Nuggets tagged detection

Sept. 6, 2016

Randomized Prediction Games for Adversarial Machine Learning

Malware code is typically obfuscated using random strings or byte sequences to hide known exploits and increase its chances of evading detection. Randomization has also been proposed to improve the security of learning algorithms against evasion attacks, as it hides information about the classifier from the attacker. Recent work has proposed game-theoretical formulations to learn secure classifiers by simulating different evasion attacks and modifying the classification function accordingly. However, both the classification function and the simulated data manipulations have been modelled deterministically, without accounting for randomization. This work proposes a non-cooperative game-theoretic formulation in which the classifier and the attacker make randomized strategy selections. The approach improves the trade-off between attack detection and false alarms, even against attacks that differ from those hypothesized at design time. Reducing false alarms is a critical problem in the cost-effective analysis of security data.

Oct. 15, 2015

An Anomaly Analysis Framework for Database Systems

[Behind a paywall] To handle security incidents effectively, alerts should be accompanied by information about the nature of the incident and its criticality. Without this information it is difficult to process the large number of alerts often raised by anomaly detection systems. This work presents an anomaly analysis framework which assesses the criticality of alerts with respect to the disclosure of sensitive information, along with a feature-based classification according to the type of attack. The framework has been deployed as a web-based alert audit tool that provides classification and risk ranking capabilities, which eases the analysis of, and hence responses to, database security alerts. The classification and ranking approaches have been validated using synthetic data generated through a healthcare management system.

Oct. 13, 2015

Diversity Reduces the Impact of Malware

From the perspective of a malware attack the internet as a whole is highly diverse: hosts differ in configuration, firewall rules, anti-malware signature sets, intrusion detection and router policies. Many individual networks, however, have little internal diversity, which makes them vulnerable to malware spreading. This paper treats diversity as a malware-halting technique and models the spread of infectious malware over networked computing devices with a simple graph of N nodes of L types, taking the number of node types L as the measure of the model's diversity. Nodes of the same type share an exploitable vulnerability, whereas nodes of different types have no exploitable vulnerability in common. An epidemiological model represents the spreading phase of multi-malware outbreaks, and the analysis of this phase establishes a lower bound on the diversity L needed by various halting techniques for spreading networks with three different topologies: i) sparse and homogeneous, ii) sparse and inhomogeneous, iii) dense and homogeneous.
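To make the role of L concrete, the following is an added simulation written for this page; it is not the paper's model or its bound. It assumes a sparse homogeneous topology represented by an Erdős–Rényi random graph, node types assigned uniformly at random, and SI-style spreading of a single-exploit malware in which an infected node can only compromise neighbours of its own type (they are the only ones sharing its vulnerability). Under those assumptions an outbreak is the seed's connected component in the same-type subgraph, and `min_halting_types` is the simple mean-field heuristic that a node has on average d/L same-type neighbours, so a giant same-type component (a large outbreak) needs d/L > 1. The names and parameter values are this example's own.

```python
import random
from collections import deque


def random_sparse_graph(n, avg_degree, rng):
    """Erdos-Renyi style graph with n nodes and n*avg_degree/2 distinct edges.
    Stands in for the 'sparse and homogeneous' topology (an assumption of this example)."""
    adj = [set() for _ in range(n)]
    edges_wanted = int(n * avg_degree / 2)
    edges = 0
    while edges < edges_wanted:
        u, v = rng.randrange(n), rng.randrange(n)
        if u != v and v not in adj[u]:
            adj[u].add(v)
            adj[v].add(u)
            edges += 1
    return adj


def assign_types(n, num_types, rng):
    """Each node runs one of L = num_types software types, chosen uniformly at random."""
    return [rng.randrange(num_types) for _ in range(n)]


def outbreak_size(adj, types, seed):
    """SI spread of a single-exploit malware starting at 'seed'.  Only nodes of the
    seed's type share its vulnerability, so infection crosses an edge only when both
    endpoints have that type: the outbreak is the seed's component in the same-type subgraph."""
    target = types[seed]
    infected = {seed}
    queue = deque([seed])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in infected and types[v] == target:
                infected.add(v)
                queue.append(v)
    return len(infected)


def mean_outbreak_fraction(n, avg_degree, num_types, trials, rng):
    """Average fraction of the whole network compromised by one outbreak from a random seed."""
    adj = random_sparse_graph(n, avg_degree, rng)
    types = assign_types(n, num_types, rng)
    total = sum(outbreak_size(adj, types, rng.randrange(n)) for _ in range(trials))
    return total / (trials * n)


def min_halting_types(avg_degree):
    """Mean-field heuristic for this example (not the paper's bound): with L types a node
    has avg_degree/L same-type neighbours on average, and a giant same-type component
    only forms when that exceeds 1.  Returns the smallest integer L with avg_degree/L < 1."""
    return int(avg_degree) + 1


if __name__ == "__main__":
    rng = random.Random(2016)
    for L in (1, 2, 3, 4, 6, 8):
        frac = mean_outbreak_fraction(n=2000, avg_degree=6, num_types=L, trials=200, rng=rng)
        print(f"L={L}: mean outbreak = {frac:6.1%} of the network")
    print("heuristic minimum L to halt spreading at average degree 6:", min_halting_types(6))
```

With average degree 6, a single type (L=1) lets one outbreak take almost the whole network, L=3 (within-type degree 2) still yields outbreaks of roughly a fifth of the network, and L=8 (within-type degree 0.75) confines each outbreak to a handful of nodes. Real networks are neither Erdős–Rényi nor uniformly typed, which is why the paper analyses inhomogeneous and dense topologies separately; this code only shows the mechanism.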

July 22, 2014

Metamorphic Malware Detection Using Code Metrics

Unfortunately this paper is behind a paywall, but a short preview is accessible. It claims a 97% success rate in detecting metamorphic malware. Metamorphic malware has been around for a number of years; it rewrites its own code as it propagates in order to avoid anti-virus defences, which work by detecting previously seen code signatures. This approach identifies characteristic features of this type of malware in its assembly code, such as instructions that change registers, instructions that change control flow, and code fragmentation. Metamorphic code is rarely used in non-malware, so features indicative of such behaviour should yield a low false positive rate. However, although metamorphic code is a key tactic for virus writers who want widely distributed attacks, it is less important in Advanced Persistent Threats, which are deliberately not designed to propagate extensively, precisely to avoid the risk of detection by anti-malware tools and researchers.
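The following is an added example, not the paper's classifier or its feature definitions (those sit behind the paywall), showing how code metrics of the kind named above can be pulled out of a disassembly listing: the share of register-changing and control-flow instructions, the number of straight-line fragments chained by unconditional jumps, and a count of semantically neutral "garbage" instructions of the sort mutation engines insert. Both listings are constructed for this example (a tiny benign routine and a hand-fragmented, padded version of the same routine); the instruction sets, the `suspicious` rule and its thresholds are this example's own choices.

```python
from dataclasses import dataclass

# Feature classes for this example; illustrative, not the paper's definitions.
REGISTER_OPS = {"mov", "xchg", "lea", "push", "pop", "inc", "dec", "add", "sub",
                "xor", "or", "and", "neg", "not", "shl", "shr", "rol", "ror"}
CONTROL_FLOW_OPS = {"jmp", "je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle",
                    "ja", "jb", "jae", "jbe", "call", "ret", "loop"}


@dataclass
class CodeMetrics:
    total: int             # instructions in the listing
    register_ops: int      # instructions that change register contents
    control_flow_ops: int  # jumps, calls, returns
    fragments: int         # straight-line pieces linked by unconditional jmp
    neutral_ops: int       # do-nothing instructions typical of mutation engines

    @property
    def suspicious(self):
        """Heuristic for this example only: several jmp-linked fragments plus a
        noticeable share of garbage instructions."""
        return self.total > 0 and self.fragments >= 3 and self.neutral_ops / self.total >= 0.1


def parse_listing(text):
    """Return (mnemonic, [operands]) pairs, dropping blank lines, labels and ';' comments."""
    instructions = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        mnemonic = parts[0].lower()
        operands = [op.strip().lower() for op in parts[1].split(",")] if len(parts) > 1 else []
        instructions.append((mnemonic, operands))
    return instructions


def is_neutral(mnemonic, operands, following):
    """Classic filler: nop; mov/xchg r,r; add/sub/or r,0; lea r,[r]; push r directly followed by pop r."""
    if mnemonic == "nop":
        return True
    if len(operands) == 2:
        a, b = operands
        if mnemonic in ("mov", "xchg") and a == b:
            return True
        if mnemonic in ("add", "sub", "or") and b in ("0", "0x0"):
            return True
        if mnemonic == "lea" and b == f"[{a}]":
            return True
    if mnemonic == "push" and following is not None:
        next_mnemonic, next_operands = following
        if next_mnemonic == "pop" and next_operands == operands:
            return True
    return False


def code_metrics(text):
    instrs = parse_listing(text)
    register_ops = sum(1 for m, _ in instrs if m in REGISTER_OPS)
    control_flow = sum(1 for m, _ in instrs if m in CONTROL_FLOW_OPS)
    fragments = 1 + sum(1 for m, _ in instrs if m == "jmp")  # each jmp ends a fragment
    neutral = 0
    for i, (m, ops) in enumerate(instrs):
        following = instrs[i + 1] if i + 1 < len(instrs) else None
        neutral += is_neutral(m, ops, following)
    return CodeMetrics(len(instrs), register_ops, control_flow, fragments, neutral)


# Constructed listings for this example (not real malware).
BENIGN = """
add_vals:                 ; returns 3 * (a + b)
    push ebp
    mov ebp, esp
    mov eax, [ebp+8]
    mov edx, [ebp+12]
    add eax, edx
    imul eax, eax, 3
    mov esp, ebp
    pop ebp
    ret
"""

METAMORPHIC = """
add_vals_v2:              ; same function, fragmented and padded with garbage
    push ebp
    mov ebp, esp
    jmp frag_2
frag_3:
    add eax, edx
    mov ecx, ecx          ; garbage
    imul eax, eax, 3
    push ebx              ; garbage pair
    pop ebx
    jmp frag_4
frag_2:
    mov eax, [ebp+8]
    add ebx, 0            ; garbage
    mov edx, [ebp+12]
    xchg esi, esi         ; garbage
    jmp frag_3
frag_4:
    mov esp, ebp
    pop ebp
    ret
"""

if __name__ == "__main__":
    for name, listing in (("benign", BENIGN), ("metamorphic", METAMORPHIC)):
        m = code_metrics(listing)
        print(name, m, "SUSPICIOUS" if m.suspicious else "clean")
```

Note that the raw register-change ratio on its own separates the two listings poorly (7 of 9 versus 12 of 17), because almost all x86 code moves data through registers; it is the fragmentation and the garbage-instruction share that carry the signal here, which is why a real classifier would combine several metrics rather than threshold one.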

July 9, 2014

Multiattribute SCADA-Specific Intrusion Detection System for Power Networks

This paper is behind a paywall. The abstract claims a novel approach to a SCADA-specific IDS based on multiple attributes, but does not say what those attributes are. It also claims a ‘comprehensive solution to mitigate varied cyberattack threats’. With the abstract giving so little information, there is little indication that major progress can be found in the full paper.