in √s = 13 TeV pp collisions with the ATLAS detector

    A search for weakly interacting massive particle dark matter produced in association with bottom or top quarks is presented. Final states containing third-generation quarks and missing transverse momentum are considered. The analysis uses 36.1 fb−1 of proton–proton collision data recorded by the ATLAS experiment at √s = 13 TeV in 2015 and 2016. No significant excess of events above the estimated backgrounds is observed. The results are interpreted in the framework of simplified models of spin-0 dark-matter mediators. For colour-neutral spin-0 mediators produced in association with top quarks and decaying into a pair of dark-matter particles, mediator masses below 50 GeV are excluded assuming a dark-matter candidate mass of 1 GeV and unitary couplings. For scalar and pseudoscalar mediators produced in association with bottom quarks, the search sets limits on the production cross-section of 300 times the predicted rate for mediators with masses between 10 and 50 GeV and assuming a dark-matter mass of 1 GeV and unitary coupling. Constraints on colour-charged scalar simplified models are also presented. Assuming a dark-matter particle mass of 35 GeV, mediator particles with mass below 1.1 TeV are excluded for couplings yielding a dark-matter relic density consistent with measurements.

    Robust estimation of bacterial cell count from optical density

    Optical density (OD) is widely used to estimate the density of cells in liquid culture, but cannot be compared between instruments without a standardized calibration protocol and is challenging to relate to actual cell count. We address this with an interlaboratory study comparing three simple, low-cost, and highly accessible OD calibration protocols across 244 laboratories, applied to eight strains of constitutive GFP-expressing E. coli. Based on our results, we recommend calibrating OD to estimated cell count using serial dilution of silica microspheres, which produces highly precise calibration (95.5% of residuals <1.2-fold), is easily assessed for quality control, also assesses instrument effective linear range, and can be combined with fluorescence calibration to obtain units of Molecules of Equivalent Fluorescein (MEFL) per cell, allowing direct comparison and data fusion with flow cytometry measurements: in our study, fluorescence per cell measurements showed only a 1.07-fold mean difference between plate reader and flow cytometry data.

    Isotopic niche overlap among foraging marine turtle species in the Gulf of Mexico

    Sympatric species may overlap in their use of habitat and dietary resources, which can increase competition. Comparing the ecological niches and quantifying the degree of niche overlap among these species can provide insights into the extent of resource overlap. This information can be used to guide multispecies management approaches tailored to protect priority habitats that offer the most resources for multiple species. Stable isotope analysis is a valuable tool used to investigate spatial and trophic niches, though few studies have employed this method for comparisons among sympatric marine turtle species. For this study, stable carbon, nitrogen, and sulfur isotope values from epidermis tissue were used to quantify isotopic overlap and compare isotopic niche size in loggerhead (Caretta caretta), green (Chelonia mydas), and Kemp's ridley (Lepidochelys kempii) turtles sampled from a shared foraging area located offshore of Crystal River, Florida, USA. Overall, the results revealed high degrees of isotopic overlap (>68%) among species, particularly between loggerhead and Kemp's ridley turtles (85 to 91%), which indicates there may be interspecific competition for resources. Samples from green turtles had the widest range of isotopic values, indicating they exhibit higher variability in diet and habitat type. Samples from loggerhead turtles had the most enriched mean δ34S, suggesting they may forage in slightly different micro-environments compared with the other species. Finally, samples from Kemp's ridley turtles exhibited the smallest niche size, which is indicative of a narrower use of resources. This is one of the first studies to investigate resource use in a multispecies foraging aggregation of marine turtles using three isotopic tracers. These findings provide a foundation for future research into the foraging ecology of sympatric marine turtle species and can be used to inform effective multispecies management efforts.

    Image_1_Stress Odorant Sensory Response Dysfunction in Drosophila Fragile X Syndrome Mutants.jpg

    Sensory processing dysfunction (SPD) is present in most patients with intellectual disability (ID) and autism spectrum disorder (ASD). Silencing expression of the Fragile X mental retardation 1 (FMR1) gene leads to Fragile X syndrome (FXS), the most common single-gene cause of ID and ASD. Drosophila have a highly conserved FMR1 ortholog, dfmr1. dfmr1 mutants display cognitive and social defects reminiscent of symptoms seen in individuals with FXS. We utilized a robust behavioral assay for sensory processing of the Drosophila stress odorant (dSO) to gain a better understanding of the molecular basis of SPD in FXS. Here, we show that dfmr1 mutant flies present significant defects in dSO response. We found that dfmr1 expression in mushroom bodies is required for dSO processing. We also show that cyclic adenosine monophosphate (cAMP) signaling via PKA is activated after exposure to dSO and that several drugs regulating both cAMP and cyclic guanosine monophosphate (cGMP) levels significantly improved defects in dSO processing in dfmr1 mutant flies.

    Long-term Memory Testing in Children With Typical Development and Neurodevelopmental Disorders: Remote Web-based Image Task Feasibility Study

    Background: Neurodevelopmental disorders (NDD) cause individuals to have difficulty in learning facts, procedures, or social skills. NDD has been linked to several genes, and several animal models have been used to identify potential therapeutic candidates based on specific learning paradigms for long-term and associative memory. In individuals with NDD, however, such testing has not been used so far, resulting in a gap in translating preclinical results to clinical practice. Objective: We aim to assess if individuals with NDD could be tested for paired association learning and long-term memory deficit, as shown in previous animal models. Methods: We developed an image-based paired association task, which can be performed at different time points using remote web-based testing, and evaluated its feasibility in children with typical development (TD), as well as NDD. We included 2 tasks: object recognition as a simpler task and paired association. Learning was tested immediately after training and also the next day for long-term memory. Results: We found that children aged 5-14 years with TD (n=128) and with NDD of different types (n=57) could complete testing using the Memory Game. Children with NDD showed deficits in both recognition and paired association tasks on the first day of learning, in both the 5-9-year-old (P<.001 and P=.01, respectively) and 10-14-year-old groups (P=.001 and P<.001, respectively). The reaction times to stimuli showed no significant difference between individuals with TD or NDD. Children with NDD exhibited a faster 24-hour memory decay for the recognition task than those with TD in the 5-9-year-old group. This trend is reversed for the paired association task. Interestingly, we found that children with NDD had their retention for recognition improved and matched with typically developing individuals by 10-14 years of age. The NDD group also showed improved retention deficits in the paired association task at 10-14 years of age compared to the TD group. Conclusions: We showed that web-based learning testing using simple picture association is feasible for children with TD, as well as with NDD. We showed how web-based testing allows us to train children to learn the association between pictures, as shown in immediate test results and those completed 1 day after. This is important as many models for learning deficits in NDD target both short- and long-term memory for therapeutic intervention. We also demonstrated that despite potential confounding factors, such as self-reported diagnosis bias, technical issues, and varied participation, the Memory Game shows significant differences between typically developing children and those with NDD. Future experiments will leverage this potential of web-based testing for larger cohorts and cross-validation with other clinical or preclinical cognitive tasks.

    Mixer-settler development : use of a shrouded paddle /

    "Engineering." "Printed for the United States Atomic Energy Commission Contract AT(07-2)-1." "August 1955." "DP-130." Includes bibliographical references (p. 9). Mode of access: Internet.