One of the key characteristics of cloud computing is the device and location independence that enables the user to access
systems regardless of their location. Because cloud computing is heavily based on sharing resource, it is vulnerable to cyber
attacks. In this paper, we investigate a localization attack that enables the adversary to leverage central processing unit
(CPU) resources to localize the physical location of server used by victims. By increasing and reducing CPU usage through
the malicious virtual machine (VM), the response time from the victim VM will increase and decrease correspondingly. In
this way, by embedding the probing signal into the CPU usage and correlating the same pattern in the response time from
the victim VM, the adversary can find the location of victim VM. To determine attack accuracy, we investigate features in
both the time and frequency domains. We conduct both theoretical and experimental study to demonstrate the effectiveness
of such an attack.
Given competing claims, an objective head-to-head comparison of the performance of both the Snort R
and Suricata Intrusion Detection Systems is needed. In this paper, we present a comprehensive quantitative comparison of the two
systems. We have developed a rigorous testing framework that examines the performance of both systems as we scale
system resources. Our results show that a single instance of Suricata is able to deliver substantially higher performance
than a corresponding single instance of Snort. This paper describes in detail both the testing framework capabilities, tests
performed and results found.
Industrial Control Systems (ICS) monitor and control operations associated with the national critical infrastructure (e.g., electric power grid, oil and gas pipelines and water treatment facilities). These systems rely on technologies and architectures that were designed for system reliability and availability. Security associated with ICS was never an inherent concern, primarily due to the protections afforded by network isolation. However, a trend in ICS operations is to migrate to commercial networks via TCP/IP in order to leverage commodity benefits and cost savings. As a result, system vulnerabilities are now exposed to the online community. Indeed, recent research has demonstrated that many exposed ICS devices are being discovered using readily available applications (e.g., ShodanHQ search engine and Google-esque queries). Due to the lack of security and logging capabilities for ICS, most knowledge about attacks are derived from real world incidents after an attack has already been carried out and the damage has been done. This research provides a method for introducing sensors into the ICS environment that collect information about network-based attacks. The sensors are developed using an inexpensive Gumstix platform that can be deployed and incorporated with production systems. Data obtained from the sensors provide insight into attack tactics (e.g., port scans, Nessus scans, Metasploit modules, and zero-day exploits) and characteristics (e.g., attack origin, frequency, and level of persistence). Findings enable security professionals to draw an accurate, real-time awareness of the
threats against ICS devices and help shift the security posture from reactionary to preventative.
An increasing need for situational awareness within network-deployed Systems Under Test has increased desire for frameworks
that facilitate system-wide data correlation and analysis. Massive event streams are generated from heterogeneous
sensors which require tedious manual analysis. We present a framework for sensor data integration and event correlation
based on Linked Data principles, Semantic Web reasoning technology, complex event processing, and blackboard architectures.
Sensor data are encoded as RDF models, then processed by complex event processing agents (which incorporate
domain specific reasoners, as well as general purpose Semantic Web reasoning techniques). Agents can publish inferences
on shared blackboards and generate new semantic events that are fed back into the system. We present AIS, Inc.’s Cyber
Battlefield Training and Effectiveness Environment to demonstrate use of the framework.
As more enterprises are enticed to move data to a cloud environment to enhance data sharing and reduce
operating costs by exploiting shared resources, concerns have risen over the ability to secure information
within the cloud. This paper examines how a traditional Identity and Access Control (IDAM) architecture can
be adapted to address security concerns of a cloud environment. We propose changing the paradigm of
IDAM form a pure trust model to a risk based model will enable information to be protected securely in a cloud
environment without impacting efficiencies of cloud environments.
Many approaches in software analysis, particularly dynamic malware analyis, benefit greatly from the use of linked data and
other Semantic Web technology. In this paper, we describe AIS, Inc.’s Semantic Extractor (SemEx) component from the
Malware Analysis and Attribution through Genetic Information (MAAGI) effort, funded under DARPA’s Cyber Genome
program. The SemEx generates OWL-based semantic models of high and low level behaviors in malware samples from
system call traces generated by AIS’s introspective hypervisor, IntroVirtTM. Within MAAGI, these semantic models were
used by modules that cluster malware samples by functionality, and construct “genealogical” malware lineages. Herein, we
describe the design, implementation, and use of the SemEx, as well as the C2DB, an OWL ontology used for representing
software behavior and cyber-environments.
This paper describes the research, development, and analysis performed during the Remote Suspect Identification
(RSID) effort. The effort produced a keystroke dynamics sensor capable of authenticating, continuously verifying,
and identifying masquerading users with equal error rates (EER) of approximately 0.054, 0.050, and 0.069,
respectively. This sensor employs 11 distinct algorithms, each using between one and five keystroke features,
that are fused (across features and algorithms) using a weighted majority ballot algorithm to produce rapid and
accurate measurements. The RSID sensor operates discretely, quickly (using few keystrokes), and requires no
additional hardware. The researchers also analyzed the difference in sensor performance across 10 demographic
features using a keystroke dynamics dataset consisting of data from over 2,200 subjects. This analysis indicated
that there are significant and discernible differences across age groups, ethnicities, language, handedness, height,
occupation, sex, typing frequency, and typing style.
In this paper, we present a system for Dynamic Malware Analysis which incorporates the use of IntroVirt™. IntroVirt is
an introspective hypervisor architecture and infrastructure that supports advanced analysis techniques for stealth-malwareanalysis.
