46 research outputs found
Environment-Sensitive Intrusion Detection
Abstract. We perform host-based intrusion detection by constructing a model from a program’s binary code and then restricting the program’s execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new data-flow analysis algorithm for context-sensitive recovery of static data. The environment—configuration files, command-line parameters, and environment variables—constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution. Our new static data-flow analysis associates a program’s data flows with specific calling contexts that use the data. We use this analysis to differentiate system-call arguments flowing from distinct call sites in the program. Using a new average reachability measure suitable for evaluation of call-stack-based program models, we demonstrate that our techniques improve the precision of several test programs’ models from 76% to 100%.
DDoS defense by offense
This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.
Funding: National Science Foundation (U.S.) (NSF grant CNS-0225660); National Science Foundation (U.S.) (NSF grant CNS-0520241); United States. Dept. of Defense (National Security Science and Engineering Faculty Fellowship).
DNA Dynamics Is Likely to Be a Factor in the Genomic Nucleotide Repeats Expansions Related to Diseases
Trinucleotide repeat sequences (TRS) represent a common type of genomic DNA motif whose expansion is associated with a large number of human diseases. The driving molecular mechanisms of the TRS ongoing dynamic expansion across generations and within tissues and its influence on genomic DNA functions are not well understood. Here we report results for a novel and notable collective breathing behavior of genomic DNA of tandem TRS, leading to a propensity for large local DNA transient openings at physiological temperature. Our Langevin molecular dynamics (LMD) and Markov Chain Monte Carlo (MCMC) simulations demonstrate that the patterns of openings of various TRSs depend specifically on their length. The collective propensity for DNA strand separation of repeated sequences serves as a precursor for outsized intermediate bubble states independently of the G/C-content. We report that repeats have the potential to interfere with the binding of transcription factors to their consensus sequence by altered DNA breathing dynamics in proximity of the binding sites. These observations might influence ongoing attempts to use LMD and MCMC simulations for TRS-related modeling of genomic DNA functionality in elucidating the common denominators of the dynamic TRS expansion mutation with potential therapeutic applications.
The Chemotherapeutic Drug 5-Fluorouracil Promotes PKR-Mediated Apoptosis in a p53- Independent Manner in Colon and Breast Cancer Cells
The chemotherapeutic drug 5-FU is widely used in the treatment of a range of cancers, but resistance to the drug remains a major clinical problem. Since defects in the mediators of apoptosis may account for chemo-resistance, the identification of new targets involved in 5-FU-induced apoptosis is of major clinical interest. We have identified the ds-RNA-dependent protein kinase (PKR) as a key molecular target of 5-FU involved in apoptosis induction in human colon and breast cancer cell lines. PKR distribution and activation, apoptosis induction and cytotoxic effects were analyzed during 5-FU and 5-FU/IFNα treatment in several colon and breast cancer cell lines with different p53 status. PKR protein was activated by 5-FU treatment in a p53-independent manner, inducing phosphorylation of the protein synthesis translation initiation factor eIF-2α and cell death by apoptosis. Furthermore, PKR interference promoted a decreased response to 5-FU treatment, and those cells were not affected by the synergistic antitumor activity of the 5-FU/IFNα combination. These results, taken together, provide evidence that PKR is a key molecular target of 5-FU with potential relevance in the clinical use of this drug.
Experiences Using Minos as A Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities
We present a honeypot technique based on an emulated environment of the Minos architecture [1] and describe our experiences and observations capturing and analyzing attacks. The main advantage of a Minos-enabled honeypot is that exploits based on corrupting control data can be stopped at the critical point where control flow is hijacked from the legitimate program, facilitating a detailed analysis of the exploit.
Although Minos hardware has not yet been implemented, we are able to deploy Minos systems with the Bochs full-system Pentium emulator. We discuss complexities of the exploits Minos has caught that are not accounted for in the simple model of "buffer overflow exploits" prevalent in the literature. We then propose the Epsilon-Gamma-Pi model to describe control data attacks in a way that is useful towards understanding polymorphic techniques. This model can not only aim at the centers of the concepts of exploit vector (ε), bogus control data (γ), and payload (π) but also give them shape. This paper will quantify the polymorphism available to an attacker for γ and π, while so characterizing ε is left for future work.