Towards Designing Accurate Detection Methods for Emerging Cyber Threats.
Record type: Bibliographic record - electronic resource : Monograph/item
Title / Author: Towards Designing Accurate Detection Methods for Emerging Cyber Threats. / Yuan, Lun Pin.
Author: Yuan, Lun Pin.
Publisher: Ann Arbor : ProQuest Dissertations & Theses, 2021
Extent: 110 p.
Note: Source: Dissertations Abstracts International, Volume: 83-03, Section: B.
Contained by: Dissertations Abstracts International 83-03B.
Subject: Internet crime.
Electronic resource: https://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=28841660
ISBN: 9798460447145
Yuan, Lun Pin. Towards Designing Accurate Detection Methods for Emerging Cyber Threats. - Ann Arbor : ProQuest Dissertations & Theses, 2021. - 110 p.
Source: Dissertations Abstracts International, Volume: 83-03, Section: B.
Thesis (Ph.D.)--The Pennsylvania State University, 2021.
This item must not be sold to any third party vendors.
Abstract:
Emerging cyber threats such as data breaches, data exfiltration, botnets, and ransomware have caused serious concerns in the security of enterprise infrastructures. The root cause of an emerging cyber threat could be newly developed malware or a disgruntled insider; yet, as more and more evasive techniques are available to the adversaries, emerging cyber threats have become more automated and more difficult for legacy solutions, such as signature-based detection methods, to identify. To this end, many researchers have been working on novel detection methods for emerging cyber threats, including (1) detection for zero-day malware before day zero, and (2) detection for habitual anomalies, assuming adversarial activities violate habitual patterns. In this dissertation, we study the limitations and propose three novel detection methods for emerging cyber threats, namely, Lshand, Acobe, and DabLog. In Lshand (Large Scale Hunting for Android Negative-Day malware), we discuss how we can discover undiscovered malware before day zero, which we refer to as negative-day malware. The challenge includes scalability and the fact that malware writers would apply detection evasion techniques and submission anonymization techniques. Our approach is based on the observation that malware development is a continuous process and thus malware variants inevitably will share certain characteristics throughout their development process. Accordingly, Lshand clusters scan reports based on selective features and then performs further analysis on those seemingly benign apps that share similarity with malware variants. We implemented and evaluated Lshand with submissions to VirusTotal. Our results show that Lshand is capable of hunting down undiscovered malware at a large scale, and our manual analysis and a third-party scanner have confirmed our negative-day malware findings to be malware or grayware.
In Acobe (Anomaly detection method based on COmpound BEhavior), we address the fundamental limitation of anomaly detection methods that profile users based on single-day and individual-user behaviors. We argue that, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. In contrast, our approach takes into consideration long-term patterns and group behaviors. Our approach leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that Acobe outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that Acobe is applicable in practice for cyberattack detection. In DabLog (Deep Autoencoder-Based anomaly detection for discrete event Logs), we address the fundamental limitation of widely adopted anomaly detection for discrete logs. The limitation is that, given a seen sequence of events, most earlier work tried to predict upcoming events and raised an anomaly alert when a prediction failed to meet a certain criterion. However, such a predict-next-event methodology may not be able to fully exploit the distinctive characteristics of sequences, and hence it may incur many false positives. We argue that it is also critical to examine the structure of sequences and the bi-directional causality among individual events. In contrast, our approach determines whether a sequence is normal or abnormal by analyzing (encoding) and reconstructing (decoding) the given sequence. Our evaluation results show that our new methodology can significantly reduce the number of false positives, hence achieving a higher F1 score.
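The Lshand idea from the abstract, as an added Python illustration (this is not the dissertation's code): scan reports are clustered on a few selected features, and any member of a cluster that is anchored by known malware but that no engine currently flags is surfaced as a negative-day candidate, ranked by its strongest link to a detected variant. The reports, the three features compared (signing certificate, requested permissions, package-name prefix), their weights, the single-linkage threshold and the "5 or more positives means known malware" criterion are all assumptions made for this example; Lshand's own feature selection and clustering are not reproduced.

```python
"""Negative-day malware hunting by clustering scan reports.

Added illustration, not the Lshand implementation from the dissertation.
The scan reports, the three features compared, their weights, the linkage
threshold and the malware criterion are all assumptions for this example.
"""
from itertools import combinations

# Constructed scan reports. `positives` mimics the number of engines that
# flag the sample in a multi-engine scan; 0 means it currently looks benign.
SCAN_REPORTS = [
    {"sha256": "a1", "cert": "cert-X", "pkg": "com.flash.player",
     "perms": {"SMS", "CONTACTS", "BOOT", "INTERNET"}, "positives": 23},
    {"sha256": "a2", "cert": "cert-X", "pkg": "com.flash.update",
     "perms": {"SMS", "CONTACTS", "BOOT", "INTERNET"}, "positives": 19},
    # same signer and permission profile as the detected variants, not yet flagged
    {"sha256": "a3", "cert": "cert-X", "pkg": "com.flash.pro",
     "perms": {"SMS", "CONTACTS", "BOOT", "INTERNET", "CAMERA"}, "positives": 0},
    {"sha256": "b1", "cert": "cert-Y", "pkg": "com.notes.free",
     "perms": {"INTERNET", "STORAGE"}, "positives": 0},
    {"sha256": "b2", "cert": "cert-Y", "pkg": "com.notes.pro",
     "perms": {"INTERNET", "STORAGE", "CAMERA"}, "positives": 0},
    {"sha256": "c1", "cert": "cert-Z", "pkg": "com.game.tap",
     "perms": {"INTERNET"}, "positives": 0},
    # re-signed with a fresh certificate, but same permissions and package prefix
    {"sha256": "a4", "cert": "cert-Q", "pkg": "com.flash.lite",
     "perms": {"SMS", "CONTACTS", "BOOT", "INTERNET"}, "positives": 0},
]


def similarity(r1, r2):
    """Weighted similarity over three selected features (weights assumed):
    Jaccard of requested permissions, same signing certificate, same
    package-name prefix (everything before the last dot)."""
    union = r1["perms"] | r2["perms"]
    jaccard = len(r1["perms"] & r2["perms"]) / len(union) if union else 0.0
    same_cert = float(r1["cert"] == r2["cert"])
    same_prefix = float(r1["pkg"].rsplit(".", 1)[0] == r2["pkg"].rsplit(".", 1)[0])
    return 0.5 * jaccard + 0.3 * same_cert + 0.2 * same_prefix


def cluster(reports, threshold=0.55):
    """Single-linkage clustering via union-find: two reports are joined
    whenever their pairwise similarity reaches the (assumed) threshold."""
    parent = {r["sha256"]: r["sha256"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r1, r2 in combinations(reports, 2):
        if similarity(r1, r2) >= threshold:
            parent[find(r1["sha256"])] = find(r2["sha256"])
    groups = {}
    for r in reports:
        groups.setdefault(find(r["sha256"]), []).append(r)
    return list(groups.values())


def hunt_negative_day(reports, malware_min_positives=5, threshold=0.55):
    """Return (sha256, score) for seemingly benign samples that cluster with
    known malware, strongest link to a detected variant first."""
    candidates = []
    for members in cluster(reports, threshold):
        known = [m for m in members if m["positives"] >= malware_min_positives]
        if not known:
            continue  # no malware anchor in this cluster: nothing to hunt here
        for m in members:
            if m["positives"] < malware_min_positives:
                score = max(similarity(m, k) for k in known)
                candidates.append((m["sha256"], round(score, 3)))
    return sorted(candidates, key=lambda c: -c[1])


if __name__ == "__main__":
    for sha, score in hunt_negative_day(SCAN_REPORTS):
        print(f"negative-day candidate {sha}: link to known malware = {score}")
```

On the constructed reports this yields a3 (score 0.9) and a4 (score 0.7) and nothing from the notes or game clusters; a4 is pulled in through its permission profile and package prefix even though it was signed with a certificate that no detected sample shares, which is the kind of shared development characteristic the abstract relies on. In a real pipeline the candidate list is the input to the manual and third-party re-analysis the abstract mentions, not a verdict by itself.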
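The busy-day failure mode that the Acobe paragraph describes, as an added Python illustration (this is not Acobe; there is no behavior representation or autoencoder ensemble here, only count normalization standing in for the two signals the abstract names, group correlation and long-term pattern). The seven days of per-user activity counts are constructed: day 5 is busy for everyone, and `mallory` ramps up slowly all week. The 1.5x single-day threshold, the group-median normalization and the 3-day recent window are assumptions for the example.

```python
"""Single-day, per-user alerting vs. group-normalized, long-term scoring.

Added illustration of the limitation described in the abstract, not the
Acobe model. Counts, threshold, normalization and window are assumptions.
"""
from statistics import mean, median

# Constructed data: one activity count per user per day (7 days).
# Day 5 is a busy day for the whole group; mallory drifts upward slowly.
DAILY_COUNTS = {
    "alice":   [10, 10, 10, 10, 10, 20, 10],
    "bob":     [12, 12, 12, 12, 12, 24, 12],
    "carol":   [ 8,  8,  8,  8,  8, 16,  8],
    "mallory": [10, 11, 12, 13, 14, 30, 16],
}


def single_day_alerts(counts, day, factor=1.5):
    """Per-user, single-day rule: alert when today's count exceeds `factor`
    times that user's own trailing mean (threshold assumed)."""
    alerts = set()
    for user, series in counts.items():
        history = series[:day]
        if history and series[day] > factor * mean(history):
            alerts.add(user)
    return alerts


def compound_scores(counts, recent_days=3):
    """Group signal: divide each day's count by the group median for that
    day, so a busy day lifts everyone equally and cancels out.
    Long-term signal: compare each user's recent window with their own
    earlier window, so a slow, persistent rise accumulates."""
    days = len(next(iter(counts.values())))
    day_median = [median(series[d] for series in counts.values()) for d in range(days)]
    scores = {}
    for user, series in counts.items():
        ratios = [series[d] / day_median[d] for d in range(days)]
        earlier, recent = ratios[:-recent_days], ratios[-recent_days:]
        scores[user] = round(mean(recent) - mean(earlier), 3)
    return scores


def investigation_list(counts):
    """Ordered investigation list: most anomalous user first."""
    scores = compound_scores(counts)
    return sorted(scores, key=lambda u: -scores[u])


if __name__ == "__main__":
    for day in range(1, 7):
        print(f"day {day}: single-day alerts = {sorted(single_day_alerts(DAILY_COUNTS, day))}")
    print("compound scores:", compound_scores(DAILY_COUNTS))
    print("investigate in order:", investigation_list(DAILY_COUNTS))
```

The single-day rule alerts on all four users on the busy day and on nobody on any other day, so it pays for four false positives and never isolates mallory's drift. The compound score puts mallory first with a clearly positive score while the three habitual users sit slightly below zero, because their group-normalized ratios are flat across the week.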
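The contrast the DabLog paragraph draws, predicting the next event versus judging the whole sequence, as an added Python illustration (this is not DabLog's autoencoder). Both detectors here are count-based stand-ins: a bigram top-k predictor plays the predict-next-event approach, and a score that asks how often an event appears between its left and right neighbours stands in for encode-and-reconstruct, capturing the bidirectional dependence the abstract argues for. The normal training traces, the test traces, k=2 and the support threshold are constructed for the example.

```python
"""Predict-next-event vs. whole-sequence scoring for discrete event logs.

Added illustration of the contrast drawn in the abstract, not DabLog.
Both models are count-based stand-ins; traces and thresholds are assumed.
"""
from collections import Counter

START, END = "<s>", "</s>"

# Constructed normal traces (event keys of a tiny file-handling routine).
NORMAL = [
    "open read read close",
    "open read close",
    "open write close",
    "open read write close",
    "open read read close",
]


def _pad(trace):
    return [START] + trace.split() + [END]


class PredictNext:
    """Predict-next-event: alert when the actual next event is not among
    the top-k successors observed after the previous event."""

    def __init__(self, traces, k=2):
        self.k = k
        self.succ = {}
        for t in traces:
            p = _pad(t)
            for a, b in zip(p, p[1:]):
                self.succ.setdefault(a, Counter())[b] += 1

    def is_anomalous(self, trace):
        p = _pad(trace)
        for a, b in zip(p, p[1:]):
            topk = [e for e, _ in self.succ.get(a, Counter()).most_common(self.k)]
            if b not in topk:
                return True
        return False


class Bidirectional:
    """Whole-sequence scoring: each event's support is how often it was seen
    between exactly these left and right neighbours in normal traces; the
    trace is anomalous if any position falls below tau."""

    def __init__(self, traces, tau=0.1):
        self.tau = tau
        self.tri = Counter()    # (left, event, right) counts
        self.outer = Counter()  # (left, right) counts, any middle event
        for t in traces:
            p = _pad(t)
            for l, e, r in zip(p, p[1:], p[2:]):
                self.tri[(l, e, r)] += 1
                self.outer[(l, r)] += 1

    def supports(self, trace):
        p = _pad(trace)
        return [self.tri[(l, e, r)] / self.outer[(l, r)] if self.outer[(l, r)] else 0.0
                for l, e, r in zip(p, p[1:], p[2:])]

    def is_anomalous(self, trace):
        return min(self.supports(trace)) < self.tau


def verdicts(traces, normal=NORMAL):
    """Map each trace to (predict-next verdict, bidirectional verdict)."""
    pn, bi = PredictNext(normal), Bidirectional(normal)
    return {t: (pn.is_anomalous(t), bi.is_anomalous(t)) for t in traces}


if __name__ == "__main__":
    tests = ["open read write close",       # normal, present in training
             "open read read read close",   # loop structure never seen in training
             "open close"]                  # missing step
    for trace, (pn, bi) in verdicts(tests).items():
        print(f"{trace!r}: predict-next={pn} bidirectional={bi}")
```

"open read write close" is a training trace, yet the predictor flags it: after "read" the two most common successors are "close" and "read", so the legitimate but less frequent "write" is mispredicted, which is the false-positive pattern the abstract describes. The triple-read loop passes the predictor step by step (each transition is individually common) but no event was ever seen between "read" and "read", so the bidirectional score drops to zero. "open close" is caught by both. Raising k hides the first problem only by accepting more of everything, while the bidirectional score distinguishes a rare-but-structured event from one that breaks the structure.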
ISBN: 9798460447145
Subjects--Topical Terms: Internet crime.
Subjects--Index Terms: Cyber threats
MARC record:
LDR 04848nmm a2200337 4500
001 2283882
005 20211115071710.5
008 220723s2021 ||||||||||||||||| ||eng d
020 $a 9798460447145
035 $a (MiAaPQ)AAI28841660
035 $a (MiAaPQ)PennState_19664lzy5118
035 $a AAI28841660
040 $a MiAaPQ $c MiAaPQ
100 1 $a Yuan, Lun Pin. $3 3562951
245 1 0 $a Towards Designing Accurate Detection Methods for Emerging Cyber Threats.
260 1 $a Ann Arbor : $b ProQuest Dissertations & Theses, $c 2021
300 $a 110 p.
500 $a Source: Dissertations Abstracts International, Volume: 83-03, Section: B.
500 $a Advisor: Zhu, Sencun.
502 $a Thesis (Ph.D.)--The Pennsylvania State University, 2021.
506 $a This item must not be sold to any third party vendors.
590 $a School code: 0176.
650 4 $a Internet crime. $3 3541387
650 4 $a Behavior. $3 532476
650 4 $a Malware. $3 3562952
650 4 $a Datasets. $3 3541416
650 4 $a Threats. $3 594889
650 4 $a Scanners. $3 3562953
650 4 $a COVID-19. $3 3554449
650 4 $a Computer science. $3 523869
653 $a Cyber threats
653 $a Malware
653 $a Cybercrime
690 $a 0984
710 2 $a The Pennsylvania State University. $3 699896
773 0 $t Dissertations Abstracts International $g 83-03B.
790 $a 0176
791 $a Ph.D.
792 $a 2021
793 $a English
856 4 0 $u https://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=28841660
Holdings (1 item):
Barcode: W9435615
Location: Electronic resources
Circulation category: 11. Online reading_V
Material type: E-book
Call number: EB
Use type: Normal
Loan status: On shelf
Holds: 0