Privacy-Conscious Threat Intelligence Using DNSBLoom van Rijswijk-Deij, Roland; Rijnders, Gijs; Bomhoff, Matthijs ...
2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM),
2019-April
Conference Proceeding
The Domain Name System (DNS) is an essential component of every interaction on the Internet. DNS translates human-readable names into machine-readable IP addresses. Conversely, DNS requests provide a wealth of information about what goes on in the network. Malicious activity - such as phishing, malware and botnets - also makes use of the DNS. Thus, monitoring DNS traffic is essential for the security team's toolbox. Yet because DNS is so essential to Internet services, tracking DNS is also highly privacy-invasive, as what domain names a user requests reveals their Internet use. Therefore, in an age of comprehensive privacy legislation, such as Europe's GDPR, simply logging every DNS request is not acceptable. In this paper we present DNSBloom, a system that uses Bloom Filters as a privacy-enhancing technology to store DNS requests. Bloom Filters act as a probabilistic set, where a membership test either returns probable membership (with a small false positive probability), or certain non-membership. Because Bloom Filters do not store original information, and because DNSBloom aggregates queries from multiple users over fixed time periods, the system offers strong privacy guarantees while enabling security professionals to check with a high degree of confidence whether certain DNS queries associated with malicious activity have occurred. We validate DNSBloom through three case studies performed on the production DNS infrastructure of a major global research network, and release a working prototype, which integrates with popular DNS resolvers, as open source.
At present, the security situation in the industrial internet is becoming more and more serious. Various threats such as network attacks, malicious code and vulnerability exploitation are gradually increasing. Consequently, it is urgent to study industrial threat detection methods. In order to tackle typical network attacks, system vulnerabilities and malicious operations, a real-time intelligent industrial threat detection method is proposed by analyzing the network data in the industrial control system. In particular, artificial intelligence techniques, adversarial sample generation techniques and deep learning models are used in the method. Besides, the proposed method is deployed in a real network, and the corresponding industrial threat detection platform is developed. The results show that the developed threat detection platform can detect a variety of typical network attacks, system vulnerabilities, malicious code, etc. At the same time, the platform has good throughput and compatibility and is suitable for the actual industrial environment.
Detailed analysis of cybersecurity intelligence in various data is essential to counter the recent advanced and complex evolution of cyber security attacks and threats. In particular, highly sophisticated learning models are required to classify cyberattacks and threats or extract security intelligence from unstructured data described in natural language.
This study addresses text classification as the first step toward such sophisticated models. More specifically, we performed a multi-label classification of cybersecurity documents to reduce the cost of threat analysis and incident response. Detailed analysis of security incidents requires an integrated model that performs security intelligence extraction and event extraction tasks that leverage their relationships. We performed document-level multi-label classification with the standard categories of MITRE for cybersecurity attack and threat models. Furthermore, to reduce the cost of creating a large set of annotated data to improve the accuracy of the model, we automated the generation of training data by using distant supervision [18]. We compared some methods for extracting keywords obtained from texts related to a defined classification category and multiple label assignment rules. We used cybersecurity documents from social news sites, threat reports, and blog articles posted by security vendors as training and test data. We trained a multi-label classification model on these texts using their document-level embedding vectors obtained from a pre-trained language model. We also reported the experimental classification result for each category and compared several models and labeling with distant supervision.
In addition, we performed human annotation for the sampled documents in the test data and evaluated the accuracy of classification on the annotated data. We showed that the machine learning models are slightly more accurate than rule-based classification with distant supervision on the test data. In some cases, the classification accuracy of distant supervision labeling is higher than that of the machine learning model on the human-annotated data.
Furthermore, we analyzed and discussed the statistics of labels assigned by distant supervision, their co-occurrence with the predicted categories by the trained model, and how to utilize the classification model in cybersecurity incident response.
Different variations in deployment environments of machine learning techniques may affect the performance of the implemented systems. The variations may cause changes in the data for machine learning solutions, such as in the number of classes and the extracted features. This paper investigates the capabilities of Genetic Programming (GP) for malicious insider detection in corporate environments under such changes. Assuming a Linear GP detector, techniques are introduced to allow a previously trained GP population to adapt to different changes in the data. The experiments and evaluation results show promising insider threat detection performance of the techniques in comparison with training machine learning classifiers from scratch. This reduces the amount of data needed and the computation requirements for obtaining dependable insider threat detectors under new conditions.
