155 research outputs found
Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots
Abstract. Spitzner proposed to classify honeypots into low, medium and high interaction ones. Several instances of low interaction exist, such as honeyd, as well as high interaction, such as GenII. Medium interaction systems have recently received increased attention. ScriptGen and Role-Player, for instance, are as talkative as a high interaction system while limiting the associated risks. In this paper, we do build upon the work we have proposed on ScriptGen to automatically create honeyd scripts able to interact with attack tools without relying on any a-priori knowledge of the protocols involved. The main contributions of this paper are threefold. First, we propose a solution to detect and handle so-called intra-protocol dependencies. Second, we do the same for inter-protocols dependencies. Last but not least, we show how, by modifying our initial refinement analysis, we can, on the fly, generate new scripts as new attacks, i.e. 0-day, show up. As few as 50 samples of attacks, i.e. less than one per platform we have currently deployed in the world, is enough to produce a script that can then automatically enrich all these platforms.
The challenges of containing SARS-CoV-2 via test-trace-and-isolate
Without a cure, vaccine, or proven long-term immunity against SARS-CoV-2, test-trace-and-isolate (TTI) strategies present a promising tool to contain the viral spread. For any TTI strategy, however, a major challenge arises from pre- and asymptomatic transmission as well as TTI-avoiders, which contribute to hidden, unnoticed infection chains. In our semi-analytical model, we identified two distinct tipping points between controlled and uncontrolled spreading: one, at which the behavior-driven reproduction number of the hidden infections becomes too large to be compensated by the available TTI capabilities, and one at which the number of new infections starts to exceed the tracing capacity, causing a self-accelerating spread. We investigated how these tipping points depend on realistic limitations like limited cooperativity, missing contacts, and imperfect isolation, finding that TTI is likely not sufficient to contain the natural spread of SARS-CoV-2. Therefore, complementary measures like reduced physical contacts and improved hygiene probably remain necessary
Transition from regular to complex behaviour in a discrete deterministic asymmetric neural network model
We study the long time behaviour of the transient before the collapse on the
periodic attractors of a discrete deterministic asymmetric neural networks
model. The system has a finite number of possible states so it is not possible
to use the term chaos in the usual sense of sensitive dependence on the initial
condition. Nevertheless, at varying the asymmetry parameter, , one observes
a transition from ordered motion (i.e. short transients and short periods on
the attractors) to a ``complex'' temporal behaviour. This transition takes
place for the same value at which one has a change for the mean
transient length from a power law in the size of the system () to an
exponential law in . The ``complex'' behaviour during the transient shows
strong analogies with the chaotic behaviour: decay of temporal correlations,
positive Shannon entropy, non-constant Renyi entropies of different orders.
Moreover the transition is very similar to that one for the intermittent
transition in chaotic systems: scaling law for the Shannon entropy and strong
fluctuations of the ``effective Shannon entropy'' along the transient, for .
Comment: 18 pages + 6 figures, TeX dialect: Plain TeX + IOP macros (included
Relaxation, closing probabilities and transition from oscillatory to chaotic attractors in asymmetric neural networks
Attractors in asymmetric neural networks with deterministic parallel dynamics
were shown to present a "chaotic" regime at symmetry eta < 0.5, where the
average length of the cycles increases exponentially with system size, and an
oscillatory regime at high symmetry, where the typical length of the cycles is
2. We show, both with analytic arguments and numerically, that there is a sharp
transition, at a critical symmetry eta_c = 0.33, between a phase where the
typical cycles have length 2 and basins of attraction of vanishing weight and a
phase where the typical cycles are exponentially long with system size, and the
weights of their attraction basins are distributed as in a Random Map with
reversal symmetry. The time-scale after which cycles are reached grows
exponentially with system size , and the exponent vanishes in the symmetric
limit, where . The transition can be related to the dynamics
of the infinite system (where cycles are never reached), using the closing
probabilities as a tool.
We also study the relaxation of the function ,
where is the local field experienced by the neuron . In the symmetric
system, it plays the role of a Ljapunov function which drives the system
towards its minima through steepest descent. This interpretation survives, even
if only on the average, also for small asymmetry. This acts like an effective
temperature: the larger is the asymmetry, the faster is the relaxation of ,
and the higher is the asymptotic value reached. reaches very deep minima in
the fixed points of the dynamics, which are reached with vanishing probability,
and attains a larger value on the typical attractors, which are cycles of
length 2.
