11 research outputs found

    Investigating system intrusions with data provenance analytics

    To aid threat detection and investigation, enterprises are increasingly relying on commercially available security solutions, such as Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools. These security solutions first collect and analyze audit logs throughout the enterprise and then generate threat alerts when suspicious activities occur. Later, security analysts investigate those threat alerts to separate false alarms from true attacks by extracting contextual history from the audit logs, i.e., the trail of events that caused the threat alert. Unfortunately, investigating threats in enterprises is a notoriously difficult task, even for expert analysts, due to two main challenges. First, existing enterprise security solutions are optimized to miss as few threats as possible; as a result, they generate an overwhelming volume of false alerts, creating a backlog of investigation tasks. Second, modern computing systems are operationally complex and produce an enormous volume of audit logs per day, making it difficult to correlate events for threats that span multiple processes, applications, and hosts. In this dissertation, I propose leveraging data provenance analytics to address the challenges mentioned above. I present five provenance-based techniques that enable system defenders to effectively and efficiently investigate malicious behaviors in enterprise settings. First, I present NoDoze, an alert triage system that automatically prioritizes generated alerts based on their anomalous contextual history. Following that, RapSheet brings the benefits of data provenance to commercial EDR tools and provides compact visualization of multi-stage attacks to system defenders. Swift then realizes a provenance graph database that generates contextual history around generated alerts in real time, even when analyzing audit logs containing tens of millions of events. Finally, OmegaLog and Zeek Agent introduce the vision of universal provenance analysis, which unifies all forensically relevant provenance information on the system regardless of its layer of origin, improving investigation capabilities.

    Morbidity Measures Predicting Mortality in Inpatients: A Systematic Review

    OBJECTIVES: Morbidity is an important risk factor for mortality, and a variety of morbidity measures have been developed to predict patients' health outcomes. The objective of this systematic review was to compare the capacity of morbidity measures in predicting mortality among inpatients admitted to internal medicine, geriatric, or all hospital wards. DESIGN: A systematic literature search was conducted from inception to March 6, 2019 using 4 databases: Medline, Embase, Cochrane, and CINAHL. Articles were included if morbidity measures were used to predict mortality (registration CRD42019126674). SETTING AND PARTICIPANTS: Inpatients with a mean or median age ≥65 years. MEASUREMENTS: Morbidity measures predicting mortality. RESULTS: Of the 12,800 articles retrieved from the databases, a total of 34 articles were included reporting on inpatients admitted to internal medicine, geriatric, or all hospital wards. The Charlson Comorbidity Index (CCI) was reported most frequently, and a higher CCI score was associated with greater mortality risk, primarily at longer follow-up periods. Articles comparing morbidity measures revealed that the Geriatric Index of Comorbidity was better at predicting mortality risk than the CCI, Cumulative Illness Rating Scale, Index of Coexistent Disease, and disease count. CONCLUSIONS AND IMPLICATIONS: Higher morbidity measure scores are better at predicting mortality at longer follow-up periods. The Geriatric Index of Comorbidity was best at predicting mortality and should be used more often in clinical practice to assist clinical decision making.

    Don't cry over spilled records: Memory elasticity of data-parallel applications and its application to cluster scheduling

    Understanding the performance of data-parallel workloads when resource-constrained has significant practical importance but unfortunately has received only limited attention. This paper identifies, quantifies and demonstrates memory elasticity, an intrinsic property of data-parallel tasks. Memory elasticity allows tasks to run with significantly less memory than they would ideally want while only paying a moderate performance penalty. For example, we find that given as little as 10% of ideal memory, PageRank and NutchIndexing Hadoop reducers become only 1.2x/1.75x and 1.08x slower. We show that memory elasticity is prevalent in the Hadoop, Spark, Tez and Flink frameworks. We also show that memory elasticity is predictable in nature by building simple models for Hadoop and extending them to Tez and Spark. To demonstrate the potential benefits of leveraging memory elasticity, this paper further explores its application to cluster scheduling. In this setting, we observe that the resource vs. time trade-off enabled by memory elasticity becomes a task queuing time vs. task runtime trade-off. Tasks may complete faster when scheduled with less memory because their waiting time is reduced. We show that a scheduler can turn this task-level trade-off into improved job completion time and cluster-wide memory utilization. We have integrated memory elasticity into Apache YARN. We show gains of up to 60% in average job completion time on a 50-node Hadoop cluster. Extensive simulations show similar improvements over a large number of scenarios.

