-
Vulnerability Forecasting: In theory and practice
Authors:
Éireann Leverett,
Matilda Rhode,
Adam Wedgbury
Abstract:
Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs released in the NVD as much as a year in advance. This can be done within 3 percent of the actual value, and different predictive algorithms perform well at different lookahead values. It is also possible to estimate the proportions of that total volumn belonging to specific vendors, softwar…
▽ More
Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs released in the NVD as much as a year in advance. This can be done within 3 percent of the actual value, and different predictive algorithms perform well at different lookahead values. It is also possible to estimate the proportions of that total volumn belonging to specific vendors, software, CVSS scores, or vulnerability types. Strategic patch management should become much easier, with this uncertainty reduction.
△ Less
Submitted 7 December, 2020;
originally announced December 2020.
-
Adversarial Attacks on Machine Learning Cybersecurity Defences in Industrial Control Systems
Authors:
Eirini Anthi,
Lowri Williams,
Matilda Rhode,
Pete Burnap,
Adam Wedgbury
Abstract:
The proliferation and application of machine learning based Intrusion Detection Systems (IDS) have allowed for more flexibility and efficiency in the automated detection of cyber attacks in Industrial Control Systems (ICS). However, the introduction of such IDSs has also created an additional attack vector; the learning models may also be subject to cyber attacks, otherwise referred to as Adversar…
▽ More
The proliferation and application of machine learning based Intrusion Detection Systems (IDS) have allowed for more flexibility and efficiency in the automated detection of cyber attacks in Industrial Control Systems (ICS). However, the introduction of such IDSs has also created an additional attack vector; the learning models may also be subject to cyber attacks, otherwise referred to as Adversarial Machine Learning (AML). Such attacks may have severe consequences in ICS systems, as adversaries could potentially bypass the IDS. This could lead to delayed attack detection which may result in infrastructure damages, financial loss, and even loss of life. This paper explores how adversarial learning can be used to target supervised models by generating adversarial samples using the Jacobian-based Saliency Map attack and exploring classification behaviours. The analysis also includes the exploration of how such samples can support the robustness of supervised models using adversarial training. An authentic power system dataset was used to support the experiments presented herein. Overall, the classification performance of two widely used classifiers, Random Forest and J48, decreased by 16 and 20 percentage points when adversarial samples were present. Their performances improved following adversarial training, demonstrating their robustness towards such attacks.
△ Less
Submitted 10 April, 2020;
originally announced April 2020.
-
Real-time malware process detection and automated process killing
Authors:
Matilda Rhode,
Pete Burnap,
Adam Wedgbury
Abstract:
Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpo…
▽ More
Perimeter-based detection is no longer sufficient for mitigating the threat posed by malicious software. This is evident as antivirus (AV) products are replaced by endpoint detection and response (EDR) products, the latter allowing visibility into live machine activity rather than relying on the AV to filter out malicious artefacts. This paper argues that detecting malware in real-time on an endpoint necessitates an automated response due to the rapid and destructive nature of some malware.
The proposed model uses statistical filtering on top of a machine learning dynamic behavioural malware detection model in order to detect individual malicious processes on the fly and kill those which are deemed malicious. In an experiment to measure the tangible impact of this system, we find that fast-acting ransomware is prevented from corrupting 92% of files with a false positive rate of 14%. Whilst the false-positive rate currently remains too high to adopt this approach as-is, these initial results demonstrate the need for a detection model which is able to act within seconds of the malware execution beginning; a timescale that has not been addressed by previous work.
△ Less
Submitted 12 January, 2022; v1 submitted 7 February, 2019;
originally announced February 2019.
-
Data Capture & Analysis to Assess Impact of Carbon Credit Schemes
Authors:
Matilda Rhode,
Omer Rana,
Tim Edwards
Abstract:
Data enables Non-Governmental Organisations (NGOs) to quantify the impact of their initiatives to themselves and to others. The increasing amount of data stored today can be seen as a direct consequence of the falling costs in obtaining it. Cheap data acquisition harnesses existing communications networks to collect information. Globally, more people are connected by the mobile phone network than…
▽ More
Data enables Non-Governmental Organisations (NGOs) to quantify the impact of their initiatives to themselves and to others. The increasing amount of data stored today can be seen as a direct consequence of the falling costs in obtaining it. Cheap data acquisition harnesses existing communications networks to collect information. Globally, more people are connected by the mobile phone network than by the Internet. We worked with Vita, a development organisation implementing green initiatives to develop an SMS-based data collection application to collect social data surrounding the impacts of their initiatives. We present our system design and lessons learned from on-the-ground testing.
△ Less
Submitted 20 November, 2017;
originally announced November 2017.
-
Early Stage Malware Prediction Using Recurrent Neural Networks
Authors:
Matilda Rhode,
Pete Burnap,
Kevin Jones
Abstract:
Static malware analysis is well-suited to endpoint anti-virus systems as it can be conducted quickly by examining the features of an executable piece of code and matching it to previously observed malicious code. However, static code analysis can be vulnerable to code obfuscation techniques. Behavioural data collected during file execution is more difficult to obfuscate, but takes a relatively lon…
▽ More
Static malware analysis is well-suited to endpoint anti-virus systems as it can be conducted quickly by examining the features of an executable piece of code and matching it to previously observed malicious code. However, static code analysis can be vulnerable to code obfuscation techniques. Behavioural data collected during file execution is more difficult to obfuscate, but takes a relatively long time to capture - typically up to 5 minutes, meaning the malicious payload has likely already been delivered by the time it is detected.
In this paper we investigate the possibility of predicting whether or not an executable is malicious based on a short snapshot of behavioural data. We find that an ensemble of recurrent neural networks are able to predict whether an executable is malicious or benign within the first 5 seconds of execution with 94% accuracy. This is the first time general types of malicious file have been predicted to be malicious during execution rather than using a complete activity log file post-execution, and enables cyber security endpoint protection to be advanced to use behavioural data for blocking malicious payloads rather than detecting them post-execution and having to repair the damage.
△ Less
Submitted 18 June, 2018; v1 submitted 11 August, 2017;
originally announced August 2017.