Comment: 24 pages, 9 figures, accepted on Journal of Physics A: Math. Ge
Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots
Lateral movement of advanced persistent threats has posed a severe security
challenge. Due to the stealthy and persistent nature of the lateral movement,
defenders need to consider time and spatial locations holistically to discover
latent attack paths across a large time-scale and achieve long-term security
for the target assets. In this work, we propose a time-expanded random network
to model the stochastic service links in the user-host enterprise network and
the adversarial lateral movement. We design cognitive honeypots at idle
production nodes and disguise honey links as service links to detect and deter
the adversarial lateral movement. The location of the honeypot changes randomly
at different times and increases the honeypots' stealthiness. Since the
defender does not know whether, when, and where the initial intrusion and the
lateral movement occur, the honeypot policy aims to reduce the target assets'
Long-Term Vulnerability (LTV) for proactive and persistent protection. We
further characterize three tradeoffs, i.e., the probability of interference,
the stealthiness level, and the roaming cost. To counter the curse of multiple
attack paths, we propose an iterative algorithm and approximate the LTV with
the union bound for computationally efficient deployment of cognitive
honeypots. The results of the vulnerability analysis illustrate the bounds,
trends, and a residue of LTV when the adversarial lateral movement has infinite
duration. Besides honeypot policies, we obtain a critical threshold of
compromisability to guide the design and modification of the current system
parameters for a higher level of long-term security. We show that the target
node can achieve zero vulnerability under infinite stages of lateral movement
if the probability of movement deterrence is not less than the threshold
Adaptive Honeypot Engagement through Reinforcement Learning of Semi-Markov Decision Processes
A honeynet is a promising active cyber defense mechanism. It reveals the
fundamental Indicators of Compromise (IoCs) by luring attackers to conduct
adversarial behaviors in a controlled and monitored environment. The active
interaction at the honeynet brings a high reward but also introduces high
implementation costs and risks of adversarial honeynet exploitation. In this
work, we apply infinite-horizon Semi-Markov Decision Process (SMDP) to
characterize a stochastic transition and sojourn time of attackers in the
honeynet and quantify the reward-risk trade-off. In particular, we design
adaptive long-term engagement policies shown to be risk-averse, cost-effective,
and time-efficient. Numerical results have demonstrated that our adaptive
engagement policies can quickly attract attackers to the target honeypot and
engage them for a sufficiently long period to obtain worthy threat information.
Meanwhile, the penetration probability is kept at a low level. The results show
that the expected utility is robust against attackers of a large range of
persistence and intelligence. Finally, we apply reinforcement learning to the
SMDP to solve the curse of modeling. Under a prudent choice of the learning
rate and exploration policy, we achieve a quick and robust convergence of the
optimal policy and value.
Comment: The presentation can be found at https://youtu.be/GPKT3uJtXqk. arXiv
admin note: text overlap with arXiv:1907.0139
Micro-computed tomography and histology to explore internal morphology in decapod larvae
Traditionally, the internal morphology of crustacean larvae has been studied using destructive
techniques such as dissection and microscopy. The present study combines advances in micro-computed
tomography (micro-CT) and histology to study the internal morphology of decapod larvae,
using the common spider crab (Maja brachydactyla Balss, 1922) as a model and resolving the individual
limitations of these techniques. The synergy of micro-CT and histology allows the organs to be easily
identified, revealing simultaneously the gross morphology (shape, size, and location) and histological
organization (tissue arrangement and cell identification). Micro-CT shows mainly the exoskeleton,
musculature, digestive and nervous systems, and secondarily the circulatory and respiratory systems,
while histology distinguishes several cell types and confirms the organ identity. Micro-CT resolves a
discrepancy in the literature regarding the nervous system of crab larvae. The major changes occur in
the metamorphosis to the megalopa stage, specifically the formation of the gastric mill, the shortening
of the abdominal nerve cord, the curving of the abdomen beneath the cephalothorax, and the
development of functional pereiopods, pleopods, and lamellate gills. The combination of micro-CT and
histology provides better results than either one alone.
