An extensible pattern-based library and taxonomy of security threats for distributed systems

Security is one of the most essential quality attributes of distributed systems, which often operate over untrusted networks such as the Internet. To incorporate security features during the development of a distributed system requires a sound analysis of potential attacks or threats in various contexts, a process that is often termed "threat modeling". To reduce the level of security expertise required, threat modeling can be supported by threat libraries (structured or unstructured lists of threats), which have been found particularly effective in industry scenarios; or attack taxonomies, which offer a classification scheme to help developers find relevant attacks more easily. In this paper we combine the values of threat libraries and taxonomies, and propose an extensible, two-level "pattern-based taxonomy" for (general) distributed systems. The taxonomy is based on the novel concept of a threat pattern, which can be customized and instantiated in different architectural contexts to define specific threats to a system. This allows developers to quickly consider a range of relevant threats in various architectural contexts as befits a threat library, increasing the efficacy of, and reducing the expertise required for, threat modeling. The taxonomy aims to classify a wide variety of more abstract, system- and technology-independent threats, which keeps the number of threats requiring consideration manageable, increases the taxonomy's applicability, and makes it both more practical and more useful for security novices and experts alike. After describing the taxonomy which applies to distributed systems generally, we propose a simple and effective method to construct pattern-based threat taxonomies for more specific system types and/or technology contexts by specializing one or more threat patterns. This allows for the creation of a single application-specific taxonomy. We demonstrate our approach to specialization by constructing a threat taxonomy for peer-to-peer systems.     

An overview of anomaly detection techniques: Existing solutions and latest technological trends

As advances in networking technology help to connect the distant corners of the globe and as the Internet continues to expand its influence as a medium for communications and commerce, the threat from spammers, attackers and criminal enterprises has also grown accordingly. It is the prevalence of such threats that has made intrusion detection systems—the cyberspace’s equivalent to the burglar alarm—join ranks with firewalls as one of the fundamental technologies for network security. However, today’s commercially available intrusion detection systems are predominantly signature-based intrusion detection systems that are designed to detect known attacks by utilizing the signatures of those attacks. Such systems require frequent rule-base updates and signature updates, and are not capable of detecting unknown attacks. In contrast, anomaly detection systems, a subset of intrusion detection systems, model the normal system/network behavior which enables them to be extremely effective in finding and foiling both known as well as unknown or “zero day” attacks. While anomaly detection systems are attractive conceptually, a host of technological problems need to be overcome before they can be widely adopted. These problems include: high false alarm rate, failure to scale to gigabit speeds, etc. In this paper, we provide a comprehensive survey of anomaly detection systems and hybrid intrusion detection systems of the recent past and present. We also discuss recent technological trends in anomaly detection and identify open problems and challenges in this area.     

An evaluation of indirect attacks and countermeasures in fingerprint verification systems

Biometric recognition systems are vulnerable to numerous security threats. These include direct attacks to the sensor or indirect attacks, which represent the ones aimed towards internal system modules. In this work, indirect attacks against fingerprint verification systems are analyzed in order to better understand how harmful they can be. Software attacks via hill climbing algorithms are implemented and their success rate is studied under different conditions. In a hill climbing attack, a randomly generated synthetic template is presented to the matcher, and is iteratively modified based on the score output until it is accepted as genuine. Countermeasures against such attacks are reviewed and analyzed, focusing on score quantization as a case study. It is found that hill climbing attacks are highly effective in the process of creating synthetic templates that are accepted by the matcher as genuine ones. We also find that score quantization drastically reduces the attack success rate. We analyze the hill climbing approach over two state-of-the-art fingerprint verification systems: the NIST Fingerprint Image Software 2, running on a PC and a prototype system fully embedded in a smart card (Match-on-Card). Results of both systems are obtained using a sub corpus of the publicly available MCYT database.     

