A Hierarchical Filtering-Based Monitoring Architecture for Large-scale Distributed Systems
On-line monitoring is essential for observing and improving the reliability and performance of large-scale distributed (LSD) systems. In an LSD environment, large numbers of events are generated by system components during their execution and interaction with external objects (e.g. users or processes). These events must be monitored to accurately determine the run-time behavior of an LSD system and to obtain status information that is required for debugging and steering applications. However, the manner in which events are generated in an LSD system is complex and presents a number of challenges for an on-line monitoring system. Correlated events are generated concurrently and can occur at multiple locations distributed throughout the environment. This makes monitoring an intricate task and complicates the management decision process. Furthermore, the large number of entities and the geographical distribution inherent in LSD systems increase the difficulty of addressing traditional issues such as performance bottlenecks, scalability, and application perturbation.
This dissertation proposes a scalable, high-performance, dynamic, flexible and non-intrusive monitoring architecture for LSD systems. The resulting architecture detects and classifies interesting primitive and composite events and performs either a corrective or steering action. When appropriate, information is disseminated to management applications, such as reactive control and debugging tools.
The monitoring architecture employs a novel hierarchical event filtering approach that distributes the monitoring load and limits event propagation. This significantly improves scalability and performance while minimizing the monitoring intrusiveness. The architecture provides dynamic monitoring capabilities through: subscription policies that enable applications developers to add, delete and modify monitoring demands on-the-fly, an adaptable configuration that accommodates environmental changes, and a programmable environment that facilitates development of self-directed monitoring tasks. Increased flexibility is achieved through a declarative and comprehensive monitoring language, a simple code instrumentation process, and automated monitoring administration. These elements substantially relieve the burden imposed by using on-line distributed monitoring systems. In addition, the monitoring system provides techniques to manage the trade-offs between various monitoring objectives.
The proposed solution offers improvements over related works by presenting a comprehensive architecture that considers the requirements and implied objectives for monitoring large-scale distributed systems. This architecture is referred to as the HiFi monitoring system.
To demonstrate effectiveness at debugging and steering LSD systems, the HiFi monitoring system has been implemented at Old Dominion University for monitoring the Interactive Remote Instruction (IRI) system. The results from this case study validate that the HiFi system achieves the objectives outlined in this thesis.
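The abstract describes two ideas that are easy to lose at this level of generality: filtering close to the event source so that only subscribed events leave the host, and correlating the survivors at a higher level into composite events that trigger an action. The following Python is an added illustration of a two-level version of that scheme, not code from the HiFi thesis or the IRI case study; the event schema, the `failed_login` subscription and the "distributed brute force" composite are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


class LocalMonitor:
    """Level 1 of the hierarchy: a filter on the host that produced the event.
    Only events matching an active subscription are forwarded upward, which is
    what limits propagation; subscriptions can be added or dropped at run time."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.subs: Dict[str, Callable[[Event], bool]] = {}

    def subscribe(self, name: str, pred: Callable[[Event], bool]) -> None:
        self.subs[name] = pred

    def unsubscribe(self, name: str) -> None:
        self.subs.pop(name, None)

    def observe(self, ev: Event) -> List[Tuple[str, Event]]:
        return [(name, ev) for name, pred in self.subs.items() if pred(ev)]


class DomainMonitor:
    """Level 2: correlates forwarded primitive events from several hosts into
    one composite event and hands it to an action callback (the steering hook)."""

    def __init__(self, window: float, min_hosts: int, min_count: int,
                 action: Callable[[Event], None]) -> None:
        self.window, self.min_hosts, self.min_count = window, min_hosts, min_count
        self.action = action
        self.by_src: Dict[str, deque] = defaultdict(deque)

    def receive(self, sub: str, ev: Event) -> bool:
        if sub != "failed_login":
            return False
        q = self.by_src[ev["src"]]
        q.append((ev["ts"], ev["host"]))
        while q and ev["ts"] - q[0][0] > self.window:   # forget events outside the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(q) >= self.min_count and len(hosts) >= self.min_hosts:
            self.action({"type": "distributed_bruteforce", "src": ev["src"],
                         "hosts": sorted(hosts), "ts": ev["ts"]})
            q.clear()   # report each burst once
            return True
        return False


def run(events: List[Event], window: float = 60.0) -> Dict[str, object]:
    """Push one subscription down to every host, replay the stream, report load."""
    composites: List[Event] = []
    domain = DomainMonitor(window, min_hosts=2, min_count=3, action=composites.append)
    local = {h: LocalMonitor(h) for h in {e["host"] for e in events}}
    for lm in local.values():
        lm.subscribe("failed_login", lambda e: e["type"] == "failed_login")
    forwarded = 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        for sub, e in local[ev["host"]].observe(ev):
            forwarded += 1          # only these cross the host boundary
            domain.receive(sub, e)
    return {"observed": len(events), "forwarded": forwarded, "composites": composites}


# Constructed sample stream (not data from the IRI deployment).
EVENTS: List[Event] = [
    {"ts": 0, "host": "h1", "type": "process_start", "src": "-"},
    {"ts": 1, "host": "h1", "type": "failed_login", "src": "10.0.0.9"},
    {"ts": 2, "host": "h2", "type": "file_read", "src": "-"},
    {"ts": 3, "host": "h2", "type": "failed_login", "src": "10.0.0.9"},
    {"ts": 4, "host": "h1", "type": "failed_login", "src": "10.0.0.9"},
    {"ts": 5, "host": "h2", "type": "process_start", "src": "-"},
    {"ts": 70, "host": "h1", "type": "failed_login", "src": "10.0.0.9"},
]

if __name__ == "__main__":
    print(run(EVENTS))
```

On the sample stream four of seven events are forwarded and exactly one composite fires (at ts=4, when three failures from the same source have been seen on two hosts); the late event at ts=70 falls outside the window and is not correlated with the earlier burst. The ratio of forwarded to observed events is the quantity the abstract calls monitoring intrusiveness, and the `unsubscribe` path is the on-the-fly change of monitoring demands.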
CVE-driven Attack Technique Prediction with Semantic Information Extraction and a Domain-specific Language Model
This paper addresses a critical challenge in cybersecurity: the gap between vulnerability information represented by Common Vulnerabilities and Exposures (CVEs) and the resulting cyberattack actions. CVEs provide insights into vulnerabilities, but often lack details on potential threat actions (tactics, techniques, and procedures, or TTPs) within the ATT&CK framework. This gap hinders accurate CVE categorization and proactive countermeasure initiation. The paper introduces the TTPpredictor tool, which uses innovative techniques to analyze CVE descriptions and infer plausible TTP attacks resulting from CVE exploitation. TTPpredictor overcomes challenges posed by limited labeled data and semantic disparities between CVE and TTP descriptions. It initially extracts threat actions from unstructured cyber threat reports using Semantic Role Labeling (SRL) techniques. These actions, along with their contextual attributes, are correlated with MITRE's attack functionality classes. This automated correlation facilitates the creation of labeled data, essential for categorizing novel threat actions into threat functionality classes and TTPs. The paper presents an empirical assessment, demonstrating TTPpredictor's effectiveness with accuracy rates of approximately 98% and F1-scores ranging from 95% to 98% in precise CVE classification to ATT&CK techniques. TTPpredictor outperforms state-of-the-art language model tools like ChatGPT. Overall, this paper offers a robust solution for linking CVEs to potential attack techniques, enhancing cybersecurity practitioners' ability to proactively identify and mitigate threats.
The pivotal role of cholesterol absorption inhibitors in the management of dyslipidemia
Elevated low-density lipoprotein (LDL)-cholesterol is associated with a significantly increased risk of coronary heart disease. Ezetimibe is the first member of a new class of selective cholesterol absorption inhibitors. It impairs the intestinal reabsorption of both dietary and hepatically excreted biliary cholesterol. Ezetimibe is an effective and safe agent for lowering LDL-C and non-HDL-C. Short-term clinical trials have established the role of ezetimibe monotherapy and its use in combination with statins. Furthermore, ezetimibe and statin combination therapy increased the percentage of patients who achieved their LDL-C treatment goal. Studies using surrogate markers of atherosclerosis have suggested a possible role of ezetimibe in combating atherosclerosis. Ezetimibe provides an effective therapeutic strategy for the management of homozygous familial hypercholesterolemia (HoFH) and sitosterolemia. The lack of outcomes and long-term safety data is attributed to the relatively recent introduction of this medication.
Language Model for Text Analytic in Cybersecurity
NLP is a form of artificial intelligence and machine learning concerned with a computer or machine's ability to understand and interpret human language. Language models are crucial in text analytics and NLP since they allow computers to interpret qualitative input and convert it to quantitative data that they can use in other tasks. In essence, in the context of transfer learning, language models are typically trained on a large generic corpus, referred to as the pre-training stage, and then fine-tuned to a specific underlying task. As a result, pre-trained language models are mostly used as a baseline model that incorporates a broad grasp of the context and may be further customized to be used in a new NLP task.
The majority of pre-trained models are trained on corpora from general domains, such as Twitter, newswire, Wikipedia, and the Web. Such off-the-shelf NLP models trained on general text may be inefficient and inaccurate in specialized fields. In this paper, we propose a cybersecurity language model called SecureBERT, which is able to capture the text connotations in the cybersecurity domain, and therefore could further be used in automation for many important cybersecurity tasks that would otherwise rely on human expertise and tedious manual efforts. SecureBERT is trained on a large corpus of cybersecurity text collected and preprocessed by us from a variety of sources in cybersecurity and the general computing domain. Using our proposed methods for tokenization and model weight adjustment, SecureBERT is not only able to preserve the understanding of general English as most pre-trained language models can do, but is also effective when applied to text that has cybersecurity implications.
Comment: This is the initial draft of this work and it may contain errors and typos. The revised version has already been submitted to a venue.
Automated CVE Analysis for Threat Prioritization and Impact Prediction
Common Vulnerabilities and Exposures (CVE) records are pivotal information for proactive cybersecurity measures, including service patching, security hardening, and more. However, CVEs typically offer low-level, product-oriented descriptions of publicly disclosed cybersecurity vulnerabilities, often lacking the essential attack semantic information required for comprehensive weakness characterization and threat impact estimation. This critical insight is essential for CVE prioritization and the identification of potential countermeasures, particularly when dealing with a large number of CVEs. Current industry practice involves manual evaluation of CVEs to assess their attack severity using the Common Vulnerability Scoring System (CVSS) and mapping them to the Common Weakness Enumeration (CWE) for potential mitigation identification. Unfortunately, this manual analysis presents a major bottleneck in the vulnerability analysis process, leading to slowdowns in proactive cybersecurity efforts and the potential for inaccuracies due to human error. In this research, we introduce our novel predictive model and tool (called CVEDrill), which revolutionizes CVE analysis and threat prioritization. CVEDrill accurately estimates the CVSS vector for precise threat mitigation and priority ranking and seamlessly automates the classification of CVEs into the appropriate CWE hierarchy classes. By harnessing CVEDrill, organizations can now implement cybersecurity countermeasure mitigation with unparalleled accuracy and timeliness, surpassing in this domain the capabilities of state-of-the-art tools like ChatGPT.
Global Verification and Analysis of Network Access Control Configuration
Network devices such as routers, firewalls, IPSec gateways, and NAT devices are configured using access control lists. However, recent studies and ISP surveys show that the management of access control configurations is a highly complex and error-prone task. Without automated global configuration management tools, unreachability and insecurity problems due to the misconfiguration of network devices become ever more likely.
In this report, we present a novel approach that models the global end-to-end behavior of access control devices in the network, including routers, firewalls, NAT, and IPSec gateways, for both unicast and multicast packets. Our model represents the network as a state machine where the packet header and location determine the state. The transitions in this model are determined by packet header information, packet location, and the policy semantics of the devices being modeled. We encode the semantics of access control policies as Boolean functions using binary decision diagrams (BDDs).
We extended computation tree logic (CTL) with more useful operators, and then use the extended CTL and symbolic model checking to investigate all future and past states of a packet in the network and verify network reachability and security requirements. The model is implemented in a tool called ConfigChecker. We gave special consideration to ensuring an efficient and scalable implementation. Our extensive evaluation study with various network and policy sizes shows that ConfigChecker has acceptable computation and space requirements for large numbers of nodes and configuration rules.
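The core modelling idea in the abstract, a state that is the pair (packet location, packet header) with transitions given by the device policy at that location, is easy to demonstrate without BDDs on a small topology. The Python below is an added example, not ConfigChecker's code: it enumerates states explicitly instead of symbolically, so it only scales to a few headers, but it shows why the header has to be part of the state (a NAT rewrites it) and how a reachability query is the CTL `EF` operator over the transition relation. The single-path topology `h1 -> fw -> nat -> srv`, the addresses and the rules are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    dport: int


# A state is (device the packet is currently at, packet header). The header is
# part of the state because a NAT changes it on the way.
State = Tuple[str, Header]
Rule = Tuple[Callable[[Header], bool], str, Optional[str]]   # (match, action, NAT target)

# Constructed single-path topology and policies (assumption, not the paper's evaluation):
# h1 -> fw -> nat -> srv; public 203.0.113.10 is translated to internal 10.0.0.5.
NEXT_HOP: Dict[str, Optional[str]] = {"h1": "fw", "fw": "nat", "nat": "srv", "srv": None}
POLICY: Dict[str, List[Rule]] = {
    "h1": [(lambda h: True, "permit", None)],
    "fw": [(lambda h: h.dst == "203.0.113.10" and h.dport == 443, "permit", None),
           (lambda h: True, "deny", None)],                       # implicit deny made explicit
    "nat": [(lambda h: h.dst == "203.0.113.10", "nat", "10.0.0.5"),
            (lambda h: True, "permit", None)],
    "srv": [(lambda h: True, "permit", None)],
}


def step(state: State) -> List[State]:
    """Transition relation: the first matching rule drops, forwards, or rewrites and forwards."""
    loc, h = state
    for match, action, target in POLICY[loc]:
        if match(h):
            if action == "deny":
                return []
            if action == "nat" and target is not None:
                h = replace(h, dst=target)
            nxt = NEXT_HOP[loc]
            return [(nxt, h)] if nxt else []
    return []


def reachable(start: State) -> Set[State]:
    """Explicit-state forward closure; the paper computes this symbolically over BDDs."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in step(queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def ef(start: State, prop: Callable[[State], bool]) -> bool:
    """CTL EF: some state on some path from start satisfies prop."""
    return any(prop(s) for s in reachable(start))


def can_reach(src: str, dst: str, dport: int, target: str, origin: str = "h1") -> bool:
    return ef((origin, Header(src, dst, dport)), lambda s: s[0] == target)


def headers_reaching(target: str, universe: List[Header], origin: str = "h1") -> List[Header]:
    """Audit query over a small header space: which injected headers ever reach target."""
    return [h for h in universe if ef((origin, h), lambda s: s[0] == target)]


if __name__ == "__main__":
    space = [Header("192.0.2.7", d, p)
             for d in ("203.0.113.10", "10.0.0.5") for p in (22, 80, 443)]
    print(headers_reaching("srv", space))
```

The security question the abstract calls an insecurity problem is the negated form of the same query: `can_reach(..., 22, "srv")` must be false for the firewall rule to mean what the operator thinks it means, and the NAT test shows that the header arriving at `srv` is not the one that left `h1`, which is exactly the case a location-only model gets wrong.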
HoneyBug: Personalized Cyber Deception for Web Applications
Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration suitable only for a specific type of attacker. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker's interactions with the deception system to learn her sophistication level and objectives, and personalize the deception system to match her profile and interests. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker's expectations, which are learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker profile. Through evaluation, we show that the HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work.
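The abstract names evidential reasoning as the basis for attacker profiling but does not show how a few observed interactions turn into a profile and then into a plan. The Python below is an added example of that loop using Dempster-Shafer theory, the standard evidential reasoning formalism; it is not HoneyBug's framework or its learned parameters. The frame of discernment (novice vs. expert), the mass assigned to each observable behaviour, and the decoy names are constructed for the example. The point it demonstrates is that each observation adds mass to a profile while leaving some mass on "don't know", so the plan can hedge until belief is high enough, and that conflicting observations are handled by renormalising rather than by overwriting.

```python
from itertools import product
from typing import Dict, FrozenSet, List

Mass = Dict[FrozenSet[str], float]
THETA: FrozenSet[str] = frozenset({"novice", "expert"})   # frame of discernment

# Constructed evidence model (assumption): each observable behaviour supports one
# profile with some mass and leaves the rest on the whole frame (ignorance).
EVIDENCE: Dict[str, Mass] = {
    "handcrafted_payload": {frozenset({"expert"}): 0.6, THETA: 0.4},
    "encoded_evasion":     {frozenset({"expert"}): 0.7, THETA: 0.3},
    "scanner_user_agent":  {frozenset({"novice"}): 0.5, THETA: 0.5},
}

# Fake vulnerabilities to surface per profile (constructed names, not HoneyBug's catalogue).
DECOYS: Dict[str, List[str]] = {
    "novice": ["verbose_stack_trace", "default_admin_login"],
    "expert": ["subtle_checkout_race", "blind_sqli_in_report_filter"],
}


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule of combination; the conflicting mass K is renormalised away."""
    out: Mass = {}
    conflict = 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            out[inter] = out.get(inter, 0.0) + ma * mb
        else:
            conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence sources are incompatible")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


def belief(m: Mass, hyp: str) -> float:
    """Bel({hyp}): mass committed exactly to the hypothesis."""
    return sum(v for k, v in m.items() if k <= frozenset({hyp}))


def plausibility(m: Mass, hyp: str) -> float:
    """Pl({hyp}): mass that does not contradict the hypothesis (includes ignorance)."""
    return sum(v for k, v in m.items() if hyp in k)


def profile(observations: List[str]) -> Mass:
    """Fold the observed interactions into one mass function, starting from total ignorance."""
    m: Mass = {THETA: 1.0}
    for obs in observations:
        m = combine(m, EVIDENCE[obs])
    return m


def plan(observations: List[str], threshold: float = 0.6) -> List[str]:
    """Pick decoys for the best-supported profile; hedge with one per profile while belief is low."""
    m = profile(observations)
    best = max(THETA, key=lambda h: belief(m, h))
    if belief(m, best) < threshold:
        return [DECOYS[h][0] for h in sorted(THETA)]
    return DECOYS[best]


if __name__ == "__main__":
    for obs in (["scanner_user_agent"],
                ["handcrafted_payload", "encoded_evasion"],
                ["handcrafted_payload", "scanner_user_agent"]):
        m = profile(obs)
        print(obs, {h: round(belief(m, h), 3) for h in sorted(THETA)}, plan(obs))
```

Two properties matter for a deception planner. After a single scanner-like observation the belief in "novice" is only 0.5, below the threshold, so the plan shows one decoy of each kind rather than committing. When observations conflict (a handcrafted payload followed by a scanner user agent), the plausibility of "expert" stays well above its belief, which is the gap a planner should read as "keep watching" instead of switching plans on every interaction.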