Pellicle of <i>Paramecium caudatum</i> as Revealed by Freeze Etching

Endpoint monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.

show abstract

A Novel Verifiably Encrypted Signature Scheme Without Random Oracle

Zhang

Mao

View full text Add to dashboard Cite

A New Algorithm for Identifying Loops in Decompilation

Wei

Mao

Zou

et al. 2007

View full text Add to dashboard Cite

Abstract. Loop identification is an essential step of control flow analysis in decompilation. The Classical algorithm for identifying loops is Tarjan's intervalfinding algorithm, which is restricted to reducible graphs. Havlak presents one extension of Tarjan's algorithm to deal with irreducible graphs, which constructs a loop-nesting forest for an arbitrary flow graph. There's evidence showing that the running time of this algorithm is quadratic in the worst-case, and not almost linear as claimed. Ramalingam presents an improved algorithm with low time complexity on arbitrary graphs, but it performs not quite well on "real" control flow graphs (CFG). We present a novel algorithm for identifying loops in arbitrary CFGs. Based on a more detailed exploration on properties of loops and depth-first search (DFS), this algorithm traverses a CFG only once based on DFS and collects all information needed on the fly. It runs in approximately linear time and does not use any complicated data structures such as Interval/Derived Sequence of Graphs (DSG) or UNION-FIND sets. To perform complexity analysis of the algorithm, we introduce a new concept called unstructuredness coefficient to describe the unstructuredness of CFGs, and we find that the unstructuredness coefficients of these executables are usually small (<1.5). Such "low-unstructuredness" property distinguishes these CFGs from general singleroot connected directed graphs, and it offers an explanation why those algorithms existed perform not quite well on real-world cases. The new algorithm has been applied to 11526 CFGs in 6 typical binary executables on both Linux and Window platforms. Experimental result has validated our theoretical analysis and it shows that our algorithm runs 2-5 times faster than the Havlak-Tarjan algorithm, and 2-8 times faster than the Ramalingam-Havlak-Tarjan algorithm.

show abstract

BaitAlarm: Detecting Phishing Sites Using Similarity in Fundamental Visual Features

Mao

et al. 2013

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Jian Mao

Optimal and Safe Upper Limits of Iodine Intake for Early Pregnancy in Iodine-Sufficient Regions: A Cross-Sectional Study of 7190 Pregnant Women in China

Phishing-Alarm: Robust and Efficient Phishing Detection via Page Component Similarity

A position-aware Merkle tree for dynamic cloud data integrity verification

Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

A Novel Verifiably Encrypted Signature Scheme Without Random Oracle

A New Algorithm for Identifying Loops in Decompilation

BaitAlarm: Detecting Phishing Sites Using Similarity in Fundamental Visual Features

Contact Info

Product

Resources

About