Nuggets tagged analysis - [remove filter]

Jan. 6, 2016 (1 year, 5 months ago)

P2CySeMoL: Predictive, Probabilistic Cyber Security Modelling Language

This paper presents an attack graph tool that can be used to estimate the cyber security of enterprise architectures. The principal current approach for this purpose uses attack graphs; applying formal reasoning and graphical modelling to present possible attack paths corresponding to a certain architecture. According to a recent survey there are more than 30 different types of attack graph approaches but there are still many important aspects that current approaches do not manage. P2CySeMoL includes theory on how attacks and defences relate quantitatively; users model their assets and how these are connected in order to enable calculations. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.

Oct. 15, 2015 (1 year, 8 months ago)

An Anomaly Analysis Framework for Database Systems

[Behind a paywall] To handle security incidents effectively, alerts should be accompanied by information about the nature of the incident and its criticality. Without this information it is difficult to process the large number of alerts often raised by anomaly detection systems. This work presents an anomaly analysis framework which assesses the criticality of alerts with respect to the disclosure of sensitive information, along with a feature-based classification according to the type of attack. The framework has been deployed as a web-based alert audit tool that provides classification and risk ranking capabilities, which eases the analysis of, and hence responses to, database security alerts. The classification and ranking approaches have been validated using synthetic data generated through a healthcare management system.

Sept. 1, 2014 (2 years, 9 months ago)

BYTEWEIGHT: Learning to Recognize Functions in Binary Code

This paper proposes BYTEWEIGHT, a new automatic function identification algorithm for binary code. The approach automatically learns key features for recognizing functions and can therefore be adapted to different platforms, new compilers, and new optimizations. Byteweight was evaluated against three currently used tools that feature function dentification: IDA, BAP, and Dyninst, and showed considerable performance enhancements across different measures. Binary analysis has applications such as protecting binaries with control flow integrity, extracting binary code sequences from malware or untrusted ode, and hot patching of vulnerabilities.

July 23, 2014 (2 years, 11 months ago)

Bitcoin mining - threat to security model

The Bitcoin cryptocurrency records its transactions in a public log called the blockchain. Its security depends on the distributed protocol that maintains the blockchain, run by participants called miners. Previously it was thought that the protocol was secure against colluding minority groups, i.e., it incentivizes miners to follow the protocol as prescribed. This paper presents an attack whereby colluding miners obtain revenue larger than their fair share. Rational miners would thus prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency. Selfish mining is shown in this work to be feasible for any group size of colluding miners. The paper proposes a practical modification to the Bitcoin protocol that protects against selfish mining groups with less than 1/4 of the resources. Such result shows the need for extensive testing and protocol analysis of any cryptographic currency. Any, future flaw identified by cryptographic analysis can be a significant threat to the currency economics, but proving the security of such schemes is extremely difficult.

July 22, 2014 (2 years, 11 months ago)

Metamorphic Malware Detection Using Code Metrics

Unfortunately this paper is behind a paywall but a short preview is accessible. It claims a 97% success rate in detecting metamorphic malware. Metamorphic malware have been around for a number of years and change their code as they propagate in order to avoid anti-virus defences (which work by detecting previously seen code signatures). This approach identifies characteristic features of this type of malware assembly code, such as instructions that change  registers, instructions that change control flow, and code fragmentation. Metamorphic code is rarely used in non-malware so features that are indicative of such behaviour should yield a low false positive rate. However, although metamorphic malware is a key tactic for virus writers who want widely distributed attacks it is actually less important in Advanced Persistent Threats as they are not designed to propagate too extensively to avoid the risk of detection by anti-malware tools and researchers in the first place.