Empirical Models for Vulnerability Exploits - UMD - October 2015
PI(s): Tudor Dumitras
Researchers: Octavian Suciu, Carl Sabottke, Daniel Chen, Michael Hicks, Jonathan Katz, Joseph JaJa
HARD PROBLEM(S) ADDRESSED
Security-Metrics-Driven Evaluation, Design, Development, and Deployment
Project synopsis
The security of deployed and actively used systems is a moving target, influenced by factors not captured by existing security metrics. For example, the count and severity of vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. However, simply counting the vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps because of reduced attack surfaces or because other technologies render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to affect security in the real world because some users never deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of the vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.
PUBLICATIONS
[1] C. Sabottke, O. Suciu, and T. Dumitras. 'Vulnerability disclosure in the age of social media: Exploiting Twitter for predicting real-world exploits.' In USENIX Security Symposium (USENIX Security'15), Washington, DC, Aug 2015.
[2] B. Kwon, J. Mondal, L. Bilge, J. Jang, and T. Dumitras. 'The Dropper Effect: Insights into Malware Distribution with Downloader Graph Analytics.' In ACM Conference on Computer and Communications Security (CCS'15), Denver, CO, Oct 2015.
ACCOMPLISHMENT HIGHLIGHTS
This quarter we published two papers and co-led a discussion session:
- A paper on forecasting which vulnerabilities will be exploited in the wild, using Twitter analytics [1]. More information is available at http://www.umiacs.umd.edu/~tdumitra/blog/2015/08/02/predicting-vulnerability-exploits/
- At the heart of malware delivery techniques are executable files (known as downloader trojans or droppers) that download other malware. Because the act of downloading software is not inherently malicious, benign and malicious downloaders are difficult to distinguish based only on their content and behavior. We explored the growth patterns of benign and malicious downloader graphs, which are graphs encoding which software components download which others. By combining telemetry from anti-virus and intrusion-prevention systems, we reconstructed and analyzed 19 million downloader graphs from 5 million hosts. Based on the growth patterns we observed, we implemented and evaluated a machine-learning system for malware detection. Our system achieves a 96% true-positive rate at a 1% false-positive rate, and detects malware an average of 9.24 days earlier than existing antivirus products. This paper appeared at ACM CCS 2015 [2]. More information is available at http://www.umiacs.umd.edu/~tdumitra/blog/2015/10/10/detecting-malware-with-downloader-graph-analytics/
- Tudor Dumitras co-led a discussion session at HotSec'15 on security research conducted with non-public data and on the impact these research methods have on the science of security: https://www.usenix.org/conference/hotsec15/summit-program/presentation/dumitras
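The downloader graphs described in the second highlight above, as an added example that is not code from the paper [2] or from the project: it reconstructs a per-host downloader graph from download telemetry records and measures how the graph has grown a given number of seconds after the host's first event. The telemetry (hosts h1 and h2, the file names, and the DownloadEvent record layout) is constructed for this example, and the feature set and the fan-out rule in looks_like_dropper are illustrative assumptions, not the features or the machine-learning classifier used in the paper.

```python
"""Reconstruct per-host downloader graphs from download telemetry and
compute simple growth features.  Added illustration: the telemetry below is
constructed, and the features and the rule are assumptions made for this
example, not the feature set or classifier of the CCS'15 paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DownloadEvent:
    host: str           # machine that reported the event
    ts: int             # seconds since the first event seen on that host
    parent: str         # identifier (e.g. a file hash) of the downloading process
    child: str          # identifier of the file it wrote to disk
    child_signed: bool  # whether the written file carried a valid code signature


def build_graphs(events):
    """Group events by host into adjacency lists: parent -> [(ts, child, signed)]."""
    graphs = defaultdict(lambda: defaultdict(list))
    for ev in sorted(events, key=lambda e: (e.host, e.ts)):
        graphs[ev.host][ev.parent].append((ev.ts, ev.child, ev.child_signed))
    return graphs


def _longest_path(node, children, memo, on_stack):
    """Edges on the longest download chain starting at node (0 for a leaf)."""
    if node in memo:
        return memo[node]
    if node in on_stack:  # guard against a cycle in malformed telemetry
        return 0
    on_stack.add(node)
    best = max((1 + _longest_path(c, children, memo, on_stack)
                for c in children.get(node, ())), default=0)
    on_stack.discard(node)
    memo[node] = best
    return best


def growth_features(adj, window):
    """Describe how one host's graph has grown `window` seconds after its first event."""
    edges = [(p, c, signed) for p, lst in adj.items()
             for ts, c, signed in lst if ts <= window]
    if not edges:
        return {"nodes": 0, "edges": 0, "max_fan_out": 0,
                "unsigned_ratio": 0.0, "depth": 0, "edges_per_hour": 0.0}
    downloaded = {c for _, c, _ in edges}
    nodes = {p for p, _, _ in edges} | downloaded
    fan_out = defaultdict(int)
    children = defaultdict(list)
    for p, c, _ in edges:
        fan_out[p] += 1
        children[p].append(c)
    roots = [n for n in nodes if n not in downloaded]  # never downloaded by anything
    memo = {}
    depth = max((_longest_path(r, children, memo, set()) for r in roots), default=0)
    return {
        "nodes": len(nodes),
        "edges": len(edges),
        "max_fan_out": max(fan_out.values()),
        "unsigned_ratio": sum(1 for _, _, s in edges if not s) / len(edges),
        "depth": depth,
        "edges_per_hour": len(edges) / (window / 3600),
    }


def looks_like_dropper(f):
    """Illustrative rule (an assumption, not the paper's classifier): many unsigned
    children fanning out from one downloader shortly after it appeared."""
    return f["max_fan_out"] >= 3 and f["unsigned_ratio"] >= 0.5 and f["edges_per_hour"] >= 3


def analyze(events, window):
    """Growth features for every host seen in the telemetry."""
    return {host: growth_features(adj, window)
            for host, adj in build_graphs(events).items()}


# Constructed telemetry: h1 runs a signed auto-updater; h2 fetches an unsigned
# loader that pulls five unsigned payloads within minutes.
SAMPLE_TELEMETRY = [
    DownloadEvent("h1", 0, "updater.exe", "app_v2.exe", True),
    DownloadEvent("h1", 86400, "updater.exe", "app_v3.exe", True),
    DownloadEvent("h2", 0, "browser.exe", "loader.exe", False),
] + [DownloadEvent("h2", 60 * i, "loader.exe", f"payload{i}.exe", False)
     for i in range(1, 6)]


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_TELEMETRY, window=3600).items():
        print(host, f, "dropper-like" if looks_like_dropper(f) else "benign-looking")
```

The window argument is what makes the features "growth" features: the same host yields different vectors at one hour and at one day, and it is the trajectory of those vectors, rather than any single snapshot, that the detection approach in [2] learns from.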