Results 1 - 10 of 11
Prophiler: A fast filter for the large-scale detection of malicious web pages
2010
Cited by 5 (0 self)
Abstract: Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and, subsequently, for creating large-scale botnets. In a drive-by-download exploit, an attacker embeds a malicious script (typically written in JavaScript) into a web page. When a victim visits this page, the script is executed and attempts to compromise the browser or one of its plugins. To detect drive-by-download exploits, researchers have developed a number of systems that analyze web pages for the presence of malicious code. Most of these systems use dynamic analysis. That is, they run the scripts associated with a web page either directly in a real browser (running in a virtualized environment) or in an emulated browser, and they monitor the scripts' executions for malicious activity. While the tools are quite precise, the analysis process is costly, often requiring in the order of
A Comparative Study of Two Network-based Anomaly Detection Methods
Cited by 1 (1 self)
Abstract: Modern networks are complex and hence, network operators often rely on automation to assist in assuring the security, availability, and performance of these networks. At the core of many of these systems are general-purpose anomaly detection algorithms that seek to identify normal behavior and detect deviations. While the number and variations of these algorithms are large, two broad categories have emerged as leading approaches to this problem: those based on spatial correlation and those based on temporal analysis. In this paper, we compare one promising approach from each of these categories, namely entropy-based PCA and HHH-based wavelets.
Fingerprinting Communication and Computation on HPC Machines
2010
Abstract: How do we identify what is actually running on high-performance computing systems? Names of binaries, dynamic libraries loaded, or other elements in a submission to a batch queue can give clues, but binary names can be changed, and libraries provide limited insight and resolution on the code being run. In this paper, we present a method for “fingerprinting” code running on HPC machines using elements of communication and computation. We then discuss how that fingerprint can be used to determine if the code is consistent with certain other types of codes, what a user usually runs, or what the user requested an allocation to do. In some cases, our techniques enable us to fingerprint HPC codes using runtime MPI data with a high degree of accuracy.
Information-Theoretic Detection of Masquerade Mimicry Attacks
Abstract: In a masquerade attack, an adversary who has stolen a legitimate user’s credentials attempts to impersonate him to carry out malicious actions. Automatic detection of such attacks is often undertaken by constructing models of normal behaviour of each user and then measuring significant departures from them. One potential vulnerability of this approach is that anomaly detection algorithms are generally susceptible to being deceived. In this paper, we first investigate how a resourceful masquerader can successfully evade detection while still accomplishing his goals. We then propose an algorithm based on the Kullback-Leibler divergence which attempts to identify if a sufficiently anomalous attack is present within an apparently normal request. Our experimental results indicate that the proposed scheme achieves considerably better detection quality than adversarial-unaware approaches.
Index Terms: Anomaly detection; insider threats; masqueraders; mimicry attacks; Kullback-Leibler divergence.
Cross-domain Collaborative Anomaly Detection: So Far Yet So Close
Abstract: Web applications have emerged as the primary means of access to vital and sensitive services such as online payment systems and databases storing personally identifiable information. Unfortunately, the need for ubiquitous and often anonymous access exposes web servers to adversaries. Indeed, network-borne zero-day attacks pose a critical and widespread threat to web servers that cannot be mitigated by the use of signature-based intrusion detection systems. To detect previously unseen attacks, we correlate web requests containing user-submitted content across multiple web servers that is deemed abnormal by local Content Anomaly Detection (CAD) sensors. The cross-site information exchange happens in real time, leveraging privacy-preserving data structures. We filter out high-entropy and rarely seen legitimate requests, reducing the amount of data and time an operator has to spend sifting through alerts. Our results come from a fully working prototype using eleven weeks of real-world data from production web servers. During that period, we identify at least three application-specific attacks not belonging to an existing class of web attacks as well as a wide range of traditional classes of attacks including SQL injection, directory traversal, and code inclusion, without using human-specified knowledge or input.
Anomaly Detection in Water Management Systems
Abstract: Quality of drinking water has always been a matter of concern. Traditionally, water supplied by utilities is analysed by independent laboratories to guarantee its quality and suitability for human consumption. Being part of a critical infrastructure, water quality has recently received attention from the security point of view. Real-time monitoring of water quality requires analysis of sensor data gathered at distributed locations and generation of alarms when changes in quality indicators indicate anomalies. The event detection system should produce accurate alarms, with low latency and few false positives. This chapter addresses the application of data mining techniques developed for information infrastructure security in a new setting. The hypothesis is that a clustering algorithm, ADWICE, that has earlier been successfully applied to n-dimensional data spaces in IP networks can also be deployed for real-time anomaly detection in water management systems. The chapter describes the evaluation of the anomaly detection software when integrated in a SCADA system. The system manages water sensors and provides data for analysis within the Water Security initiative of the U.S. Environmental Protection Agency (EPA). Performance of the algorithm is illustrated and improvements to the collected data to deal with missing and inaccurate data are proposed.
