21 research outputs found

    Tracking Cyber Adversaries with Adaptive Indicators of Compromise

    A forensics investigation after a breach often uncovers network and host indicators of compromise (IOCs) that can be deployed to sensors to allow early detection of the adversary in the future. Over time, the adversary will change tactics, techniques, and procedures (TTPs), which will also change the data generated. If the IOCs are not kept up-to-date with the adversary's new TTPs, the adversary will no longer be detected once all of the IOCs become invalid. Tracking the Known (TTK) is the problem of keeping IOCs, in this case regular expressions (regexes), up-to-date with a dynamic adversary. Our framework solves the TTK problem in an automated, cyclic fashion to bracket a previously discovered adversary. This tracking is accomplished through a data-driven approach of self-adapting a given model based on its own detection capabilities. In our initial experiments, we found that the true positive rate (TPR) of the adaptive solution degrades much less significantly over time than the naive solution, suggesting that self-updating the model allows the continued detection of positives (i.e., adversaries). The cost for this performance is in the false positive rate (FPR), which increases over time for the adaptive solution, but remains constant for the naive solution. However, the difference in overall detection performance, as measured by the area under the curve (AUC), between the two methods is negligible. This result suggests that self-updating the model over time should be done in practice to continue to detect known, evolving adversaries.
    Comment: This was presented at the 4th Annual Conf. on Computational Science & Computational Intelligence (CSCI'17) held Dec 14-16, 2017 in Las Vegas, Nevada, US

    A Riemann solver at a junction compatible with a homogenization limit

    We consider a junction regulated by traffic lights, with n incoming roads and only one outgoing road. On each road the Phase Transition traffic model, proposed in [6], describes the evolution of car traffic. This model is an extension of the classic Lighthill-Whitham-Richards one, obtained by assuming that different drivers may have different maximal speeds. By sending to infinity the number of cycles of the traffic lights, we obtain a justification of the Riemann solver introduced in [9] and in particular of the rule for determining the maximal speed in the outgoing road.
    Comment: 19 page

    An effective assessment method of spinal flexibility to predict the initial in-orthosis correction on the patients with adolescent idiopathic scoliosis (AIS)

    Background: Spinal flexibility is an essential parameter for clinical decision making on the patients with adolescent idiopathic scoliosis (AIS). Various methods are proposed to assess spinal flexibility, but which assessment method is more effective to predict the effect of orthotic treatment is unclear.
    Objective: To investigate an effective assessment method of spinal flexibility to predict the initial in-orthosis correction, among the supine, prone, sitting with lateral bending and prone with lateral bending positions.
    Methods: Thirty-five patients with AIS (mean Cobb angle: 28° ± 7°; mean age: 12 ± 2 years; Risser sign: 0–2) were recruited. Before orthosis fitting, spinal flexibility was assessed by an ultrasound system in 4 positions (apart from standing) including supine, prone, sitting with lateral bending and prone with lateral bending. After orthosis fitting, the initial in-orthosis correction was routinely assessed by whole spine standing radiograph. Comparisons and correlation analyses were performed between the spinal flexibility in the 4 positions and the initial in-orthosis correction.
    Results: The mean in-orthosis correction was 41% while the mean curve correction (spinal flexibility) in the 4 studied positions were 40% (supine), 42% (prone), 127% (prone with lateral bending) and 143% (sitting with lateral bending). The correlation coefficients between initial in-orthosis correction and curve correction (spinal flexibility) in the 4 studied positions were r = 0.66 (supine), r = 0.75 (prone), r = 0.03 (prone with lateral bending) and r = 0.04 (sitting with lateral bending).
    Conclusions: The spinal flexibility in the prone position is the closest to and most correlated with the initial in-orthosis correction among the 4 studied positions. Thus, the prone position could be an effective method to predict the initial effect of orthotic treatment on the patients with AIS.

    An effective assessment method of spinal flexibility to predict the initial in-orthosis correction on the patients with adolescent idiopathic scoliosis (AIS) - Fig 2

    Ultrasound images in (a) standing position (b) supine position (c) prone position (d) sitting with lateral bending position (e) prone with lateral bending position. The left thoracolumbar curve ranged from T8 to L3 (apex at T11) with the magnitude of 26.6° in standing position, 13.5° in supine position, 12.3° in prone position, -19° in sitting with lateral bending position, and -12.8° in prone with lateral bending position (negative value refers to the curve being corrected to the opposite direction).

    Classification of High Intensity Zones based on morphology and topography.

    High Intensity Zones (HIZ) were defined as a high intensity signal (white) surrounded by low intensity (black) located in the annulus fibrosus on T2-weighted sagittal MRI. Six types of HIZs were created based on the shape (round type, fissure type, vertical type, rim type, and giant type), and location within the disc (posterior or anterior). The images represent (A) posterior round type, (B) posterior fissure type, (C) posterior vertical type, (D) anterior round type, (E) anterior rim type, and (F) anterior enlarged type.

    High Intensity Zones based on signal types on T1- and T2- weighted MRI.

    Three types of High Intensity Zones (HIZ) were created based on the signal type on T1-weighted MRI (low-intensity, high-intensity, and iso-intensity signal) and T2-weighted MRI (high-intensity signal). (I) T1-weighted low-intensity and T2-weighted high-intensity image, (II) T1-weighted high-intensity and T2-weighted high-intensity image, and (III) T1-weighted iso-intensity and T2-weighted high-intensity.