by ADAPT Group
Light Weight DIFT on Linux 32 bit was developed to analyze the behavior of an SSH- and SCP-based malicious attack through its process trace during execution, from the adversary's perspective as well as from the victim's perspective. The implementation of Light Weight DIFT on Linux 32 bit systems consists of two components.

View from the adversary's perspective: Light Weight DIFT was implemented to give security analysts a clear picture of the processes created by a malicious program during its execution. This tool visualizes the process trace of a malicious program as graphs built from the logs generated while the malicious program was running.

View from the victim's perspective: Light Weight DIFT was implemented to capture the behavior of the processes on the victim system while a malicious remote attack takes place over SSH and SCP. This component visualizes the process trace of the victim system during the execution of an SSH- and SCP-based attack.
by ADAPT Group
Dynamic Information Flow Tracking (DIFT) is a defense mechanism that dynamically tracks the usage of information flows in a computer system during program execution. Advanced Persistent Threats (APTs) are sophisticated, stealthy, long-term cyberattacks that target specific systems. Although DIFT has been used for detecting APTs, wide-ranging security analysis using DIFT results in a significant increase in performance overhead and high rates of false positives and false negatives. This code presents a game-theoretic implementation of the strategic interaction between the APT and DIFT. The DIFT-APT game is a nonzero-sum stochastic game with imperfect information and an average reward structure. The average payoff structure captures the long-term behavior of the APT's interactions with the victim system. Additionally, the game has an incomplete information structure, as the transition probabilities (false-positive and false-negative rates) are unknown. In [1], we showed that the state space of the game has a unichain structure. Utilizing the unichain structure, we proposed the Multi-Agent Average Reward Nash Equilibrium (MA-ARNE) algorithm to compute an average reward Nash equilibrium of the game and proved its convergence in [1].
by ADAPT Group
Dynamic Information Flow Tracking (DIFT) is a defense mechanism that dynamically tracks the usage of information flows in a computer system during program execution. Advanced Persistent Threats (APTs) are sophisticated, stealthy, long-term cyberattacks that target specific systems. Although DIFT has been used for detecting APTs, wide-ranging security analysis using DIFT results in a significant increase in performance overhead and high rates of false positives and false negatives. This code presents a game-theoretic implementation of the strategic interaction between the APT and DIFT for efficient detection. The APT-DIFT game is a constant-sum stochastic game with a total reward structure and imperfect information. We consider two scenarios of the game: (i) when the false-positive and false-negative rates are known to both players, and (ii) when the false-positive and false-negative rates are unknown to both players. Case (i) translates to a game with complete information, and case (ii) translates to an incomplete information game with unknown transition probabilities. For case (i), we implement a value iteration algorithm with guaranteed convergence. For case (ii), we implement Hierarchical Supervised Learning (HSL), a supervised learning-based algorithm.
by ADAPT Group
The Theia DIFT Module was developed to provide a simpler method for TA2 teams to communicate with Theia's internal replay server. Theia's replay server relies on recording the system's original execution, which allows it to replay that execution at a later time. Unlike earlier approaches to whole-system record-and-replay, Theia's replay system can dynamically instrument the replayed execution, which allows Theia to repeatedly apply fine-grained analysis techniques such as taint analysis on top of the original execution. This allows Theia to provide a refined version of the provenance graph that contains only the true dependencies and does not suffer from dependency explosion.