Spatio-Temporal Mining of Software Adoption & Penetration
How does malware propagate? Does it form spikes over time? Does it resemble the propagation pattern of benign files, such as software patches? Does it spread uniformly over countries? How long does it take for a URL that distributes malware to be detected and shut down?
In this work, we answer these questions by analyzing patterns from 22 million malicious (and benign) files, found on 1.6 million hosts worldwide during the month of June 2011. We conduct this study using the WINE database available at Symantec Research Labs. Additionally, we explore the research questions raised by sampling on such large databases of executables; the importance of studying the implications of sampling is twofold: First, sampling is a means of reducing the size of the database hence making it more accessible to researchers; second, because every such data collection can be perceived as a sample of the real world.
Finally, we discover the SharkFin temporal propagation pattern of executable files, the GeoSplit pattern in the geographical spread of machines that report executables to Symantec's servers, the Periodic Power Law (Ppl) distribution of the life-time of URLs, and we show how to efficiently extrapolate crucial properties of the data from a small sample. To the best of our knowledge, our work represents the largest study of propagation patterns of executables.
By: Evangelos Papalexakis (CMU), Tudor Dumitraș (Symantec Research Labs), Polo Chau (Georgia Tech), B. Aditya Prakash (Virginia Tech), and Christos Faloutsos (CMU)
Published in: IEEE/ACM International Conference on Social Networks Analysis and Mining (ASONAM 2013), August 2013, Ontario, Canada.
MINESTRONE: Testing the SOUP
Software development using type-unsafe languages (e.g., C and C++) is a challenging task for several reasons, security being one of the most important. Ensuring that a piece of code is bug or vulnerability free is a one of the most critical aspects of software engineering. While most software development life cycle processes address security early on in the requirement analysis phase and refine it during testing, it is not always sufficient. Therefore the use of commercial security tools has been widely adopted by the software industry to help identify vulnerabilities, but they often have a high false-positive rate and have limited effectiveness. In this paper we present MINESTRONE, a novel architecture that integrates static analysis, dynamic confinement, and code diversification to identify, mitigate, and contain a broad class of software vulnerabilities in Software Of Uncertain Provenance (SOUP). MINESTRONE has been tested against an extensive test suite and showed promising results. MINESTRONE showed an improvement of 34.6% over the state-of-the art for memory corruption bugs that are commonly exploited.
By: Azzedine Benameur, Nathan Evans, Matthew Elder (Symantec Research Labs)
Published in: 2013 USENIX Workshop on Cyber Security Experimentation and Test (CSET ‘13) Workshop, August 2013, Washington, D.C.
Cloud Resiliency and Security via Diversified Replica Execution and Monitoring
The Information Technology industry heavily relies on the cloud computing paradigm for large-scale infrastructures, and more military and critical infrastructure systems are moving towards cloud platforms as well. Leveraging the cloud can reduce the total cost of ownership and allocates resources on demand in order to cope with load. Two key expectations when shifting to cloud-based services are availability and security. However, recent outages with major Platform as a Service (PaaS) providers reported widely in the press have proven that even a cloud platform cannot provide perfect availability. In addition, a 2013 Defense Science Board report on “Cyber Security and Reliability in a Digital Cloud” finds that while some security practices can be improved in a cloud environment, some threats are different or exacerbated. In this paper we present an approach to leverage the elasticity and on-demand provisioning features of the cloud to improve resilience to availability concerns and common attacks. Our approach utilizes diversification of lightweight virtualized application servers for redundancy and protection against both application errors and network-based attacks.
By: Azzedine Benameur, Nathan Evans, Matthew Elder (Symantec Research Labs)
Published in: 1st International Symposium on Resilient Cyber Systems, August 2013, San Francisco, CA.
DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis
Botnets continue to be a significant problem on the Internet. Accordingly, a great deal of research has focused on methods for detecting and mitigating the effects of botnets. Two of the primary factors preventing the development of effective large-scale, wide-area botnet detection systems are seemingly contradictory. On the one hand, technical and administrative restrictions result in a general unavailability of raw network data that would facilitate botnet detection on a large scale. On the other hand, were this data available, real-time processing at that scale would be a formidable challenge. In contrast to raw network data, NetFlow data is widely available. However, NetFlow data imposes several challenges for performing accurate botnet detection.
