Intrusion detection

group_project

TWC: Medium: Collaborative: HIMALAYAS: Hierarchical Machine Learning Stack for Fine-Grained Analysis of Malware Domain Groups

Submitted by Vinod Yegneswaran on Wed, 10/25/2017 - 6:58am

The domain name system (DNS) protocol plays a significant role in operation of the Internet by enabling the bi-directional association of domain names with IP addresses. It is also increasingly abused by malware, particularly botnets, by use of: (1) automated domain generation algorithms for rendezvous with a command-and-control (C&C) server, (2) DNS fast flux as a way to hide the location of malicious servers, and (3) DNS as a carrier channel for C&C communications.

group_project

TWC: Frontier: Collaborative: Enabling Trustworthy Cybersystems for Health and Wellness

Submitted by David Kotz on Mon, 10/23/2017 - 11:53pm

This frontier project tackles many of the fundamental research challenges necessary to provide trustworthy information systems for health and wellness, as sensitive information and health-related tasks are increasingly pushed into mobile devices and cloud-based services.

group_project

SaTC: An Architecture for Restoring Trust in Our Personal Computing Systems

Submitted by David August on Mon, 10/23/2017 - 11:03pm

Computers today are so complex and opaque that a user cannot possibly hope to know, let alone trust, everything occurring within the machine. While software security techniques help ensure the integrity of user computations, they are only as trustworthy as the underlying hardware. Even though many proposals provide some relief to the problem of hardware trust, the user must ultimately rely on the assurances of other parties. This work restores hardware trust through a simple, small, and slow pluggable hardware element.

group_project

CAREER: Bridging the Semantic Gap in Virtualization-based Security Solutions via Collaboration between Guest OS and Virtual Machine

Submitted by Daniela Oliveira on Mon, 10/23/2017 - 10:52pm

In the last ten years virtual machines (VMs) have been extensively used for security-related applications, such as intrusion detection systems, malicious software (malware) analyzers and secure logging and replay of system execution. A VM is high-level software designed to emulate a computer's hardware. In the traditional usage model, security solutions are placed in a VM layer, which has complete control of the system resources. The guest operating system (OS) is considered to be easily compromised by malware and runs unaware of virtualization.

Outcomes Report URL:

https://www.research.gov/research-portal/appmanager/base/desktop?_nfpb=true&_win...

group_project

TWC: Small: Analysis and Tools for Auditing Insider Accesses

Submitted by Daniel Fabbri on Mon, 10/23/2017 - 7:00pm

Compliance officers specify organizations' policies and procedures for mitigating risk to sensitive data. However, demands for employees' quick access to organizational data often limit which security technologies can be deployed. As a result, many organizations configure an open access environment in which authenticated employees can access any piece of data (e.g., a common practice across health care facilities).

group_project

TWC SBE: Small: From Threat to Boon: Understanding and Controlling Strategic Information Transmission in Cyber-Socio-Physical Systems

Submitted by Cedric Langbort on Wed, 10/18/2017 - 5:05pm

As cyber-socio-physical and infrastructure systems are increasingly relying on data and integrating an ever-growing range of disparate, sometimes unconventional, and possibly untrusted data sources, there is a growing need to consider the problem of estimation in the presence of strategic and/or self-interested sensors. This class of problems, called "strategic information transmission" (SIT), differs from classical fault-tolerant estimation since the sensors are not merely failing or malfunctioning, but are actively trying to mislead the estimator for their own benefit.

group_project

SaTC: STARSS: Collaborative: IPTrust: A Comprehensive Framework for IP Integrity Validation

Submitted by Swarup Bhunia on Wed, 10/18/2017 - 10:20am

To reduce production cost while meeting time-to-market constraints, semiconductor companies usually design hardware systems with reusable hardware modules, popularly known as Intellectual Property (IP) blocks. Growing reliance on these hardware IPs, often gathered from untrusted third-party vendors, severely affects the security and trustworthiness of the final system. The hardware IPs acquired from external sources may come with deliberate malicious implants, undocumented interfaces working as hidden backdoor, or other integrity issues.

group_project

CAREER: Applying a Criminological Framework to Understand Adaptive Adversarial Decision-Making Processes in Critical Infrastructure Cyberattacks

Submitted by arege on Mon, 10/16/2017 - 4:43pm

Infrastructure systems (such as power, water and banking) have experienced a surge in cyberattacks over the past decade. These attacks are becoming more sophisticated and resilient, suggesting that the perpetrators are intelligent, determined and dynamic. Unfortunately, current cyberdefense measures are reactive and frequently ineffective. Defenders need to move to a proactive approach, which will require an understanding of the human characteristics and behaviors of the people behind these cyberattacks.

group_project

TWC: Small: Time-Centric Modeling of Correct Behaviors for Efficient Non-intrusive Runtime Detection of Unauthorized System Actions

Submitted by Roman Lysecky on Mon, 10/16/2017 - 2:49pm

Embedded computing systems are found at the heart of medical devices, automotive systems, smartphone, etc. Securing these embedded systems is a significant challenge that requires new methods that address the power, time, and cost requirements under which these systems operate. Because embedded systems must meet precise time requirements, detecting changes in timing can indicate the presence of malware. This research investigates new models for capturing the expected behavior of embedded systems, in which time requirements play a pivotal role.

group_project

TWC: Small: Linking the Unlinkable: Design, Analysis, and Implementation of Network Flow Fingerprints for Fine-grained Traffic Analysis

Submitted by Amir Houmansadr on Mon, 10/16/2017 - 2:00pm

Network traffic analysts are currently unable to link network flows across wide area networks to determine the origin of a network traffic flow, which is critical in understanding sources of attacks. This project is developing a novel technique for linking network flows, called flow fingerprinting, that could help help network defenders identify the origin of a network-based attack or help law enforcement track the source of criminal activity. The work could also reveal weaknesses that must be addressed in systems that protect users online anonymity.