下一代网络入侵防御研究

随着信息化的发展和网络应用的普及,针对企业和个人的各种攻击越来越复杂,攻击技术和策略也在不断调整,传统的入侵防御系统必须进化到能够处理先进的有针对性的威胁。首先介绍了下一代网络入侵防御系统的概念和主要功能,接着分析了和其它网络安全产品的关系,然后,阐述了下一代网络入侵防御典型产品的关键技术,最后,指出了下一代网络入侵防御的发展前景。     

Spike in phishing and malware a danger to IT

Security firms are reporting that IT departments must be careful of increased threats to corporate networks and data from phishing and malware attacks. There are 33 million unique phishing messages every week, according to Dave Cole, director of security product management at Symantec Security Response. He says this plus an increase in the distribution of malware designed to steal confidential information presents a challenge for IT. Phishing, according to the Anti-Phishing Working Group (APWG), an industry association devoted to eliminating phishing, is definable as attacks that "use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials." Corporations often find that they are victims of another type of phishing attack in which attackers use their good brand names and logos to trick people into responding to bogus solicitations. Although basic security approaches can protect against phishing and malware, Cole says it is also important to have "good Internet security hygiene" and multiple levels of protection for mail clients, servers, and client machines.     

A New Batch Verifying Scheme for Identifying Illegal Signatures

The concept of batch verifying multiple digital signatures is to find a method by which multiple digital signatures can be verified simultaneously in a lower time complexity than separately verifying all the signatures.In this article,we analyze the complexity of the batch verifying schemes defined by Li,Hwang and Chen in 2010,and propose a new batch verifying multiple digital signature scheme,in two variants:one for RSA-by completing the Harn’s schema with an identifying illegal signatures algorithm,and the other adapted for a modified Elliptic Curve Digital Signature Algorithm protocol.     

Analyzing and comparing the security of self-sovereign identity management systems through threat modeling

The concept of Self-Sovereign Identity (SSI) promises to strengthen the security and user-centricity of identity management. Since any secure online service relies on secure identity management, we comparatively analyze the intrinsic security of SSI. Thus, we adopt a hybrid threat modeling approach comprising STRIDE, attack trees, and ratings towards this unique context. Data flow diagrams of the isolated, centralized and the SSI model serve as the foundation for the assessment. The evolution of the paradigms shows an increasing complexity in security zones and communication paths between the components. We identified 35 threats to all SSI components and 15 protection measures that reduce the threats’ criticality. As a result, our research shows that the SSI paradigm’s threat surface is significantly higher compared to the traditional models. Besides the threat assessment on model level, the adapted methodology can evaluate a specific implementation. We analyzed uPort with a restricted scope to its user agent. Thus, 2 out of 10 threats were not properly addressed, leading to potential spoofing, denial, or repudiation of identity actions.

     

Collecting and evaluating speech recognition corpora for 11 South African languages

We describe the Lwazi corpus for automatic speech recognition (ASR), a new telephone speech corpus which contains data from the eleven official languages of South Africa. Because of practical constraints, the amount of speech per language is relatively small compared to major corpora in world languages, and we report on our investigation of the stability of the ASR models derived from the corpus. We also report on phoneme distance measures across languages, and describe initial phone recognisers that were developed using this data. We find that a surprisingly small number of speakers (fewer than 50) and around 10 to 20 h of speech per language are sufficient for the purposes of acceptable phone-based recognition.     

Pick’n’mix comparative tests.

The main question we are going to analyze is: “What is the best way to put together an informative, comprehensive and fair comparative test of scanners?” A common procedure is to take a set of known samples and compare the detection rates. Unfortunately, such tests only check the reactive abilities of scanners because the usual test sets are comprised of only known viruses.Due to the increased connectivity provided by the Internet virus outbreaks can occur and spread much more quickly Viruses involved are always new. For scanners to provide protection they have to be able to proactively detect new viruses. Methods that can be used to measure proactive scanners’ capabilities (generics and heuristics) are presented and compared.We use the Monte Carlo method to analyze a common test situation. Computer simulations show that to achieve higher fairness, test sets ought to be expanded as much as possible. When the test set is small the very process of random sample selection for the test set sorts scanners into “lucky” and “unlucky” categories (we called this effect a “random pick” problem). We also discuss ranking threats as a way of sorting the threats in the test set. The ways to rank the threats and the drawbacks of “Wildlist”—based ranking are discussed.This paper is an attempt to give you an insight into what limitations comparative tests have. It gives several recommendations to the testing bodies on how to improve the quality of tests and make them more suitable to the current situation. It should assist you in understanding the comparative tests.