In this paper, we present Disclosure, a large-scale, wide-area botnet detection system that incorporates a combination of novel techniques to overcome the challenges imposed by the use of NetFlow data. In particular, we identify several groups of features that allow Disclosure to reliably distinguish C&C channels from benign traffic using NetFlow records (i.e., flow sizes, client access patterns, and temporal behavior). To reduce Disclosure's false positive rate, we incorporate a number of external reputation scores into our system's detection procedure. Finally, we provide an extensive evaluation of Disclosure over two large, real-world networks. Our evaluation demonstrates that Disclosure is able to perform real-time detection of botnet C&C channels over datasets on the order of billions of flows per day.
By: Leyla Bilge (SRL), Davide Balzarotti (Eurecom), William Robertson (Northeastern University), Engin Kirda (Northeastern University), Christopher Kruegel (UCSB)
Published in: 2012 Annual Computer Security Applications Conference (ACSAC) December 9-13th, 2012, Orlando, Florida
Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World
Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments. In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
By: Leyla Bilge, Tudor Dumitras
Published in: 19th ACM Conference on Computer and Communications Security October 16-18th, 2012, Raleigh, NC
Security of Power Grids: a European Perspective
Industrial control systems (ICS) are rapidly becoming a new major target of cyber-criminals. This was pointed out in multiple occasions by security experts and was confirmed by a recent survey carried out by Symantec. In this survey, 53% of the 1580 critical infrastructure companies that were interviewed admitted to having been targeted by cyber attacks. On average, the surveyed companies admitted to having been attacked 10 times in the last 5 years, with each of these attacks having an average cost of 850k USD. The survey provides a basis for a quantitative estimate of the extent of the problem and implies that the incidents reported by the press over the last several years are nothing but the tip of a considerably larger problem: the vast majority of incidents have never been disclosed. Still, the details of the publicly disclosed incidents give us a better understanding of the underlying issues we face. For instance, a recently discovered malware variant called Stuxnet which has been analyzed at length by Symantec was shown to be part of a highly sophisticated targeted attack aiming at tampering with devices involved in the control of high speed engines, and compromise the associated industrial process. The infection was only uncovered accidentally when an operational anomaly was discovered — Stuxnet has probably been operating undetected since June of 2009. Stuxnet, and other related threats discovered recently, show that industrial control systems are evolving, bringing powerful capabilities into the critical infrastructure environment along with new and yet undiscovered threats. This work provides an overview on the key issues associated to the security of the power grids, and the approach that is currently being followed by the CRISALIS FP7 project at addressing them.
By: Corrado Leita, Marc Dacier
Published in: NIST Cyber-Physical Systems Workshop, April 23-24th, 2012, Gaitesburg, Maryland.
The MEERKATS Cloud Security Architecture
MEERKATS is a novel architecture for cloud environments that elevates continuous system evolution and change as first-rate design principles. Our goal is to enable an environment for cloud services that constantly changes along several dimensions, toward creating an unpredictable target for an adversary. This unpredictability will both impede the adversary’s ability to achieve an initial system compromise and, if a compromise occurs, to detect, disrupt, and/or otherwise impede his ability to exploit this success. Thus, we envision an environment where cloud services and data are constantly in flux, using adaptive (both proactive and reactive) protection mechanisms and distributed monitoring at various levels of abstraction. A key element of MEERKATS is the focus on both the software and the data in the cloud, not just protecting but leveraging both to improve mission resilience. MEERKATS seeks to effectively exploit “economies of scale” (in resources available) to provide higher flexibility and effectiveness in the deployment and use of protection mechanisms as and where needed, focusing on current and anticipated application and mission needs instead of an inefficient, “blanket” approach to protecting “everything the same way, all the time”. We outline our vision for MEERKATS and describe our approach toward prototyping it.
By: Angelos Keromytis, Roxana Geambasu, Simha Sethumadhavan, Salvatore Stolfo, Junfeng Yang (Columbia University), Azzedine Benameur, Marc Dacier, Matthew Elder, Darrell Kienzle (Symantec Research Labs), Angelos Stavrou (George Mason University)
Published in: Proceedings of the 2012 32nd International Conference on Distributed Computing Systems Workshops, ser. ICDCSW ’12, pp. 446–450. June 2012, Macau, China.
Ask WINE: Are We Safer Today? Evaluating Operating System Security through Big Data Analysis
The Internet can be a dangerous place: 800,000 new malware variants are detected each day, and this number is growing at an exponential rate—driven by the quest for economic gains. However, over the past ten years operating-system vendors have introduced a number of security technologies that aim to make exploits harder and to reduce the attack surface of the platform. Faced with these two conflicting trends, it is difficult for end users to determine what techniques make them safer from Internet attacks. In this position paper, we argue that to answer this question conclusively we must analyze field data collected on real hosts that are targeted by attacks—e.g., the approximately 50 million records of anti-virus telemetry available through Symantec’s WINE platform. Such studies can characterize the factors that drive the production of malware, can help us understand the impact of security technologies in the real world and can suggest new security metrics, derived from field observations rather than small lab experiments, indicating how susceptible to attacks a computing platform may be.