    Patulin mycotoxin in mango and orange fruits, juices, pulps, and jams marketed in Pakistan

    The objective of the study was to explore the incidence of patulin (PAT) mycotoxin in mango and orange fruits and derived products marketed in Pakistan. A total of 274 samples, including 70 mango fruits, 63 mango-based products (juices, pulp, and jam), 77 orange fruits, and 64 orange-based products, were collected. PAT was determined by reverse-phase high-performance liquid chromatography (HPLC) with a UV-Vis detector (276 nm). A linear detector response was observed (R2 > 0.99), the limit of detection (LOD) was 5 µg/kg, and the recovery percentage was 97.4%. The incidence of PAT in mango samples was 61.7%, and the concentration ranged from <LOD to 6415 µg/kg with a mean of 110.9 µg/kg. Our results showed the high susceptibility of mango fruits to patulin, and it was observed that decayed mango fruits were the most contaminated with PAT. Among the mango samples, PAT concentration was higher in fruits than in processed products such as mango juice, pulp, and jam. Toxin incidence in orange samples was 52.5%, with concentrations from <LOD to 61 µg/kg and a mean of 6.3 µg/kg. As many as 29 samples of mango (21.8%) contained PAT concentrations above the regulatory limit (50 µg/kg), whereas there was only one exceeding orange sample (0.7%). Our results show that PAT seems to be a problem in fruits, juices, and derived solid products, especially from mango, and needs surveillance on a regular basis.

    Xanthus: Push-button Orchestration of Host Provenance Data Collection

    Host-based anomaly detectors generate alarms by inspecting audit logs for suspicious behavior. Unfortunately, evaluating these anomaly detectors is hard. There are few high-quality, publicly available audit logs, and there are no pre-existing frameworks that enable push-button creation of realistic system traces. To make trace generation easier, we created Xanthus, an automated tool that orchestrates virtual machines to generate realistic audit logs. Using Xanthus' simple management interface, administrators select a base VM image, configure a particular tracing framework to use within that VM, and define post-launch scripts that collect and save trace data. Once data collection is finished, Xanthus creates a self-describing archive, which contains the VM, its configuration parameters, and the collected trace data. We demonstrate that Xanthus hides many of the tedious (yet subtle) orchestration tasks that humans often get wrong; Xanthus avoids mistakes that lead to non-replicable experiments.
    Comment: 6 pages, 1 figure, 7 listings, 1 table, worksho

    Can Data Provenance Put an End to the Data Breach?


    Do morbidity measures predict the decline of activities of daily living and instrumental activities of daily living amongst older inpatients? A systematic review

    Objectives: Older adults often suffer from multimorbidity, which results in hospitalisations. These are often associated with poor health outcomes such as functional dependence and mortality. The aim of this review was to summarise the current literature on the capacities of morbidity measures in predicting activities of daily living (ADL) and instrumental activities of daily living (IADL) amongst inpatients. Methods: A systematic literature search was performed using four databases: Medline, Cochrane, Embase, and Cinahl Central, from inception to 6th March 2019. Keywords included comorbidity, multimorbidity, ADL, and iADL, along with specific morbidity measures. Articles reporting on morbidity measures predicting ADL and IADL decline amongst inpatients aged 65 years or above were included. Results: Out of 7334 unique articles, 12 articles were included, reporting on 7826 inpatients (mean age 77.6 years, 52.7% females). Out of five morbidity measures, the Charlson Comorbidity Index was most often reported. Overall, morbidity measures were poorly associated with ADL and IADL decline amongst older inpatients. Conclusion: Morbidity measures are poor predictors of ADL or IADL decline amongst older inpatients, and follow-up duration does not alter the performance of morbidity measures.

    Lead Toxicity-Mediated Growth and Metabolic Alterations at Early Seedling Stages of Maize (Zea mays L.)

    To investigate the toxic effects of lead (Pb) on key metabolic activities essential for proper germination and seedling growth of maize seeds, experiments were carried out with different levels of Pb (0 to 120 mg of Pb L−1 as PbCl2) applied through the growth medium to two maize hybrids, H-3310S and H-6724. The research findings indicated that growth and metabolic activities were adversely affected by increased Pb contamination in the growth medium; however, a slow increase in these parameters was recorded with increasing time from 0 to 120 h. Protease activity decreased with an increase in the level of Pb contamination but increased with time; consequently, a reduction in seed proteins and an increase in total free amino acids were observed with time. Similarly, α-amylase activity decreased with an increase in Pb concentration in the growth medium while it increased with increasing time from 0 to 120 h; consequently, reducing and non-reducing sugars increased with time but decreased with exposure to lead. The roots of both maize hybrids had higher Pb contents than the shoots, which decreased the uptake of nitrogen, phosphorus, and potassium. All these nutrients are essential for optimal plant growth; therefore, the reduction in growth and biomass of maize seedlings could be due to Pb toxicity that altered metabolic processes, as sugars and amino acids are necessary for the synthesis of metabolic compounds, rapid cell division, and proper functioning of enzymes in the growing embryo, but all were dramatically reduced due to suppression of protease and α-amylase by Pb toxicity. In general, hybrid H-3310S performed better in Pb-contaminated growth medium than H-6724.