In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and a low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarize an ongoing attack campaign and can assist real-time cyber-response operations.
Abstract. We investigate a security framework for collaborative applications that relies on the role-based access control (RBAC) model. In our framework, roles are pre-defined and organized in a hierarchy (partial order). However, we assume that users are not previously identified, therefore the actions that they can perform are dynamically determined based on their own attribute values and on the attribute values associated with the resources. Those values can vary over time (e.g., the user's location or whether the resource is open for visiting) thus enabling or disabling a user's ability to perform an action on a particular resource. In our framework, constraint values form partial orders and determine the association of actions with the resources and of users with roles. We have implemented our framework by exploring the capabilities of semantic web technologies, and in particular of OWL 1.1, to model both our framework and the domain of interest and to perform several types of reasoning. In addition, we have implemented a user interface whose purpose is twofold: (1) to offer a visual explanation of the underlying reasoning by displaying roles and their associations with users (e.g., as the user's locations vary); and (2) to enable monitoring of users that are involved in a collaborative application. Our interface uses the Google Maps API and is particularly suited to collaborative applications where the users' geospatial locations are of interest.
In this paper, we follow the role-based access control (RBAC) approach and extend it to provide for the dynamic association of roles with users. In our framework, privileges associated with resources are assigned depending on the attribute values of the resources, attribute values associated with users determine the association of users with privileges, and a location mapping function between physical and logical locations allows roles to be enabled or disabled depending on the logical location of the users, thus preserving the privacy of the physical location. We use Semantic Web technologies and a graphical user interface based on the Google Maps API.
Android's Inter-Component Communication (ICC) mechanism strongly relies on Intent messages. Unfortunately, due to the lack of message origin verification in Intents, application security completely relies on the programmer's skill and attention. In this paper, we advance the state of the art by developing a method to automatically detect potential vulnerabilities and, most importantly, demonstrate whether they can be exploited or not. To this end, we adopt a formal approach to automatically produce malicious payloads that can trigger dangerous behavior in vulnerable applications. We test our methods on a representative sample of applications, and we find that 29 out of 64 tested applications are potentially vulnerable, while 26 of them are automatically proven to be exploitable.
The purpose of this paper is to explore the notion of formative design in the context of the design, development, implementation, and evaluation of a collectible card game (CCG) for teaching cybersecurity to middle school students. The approach involved a formative design approach, educational design research (EDR), that evolved from design-based research and design experiments commonly employed in fields such as the learning sciences, educational technology, and instructional design. The authors assert that the EDR process used to design an educational CCG is an effective approach for formative learning game design work.

Keywords: Cybersecurity. Educational design research. Design based research. Collectible card games.

The information age has an Achilles heel. Governments and enterprise organizations greatly rely upon computer systems and networks for their ability to exchange information and support decision processes. However, this digital infrastructure is also vulnerable to attacks by criminals, foreign nations, hackers, and disgruntled employees. In 2015, the Government Accountability Office reported that the number of security incidents related to federal agencies increased from approximately 5503 in 2006 to 67,168 in 2014, a more than tenfold increase (Wilshusen 2015). A recent annual analysis by the Ponemon Institute of 245 companies in seven countries found that the average cost of cybercrime to a company was $11.7 million per year, with a maximum cost of over $77.1 million (Ponemon Institute 2017). Cybersecurity attacks have become a common occurrence causing profound damage. As we become more reliant on cyberinfrastructure, we also become more vulnerable to cyberattack. While in office, President Barack Obama identified cybersecurity as one of the USA's most serious economic and national security challenges, but one that we are not adequately prepared to counter (Obama 2014).
Shortly after taking office, President Obama ordered a review of federal efforts to deal with the problem of defending the US information infrastructure and to develop a comprehensive approach for meeting current and future cybersecurity threats (United States Department of Homeland Security 2011; United States Executive Office of the President 2011). In 2015, President Obama emphasized the importance of not only dealing with cybersecurity threats but also focusing on protecting children as part of this effort. He stated, "No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids" (Obama 2015). The events surrounding the 2016 US presidential election demonstrate the urgent need for the development of cybersecurity expertise and for better and stronger cybersecurity systems. On May 11, 2017, President Trump issued an executive order on "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," which included a call for various sectors of the government to: "…assess the scope and sufficiency of efforts to educa...
Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.