Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data

Recent years have seen the rise of more sophisticated attacks including advanced persistent threats (APTs) which pose severe risks to organizations and governments by targeting confidential proprietary information. Additionally, new malware strains are appearing at a higher rate than ever before. Since many of these malware are designed to evade existing security products, traditional defenses deployed by most enterprises today, e.g., anti-virus, firewalls, intrusion detection systems, often fail at detecting infections at an early stage. We address the problem of detecting early-stage infection in an enterprise setting by proposing a new framework based on belief propagation inspired from graph theory. Belief propagation can be used either with "seeds" of compromised hosts or malicious domains (provided by the enterprise security operation center -- SOC) or without any seeds. In the latter case we develop a detector of C&C communication particularly tailored to enterprises which can detect a stealthy compromise of only a single host communicating with the C&C server. We demonstrate that our techniques perform well on detecting enterprise infections. We achieve high accuracy with low false detection and false negative rates on two months of anonymized DNS logs released by Los Alamos National Lab (LANL), which include APT infection attacks simulated by LANL domain experts. We also apply our algorithms to 38TB of real-world web proxy logs collected at the border of a large enterprise. Through careful manual investigation in collaboration with the enterprise SOC, we show that our techniques identified hundreds of malicious domains overlooked by state-of-the-art security products

On the Mass-Period Distributions and Correlations of Extrasolar Planets

In addition to fitting the data of 233 extra-solar planets with power laws, we construct a correlated mass-period distribution function of extrasolar planets, as the first time in this field. The algorithm to generate a pair of positively correlated beta-distributed random variables is introduced and used for the construction of correlated distribution functions. We investigate the mass-period correlations of extrasolar planets both in the linear and logarithm spaces, determine the confidence intervals of the correlation coefficients, and confirm that there is a positive mass-period correlation for the extrasolar planets. In addition to the paucity of massive close-in planets, which makes the main contribution on this correlation, there are other fine structures for the data in the mass-period plane.Comment: to be published in AJ, tentatively in December 200

Role of myosin light chain kinase in intestinal epithelial barrier defects in a rat model of bowel obstruction

<p>Abstract</p> <p>Background</p> <p>Bowel obstruction is a common cause of abdominal emergency, since the patients are at increased risk of septicemia resulting in high mortality rate. While the compartmentalized changes in enteric microfloral population and augmentation of bacterial translocation (BT) have already been reported using experimental obstruction models, alterations in epithelial permeability of the obstructed guts has not been studied in detail. Myosin light chain kinase (MLCK) is actively involved in the contraction of epithelial perijunctional actinomyosin ring and thereby increases paracellular permeability. In the current study we attempt to investigate the role of MLCK in epithelial barrier defects using a rat model of simple mechanical obstruction.</p> <p>Methods</p> <p>Wistar rats received intraperitoneal injection of ML-7 (a MLCK inhibitor) or vehicle at 24, 12 and 1 hrs before and 12 hrs after intestinal obstruction (IO). The distal small intestine was obstructed with a single ligature placed 10 cm proximal to the ileocecal junction in IO rats for 24 hrs. Sham-operated rats served as controls.</p> <p>Results</p> <p>Mucosal injury, such as villous blunting and increased crypt/villus ratio, was observed in the distal small intestine of IO rats. Despite massive enterocyte shedding, intestinal villi were covered with a contiguous epithelial layer without cell apoptosis. Increased transmural macromolecular flux was noticed in the distal small intestine and the proximal colon after IO. The bacterial colony forming units in the spleen and liver of IO rats were significantly higher than those of sham controls. Addition of ML-7 ameliorated the IO-triggered epithelial MLC phosphorylation, mucosal injury and macromolecular flux, but not the level of BT.</p> <p>Conclusions</p> <p>The results suggest that IO-induced premature enterocytic sloughing and enhanced paracellular antigenic flux were mediated by epithelial MLCK activation. In addition, enteric bacteria may undergo transcytotic routes other than paracellular paths to cross the epithelium.</p

JCMT POL-2 and ALMA polarimetric observations of 6000-100 au scales in the protostar B335: linking magnetic field and gas kinematics in observations and MHD simulations

We present our analysis of the magnetic field structures from 6000 au to 100 au scales in the Class 0 protostar B335 inferred from our JCMT POL-2 observations and the ALMA archival polarimetric data. To interpret the observational results, we perform a series of (non-)ideal MHD simulations of the collapse of a rotating non-turbulent dense core, whose initial conditions are adopted to be the same as observed in B335, and generate synthetic polarization maps. The comparison of our JCMT and simulation results suggests that the magnetic field on a 6000 au scale in B335 is pinched and well aligned with the bipolar outflow along the east-west direction. Among all our simulations, the ALMA polarimetric results are best explained with weak magnetic field models having an initial mass-to-flux ratio of 9.6. However, we find that with the weak magnetic field, the rotational velocity on a 100 au scale and the disk size in our simulations are larger than the observational estimates by a factor of several. An independent comparison of our simulations and the gas kinematics in B335 observed with the SMA and ALMA favors strong magnetic field models with an initial mass-to-flux ratio smaller than 4.8. We discuss two possibilities resulting in the different magnetic field strengths inferred from the polarimetric and molecular-line observations, (1) overestimated rotational-to-gravitational energy in B335 and (2) additional contributions in the polarized intensity due to scattering on a 100 au scale.Comment: Accepted by Ap

