
    A notation for describing the steps in indicator expansion

    Indicator expansion is a process of using one or more data sources to obtain more indicators of malicious activity by identifying those related to currently known indicators. Due to the many variables in how the process is carried out, it quickly becomes difficult to capture the process that leads to an expanded set of data. Keeping track of this process is important for describing it to other analysts. A compact description of the process is even necessary just for the analysts doing the work to keep track of their own process and which paths have been investigated, particularly in naming files. This paper proposes a method of succinctly capturing the process of indicator expansion in a deterministic yet flexible and extensible manner. The target audience is analysts and investigators engaged in indicator expansion or directly consuming results therefrom.

    Modeling malicious domain name take-down dynamics: Why eCrime pays

    Domain names drive the ubiquitous use of the Internet. Criminals and adversaries also use domain names for their enterprise. Defenders compete to remove or block such malicious domains. This is a complicated space on the Internet to measure comprehensively, as the malicious actors attempt to hide, the defenders do not like to share data or methods, and what data is public is not consistently formatted. This paper derives an ad hoc model of this competition on large, decentralized networks using a modification of Lanchester's equations for combat. The model is applied to what is known of the current state of malicious domain activity on the Internet. The model aligns with currently published research, and provides a more comprehensive description of possible strategies and limitations based on the general dynamics of the model. When taken with the economic realities and physical laws to which the Internet is bound, the model demonstrates that the current approach to removing malicious domain names is unsustainable and destined for obsolescence. However, there are technical, policy, and legal modifications to the current approach that would be effective, such as preemptively populating watch lists, limits on a registrant's registrations, and international cooperation. The results indicate that the defenders should not expect to eliminate or significantly reduce malicious domain name usage without employing new digital tactics and deploying new rules in the physical world.

    Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014

    Exploring a Mechanistic Approach to Experimentation in Computing

    The mechanistic approach in philosophy of science contributes to our understanding of experimental design. Applying the mechanistic approach to experimentation in computing is beneficial for two reasons. It connects the methodology of experimentation in computing with the methodology of experimentation in established sciences, thereby strengthening the scientific reputability of computing and the quality of experimental design therein. Furthermore, it pinpoints the idiosyncrasies of experimentation in computing: computing deals closely with both natural and engineered mechanisms. A better understanding of these idiosyncrasies, which manifest in terms of a nonstandard role for experimentation, is interesting both for computer scientists and for philosophers of science. Computer scientists can think more clearly about their experimental choices. The role of experimentation elucidated by computer science merits further study from philosophers of science generally, as it highlights a role for experimentation hitherto unrecognized by philosophers: demonstration that activities exist.

    Review of human decision-making during computer security incident analysis

    We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis.

    A refinement to the general mechanistic account

    Phyllis Illari and Jon Williamson propose a formulation for a general mechanistic account, the purpose of which is to capture the similarities across mechanistic accounts in the sciences. Illari and Williamson extract insight from mechanisms in astrophysics—which are notably different from the typical biological mechanisms discussed in the literature on mechanisms—to show how their general mechanistic account accommodates mechanisms across various sciences. We present argumentation that demonstrates why an amendment is necessary to the ontology (entities and activities) referred to by the general mechanistic account provided by Illari and Williamson. The amendment is required due to the variability of some components in computing mechanisms: the very same component serves as either entity or activity, both between levels and within the same level of the explanatory hierarchy. We argue that the proper ontological account of these mechanistic components involves disambiguation via explicitly indexing them as entities or activities.

    Correlating domain registrations and DNS first activity in general and for malware

    From the date that a domain name is registered with a registrar, there should be a pattern in the amount of time it takes for that domain to be actively resolved on the Internet. We first attempt to describe that pattern in general terms by correlating data from registries for several top-level domains and a large passive DNS data source. This pattern is then used as a baseline for a comparison with the pattern of activity in domains that malicious software utilizes. While our quantitative results are not to be considered representative of the patterns exhibited by all types of malware, the malicious domains are found to have a significantly different pattern than the standard domains.

    Practicing a Science of Security: A Philosophy of Science Perspective

    Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than in other sciences.

    Toward Realistic Modeling Criteria of Games in Internet Security

    There have been various attempts to apply game theory to aspects of security situations. This article is particularly interested in security as it relates to computers and the Internet. While there have been varying levels of success in describing different aspects of security in game-theoretic terms, there has been little success in describing the problem on a large scale that would be appropriate for making decisions about enterprise or Internet security policy. This article attempts to provide such a description.

    Towards robust experimental design for user studies in security and privacy

    Background: Human beings are an integral part of computer security, whether we actively participate or simply build the systems. Despite this importance, understanding users and their interaction with security is a blind spot for most security practitioners and designers.
    Aim: Define principles for conducting experiments into usable security and privacy, to improve study robustness and usefulness.
    Data: The authors' experiences conducting several research projects, complemented with a literature survey.
    Method: We extract principles based on relevance to the advancement of the state of the art. We then justify our choices by providing published experiments as cases of where the principles are and are not followed in practice to demonstrate the impact. Each principle is a discipline-specific instantiation of desirable experiment-design elements as previously established in the domain of philosophy of science.
    Results: Five high-priority principles – (i) give participants a primary task; (ii) incorporate realistic risk; (iii) avoid priming the participants; (iv) perform double-blind experiments whenever possible; and (v) think carefully about how meaning is assigned to the terms threat model, security, privacy, and usability.
    Conclusion: The principles do not replace researcher acumen or experience; however, they can provide a valuable service for facilitating evaluation, guiding younger researchers and students, and marking a baseline common language for discussing further improvements.