By: Tudor Dumitras, Petros Efstathopoulos (Symantec Research Labs)
Published in: USENIX Workshop on Large Scale Exploits and Emerging Threats (LEET ‘12), April 2012, San Jose, California.
The Provenance of WINE
The results of cyber security experiments are often impossible to reproduce, owing to the lack of adequate descriptions of the data collection and experimental processes. Such provenance information is difficult to record consistently when collecting data from distributed sensors and when sharing raw data among research groups with variable standards for documenting the steps that produce the final experimental result. In the WINE benchmark, which provides field data for cyber security experiments, we aim to make the experimental process self-documenting. The data collected includes provenance information—such as when, where and how an attack was first observed or detected—and allows researchers to gauge information quality. Experiments are conducted on a common testbed, which provides tools for recording each procedural step. The ability to understand the provenance of research results enables rigorous cyber security experiments, conducted at scale.
By: Tudor Dumitras, Petros Efstathopoulos (Symantec Research Labs)
Published in: European Dependable Computing Conference (EDCC ’12), May 2012, Sibiu, Romania.
Experimental Challenges in Cyber Security: A Story of Provenance and Lineage for Malware
Rigorous experiments and empirical studies hold the promise of empowering researchers and practitioners to develop better approaches for cyber security. For example, understanding the provenance and lineage of polymorphic malware strains can lead to new techniques for detecting and classifying unknown attacks. Unfortunately, many challenges stand in the way: the lack of sufficient field data (e.g., malware samples and contextual information about their impact in the real world), the lack of metadata about the collection process of the existing data sets, the lack of ground truth, the difficulty of developing tools and methods for rigorous data analysis.
As a first step towards rigorous experimental methods, we introduce two techniques for reconstructing the phylogenetic trees and dynamic control-flow graphs of unknown binaries, inspired from research in software evolution, bioinformatics and time series analysis. Our approach is based on the observation that the long evolution histories of open source projects provide an opportunity for creating precise models of lineage and provenance, which can be used for detecting and clustering malware as well.
As a second step, we present experimental methods that combine the use of a representative corpus of malware and contextual information (gathered from end hosts rather than from network traces or honeypots) with sound data collection and analysis techniques. While our experimental methods serve a concrete purpose— understanding lineage and provenance—they also provide a general blueprint for addressing the threats to the validity of cyber security studies.
By: Tudor Dumitras (Symantec Research Labs), Iulian Neamtiu (CMU)
Published in: 2011 USENIX Workshop on Cyber Security Experimentation and Test (CSET ‘11), August 2011, San Francisco, CA.
The MINESTRONE Architecture Combining Static and Dynamic Analysis Techniques for Software Security
We present MINESTRONE, a novel architecture that integrates static analysis, dynamic confinement, and code diversification techniques to enable the identification, mitigation and containment of a large class of software vulnerabilities in third-party software. Our initial focus is on software written in C and C++; however, many of our techniques are equally applicable to binary-only environments (but are not always as efficient or as effective) and for vulnerabilities that are not specific to these languages. Our system seeks to enable the immediate deployment of new software (e.g., a new release of an open-source project) and the protection of already deployed (legacy) software by transparently inserting extensive security instrumentation, while leveraging concurrent program analysis, potentially aided by runtime data gleaned from profiling actual use of the software, to gradually reduce the performance cost of the instrumentation by allowing selective removal or refinement. Artificial diversification techniques are used both as confinement mechanisms and for fault-tolerance purposes. To minimize the performance impact, we are leveraging multicore hardware or (when unavailable) remote servers that enable quick identification of likely compromise. To cover the widest possible range of systems, we require no specific hardware or operating system features, although we intend to take advantage of such features where available to improve both runtime performance and vulnerability coverage.
By: Angelos Keromytis, Salvatore Stolfo, Junfeng Yang (Columbia University), Angelos Stavrou, Anup Ghosh (George Mason University), Dawson Engler (Stanford University), Marc Dacier, Matthew Elder, Darrell Kienzle (Symantec Research Labs)
Published in: 1st SysSec Workshop (SysSec 2011), July 2011, Amsterdam, The Netherlands.