Machine Learning (ML) technologies applied to Cybersecurity, especially in the area of network cyber threat detection, are a promising choice, but they require additional research into the applicability of a wide range of available algorithms. Such algorithms usually require training using good-quality and quantitatively significant datasets, which are rarely publicly available. To this end, in this paper we describe a novel experimental framework, which we call the Mouseworld, that combines NFV and SDN to create an environment able to (1) blend and transmit real and synthetic traffic and (2) collect and label this traffic in order to be utilised for training and validating ML algorithms that will be applied to the detection of cybersecurity threats. The Mouseworld framework includes a set of traffic generation, collection and labelling modules, jointly with analytics and algorithm training and visualization components. The OSM open-source network orchestrator is utilized to control and manage the framework and to deploy the training and validation scenarios. We present a preliminary result in the area of security threat detection as a demonstration of the framework's viability.
This paper presents a new method for automatically determining the dielectric permittivity and thickness of a penetrable dielectric affixed to the human body by processing radar image responses. This is an important problem for explosives detection with body security scanners, with the potential for reducing the false alarm rate. Starting with reconstructed multistatic mm-wave images of a conductive surface partially covered with a weak dielectric bar, the algorithm determines the nominal conductive surface, identifies the position of the surface-attached dielectric anomaly, finds the front and back dielectric surface reflection responses, and then determines the permittivity and thickness of the dielectric bar.
This paper analyzes the current network security environment and the shortcomings of firewall products in the current network environment, and expounds the benefits that can be brought by the application of AI technology in threat detection. Then, the paper analyzes the advantages of AI firewalls and explains how an AI firewall can build learning models and realize the independent evolution of its threat detection capability. Finally, the intelligent defense system and logical architecture of the AI firewall are designed. The intelligent defense system has three components: cloud intelligence, security center and firewall. The logical architecture has six layers: hardware layer, data layer, algorithm layer, detection layer, analysis layer and interaction layer. These designs provide some reference for the design and development of AI firewalls.
Accurate X-ray screening systems are of paramount importance in the present day. Most existing systems predict only on the basis of a single image, which could lead to false positives and false negatives due to the limited information present. We implemented several approaches using single, two and multiple X-ray views to make a reliable and practical model with varying levels of success in threat object detection. These approaches include long-established methods such as Bag of Visual Words (BOVW), 3D Object Recognition, Adaptive Implicit Shape Model and Deep Neural Networks. The approaches took in dual inputs to make more informed predictions. Varying levels of success are obtained in these methods, ranging from 73% using BOVW to 87% using a Deep CNN. It was observed that, when two views of an object are considered, an improvement of 5% to 15% in performance took place (considering various approaches) compared to a single view.
A plethora of research is available for detecting and mitigating threats that occur across the organization's boundaries. However, Insider Threat Detection has only recently entered the limelight. It turns out to be a daunting task, given that insiders can evade firewalls, Intrusion Detection Systems, and other security mechanisms aimed at protecting the information infrastructure from outside attacks. In addition to this, some insiders having administrative rights to access privileged information and perform operations on it might turn rogue. Their malicious actions could go undetected as their digital footprint might get buried in massive dumps of log data. This survey aims to provide a comprehensive explanation of the problem statement at hand, Insider Threat Detection using Deep Learning. It begins by introducing Insider Threat Detection and related terminology. Deep Learning has been chosen as the preferred approach for solving this problem as it has been proven to be better than conventional Machine Learning algorithms when dealing with complex data originating from varied sources. Here, Deep Learning and log-based Anomaly Detection are explained. Some datasets available specifically for the research domain of Insider Threat Detection have been brought under one roof. Then, by having a closer look at the CERT Insider Threat Dataset, a brief comparative analysis of the existing Deep Learning solutions for Insider Threat Detection based on this dataset is provided. Also, this work overviews the challenges faced and how they open doors for further research. In order to cater to readers looking for an industry-oriented approach, this survey explains how a Deep Learning model can be integrated with the Elasticsearch-Logstash-Kibana (ELK) Stack.
With the population of the world increasing substantially decade after decade, the probability of terrorist attacks on people will increase. Detecting terrorists carrying dangerous objects is necessary. Airport security is very good, but what about other forms of public transportation such as subways and city buses? More threat detection is expected in these areas. Our research work focuses on developing a system made of two main parts to detect and classify dangerous objects placed on the chest of terrorists. The first part is made up of Wi-Fi imaging. Images are created using Wi-Fi signals scanning a person head-to-toe with a 2x2 antenna array. The second part uses a Region-based Convolutional Neural Network to classify whether the Wi-Fi image contains a dangerous object or something harmless such as a tablet. Our results demonstrate the feasibility of the proposed system. Also, our system only uses one out of the many channels in the Wi-Fi bandwidth, which allows the remaining channels to be used for users' Internet applications on public transportation.