SaTC: CORE: Medium: Guarding Noisy Neighborhoods with Weak Detectors

SaTC：核心：中：用弱探测器保护嘈杂的社区

• 批准号: 1704778
• 负责人: Mohit Tiwari
• 金额: $ 119.39万
• 依托单位: University of Texas at Austin
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-07-01 至 2023-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1704778&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Guarding; Noisy

Malicious programs ("malware") are expensive and can put people's lives at risk. Unfortunately, automatic malware detection is difficult and many automated detection systems produce a large number of false alarms. In large enterprises, detectors may create millions of security log entries per day, deluging the human analysts with false alarms. This project is developing algorithmic and statistical techniques to automatically analyze these security logs and reduce the number that human analysts must review from millions to only tens or hundreds per day.The researcher's key insight is that attack patterns induce transient correlations across time and nodes (users or devices). The project explores the hypothesis that encoding and algorithmically exploiting such transient correlations can lead to tremendous dimensionality reductions of the multi-scale alert data, and allow statistically significant insights into malware activity. The team is exploring this hypothesis using two ideas. First, they have defined the idea of a "neighborhood" that allows filtering of alerts. A neighborhood is a set of nodes that shares an action attribute such as having visited a common website or received emails from the same source within a specific time window. Thus, neighborhoods are dynamic collections of nodes that are likely to be exposed to a similar attack vector, e.g., a compromised web-server or a malicious phishing email. The second idea is a statistical approach for composing local detectors that uses the feature vectors (FVs) leading to local detector alerts ("alert-FVs") instead of operating only on the original alert flags from nodes. This may allow a global detector to better separate true positive neighborhoods from false positive neighborhoods by comparing the distributional shape of alert-FVs from each neighborhood. The research team will perform experiments to evaluate their techniques using production-scale, real-time alert logs from a large commercial enterprise and the University of Texas' Information Security Office.

恶意程序（“恶意软件”）是昂贵的，可以把人们的生命处于危险之中。不幸的是，自动恶意软件检测是困难的，并且许多自动检测系统产生大量的假警报。在大型企业中，检测器每天可能会创建数百万个安全日志条目，从而使人工分析人员陷入虚假警报的泥潭。该项目正在开发算法和统计技术，以自动分析这些安全日志，并将人类分析人员每天必须审查的数量从数百万减少到数十或数百。研究人员的关键见解是，攻击模式会引起跨时间和节点（用户或设备）的瞬态相关性。该项目探讨了这样一种假设，即编码和算法利用这种瞬态相关性可以导致多尺度警报数据的巨大降维，并允许对恶意软件活动进行统计上的显著洞察。 该团队正在使用两种想法来探索这一假设。首先，他们定义了允许过滤警报的“社区”概念。邻居是一组节点，它们共享一个动作属性，例如在特定时间窗口内访问过一个公共网站或收到来自同一来源的电子邮件。因此，邻域是可能暴露于类似攻击向量的节点的动态集合，例如，被入侵的网络服务器或恶意网络钓鱼电子邮件。 第二个想法是一种用于组成本地检测器的统计方法，该方法使用导致本地检测器警报（“警报-FV”）的特征向量（FV），而不是仅对来自节点的原始警报标志进行操作。这可以允许全局检测器通过比较来自每个邻域的警报FV的分布形状来更好地将真阳性邻域与假阳性邻域分开。该研究小组将进行实验，以评估他们的技术使用生产规模，实时警报日志从一个大型商业企业和得克萨斯大学的信息安全办公室。

项目成果

Model-Powered Conditional Independence Test

• 发表时间: 2017-09
• 作者: Rajat Sen;A. Suresh;Karthikeyan Shanmugam;A. Dimakis;S. Shakkottai

Learning Mixtures of Graphs from Epidemic Cascades

• 发表时间: 2019-06
• 期刊: Aesthetic Plastic Surgery
• 影响因子: 2.4
• 作者: Jessica Hoffmann;S. Basu;Surbhi Goel;C. Caramanis

Mix and Match: An Optimistic Tree-Search Approach for Learning Models from Mixture Distributions

• 发表时间: 2019-07
• 期刊: ArXiv
• 作者: Matthew Faw;Rajat Sen;Karthikeyan Shanmugam;C. Caramanis;S. Shakkottai

EM Converges for a Mixture of Many Linear Regressions

• 发表时间: 2019-05
• 期刊: ArXiv
• 作者: Jeongyeol Kwon;C. Caramanis

The Gossiping Insert-Eliminate Algorithm for Multi-Agent Bandits

• 发表时间: 2020-01
• 作者: Ronshee Chawla;Abishek Sankararaman;A. Ganesh;S. Shakkottai