Current virus and malware threat

The current situation in the computer security differs significantly from the situation we had just a few years ago. A long time ago, virus propagation was mainly via exchange of programs on floppy disks. It was possible to release AV updates monthly. Then file exchange via LANs and servers stepped in. Many AV companies started issuing updates via the Web pages. Now we see an Internet—connected world and deep penetration of relatively insecure operating systems and applications. Updates are now predominantly delivered automatically through the Internet. To fight outbreaks it became necessary to prepare and deliver updates almost instantly and push them out very quickly. All in all — the nature of the threat and the AV scanners have changed dramatically. Are current testing methods coping with these rapid changes?The number of viruses has increased from about 5000 in 1995 to about 30000 DOS viruses and 30000 modern threats today. Modern threats include backdoor trojans, network-aware worms, mass-mailers, DDoS (distributed denial-of-service) zombies, etc. The number of AV programs has also multiplied. In the past there were only DOS scanners. Now we have many operating systems only in “Wintel” space. We also have AV scanners for gateways, firewalls, groupware, on-line scanners, non—“Wintel” scanners and so on. We have hundreds of OS+AV combinations. It is obvious that comparing the quality of AV software has become a very complex task indeed.Fortunately, the detection capabilities of major AV products are usually embodied in their scanning engines (the virus database is meant to be part of the engine here). The engine is then plugged into many different AV products. Now, if the maximum detection capabilities of the engines are compared we would have a reference point — no ports of any engine to any product should achieve better results then the engine itself. The strength of the bare engine also gives indicates the strength of the research team involved. However, it must be clear that it is possible to have worse detection in an AV product as compared with the bare engine. The reason would be improper engine porting, compatibility, interfacing issues or environment limitations.Therefore we need tests to compare point products plus the tests to measure the maximum detection capabilities of the scanning engines. Currently, the setting up of such tests are not easy and require a lot of brains, time and money. That is why these days decent tests are only run by the bodies that are able to find the necessary resources: big universities (free manpower and state funding) or commercial certification bodies (these take fees from AV companies who, in turn, charge their users). In general, magazines cannot do a decent comparative tests on its their own any more. Exceptions to this include “Virus Bulletin” and “Secure Computing”. The former is hosted by “Sophos” (a British AV company) while the latter performs fee-based certifications. Other magazines simply do not have adequate resources and so they either republish the results from big testing bodies or their test results are plain ridiculous (say, when they test a handful of threats). It also has to be said that a lot of knowledge is required to put together a decent comparative test. Specialists in this area are rare and expensive.In the past a scanner finding 100% of viruses known one month ago was considered perfect because most of the troubles were coming from known viruses and the speed of the propagation was slow. This could have easily been tested. These days to be perfect the scanner needs to catch a virus that will cause the next global outbreak! Can this be tested at all? To some extent — yes, but instead of testing the detection rate against known viruses such a test should analyze scanners’ performance against unknown threats! However, in both cases the users want the answer to one and the same question —“Which AV product would protect me better?” Only the way to find out the answer is different today.In this paper, when talking about comparing scanners we intentionally step away from anything but detection and cleaning issues. Things like GUI interface and functionality (quarantining, scheduling, updating, etc.) are deliberately avoided because the prime goal of all scanners is to find and remove viruses. And the ability to find and clean is down to the scanner’s core — the scanning engine and the database of virus’ definitions. We also do not discuss the speed of updates in an outbreak situation but not because it is unimportant!Let us return here to my claim that most magazines’ own tests are primitive and cannot generally be trusted. Due to lack of resources such tests are usually done on a ridiculously small set of samples (like 10 or 20). It is intuitively clear that for a small test set the results may not represent real detection rates. Let us analyze why.