Toward a Standard Benchmark for Computer Security Research: The Worldwide Intelligence Network Environment (WINE)
Unlike benchmarks that focus on performance or reliability evaluations, a benchmark for computer security must necessarily include sensitive code and data. Because these artifacts could damage systems or reveal personally identifiable information about the users affected by cyber attacks, publicly disseminating such a benchmark raises several scientific, ethical and legal challenges. We propose the Worldwide Intelligence Network Environment (WINE), a security-benchmarking approach based on rigorous experimental methods. WINE includes representative field data, collected worldwide from 240,000 sensors, for new empirical studies, and it will enable the validation of research on all the phases in the lifecycle of security threats. We tackle the key challenges for security benchmarking by designing a platform for repeatable experimentation on the WINE data sets and by collecting the metadata required for understanding the results. In this paper, we review the unique characteristics of the WINE data, we discuss why rigorous benchmarking will provide fresh insights on the security arms race and we propose a research agenda for this area.
By: Tudor Dumitras and Darren Shou (Symantec Research Labs)
Published in: Proceedings of the First EuroSys Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (EuroSys BADGERS 2011), Salzburg, Austria, April 2011
Please obtain a copy of this paper from the ACM.
HARMUR: Storing and Analyzing Historic Data on Malicious Domains
A large amount of work has been done to develop tools and techniques to detect and study the presence of threats on the web. This includes, for instance, the development of a variety of different client honeypot techniques for the detection and study of drive-by downloads, as well as the creation of blacklists to prevent users from visiting malicious web pages. Due to the extent of the web and the scale of the problem, existing work typically focuses on the collection of information on the current state of web pages and does not take into account the temporal dimension of the problem.
In this paper we describe HARMUR, a security dataset developed in the context of the WOMBAT project that aims at exploring the dynamics of the security and contextual information associated to malicious domains. We detail the design decisions that have led to the creation of an easily extensible architecture, and describe the characteristics of the underlying dataset. Finally, we demonstrate through examples the value of the collected information, and the importance of tracking the evolution of the state of malicious domains to gather a more complete picture on the threat landscape.
By: Corrado Leita (Symantec Research Labs) and Marco Cova** (University of Birmingham)
Published in: Proceedings of the First EuroSys Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (EuroSys BADGERS 2011), Salzburg, Austria, April 2011
Please obtain a copy of this paper from the ACM.
An Attack Surface Metric
Measurement of software security is a long standing challenge to the research community. At the same time, practical security metrics and measurements are essential for secure software development. Hence the need for metrics is more pressing now due to a growing demand for secure software. In this paper, we propose to use a software system's attack surface measurement as an indicator of the system's security. We formalize the notion of a system's attack surface and introduce an attack surface metric to measure the attack surface in a systematic manner. Our measurement method is agnostic to a software system's implementation language and is applicable to systems of all sizes; we demonstrate our method by measuring the attack surfaces of small desktop applications and large enterprise systems implemented in C and Java. We conducted three exploratory empirical studies to validate our method. Software developers can mitigate their software's security risk by measuring and reducing their software's attack surfaces. Our attack surface reduction approach complements software industry's traditional code quality improvement approach for security risk mitigation and is useful in multiple phases of the software development lifecycle. Our collaboration with SAP demonstrates the use of our metric in the software development process.
By: Pratyusa K. Manadhata* (Symantec Research Labs) and Jeannette M. Wing (Carnegie Mellon University)
Published in: IEEE Transactions on Software Engineering, accepted for future publication and available online from the IEEE as a preprint, June 2010
Please obtain a copy of this paper from the IEEE at http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5482589
Responsibility for the Harm and Risk of Software Security Flaws
Software vulnerabilities are a vexing problem for the state of information assurance and security. Who is responsible for the risk and harm of software security is controversial. Deliberation of the responsibility for harm and risk due to software security flaws requires considering how incentives (and disincentives) and network effects shape the practices of vendors and adopters, and the consequent effects on the state of software security. This chapter looks at these factors in more detail in the context of private markets and public welfare.
By: Cassio Goldschmidt* (Symantec Research Labs); Melissa Jane Dark, and Hina Chaudhry (Purdue University)
Published in: Information Assurance and Security Ethics in Complex Systems: Interdisciplinary Perspectives, by Melissa Jane Dark (Purdue University), August 31, 2010, IGI Global, August 31, 2010, pp. 104-131.
Please obtain a copy of this chapter from the publisher listed above.
Advances in Topological Vulnerability Analysis
Currently, network administrators must rely on labor-intensive processes for tracking network configurations and vulnerabilities, which requires a great deal of expertise and is error prone. The organization of networks and the inter dependencies of vulnerabilities are so complex as to make traditional vulnerability analysis inadequate. We describe a Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network. From models of the network vulnerabilities and potential attacker exploits, we discover attack paths (organized as graphs) that convey the impact of individual and combined vulnerabilities on overall security. We provide sophisticated attack graph visualizations, with high-level overviews and detail drill down. Decision support capabilities let analysts make optimal tradeoffs between safety and availability, and show how to best apply limited security resources. We employ efficient algorithms that scale well to larger networks.
