A Hierarchical Filtering-Based Monitoring Architecture for Large-scale Distributed Systems

On-line monitoring is essential for observing and improving the reliability and performance of large-scale distributed (LSD) systems. In an LSD environment, large numbers of events are generated by system components during their execution and interaction with external objects (e.g. users or processes). These events must be monitored to accurately determine the run-time behavior of an LSD system and to obtain status information that is required for debugging and steering applications. However, the manner in which events are generated in an LSD system is complex and represents a number of challenges for an on-line monitoring system. Correlated events axe generated concurrently and can occur at multiple locations distributed throughout the environment. This makes monitoring an intricate task and complicates the management decision process. Furthermore, the large number of entities and the geographical distribution inherent with LSD systems increases the difficulty of addressing traditional issues, such as performance bottlenecks, scalability, and application perturbation. This dissertation proposes a scalable, high-performance, dynamic, flexible and non-intrusive monitoring architecture for LSD systems. The resulting architecture detects and classifies interesting primitive and composite events and performs either a corrective or steering action. When appropriate, information is disseminated to management applications, such as reactive control and debugging tools. The monitoring architecture employs a novel hierarchical event filtering approach that distributes the monitoring load and limits event propagation. This significantly improves scalability and performance while minimizing the monitoring intrusiveness. The architecture provides dynamic monitoring capabilities through: subscription policies that enable applications developers to add, delete and modify monitoring demands on-the-fly, an adaptable configuration that accommodates environmental changes, and a programmable environment that facilitates development of self-directed monitoring tasks. Increased flexibility is achieved through a declarative and comprehensive monitoring language, a simple code instrumentation process, and automated monitoring administration. These elements substantially relieve the burden imposed by using on-line distributed monitoring systems. In addition, the monitoring system provides techniques to manage the trade-offs between various monitoring objectives. The proposed solution offers improvements over related works by presenting a comprehensive architecture that considers the requirements and implied objectives for monitoring large-scale distributed systems. This architecture is referred to as the HiFi monitoring system. To demonstrate effectiveness at debugging and steering LSD systems, the HiFi monitoring system has been implemented at the Old Dominion University for monitoring the Interactive Remote Instruction (IRI) system. The results from this case study validate that the HiFi system achieves the objectives outlined in this thesis

CVE-driven Attack Technique Prediction with Semantic Information Extraction and a Domain-specific Language Model

This paper addresses a critical challenge in cybersecurity: the gap between vulnerability information represented by Common Vulnerabilities and Exposures (CVEs) and the resulting cyberattack actions. CVEs provide insights into vulnerabilities, but often lack details on potential threat actions (tactics, techniques, and procedures, or TTPs) within the ATT&CK framework. This gap hinders accurate CVE categorization and proactive countermeasure initiation. The paper introduces the TTPpredictor tool, which uses innovative techniques to analyze CVE descriptions and infer plausible TTP attacks resulting from CVE exploitation. TTPpredictor overcomes challenges posed by limited labeled data and semantic disparities between CVE and TTP descriptions. It initially extracts threat actions from unstructured cyber threat reports using Semantic Role Labeling (SRL) techniques. These actions, along with their contextual attributes, are correlated with MITRE's attack functionality classes. This automated correlation facilitates the creation of labeled data, essential for categorizing novel threat actions into threat functionality classes and TTPs. The paper presents an empirical assessment, demonstrating TTPpredictor's effectiveness with accuracy rates of approximately 98% and F1-scores ranging from 95% to 98% in precise CVE classification to ATT&CK techniques. TTPpredictor outperforms state-of-the-art language model tools like ChatGPT. Overall, this paper offers a robust solution for linking CVEs to potential attack techniques, enhancing cybersecurity practitioners' ability to proactively identify and mitigate threats

The pivotal role of cholesterol absorption inhibitors in the management of dyslipidemia

Elevated low-density lipoprotein (LDL)-cholesterol is associated with a significantly increased risk of coronary heart disease. Ezetimibe is the first member of a new class of selective cholesterol absorption inhibitors. It impairs the intestinal reabsorption of both dietary and hepatically excreted biliary cholesterol. Ezetimibe is an effective and safe agent for lowering LDL-C and non HDL-C. Short term clinical trials have established the role of ezetimibe monotherapy and its use in combination with statins. Furthermore, ezetimibe and statin combination therapy increased the percentage of patients who achieved their LDL-C treatment goal. Studies using surrogate markers of atherosclerosis have suggested a possible role of ezetimibe in combating atherosclerosis. Ezetimibe provides an effective therapeutic strategy for the management of homozygous familial hypercholesterolemia (HoFH) and sitosterolemia. The lack of outcomes and long term safety data is attributed to the relatively recent introduction of this medication

