
Showing papers by "Richard P. Lippmann published in 2010"


Journal ArticleDOI
TL;DR: The four papers in this special issue provide a standard taxonomy of the types of attacks that can be expected in an adversarial framework, demonstrate how to design classifiers that are robust to deleted or corrupted features, and provide approaches to detect web pages designed to manipulate web page scores returned by search engines.
Abstract: Whenever machine learning is used to prevent illegal or unsanctioned activity and there is an economic incentive, adversaries will attempt to circumvent the protection provided. Constraints on how adversaries can manipulate training and test data for classifiers used to detect suspicious behavior make problems in this area tractable and interesting. This special issue highlights papers that span many disciplines including email spam detection, computer intrusion detection, and detection of web pages deliberately designed to manipulate the priorities of pages returned by modern search engines. The four papers in this special issue provide a standard taxonomy of the types of attacks that can be expected in an adversarial framework, demonstrate how to design classifiers that are robust to deleted or corrupted features, demonstrate the ability of modern polymorphic engines to rewrite malware so it evades detection by current intrusion detection and antivirus systems, and provide approaches to detect web pages designed to manipulate web page scores returned by search engines. We hope that these papers and this special issue encourage the multidisciplinary cooperation required to address many interesting problems in this relatively new area, including predicting the future of the arms races created by adversarial learning, developing effective long-term defensive strategies, and creating algorithms that can process the massive amounts of training and test data available for internet-scale problems.

119 citations


Proceedings ArticleDOI
14 Sep 2010
TL;DR: A new tool named NAVIGATOR (Network Asset VIsualization: Graphs, ATtacks, Operational Recommendations) adds significant capabilities to earlier work in attack graph visualization, showing network topology, infrastructure devices, and host-level data while still conveying situational awareness of the network as a whole.
Abstract: A new tool named NAVIGATOR (Network Asset VIsualization: Graphs, ATtacks, Operational Recommendations) adds significant capabilities to earlier work in attack graph visualization. Using NAVIGATOR, users can visualize the effect of server-side, client-side, credential-based, and trust-based attacks. By varying the attacker model, NAVIGATOR can show the current state of the network as well as hypothetical future situations, allowing for advance planning. Furthermore, NAVIGATOR explicitly shows network topology, infrastructure devices, and host-level data while still conveying situational awareness of the network as a whole. This tool is implemented in Java and uses an existing C++ engine for reachability and attack graph calculations.

72 citations


Proceedings ArticleDOI
14 Sep 2010
TL;DR: This paper presents EMBER (Extreme Malicious Behavior viewER), an analysis and display of malicious activity at the city level using a metric called Standardized Incidence Rate (SIR) that is the number of hosts exhibiting malicious behavior per 100,000 available hosts.
Abstract: Geographical displays are commonly used for visualizing widespread malicious behavior of Internet hosts. Placing dots on a world map or coloring regions by the magnitude of activity often results in cluttered maps that invariably emphasize population-dense metropolitan areas in developed countries where Internet connectivity is highest. To uncover atypical regions, it is necessary to normalize activity by the local computer population. This paper presents EMBER (Extreme Malicious Behavior viewER), an analysis and display of malicious activity at the city level. EMBER uses a metric called Standardized Incidence Rate (SIR) that is the number of hosts exhibiting malicious behavior per 100,000 available hosts. This metric relies on available data that (1) maps IP addresses to geographic locations, (2) provides current city populations, and (3) provides computer usage penetration rates. Analysis of several months of suspicious source IP addresses from DShield identifies cities with extremely high and low malicious activity rates on a day-by-day basis. In general, cities in a few Eastern European countries have the highest SIRs whereas cities in Japan and South Korea have the lowest. Many of these results are consistent with news reports describing local cyber security policies. A simulation that models how malware spreads preferentially within cities to local IP addresses replicates the long-tailed distribution of city SIRs that was found in the data. This simulation result agrees with past analyses in suggesting that malware often preferentially spreads to local regions with already high levels of malicious activity.

13 citations


Proceedings ArticleDOI
01 Nov 2010
TL;DR: By exploiting the size of the network along with the minimal overhead of NetFlow data, this work is able to model groups of hosts performing similar functions to discover anomalous behavior and provides a means for creating and labeling these categories.
Abstract: Previous methods of network anomaly detection have focused on defining a temporal model of what is "normal," and flagging the "abnormal" activity that does not fit into this pre-trained construct. When monitoring traffic to and from IP addresses on a large network, this problem can become computationally complex, and potentially intractable, as a state model must be maintained for each address. In this paper, we present a method of detecting anomalous network activity without providing any historical context. By exploiting the size of the network along with the minimal overhead of NetFlow data, we are able to model groups of hosts performing similar functions to discover anomalous behavior. As a collection, these anomalies can be further described with a few high-level characterizations and we provide a means for creating and labeling these categories. We demonstrate our method on a very large-scale network consisting of 30 million unique addresses, focusing specifically on traffic related to web servers.

6 citations