This system allows for complete guest monitoring and interaction, including the manipulation and blocking of
system calls. IntroVirt is capable of bypassing virtual machine detection capabilities of even the most sophisticated malware,
by spoofing returns to system call responses. Additional fuzzing capabilities can be employed to detect both malware
vulnerabilities and polymorphism.
The two stage hierarchical unsupervised learning system has been proposed for modeling complex dynamic surveillance
and cyberspace systems. Using a modification of the expectation maximization learning approach, we introduced a three
layer approach to learning concepts from input data: features, objects, and situations. Using the Bernoulli model, this
approach models each situation as a collection of objects, and each object as a collection of features. Further complexity
is added with the addition of clutter features and clutter objects. During the learning process, at the lowest level, only
binary feature information (presence or absence) is provided. The system attempts to simultaneously determine the
probabilities of the situation and presence of corresponding objects from the detected features. The proposed approach
demonstrated robust performance after a short training period. This paper discusses this hierarchical learning system in a
broader context of different feedback mechanisms between layers and highlights challenges on the road to practical
We introduce a generalized numerical prediction and forecasting algorithm. We have previously published it for
malware byte sequence feature prediction and generalized distribution modeling for disparate test article analysis. We
show how non-trivial non-periodic extrapolation of a numerical sequence (forecast and backcast) from the starting data
is possible. Our ancestor-progeny prediction can yield new options for evolutionary programming. Our equations enable
analytical integrals and derivatives to any order. Interpolation is controllable from smooth continuous to fractal structure
estimation. We show how our generalized trigonometric polynomial can be derived using a Fourier transform.
We present a fractal feature space for 3D point watermarking to
make geospatial systems more secure. By exploiting the self
similar nature of fractals, hidden information can be spatially
embedded in point cloud data in an acceptable manner as
described within this paper. Our method utilizes a blind scheme
which provides automatic retrieval of the watermark payload
without the need of the original cover data. Our method for
locating similar patterns and encoding information in LiDAR
point cloud data is accomplished through a look-up table or
code book. The watermark is then merged into the point cloud
data itself resulting in low distortion effects. With current
advancements in computing technologies, such as GPGPUs,
fractal processing is now applicable for processing of big data
which is present in geospatial as well as other systems. This
watermarking technique described within this paper can be
important for systems where point data is handled by numerous
aerial collectors including analysts use for systems such as a
National LiDAR Data Layer.
The growing in use of smart mobile devices for everyday applications has stimulated the spread of mobile malware,
especially on popular mobile platforms. As a consequence, malware detection becomes ever more critical in sustaining the
mobile market and providing a better user experience. In this paper, we review the existing malware and detection schemes.
Using real-world malware samples with known signatures, we evaluate four popular commercial anti-virus tools and our
data shows that these tools can achieve high detection accuracy. To deal with the new malware with unknown signatures,
we study the anomaly based detection using decision tree algorithm. We evaluate the effectiveness of our detection scheme
using malware and legitimate software samples. Our data shows that the detection scheme using decision tree can achieve
a detection rate up to 90% and a false positive rate as low as 10%.
We applied a two stage unsupervised hierarchical learning system to model complex dynamic surveillance and cyber space monitoring systems using a non-commercial version of the NeoAxis visualization software. The hierarchical scene learning and recognition approach is based on hierarchical expectation maximization, and was linked to a 3D graphics engine for validation of learning and classification results and understanding the human – autonomous system relationship. Scene recognition is performed by taking synthetically generated data and feeding it to a dynamic logic algorithm. The algorithm performs hierarchical recognition of the scene by first examining the features of the objects to determine which objects are present, and then determines the scene based on the objects present. This paper presents a framework within which low level data linked to higher-level visualization can provide support to a human operator and be evaluated in a detailed and systematic way.
The majority of funding for research and development (R&D) in cyber-security is focused on the end of the software
lifecycle where systems have been deployed or are nearing deployment. Recruiting of cyber-security personnel is
similarly focused on end-of-life expertise. By emphasizing cyber-security at these late stages, security problems are
found and corrected when it is most expensive to do so, thus increasing the cost of owning and operating complex
software systems. Worse, expenditures on expensive security measures often mean less money for innovative
developments. These unwanted increases in cost and potential slowing of innovation are unavoidable consequences of an
approach to security that finds and remediate faults after software has been implemented. We argue that software
security can be improved and the total cost of a software system can be substantially reduced by an appropriate
allocation of resources to the early stages of a software project. By adopting a similar allocation of R&D funds to the
early stages of the software lifecycle, we propose that the costs of cyber-security can be better controlled and,
consequently, the positive effects of this R&D on industry will be much more pronounced.
We implement a Spatial Voting (SV) based analogy of microarray analysis for digital gene marker identification in malware code sections. We examine a famous set of malware formally analyzed by Mandiant and code named Advanced Persistent Threat (APT1). APT1 is a Chinese organization formed with specific intent to infiltrate and exploit US resources. Manidant provided a detailed behavior and sting analysis report for the 288 malware samples available. We performed an independent analysis using a new alternative to the traditional dynamic analysis and static analysis we call Spatial Analysis (SA). We perform unsupervised SA on the APT1 originating malware code sections and report our findings. We also show the results of SA performed on some members of the families associated by Manidant. We conclude that SV based SA is a practical fast alternative to dynamics analysis and static analysis.