Financial support was provided by the Spanish Ministry of Economy and Competitiveness through the INIA
project (grant number RTA2011-00004-00-00) to G.G. and a pre-doctoral fellowship to D.C. (FPI-INIA)
Topoisomerase IIβ Activates a Subset of Neuronal Genes that Are Repressed in AT-Rich Genomic Environment
DNA topoisomerase II (topo II) catalyzes a strand passage reaction in that one duplex is passed through a transient brake or gate in another. Completion of late stages of neuronal development depends on the presence of active β isoform (topo IIβ). The enzyme appears to aid the transcriptional induction of a limited number of genes essential for neuronal maturation. However, this selectivity and underlying molecular mechanism remains unknown. Here we show a strong correlation between the genomic location of topo IIβ action sites and the genes it regulates. These genes, termed group A1, are functionally biased towards membrane proteins with ion channel, transporter, or receptor activities. Significant proportions of them encode long transcripts and are juxtaposed to a long AT-rich intergenic region (termed LAIR). We mapped genomic sites directly targeted by topo IIβ using a functional immunoprecipitation strategy. These sites can be classified into two distinct classes with discrete local GC contents. One of the classes, termed c2, appears to involve a strand passage event between distant segments of genomic DNA. The c2 sites are concentrated both in A1 gene boundaries and the adjacent LAIR, suggesting a direct link between the action sites and the transcriptional activation. A higher-order chromatin structure associated with AT richness and gene poorness is likely to serve as a silencer of gene expression, which is abrogated by topo IIβ releasing nearby genes from repression. Positioning of these genes and their control machinery may have developed recently in vertebrate evolution to support higher functions of central nervous system
Transcriptional and Post-Transcriptional Mechanisms for Oncogenic Overexpression of Ether À Go-Go K+ Channel
The human ether-à-go-go-1 (h-eag1) K+ channel is expressed in a variety of cell lines derived from human malignant tumors and in clinical samples of several different cancers, but is otherwise absent in normal tissues. It was found to be necessary for cell cycle progression and tumorigenesis. Specific inhibition of h-eag1 expression leads to inhibition of tumor cell proliferation. We report here that h-eag1 expression is controlled by the p53−miR-34−E2F1 pathway through a negative feed-forward mechanism. We first established E2F1 as a transactivator of h-eag1 gene through characterizing its promoter region. We then revealed that miR-34, a known transcriptional target of p53, is an important negative regulator of h-eag1 through dual mechanisms by directly repressing h-eag1 at the post-transcriptional level and indirectly silencing h-eag1 at the transcriptional level via repressing E2F1. There is a strong inverse relationship between the expression levels of miR-34 and h-eag1 protein. H-eag1 antisense antagonized the growth-stimulating effects and the upregulation of h-eag1 expression in SHSY5Y cells, induced by knockdown of miR-34, E2F1 overexpression, or inhibition of p53 activity. Therefore, p53 negatively regulates h-eag1 expression by a negative feed-forward mechanism through the p53−miR-34−E2F1 pathway. Inactivation of p53 activity, as is the case in many cancers, can thus cause oncogenic overexpression of h-eag1 by relieving the negative feed-forward regulation. These findings not only help us understand the molecular mechanisms for oncogenic overexpression of h-eag1 in tumorigenesis but also uncover the cell-cycle regulation through the p53−miR-34−E2F1−h-eag1 pathway. Moreover, these findings place h-eag1 in the p53−miR-34−E2F1−h-eag1 pathway with h-eag as a terminal effecter component and with miR-34 (and E2F1) as a linker between p53 and h-eag1. Our study therefore fills the gap between p53 pathway and its cellular function mediated by h-eag1
Rapid Internalization of the Oncogenic K+ Channel KV10.1
KV10.1 is a mammalian brain voltage-gated potassium channel whose ectopic expression outside of the brain has been proven relevant for tumor biology. Promotion of cancer cell proliferation by KV10.1 depends largely on ion flow, but some oncogenic properties remain in the absence of ion permeation. Additionally, KV10.1 surface populations are small compared to large intracellular pools. Control of protein turnover within cells is key to both cellular plasticity and homeostasis, and therefore we set out to analyze how endocytic trafficking participates in controlling KV10.1 intracellular distribution and life cycle. To follow plasma membrane KV10.1 selectively, we generated a modified channel displaying an extracellular affinity tag for surface labeling by α-bungarotoxin. This modification only minimally affected KV10.1 electrophysiological properties. Using a combination of microscopy and biochemistry techniques, we show that KV10.1 is constitutively internalized involving at least two distinct pathways of endocytosis and mainly sorted to lysosomes. This occurs at a relatively fast rate. Simultaneously, recycling seems to contribute to maintain basal KV10.1 surface levels. Brief KV10.1 surface half-life and rapid lysosomal targeting is a relevant factor to be taken into account for potential drug delivery and targeting strategies directed against KV10.1 on tumor cells