Next Gen Rat Trap: Evolving Sandbox Techniques for Malware
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
2020 IEEE Conference on Communications and Network Security, CNS 2020
From manufacturing plants to power grids, industrial control systems are increasingly controlled and networked digitally. While networking these systems together improves their efficiency and convenience to control, it also opens them up to attacks by malicious actors. When these attacks occur, forensic investigators should be able to determine what was compromised and which corrective actions need to be taken.In this paper, we propose a method to investigate attacks on industrial control systems by simulating the logged inputs of the system over time using a model constructed from the control programs. We detect any attacks that will lead to perturbations of the normal operation of the system by comparing the simulated output to the actual output. We also perform dependency tracing between the inputs and outputs of the system, so that attacks can be traced from the anomaly to their sources and vice-versa. Our method can greatly aid investigators in recovering the complete attack graph used by the attacker using only the input and output logs from an industrial control system. To evaluate our method, we constructed a hybrid testbed with a simulated version of the Simplified Tennessee Eastman process, using a hardware-inthe-loop Allen-Bradley Micrologix 1100 PLC. We were able to accurately detect all attack anomalies with a false positive rate of 0.3% or less.
Abstract not provided.
Abstract not provided.
Today’s networked systems utilize advanced security components such as Next Generation Firewall (NGFW), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and methods for network traffic classification. A fundamental aspect of these security components and methods is network packet visibility and packet inspection. To achieve packet visibility, a compute mechanism used by these security components and methods is Deep Packet Inspection (DPI). DPI is used to obtain visibility into packet fields by looking deeper inside packets, beyond just IP address, port, and protocol. However, DPI is considered extremely expensive in terms of compute processing costs and very challenging to implement on high speed network systems. The fundamental scientific paradigm addressed in this research project is the application of greater network packet visibility and packet inspection at data rates greater than 40Gbps to secure computer network systems. The greater visibility and inspection will enable detection of advanced content-based threats that exploit application vulnerabilities and are designed to bypass traditional security approaches such as firewalls and antivirus scanners. Greater visibility and inspection are achieved through identification of the application protocol (e.g., HTTP, SMTP, Skype) and, in some cases, extraction and processing of the information contained in the packet payload. Analysis is then performed on the resulting DPI data to identify potentially malicious behavior. In order to obtain visibility and inspect the application protocol and contents at high speed data rates, advanced DPI technologies and implementations are developed.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Proceedings - 8th IEEE International Symposium on Cloud and Services Computing, SC2 2018
The cloud has been leveraged for many applications across different industries. Despite its popularity, the cloud technologies are still immature. The security implications of cloud computing also dominate the research space. Many confidentiality-and integrity-based (C-I) security controls concerning data-at-rest and data-in-transit are focused on encryption. In the world where social-media platforms transparently gather data about user behaviors and user interests, the need for user privacy and data protection is of the utmost importance. However, how can a user know that his data is safe, that her data is secure, that his data's integrity is upheld; to be confident that her communications only reach the intended recipients? We propose: They can't. Many threats have been hypothesized in the shared-service arena, with many solutions formulated to avert those threats; however, we illustrate that many technologies and standards supporting C-I controls may be ineffective, not just against the adversarial actors, but also against trusted entities. Service providers and malicious insiders can intercept and decrypt network-and host-based data without any guest or user knowledge.
Cyber-Physical Systems Security
Sandia National Laboratories performed a 6-month effort to stand up a "zero-entry" cyber range environment for the purpose of providing self-directed practice to augment transmedia learning across diverse media and/or devices that may be part of a loosely coupled, distributed ecosystem. This 6-month effort leveraged Minimega, an open-source Emulytics™ (emulation + analytics) tool for launching and managing virtual machines in a cyber range. The proof of concept addressed a set of learning objectives for cybersecurity operations by providing three, short "zero-entry" exercises for beginner, intermediate, and advanced levels in network forensics, social engineering, penetration testing, and reverse engineering. Learners provided answers to problems they explored in networked virtual machines. The hands-on environment, Cyber Scorpion, participated in a preliminary demonstration in April 2017 at Ft. Bragg, NC. The present chapter describes the learning experience research and software development effort for a cybersecurity use case and subsequent lessons learned. It offers general recommendations for challenges which may be present in future learning ecosystems.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.
Abstract not provided.