“Random pick” problem for two scanners

Let us imagine a small simple test: we have 10 viruses (let us call them A…J) in total and two scanners. We suppose both scanners are equally good and detect exactly nine viruses out of ten. Furthermore, the detected virus is not the same for both scanners (see Figure 1):     

基于shell命令的内部攻击检测

信息系统不仅面临着外部攻击的威胁,同时也面临着来自系统内部的威胁。本文针对系统内部攻击,首先对信息系统的内部威胁和内部攻击进行简要阐述和分析。基于用户操作行为的一般规律,提出几种检测模型,通过对比检测结果找出检测效果好的检测模型。基于SEA公开数据集,采用词袋、TF-IDF、词汇表以及N-Gram几种方法进行特征提取,使用不同的机器学习算法建立检测模型,包括XGBoost算法、隐式马尔可夫和多层感知机(MLP)。结果显示：测试样本采用词袋+N-Gram特征模型和XGBoost学习算法的精确率和召回率较高,检测效果最好。     

移动互联网音视频类协议识别技术研究与实现

音视频类型的应用程序是应用市场中下载的热点,针对传统互联网的协议识别技术已经相对成熟,但对于移动网络中的音视频应用的识别研究还刚开始受到关注,通过对此类应用识别,运营商可以收集用户在线观看音视频等行为习惯,进而为提供用户差异化服务,也可以服务于对应用的安全审计。文章主要研究了移动互联网音视频类协议识别技术,从对应用协议数据的分析中获取应用特征值,利用特征值实现协议识别;通过开发识别程序和大量实验,实现了对移动互联网音视频类协议的自动识别,并进一步提高识别的准确率及效率。     

REX-J: Japanese referring expression corpus of situated dialogs

Identifying objects in conversation is a fundamental human capability necessary to achieve efficient collaboration on any real world task. Hence the deepening of our understanding of human referential behaviour is indispensable for the creation of systems that collaborate with humans in a meaningful way. We present the construction of REX-J, a multi-modal Japanese corpus of referring expressions in situated dialogs, based on the collaborative task of solving the Tangram puzzle. This corpus contains 24 dialogs with over 4?h of recordings and over 1,400 referring expressions. We outline the characteristics of the collected data and point out the important differences from previous corpora. The corpus records extra-linguistic information during the interaction (e.g. the position of pieces, the actions on the pieces) in synchronization with the participants’ utterances. This in turn allows us to discuss the importance of creating a unified model of linguistic and extra-linguistic information from a new perspective. Demonstrating the potential uses of this corpus, we present the analysis of a specific type of referring expression (“action-mentioning expression”) as well as the results of research into the generation of demonstrative pronouns. Furthermore, we discuss some perspectives on potential uses of this corpus as well as our planned future work, underlining how it is a valuable addition to the existing databases in the community for the study and modeling of referring expressions in situated dialog.     

Corpus-based research on English word recognition rates in primary school and word selection strategy

Acquiring vocabulary is important when studying English, as it assists in listening, speaking, reading, and writing. In this paper, we develop an English webpage corpus (EWC) and create a word frequency list using web crawler technology. By comparing EWC word lists with the British National Corpus (BNC), we find that the BNC word frequency list possesses the feature of timeliness. We also explore primary school students’ English word recognition rates by comparing the word frequency lists of several corpora, including EWC, BNC, SUBTLEX-US, and Subtitle Corpus of Children’s BBC (CBBC). The results show that the word recognition rates for primary school children are relatively low in both general language and specific language register. Motivated by the experiment results, we finally propose some word-selection strategies for compiling English textbooks for Chinese primary school students.     

解析服务器管理中的病毒检测与防护

随着互联网的发展,网络安全漏洞和黑客攻击,给网络服务器的安全、稳定运行带来了极大的威胁。该文在分析了当今网络服务器面临的威胁和攻击的基础上,讨论了网络服务器管理中病毒的检测和防护。     

Threat-driven modeling and verification of secure software using aspect-oriented Petri nets

Design-level vulnerabilities are a major source of security risks in software. To improve trustworthiness of software design, this paper presents a formal threat-driven approach, which explores explicit behaviors of security threats as the mediator between security goals and applications of security features. Security threats are potential attacks, i.e., misuses and anomalies that violate the security goals of systems' intended functions. Security threats suggest what, where, and how security features for threat mitigation should be applied. To specify the intended functions, security threats, and threat mitigations of a security design as a whole, we exploit aspect-oriented Petri nets as a unified formalism. Intended functions and security threats are modeled by Petri nets, whereas threat mitigations are modeled by Petri net-based aspects due to the incremental and crosscutting nature of security features. The unified formalism facilitates verifying correctness of security threats against intended functions and verifying absence of security threats from integrated functions and threat mitigations. As a result, our approach can make software design provably secured from anticipated security threats and, thus, reduce significant design-level vulnerabilities. We demonstrate our approach through a systematic case study on the threat-driven modeling and verification of a real-world shopping cart application.     