Language Model for Text Analytic in Cybersecurity

NLP is a form of artificial intelligence and machine learning concerned with a computer or machine's ability to understand and interpret human language. Language models are crucial in text analytics and NLP since they allow computers to interpret qualitative input and convert it to quantitative data that they can use in other tasks. In essence, in the context of transfer learning, language models are typically trained on a large generic corpus, referred to as the pre-training stage, and then fine-tuned to a specific underlying task. As a result, pre-trained language models are mostly used as a baseline model that incorporates a broad grasp of the context and may be further customized to be used in a new NLP task. The majority of pre-trained models are trained on corpora from general domains, such as Twitter, newswire, Wikipedia, and Web. Such off-the-shelf NLP models trained on general text may be inefficient and inaccurate in specialized fields. In this paper, we propose a cybersecurity language model called SecureBERT, which is able to capture the text connotations in the cybersecurity domain, and therefore could further be used in automation for many important cybersecurity tasks that would otherwise rely on human expertise and tedious manual efforts. SecureBERT is trained on a large corpus of cybersecurity text collected and preprocessed by us from a variety of sources in cybersecurity and the general computing domain. Using our proposed methods for tokenization and model weights adjustment, SecureBERT is not only able to preserve the understanding of general English as most pre-trained language models can do, but also effective when applied to text that has cybersecurity implications.Comment: This is the initial draft of this work and it may contain errors and typos. The revised version has already been submitted to a venu

Automated CVE Analysis for Threat Prioritization and Impact Prediction

The Common Vulnerabilities and Exposures (CVE) are pivotal information for proactive cybersecurity measures, including service patching, security hardening, and more. However, CVEs typically offer low-level, product-oriented descriptions of publicly disclosed cybersecurity vulnerabilities, often lacking the essential attack semantic information required for comprehensive weakness characterization and threat impact estimation. This critical insight is essential for CVE prioritization and the identification of potential countermeasures, particularly when dealing with a large number of CVEs. Current industry practices involve manual evaluation of CVEs to assess their attack severities using the Common Vulnerability Scoring System (CVSS) and mapping them to Common Weakness Enumeration (CWE) for potential mitigation identification. Unfortunately, this manual analysis presents a major bottleneck in the vulnerability analysis process, leading to slowdowns in proactive cybersecurity efforts and the potential for inaccuracies due to human errors. In this research, we introduce our novel predictive model and tool (called CVEDrill) which revolutionizes CVE analysis and threat prioritization. CVEDrill accurately estimates the CVSS vector for precise threat mitigation and priority ranking and seamlessly automates the classification of CVEs into the appropriate CWE hierarchy classes. By harnessing CVEDrill, organizations can now implement cybersecurity countermeasure mitigation with unparalleled accuracy and timeliness, surpassing in this domain the capabilities of state-of-the-art tools like ChaptGPT

Global Verification and Analysis of Network Access Control Configuration

Network devices such as routers, firewalls, IPSec gateways, and NAT are configured using access control lists. However, recent studies and ISP surveys show that the management of access control configurations is a highly complex and error prone task. Without automated global configuration management tools, unreachablility and insecurity problems due to the misconfiguration of network devices become an ever more likely. In this report, we present a novel approach that models the global end-to-end behavior of access control devices in the network including routers, firewalls, NAT, IPSec gateways for unicast and multicast packets. Our model represents the network as a state machine where the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and policy semantics for the devices being modeled. We encode the semantics of access control policies with Boolean functions using binary decision diagrams (BDDs). We extended computation tree logic (CTL) to provide more useful operators and then we use CTL and symbolic model checking to investigate all future and past states of this packet in the network and verify network reachability and security requirements. The model is implemented in a tool called ConfigChecker. We gave special consideration to ensure an efficient and scalable implementation. Our extensive evaluation study with various network and policy sizes shows that ConfigChecker has acceptable computation and space requirements with large number of nodes and configuration rules

HoneyBug: Personalized Cyber Deception for Web Applications

Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker\u27s interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker\u27s expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker\u27s profile. Through evaluation, we show that HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work