By: Steven Noel (George Mason University); Matthew Elder (Symantec Research Labs); Sushil Jajodia, Pramod Kalapa (George Mason University); Scott O’Hare, and Kenneth Prole (Secure Decisions, Division of Applied Visions Inc.)
Published in: Proceedings of the Cybersecurity Applications & Technology Conference For Homeland Security (CATCH 2009), Washington, DC, March 2009
Please obtain a copy of this paper from the publisher listed above.
Reducing E-Discovery Cost by Filtering Included Emails
As businesses become more reliance on information technology, electronic information is often produced as vital evidence during civil litigation. The process of discovering electronic information as evidence is getting increasingly expensive as the volume of data explodes. This surging demand calls for a solution to reduce the cost associated with the discovery process. In this paper, we propose filtering included emails as a means to reduce review data volume, and describe efficient algorithms to identify those emails. Experiments show that this can reduce the number of emails to be reviewed by 20% in corporate email corpse.
By: Tsuen-Wan “Johnny” Ngan (Symantec Research Labs)
Published in: Proceedings of the Fifth Conference on Emails and Anti-Spam (CEAS 2008), August 2008
Please obtain a copy of this paper from the publisher listed above.
Data Space Randomization
Over the past several years, US-CERT advisories, as well as most critical updates from software vendors, have been due to memory corruption vulnerabilities such as buffer overflows, heap overflows, etc. Several techniques have been developed to defend against the exploitation of these vulnerabilities, with the most promising defenses being based on randomization. Two randomization techniques have been explored so far: address space randomization (ASR) that randomizes the location of objects in virtual memory, and instruction set randomization (ISR) that randomizes the representation of code. We explore a third form of randomization called data space randomization (DSR) that randomizes the representation of data stored in program memory. Unlike ISR, DSR is effective against non-control data attacks as well as code injection attacks. Unlike ASR, it can protect against corruption of non-pointer data as well as pointer-valued data. Moreover, DSR provides a much higher range of randomization (typically 232 for 32-bit data) as compared to ASR. Other interesting aspects of DSR include (a) it does not share a weakness common to randomization-based defenses, namely, susceptibility to information leakage attacks, and (b) it is capable of detecting some exploits that are missed by full bounds-checking techniques, e.g., some of the overflows from one field of a structure to the next field. Our implementation results show that with appropriate design choices, DSR can achieve a performance overhead in the range of 5% to 30% for a range of programs.
By: Sandeep Bhatkar (Symantec Research Labs) and R. Sekar (Stony Brook University)
Publication: Proceedings of the 5th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2008), July 2008
Please obtain a copy of this paper from the publisher listed above.
Engineering Sufficiently Secure Computing
We propose an architecture of four complimentary technologies increasingly relevant to a growing number of home users and organizations: cryptography, separation kernels, formal verification, and rapidly improving techniques relevant to software defect density estimation. Cryptographic separation protects information in transmission and storage. Formally proven properties of separation kernel based secure virtualization can bound risk for information in processing. Then, within each strongly separated domain, risk can be measured as a function of people and technology within that domain. Where hardware, software, and their interactions are proven to behave as and only as desired under all circumstances, such hardware and software can be considered to not substantially increase risk. Where the size or complexity of software is beyond such formal proofs, we discuss estimating risk related to software defect densities, and emerging work related to binary analysis with potential for improving software defect density estimation.
By: Brian Witten (Symantec Research Labs)
Published in: Proceedings of the 22nd Annual Computer Security Applications Conferences (ACSAC 2006), Miami Beach, FL, December 2006
Please obtain a copy of this paper from the publisher listed above.
Matteo Dell'Amico, Researcher
Petros Efstathopoulos, Researcher
Christopher Gates, Researcher
Fanglu Guo, Researcher
Yufei Han, Principal Research Engineer
Michael Hart, Researcher
CW Hobbs, Engineer
Yin Liu, Researcher
Daniel Marino, Researcher
Susanta Nanda, Researcher
Aleatha Parker-Wood, Researcher
Hemant Puri, Researcher
Johann Roturier, Researcher
Kevin Roundy, Researcher
Yun Shen, Researcher
Darren Shou, Director of Research
David Silva, Software Engineer
Pierre-Antoine Vervier, Senior Researcher
Leylya Yumer, Researcher