Case Studies II
Thursday, 12 December 2019
15:30 - 17:00
Chair: Larry Wagoner, NSA
Hype or hope? Machine learning based security analytics for web applications, Lei Ding, Xiaoyong Yuan, and Malek Ben Salem, Accenture
Abstract: Web applications have become a favorite target for cyber-attacks due to easy access and constantly increasing vulnerabilities. Machine learning based anomaly detection solutions are proposed to learn network traffic patterns of web applications and provide early warning of web-based exploits.
Unfortunately, ML is not a panacea for anomaly detection in web applications; ML based solutions have their limitations. What can ML do, and not do, in the space of web application security analytics? What type(s) of data are required to achieve the full benefits of ML based detection? What types of web-based exploits are not yet covered? What attack methods and techniques can bypass ML based detection and still succeed? What practical guidelines can an organization follow to make the best use of ML based detection solutions?
In this talk, we attempt to answer these questions using practical demonstrations that highlight the real threats faced by web application owners and show how ML can provide new threat detection capabilities. We will describe a case study in which malicious HTTP traffic is detected with higher accuracy, evaluated on real-world web applications.
Bios: Dr. Lei Ding is a cybersecurity researcher with Accenture Labs in Washington, D.C., where she focuses on developing, evaluating, and deploying novel data mining approaches and machine learning models in support of endpoint and network security solutions.
Xiaoyong Yuan is currently a PhD student in the Department of Computer & Information Science & Engineering at the University of Florida. His research interests include security and deep learning. He received a BS degree in mathematics from Fudan University in 2012 and an MS degree in software engineering from Peking University in 2015.
Malek Ben Salem, PhD, is a cybersecurity researcher based in Washington, D.C. She leads a security research team at Accenture Labs, where her research focuses on behavioral biometrics, IoT security, data protection, security analytics, blockchain, and cloud and mobile security. She is also developing AI-based security offerings. Malek has authored several peer-reviewed publications and patents. She earned a PhD in Computer Science from Columbia University in New York and a Diploma of Electrical Engineering from the University of Hanover, Germany.
Applying the Guilt By Association Principle to Threat Detection with Sparsely Labeled Data, Kevin Roundy, Symantec Research Labs
Abstract: Data scientists tasked with detecting security threats regularly encounter the following data problems: a massive class imbalance between malicious and benign data, data with sparsely populated features, and data labels that are extremely scarce, non-existent, present for one class but not the other, or present for commonplace threats but not for the emergency-level threats they seek to detect. This talk describes several ways in which the Guilt-By-Association (GBA) principle can be applied to detect and prioritize security threats by mining co-occurrence relationships among labeled and unlabeled data.
We draw insights from 6 GBA-based security algorithms developed by Symantec to overcome the data challenges described above, all of which have been published or are under peer-review. The most important GBA tools used in these efforts are Random Walk with Restart and Belief Propagation algorithms for scalable guilt propagation, Maximum A Posteriori probability estimation for false positive avoidance, and Locality-Sensitive Hashing to cluster related files with similar guilt profiles. We have successfully applied these tools to malware classification, critical security incident discovery, software package detection and classification, and the discovery of malicious mobile apps used for stalking and inter-personal attacks. We believe that the GBA principle can and should be applied in many additional settings and will seek to equip security practitioners with the GBA tools suited to the challenges posed by their data.
Bio: Kevin Alejandro Roundy completed his Ph.D. at the University of Wisconsin in 2012 and joined Symantec Research Labs that same year. He has used graph-based methods leveraging the Guilt-By-Association principle in several of his publications since joining Symantec, always adapting and tailoring existing methods to the peculiarities and challenges of a variety of datasets. These methods have been applied to cross-product intrusion detection, reputation systems for malware detection, and the detection and categorization of mobile apps used to attack vulnerable populations. His other interests include human-computer interaction and static and dynamic analysis of program binaries.
JEX: A Straightforward, Portable and Scalable Framework for Automatic Exploit Generation for Java, Mohammadreza Ashouri, University of Potsdam, Germany
Abstract: Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. As a result, internet worms such as WannaCry exploit vulnerabilities in applications to infect hundreds of thousands of users in a short time, causing hundreds of millions of dollars in damages.
Undoubtedly, the rapid spread of internet worms makes it impossible to manually protect a large number of hosts under attack from infection. Hence, to successfully counter internet worms, we need automatic detection and defense mechanisms that can detect and block runtime attacks. An ideal mechanism should be simple to deploy and produce few false positives and few false negatives.
In this presentation we introduce JEX, an automatic dynamic taint analysis framework that detects and generates exploits for sanitization-based vulnerabilities in Java web applications. Our method tracks the flow of taint information from untrusted input into the application's sensitive methods (such as console, file, network, database, or another program). Our proposed framework is portable, quick, and accurate, and does not need the source code of the applications it analyzes.
We demonstrate the usefulness of the framework by finding several zero-day vulnerabilities in popular Java applications.
Bio: Mohammadreza Ashouri is a PhD candidate and research assistant in software security at the University of Potsdam, Germany. His research areas are Dynamic Taint Tracking in JVM, Browser Fingerprinting, Web Security and Security Fuzzing.