The risk of false inclusion of a relative in parentage testing – an in silico population study

Aim To investigate the potential of false inclusion of a close genetic relative in paternity testing by using computer generated families. Methods 10 000 computer-simulated families over three generations were generated based on genotypes using 15 short tandem repeat loci. These data were used in assessing the probability of inclusion or exclusion of paternity when the father is actually a sibling, grandparent, uncle, half sibling, cousin, or a random male. Further, we considered a duo case where the mother’s DNA type was not available and a trio case including the mother’s profile. Results The data showed that the duo scenario had the highest and lowest false inclusion rates when considering a sibling (19.03 ± 0.77%) and a cousin (0.51 ± 0.14%) as the father, respectively; and the rate when considering a random male was much lower (0.04 ± 0.04%). The situation altered slightly with a trio case where the highest rate (0.56 ± 0.15%) occurred when a paternal uncle was considered as the father, and the lowest rate (0.03 ± 0.03%) occurred when a cousin was considered as the father. We also report on the distribution of the numbers for non-conformity (non-matching loci) where the father is a close genetic relative. Conclusions The results highlight the risk of false inclusion in parentage testing. These data provide a valuable reference when incorporating either a mutation in the father’s DNA type or if a close relative is included as being the father; particularly when there are varying numbers of non-matching loci

A novel strategy for sibship determination in trio sibling model

Aim To use a virtually simulated population, generated from published allele frequencies based on 15 short tandem repeats (STR), to evaluate the efficacy of trio sibship testing and sibling assignment for forensic purposes. Methods Virtual populations were generated using 15 STR loci to create a large number of related and unrelated genotypes (10 000 trio combinations). Using these virtual populations, the probability of related and unrelated profiles can be compared to determine the chance of inclusions of being siblings if they are true siblings and the chance of inclusion if they are unrelated. Two specific relationships were tested – two reference siblings were compared to a third true sibling (3S trio, sibling trio) and two reference siblings were compared to an unrelated individual (2S1U trio, non-sibling trio). Results When the likelihood ratio was greater than 1, 99.87% of siblings in the 3S trio population were considered as siblings (sensitivity); 99.88% of non-siblings in the 2S1U trio population were considered as non-siblings (specificity); 99.9% of both populations were identified correctly as siblings and non-siblings; and the accuracy of the test was 99.88%. Conclusions The high sensitivity and specificity figures when using two known siblings compared to a putative sibling are significantly greater than when using only one known relative. The data also support the use of increasing number of loci allowing for greater confidence in genetic identification. The system established in this study could be used as the model for evaluating and simulating the cases with multiple relatives

A novel strategy for sibship determination in trio sibling model

Aim To use a virtually simulated population, generated from published allele frequencies based on 15 short tandem repeats (STR), to evaluate the efficacy of trio sibship testing and sibling assignment for forensic purposes. Methods Virtual populations were generated using 15 STR loci to create a large number of related and unrelated genotypes (10 000 trio combinations). Using these virtual populations, the probability of related and unrelated profiles can be compared to determine the chance of inclusions of being siblings if they are true siblings and the chance of inclusion if they are unrelated. Two specific relationships were tested – two reference siblings were compared to a third true sibling (3S trio, sibling trio) and two reference siblings were compared to an unrelated individual (2S1U trio, non-sibling trio). Results When the likelihood ratio was greater than 1, 99.87% of siblings in the 3S trio population were considered as siblings (sensitivity); 99.88% of non-siblings in the 2S1U trio population were considered as non-siblings (specificity); 99.9% of both populations were identified correctly as siblings and non-siblings; and the accuracy of the test was 99.88%. Conclusions The high sensitivity and specificity figures when using two known siblings compared to a putative sibling are significantly greater than when using only one known relative. The data also support the use of increasing number of loci allowing for greater confidence in genetic identification. The system established in this study could be used as the model for evaluating and simulating the cases with multiple relatives

Liver angiosarcoma, a rare liver malignancy, presented with intraabdominal bleeding due to rupture- a case report

Liver angiosarcoma is a rare disease, however it still ranks as the third of most common primary liver maligancies. The prognosis of liver angiosarcoma is very poor with almost all patients with this kind of disease die within 2 years after diagnosis. No specific symptoms and signs are closely associated with this disease. Here, we report a case presenting shock status at first due to rupture of liver angiosarcoma- induced internal bleeding. After emergent transarterial embolization (TAE), she received partial hepatectomy two weeks later. 4 months after operation, she is still with a good performance status without obvious recurrence or metastasis identified

Construction of Coupled Period-Mass Functions in Extrasolar Planets through the Nonparametric Approach

Using the period and mass data of two hundred and seventy-nine extrasolar planets, we have constructed a coupled period-mass function through the non-parametric approach. This analytic expression of the coupled period-mass function has been obtained for the first time in this field. Moreover, due to a moderate period-mass correlation, the shapes of mass/period functions vary as a function of period/mass. These results of mass and period functions give way to two important implications: (1) the deficit of massive close-in planets is confirmed, and (2) the more massive planets have larger ranges of possible semi-major axes. These interesting statistical results will provide important clues into the theories of planetary formation.Comment: 20 pages, 7 figures, published in AJ, 137, 329 (2009