Risk-based attack strategies for mobile ad hoc networks under probabilistic attack modeling framework

In this paper, we introduce and design a modeling framework that allows for the study and analysis of attack propagation in mobile ad hoc networks. The choice of a statistical approach for the problem is motivated by the dynamic characteristics of the ad hoc topology and the stochastic nature of threat propagation. Based on this probabilistic modeling framework, we study the impact of topology and mobility in the propagation of software threats over ad hoc networks. We design topology control algorithms that indicate how to properly adjust an attacker’s transmission radius, according to the measured topological characteristics and availability of its resources, in the process of infecting a network more effectively. Then based on these topology control algorithms we develop different attack strategies that may range from independent attacks to cooperative scenarios in order to increase the negative impact of an attack on the network. Our performance evaluation results demonstrate that the proposed topology control algorithms and respective attack strategies effectively balance the tradeoffs between the potential network damage and the attackers’ lifetime, and as a result significantly outperform any other flat and threshold-based approaches.     

计算机网络的安全威胁及其防御机制研究

计算机网络正面临着严重的安全威胁,这些威胁主要有端口扫描、网页软件漏洞、拒绝服务攻击、IP欺骗等,而现行的防火墙技术、入侵检测系统、加密技术、虚拟专用网技术等在防范计算机安全威胁方面都有其自身的弱点,因此,必须进一步改进和加强计算机网络安全技术,完善计算机网络安全的有效管理。     

Assessing insider threats to information security using technical,behavioural and organisational measures

The UK government took a bruising in the headlines (Sep 2008) after a Home Office contractor lost a USB stick containing unencrypted data on all 84,000 prisoners in England and Wales. As a result, the Home Office terminated the £1.5 million contract with the management consultancy firm.The world woke up to the largest attempted bank fraud ever when the UK’s National Hi-Tech Crime Unit foiled the world’s largest potential bank robbery in March 2005. With the help of the security supervisor, thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of a Japanese bank, to steal £220m.It is indeed sobering to imagine that any organisation could fall victim to such events and the damage an insider can do. The consulting firm lost the contract worth £1.5 million due to a small mistake by an employee. The London branch of the Japanese Bank would have lost £220 million had not the crime been foiled.Insider threat is a reality. Insiders commit fraud or steal sensitive information when motivated by money or revenge. Well-meaning employees can compromise the security of an organisation with their overzealousness in getting their job done. Every organisation has a varied mix of employees, consultants, management, partners and complex infrastructure and that makes handling insider threats a daunting challenge. With insider attacks, organisations face potential damage through loss of revenue, loss of reputation, loss of intellectual property or even loss of human life.The insider threat problem is more elusive and perplexing than any other threat. Assessing the insider threat is the first step to determine the likelihood of any insider attack. Technical solutions do not suffice since insider threats are fundamentally a people issue. Therefore, a three-pronged approach - technological, behavioural and organisational assessment is essential in facilitating the prediction of insider threats and pre-empt any insider attack thus improving the organization’s security, survivability, and resiliency in light of insider threats.     

Construction of an aligned monolingual treebank for studying semantic similarity

Modern paraphrase research would benefit from large corpora with detailed annotations. However, currently these corpora are still thin on the ground. In this paper, we describe the development of such a corpus for Dutch, which takes the form of a parallel monolingual treebank consisting of over 2 million tokens and covering various text genres, including both parallel and comparable text. This publicly available corpus is richly annotated with alignments between syntactic nodes, which are also classified using five different semantic similarity relations. A quarter of the corpus is manually annotated, and this informs the development of an automatic tree aligner used to annotate the remainder of the corpus. We argue that this corpus is the first of this size and kind, and offers great potential for paraphrasing research.