Securing Application-Level Topology Estimation Networks: Facing the Frog-Boiling Attack
Abstract: Peer-to-peer real-time communication and media streaming applications optimize their performance by using application-level topology estimation services such as virtual coordinate systems. Virtual coordinate systems allow nodes in a peer-to-peer network to accurately predict latency between arbitrary nodes without the need to perform extensive measurements. However, systems that leverage virtual coordinates as supporting building blocks are prone to attacks conducted by compromised nodes that aim at disrupting, eavesdropping, or mangling with the underlying communications. Recent research proposed techniques to mitigate basic attacks (inflation, deflation, oscillation) considering a single attack strategy model where attackers perform only one type of attack. In this work we explore supervised machine learning techniques to mitigate more subtle yet highly effective attacks (frog-boiling, network-partition) that are able to bypass existing defenses. We evaluate our techniques on the Vivaldi system against a more complex attack strategy model, where attackers perform sequences of all known attacks against virtual coordinate systems, using both simulations and Internet deployments.
Lightweight Intrusion Detection for Resource-Constrained Embedded Control Systems
Abstract: Today’s power grid depends on embedded control systems to function properly. Securing these systems presents a unique challenge, since on top of the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are non-negotiable, and their massive scale greatly amplifies costs such as power consumption. Together, these constraints make the conventional approach to host intrusion detection (namely, using a hypervisor to create a safe environment from which a monitoring entity can operate) too costly or impractical for embedded control systems in such critical infrastructure. In this paper, we introduce Autoscopy, an experimental host intrusion detection mechanism that operates from within the kernel and leverages its built-in tracing framework to look for control-flow anomalies, which are most often caused by rootkits hijacking kernel hooks. In initial testing on a standard laptop system, our prototype was able to detect a representative selection of control-flow hijacking rootkit techniques while imposing less than 5% performance overhead for the majority of our benchmark tests. We argue that its design and effectiveness make it both feasible for and uniquely suited to intrusion detection for SCADA systems, and are currently porting Autoscopy to actual power hardware to test our hypothesis. Being situated in the kernel, Autoscopy needs some hardware (e.g., memory immutability) or software protection (i.e., kernel hardening) measures in place for its own protection; however, such protective measures would cost less than full-blown reference monitor isolation via hardware virtualization at the core of hypervisor-based proposals.
Keywords: IDS, intrusion detection, embedded system
Vulnerability Extrapolation: Assisted Discovery of Vulnerabilities using Machine Learning
Abstract: Rigorous identification of vulnerabilities in program code is a key to implementing and operating secure systems. Unfortunately, only some types of vulnerabilities can be detected automatically. While techniques from software testing can accelerate the search for security flaws, in the general case discovery of vulnerabilities is a tedious process that requires significant expertise and time. In this paper, we propose a method for assisted discovery of vulnerabilities in source code. Our method proceeds by embedding code in a vector space and automatically determining API usage patterns using machine learning. Starting from a known vulnerability, these patterns can be exploited to guide the auditing of code and to identify potentially vulnerable code with similar characteristics, a process we refer to as vulnerability extrapolation. We empirically demonstrate the capabilities of our method in different experiments. In a case study with the library FFmpeg, we are able to narrow the search for interesting code from 6,778 to 20 functions and discover two security flaws, one being a known flaw and the other constituting a zero-day vulnerability.
Static Detection of Malicious JavaScript-Bearing PDF Documents
Abstract: Despite the recent security improvements in Adobe’s PDF viewer, its underlying code base remains vulnerable to novel exploits. A steady flow of rapidly evolving PDF malware observed in the wild substantiates the need for novel protection instruments beyond the classical signature-based scanners. In this contribution we present a technique for detection of JavaScript-bearing malicious PDF documents based on static analysis of extracted JavaScript code. Compared to previous work, mostly based on dynamic analysis, our method incurs an order of magnitude lower run-time overhead and does not require special instrumentation. Due to its efficiency we were able to evaluate it on an extremely large real-life dataset obtained from the VirusTotal malware upload portal. Our method has proved to be effective against both known and unknown malware and suitable for large-scale batch processing.