About
181 Publications, 27,006 Reads
4,261 Citations

Publications (181)
Neural network (NN)-based network intrusion detection systems (NIDSs) are becoming popular these days due to their notable advantages. This article reviews the current application of explainable artificial intelligence techniques and tools for explaining the behavior of the NIDS.
While network attacks play a critical role in many advanced persistent threat (APT) campaigns, an arms race exists between network defenders and the adversary: to keep APT campaigns stealthy, the adversary is strongly motivated to evade the detection system. However, new studies have shown that neural networks are likely a game-changer in the arm...
The past several years have witnessed rapidly increasing use of machine learning (ML) systems in multiple industry sectors. Since security analysis is one of the most essential parts of the real-world ML system protection practice, there is an urgent need to conduct systematic security analysis of ML systems. However, it is widely recognized that t...
An adversarial example, which is an input instance with small, intentional feature perturbations to machine learning models, represents a concrete problem in Artificial intelligence safety. As an emerging defense method to defend against adversarial examples, generative adversarial networks-based defense methods have recently been studied. However,...
Network attacks have become a major security concern for organizations worldwide. A category of network attacks that exploit the logic (security) flaws of a few widely-deployed authentication protocols has been commonly observed in recent years. Such logic-flaw-exploiting network attacks often do not have distinguishing signatures, and can thus eas...
This paper proposes a co-design adaptive defense scheme against a class of zero-day buffer over-read attacks that follow unknown stationary probability distributions. In particular, the co-design scheme integrates an improved UCB algorithm and a customized server. The improved UCB algorithm adaptively allocates guard pages on a heap based on induce...
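The abstract above describes guard pages being placed adaptively by a UCB bandit. The following is an added illustration, not code from the paper: it uses textbook UCB1 (the paper's "improved UCB" is not specified here) to decide, each round, which of K heap regions receives the single available guard page, where the attacker's over-read target follows a constructed, unknown-to-the-defender stationary distribution. A guard page "catches" an over-read only when it sits in the targeted region. The region count, the attack distribution and the one-guard-page budget are all assumptions made for the example.

```python
import math
import random

# Constructed attacker profile (unknown to the defender): probability that a
# zero-day over-read lands in each of the K heap regions. Region 1 is the hot spot.
ATTACK_DIST = [0.05, 0.70, 0.15, 0.10]


def ucb_guard_pages(attack_dist, rounds, seed=0):
    """Adaptive guard-page placement with UCB1.

    Each round the defender guards one region (the bandit 'arm'); the reward is
    1 if that round's over-read hits the guarded region and is therefore caught.
    Returns how often each region was guarded and the overall catch rate.
    """
    rng = random.Random(seed)
    k = len(attack_dist)
    regions = list(range(k))
    pulls = [0] * k       # times each region was guarded
    rewards = [0.0] * k   # over-reads caught per region
    caught = 0

    for t in range(1, rounds + 1):
        if t <= k:
            guarded = t - 1   # guard every region once to initialise the estimates
        else:
            # UCB1 score: empirical catch rate + exploration bonus for rarely guarded regions
            guarded = max(
                regions,
                key=lambda r: rewards[r] / pulls[r] + math.sqrt(2.0 * math.log(t) / pulls[r]),
            )
        target = rng.choices(regions, weights=attack_dist)[0]   # the attacker's over-read
        reward = 1.0 if target == guarded else 0.0
        pulls[guarded] += 1
        rewards[guarded] += reward
        caught += int(reward)

    return {"pulls": pulls, "caught": caught, "catch_rate": caught / rounds}


def static_guard_pages(attack_dist, rounds, region, seed=0):
    """Baseline: a guard page fixed at one region for the whole run."""
    rng = random.Random(seed)
    regions = list(range(len(attack_dist)))
    caught = sum(
        1 for _ in range(rounds) if rng.choices(regions, weights=attack_dist)[0] == region
    )
    return {"caught": caught, "catch_rate": caught / rounds}


if __name__ == "__main__":
    adaptive = ucb_guard_pages(ATTACK_DIST, rounds=5000, seed=1)
    fixed = static_guard_pages(ATTACK_DIST, rounds=5000, region=0, seed=1)
    print("guard placements per region:", adaptive["pulls"])
    print("adaptive catch rate: %.2f, fixed-region catch rate: %.2f"
          % (adaptive["catch_rate"], fixed["catch_rate"]))
```

With a stationary attacker, the placement counts concentrate on the most-targeted region after a few hundred rounds, and the catch rate approaches that region's share of over-reads; a guard page fixed at a cold region catches almost nothing. If the attacker's distribution is not stationary, UCB1's assumptions break and a sliding-window or discounted variant is needed, which is exactly the kind of gap the abstract's "unknown stationary probability distributions" qualifier is pointing at.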
As control-flow protection methods get widely deployed it is difficult for attackers to corrupt control data to build attacks. Instead, data-oriented exploits, which modify non-control data for malicious goals, have been demonstrated to be possible and powerful. To defend against data-oriented exploits, the first fundamental step is to identify non...
Conventional encryption solutions cannot defend against a coercive attacker who can capture the device owner, and force the owner to disclose keys used for decrypting sensitive data. To defend against such a coercive adversary, Plausibly Deniable Encryption (PDE) was introduced to allow the device owner to deny the very existence of sensitive data....
Network attacks are still a major security concern for organizations worldwide. Recently, researchers have started to apply neural networks to detect network attacks by leveraging network traffic data. However, public network data sets have major drawbacks such as limited data sample variations and unbalanced data with respect to malicious and benign...
In recent years, deep learning has gained proliferating popularity in the cybersecurity application domain since, compared to traditional machine learning, it usually involves less human effort, produces better results, and provides better generalizability. However, the imbalanced data issue is very common in cybersecurity, which can substan...
One of the most challenging problems in the field of intrusion detection is anomaly detection for discrete event logs. While most earlier work focused on applying unsupervised learning upon engineered features, most recent work has started to resolve this challenge by applying deep learning methodology to abstraction of discrete event entries. Insp...
Network attacks have become a major security concern for organizations worldwide and have also drawn attention in academia. Recently, researchers have applied neural networks to detect network attacks with network logs. However, public network data sets have major drawbacks such as limited data sample variations and unbalanced data with respec...
Advanced persistent threat campaigns employ sophisticated strategies and tactics to achieve their attack goal.
Growing multi-stage attacks in computer networks impose significant security risks and necessitate the development of effective defense schemes that are able to autonomously respond to intrusions during vulnerability windows. However, the defender faces several real-world challenges, e.g., unknown likelihoods and unknown impacts of successful explo...
Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present DeepReturn, which innovatively combines address space l...
Although using machine learning techniques to solve computer security challenges is not a new idea, the rapidly emerging Deep Learning technology has recently triggered a substantial amount of interest in the computer security community. This paper seeks to provide a dedicated review of the very recent research works on using Deep Learning techniq...
Adversarial examples are human-imperceptible perturbations to inputs to machine learning models. While attacking machine learning models, adversarial examples cause the model to make a false positive or a false negative. So far, two representative defense architectures have shown a significant effect: (1) model retraining architecture; and (2) inpu...
Due to the risk of data leakage while training deep learning models in a shared environment, we propose a new privacy-preserving deep learning (PPDL) method using a structural image de-identification approach for object classification. The proposed structural image de-identification approach is designed based on the fact that the degree of structura...
Although many building blocks of today’s cyber-defense solutions are already fully automatic, there is still a debate on whether next-generation cyber-defense solutions should be wholly autonomous. In this paper, we contribute to the debate in the context of Cybersecurity Operations Centers (CSOCs), which have been widely established in prominent c...
Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasures that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this article, we present Kruiser, a concurrent kernel heap buf...
This paper investigates simultaneous input and state estimation for a class of nonlinear stochastic systems. We propose a recursive filter to concurrently estimate system states and unknown inputs. We show that the estimation errors of the proposed filter are Practically Exponentially Stable in probability, and the estimation error covariance matri...
With the emergence of hardware-assisted processor tracing, execution traces can be logged with lower runtime overhead and integrated into the core dump. In comparison with an ordinary core dump, such a new post-crash artifact provides software developers and security analysts with more clues to a program crash. However, existing works only rely on...
The purpose of this chapter is to introduce cyber security researchers to key concepts in modern control and game theory that are relevant to Moving Target Defenses and Adaptive Cyber Defense. We begin by observing that there are fundamental differences between control models and game models that are important for security practitioners to understa...
In this chapter, we leverage reinforcement learning as a unified framework to design effective adaptive cyber defenses against zero-day attacks. Reinforcement learning is an integration of control theory and machine learning. A salient feature of reinforcement learning is that it does not require the defender to know critical information of zero-da...
This chapter introduces cyber security researchers to key concepts in the data streaming and sketching literature that are relevant to Adaptive Cyber Defense (ACD) and Moving Target Defense (MTD). We begin by observing the challenges met in the big data realm. Particular attention is paid to the need for compact representations of large datasets, a...
During the past 25 years, the arms race between attacks exploiting memory corruption and memory protection techniques has drawn tremendous attention. This book chapter seeks to give an in-depth review of the newest research progress made on applying the MTD methodology to protect against memory corruption exploits. The new research progress also represents...
This paper investigates a class of multi-player discrete games where each player aims to maximize its own utility function. Each player does not know the other players’ action sets, their deployed actions or the structures of its own or the others’ utility functions. Instead, each player only knows its own deployed actions and its received utility...
Today’s cyber defenses are largely static, allowing adversaries to pre-plan their attacks. In response to this situation, researchers have started to investigate various methods that make networked information systems less homogeneous and less predictable by engineering systems that have homogeneous functionalities but randomized manifestations. The...
Software upgrades play a pivotal role in enhancing software performance, and are a critical component of resolving software bugs and patching security issues. However, consumers' eagerness to upgrade to the newest operating system is often tempered after release. In this paper, we focus on the upgrade perceptions and practices of users utilizing Mi...
In the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks have emerged. Among data-oriented attacks, data structure manipulation attack (DSMA) is a major category. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hija...
Cyberresiliency is the capability of an enterprise network to continuously provide (the supported missions and business processes with) essential functions in the midst of an attack campaign. It is defined as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that inclu...
Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code (known as gadgets) to perform arbitrary operations on target machines. Existing detection mechanisms against ROP often rely on certain heuristic rules and/or require instrumentations to the program or the compiler. As a result, they exhibit low dete...
Cyber-defense and cyber-resilience techniques sometimes fail in defeating cyber-attacks. One of the primary causes is the ineffectiveness of business process impact assessment in the enterprise network. In this paper, we propose a new business process impact assessment method, which measures the impact of an attack towards a business-process-suppor...
Security operations centers (SOCs) employ various cyber defense measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with incoming network data collected and accumulated at a rapid speed, analysts are usually ove...
Users are often educated to follow advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable when they grant password managers the privilege to...
This technical report provides the description and the derivation of a novel nonlinear unknown input and state estimation algorithm (NUISE) for mobile robots. The algorithm is designed for real-world robots with nonlinear dynamic models and subject to stochastic noises on sensing and actuation. Leveraging sensor readings and planned control command...
Enforcing a variety of security measures (such as intrusion detection systems, etc.) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Ins...
Data triage is a fundamental stage of cyber defense analysis for achieving cyber situational awareness in a Security Operations Center (SOC). It has a high requirement for cyber security analysts' capabilities of information processing and expertise in cyber defense. However, the present situation is that most novice analysts who are responsible fo...
Cloud computing, with the paradigm of computing as a utility, has the potential to significantly transform the IT industry. Attracted by the high efficiency, low cost, and great flexibility of the cloud, enterprises have begun to migrate large parts of their networks into the cloud. The cloud becomes a public space where multiple “tenants” reside. Except for som...
Triage analysis is a fundamental stage in cyber operations in Security Operations Centers (SOCs). The massive data sources generate great demands on cyber security analysts’ capability of information processing and analytical reasoning. Furthermore, most junior security analysts perform much less efficiently than senior analysts in deciding what da...
This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approa...
Mobile devices today have been increasingly used to store and process sensitive information. Mobile operating systems therefore usually incorporate a certain level of encryption to protect sensitive data. However, conventional encryption cannot defend against a coercive attacker who can capture the device owner, and force the owner...
Encryption ransomware is a malicious software that stealthily encrypts user files and demands a ransom to provide access to these files. Several prior studies have developed systems to detect ransomware by monitoring the activities that typically occur during a ransomware attack. Unfortunately, by the time the ransomware is detected, some files alr...
Emerging zero-day vulnerabilities in information and communications technology systems make cyber defenses very challenging. In particular, the defender faces uncertainties of, e.g., system states and the locations and the impacts of vulnerabilities. In this paper, we study the defense problem on a computer network that is modeled as a partially ob...
Mobile robots are cyber-physical systems where the cyberspace and the physical world are strongly coupled. Attacks against mobile robots can transcend cyber defenses and escalate into disastrous consequences in the physical world. In this paper, we focus on the detection of active attacks that are capable of directly influencing robot mission opera...
Today’s cyber-attacks towards enterprise networks often undermine, and even defeat, the mission assurance of victim networks. Mission cyber resilience (or active cyber defense) is critical to prevent or minimize negative consequences towards missions. Without effective mission impact assessment, mission cyber resilience cannot really be achieved. Howev...
The rapid evolution of Internet-of-Things (IoT) technologies has led to an emerging need to make them smarter. A variety of applications now run simultaneously on an ARM-based processor. For example, devices on the edge of the Internet are provided with higher horsepower to be entrusted with storing, processing and analyzing data collected from IoT...
This paper investigates a class of multi-player discrete games where each player aims to maximize its own utility function. Two particular challenges are considered. Firstly, each player is unaware of the structure of its utility function and the actions of other players, but is able to access the corresponding utility value given an action profile...
Conventional overwriting-based and encryption-based secure deletion schemes can only sanitize data. However, the past existence of the deleted data may leave artifacts in the layout at all layers of a computing system. These structural artifacts may be utilized by the adversary to infer sensitive information about the deleted data or even to fully...
Jun Xu, Pinyao Guo, Bo Chen, [...], Peng Liu
This demo paper describes an approach to detect memory corruption attacks using artificial diversity. Our approach conducts offline symbolic execution of multiple variants of a system to identify paths which diverge in different variants. In addition, we build an efficient input matcher to check whether an online input matches the constraints of a...
This paper studies attack-resilient estimation of a class of switched nonlinear systems subject to stochastic process and measurement noises. We consider two classes of attacks which are signal attacks and switching attacks. The problem is formulated as the joint estimation of state, attack vector and mode of hidden-mode switched systems. We propos...
Black-box mutational fuzzing is a simple yet effective method for finding software vulnerabilities. In this work, we collect and analyze fuzzing campaign data of 60,000 fuzzing runs, 4,000 crashes and 363 unique bugs, from multiple Linux programs using CERT Basic Fuzzing Framework. Motivated by the results of empirical analysis, we propose a stocha...
Enterprise networks are migrating to the public cloud to acquire computing resources for promising benefits in terms of efficiency, expense, and flexibility. Except for some public services, the enterprise network islands in the cloud are expected to be absolutely isolated from each other. However, some “stealthy bridges” may be created to break such i...
In recent years, many organizations have established bounty programs that attract white hat hackers who contribute vulnerability reports of web systems. In this paper, we collect publicly available data of two representative web vulnerability discovery ecosystems (Wooyun and HackerOne) and study their characteristics, trajectory, and impact. We fin...
Cyber attacks inevitably generate impacts towards relevant missions. However, concrete methods to accurately evaluate such impacts are rare. In this paper, we propose a probabilistic approach based on Bayesian networks for quantitative mission impact assessment. A System Object Dependency Graph (SODG) is first built to capture the intrusion propaga...
Multi-party distributed database networks require secure and decentralized query planning services. In this work, we propose the collaborative query planning (CQP) service that enables multiple parties to jointly plan queries and controls sensitive information disclosure at the same time. We conduct several simulated experiments to evaluate the per...
As cyber-attacks become more sophisticated, cyber-attack analysts are required to process large amounts of network data and to reason under uncertainty with the aim of detecting cyber-attacks. Capturing and studying the fine-grained analysts' cognitive processes helps researchers gain deep understanding of how they conduct analytical reasoning and...
Reducing attack surface is an effective preventive measure to strengthen security in large systems. However, it is challenging to apply this idea in an enterprise environment where systems are complex and evolving over time. In this paper, we empirically analyze and measure a real enterprise to identify unused services that expose attack surface. I...
In a federated database system, each independent party exports some of its data for information sharing. The information sharing in such a system is very inflexible, as all peer parties access the same set of data exported by a party, while the party may want to authorize different peer parties to access different portions of its information. We pr...
Efficiency and interference shielding are critical factors for conducting successful cognitive task analysis (CTA) of cyber-attack analysis. To achieve this goal, a tool, named ARSCA, is developed to work with an analyst during a cyber-attack analysis task and to capture the main elements in his/her cognitive process. ARSCA conducts process tracing...
A proactive worm containment (PWC) solution for enterprises uses a sustained faster-than-normal outgoing connection rate to determine if a host is infected. Two novel white detection techniques are used to reduce false positives, including a vulnerability time window lemma to avoid false initial containment, and a relaxation analysis to uncontain (...
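The PWC abstract above turns on one observable: a sustained, faster-than-normal outgoing connection rate from a single host. The following is an added example, not the paper's code or its white-detection lemmas: it buckets constructed connection-log lines per host per second, contains a host only after `sustain` consecutive seconds above `factor` times the assumed normal rate (a stand-in for "sustained"), and uncontains it after `relax` consecutive normal seconds (a simplified stand-in for the paper's relaxation analysis, not the actual technique). The log format, the two host names, the normal rate of 2 connections/s and the infected burst of 30 connections/s are all constructed for the example.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed log: 'epoch_seconds src_host dst_ip:port', 60 seconds of traffic.

    ws-17 stays at 2 outgoing connections/s. ws-42 also starts at 2/s, then
    scans at 30/s from t=20 to t<50 (a worm-like burst), then returns to normal.
    """
    lines = []
    for sec in range(60):
        for host in ("ws-17", "ws-42"):
            n = 30 if (host == "ws-42" and 20 <= sec < 50) else 2
            for i in range(n):
                ts = sec + (i + 0.5) / n           # spread connections inside the second
                lines.append(f"{ts:.3f} {host} 10.0.{i % 7}.{i}:445")
    return lines


def per_second_rates(lines):
    """{host: {second: outgoing-connection count}} from log lines."""
    rates = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, host, _dst = line.split()
        rates[host][int(float(ts))] += 1
    return rates


def pwc_decisions(lines, normal_rate, factor=3.0, sustain=3, relax=5):
    """Return chronological (second, host, 'contain'|'uncontain') events.

    A single spike is ignored: containment needs `sustain` consecutive seconds
    above normal_rate*factor, which is what makes the signal 'sustained'.
    """
    rates = per_second_rates(lines)
    threshold = normal_rate * factor
    first = min(min(r) for r in rates.values())
    last = max(max(r) for r in rates.values())
    events = []
    for host in sorted(rates):
        high = normal = 0
        contained = False
        for sec in range(first, last + 1):
            if rates[host].get(sec, 0) > threshold:
                high, normal = high + 1, 0
            else:
                normal, high = normal + 1, 0
            if not contained and high >= sustain:
                contained = True
                events.append((sec, host, "contain"))
            elif contained and normal >= relax:
                contained = False
                events.append((sec, host, "uncontain"))
    return sorted(events)


if __name__ == "__main__":
    for sec, host, action in pwc_decisions(build_sample_log(), normal_rate=2):
        print(f"t={sec:>3}s {host}: {action}")
```

The `sustain` counter is what keeps a benign burst (a user opening a dozen tabs) from being quarantined, and `relax` is what lets a falsely contained host rejoin the network without an analyst; both are the knobs the abstract's false-positive discussion is about, and both should be tuned against a measured per-host baseline rather than the single assumed normal rate used here.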
Moving Target Defense techniques have been proposed to increase uncertainty and apparent complexity for attackers. When more than one Moving Target Defense technique is effective at limiting the opportunities of an attack, these techniques must be compared so that the best defense choice can be selected. In this paper, we propose a three-layer model to eval...
The previous chapter showed that our understanding about the cognitive reasoning process of cyber analysts is rather limited. Here, we focus on ways to close this knowledge gap. This chapter starts by summarizing the current understanding about the cognitive processes of cyber analysts based on the results of previous cognitive task analyses. It al...
Recent research has developed virtualization architectures to protect the privacy of guest virtual machines. The key technology is to include an access control matrix in the hypervisor. However, existing approaches have either limited functionalities in the hypervisor or a Trusted Computing Base (TCB) which is too large to secure. In this paper, we...
In recent years, the Android operating system has had an explosive growth in the number of applications containing third-party libraries for different purposes. In this paper, we identify three library-centric threats in the real-world Android application markets: (i) the library modification threat, (ii) the masquerading threat and (iii) the aggre...
In this paper, an effective decision process method is proposed to address the challenge in a multiple criteria decision-making (MCDM) problem caused by a large number of criteria. This method is based on criteria reduction, tolerance relation, and prospect theory (PT). By building a discernibility matrix for tolerance relation (DMTR) in an MCDM...
Federated coalition networks are formed by interconnected nodes belonging to different friendly-but-curious parties cooperating for common objectives. Each party has its policy regarding what information may be accessed by which other parties. Data delivery in coalition networks must provide both confidentiality and robustness. First, data should r...
In cyber analysis, it is highly desirable to support the analysis of junior analysts by leveraging the experiences of experts. But, there are two major challenges to achieve this goal. First, it is very costly to capture the experience of experts for the complex task of cyber analysis using traditional approaches such as protocol analysis. Second,...
Calling context provides important information for a large range of applications, such as event logging, profiling, debugging, anomaly detection, and performance optimization. While some techniques have been proposed to track calling context efficiently, they lack a reliable and precise decoding capability; or they work only under restricted condit...