A Study of Gaps in Cyber Defense Automation

Abstract : Cyber defense automation (CDA) refers to automated response to and recovery from cyber attacks while still preserving a certain level of mission functionality. The vision of CDA research is to build self-healing, self-immunizing systems. Seven major components are necessary to achieve this vision: attack/vulnerability detection, attack/vulnerability analysis, impact blocking, recovery, vulnerability patching, system cleansing, and an optional active response component (e.g., deception or counter-attack). In this report, by reviewing the state of the art for each of these components, we identify high-priority, short-term research objectives for CDA components, which include: designing vulnerability detection techniques with low false-positive rates, developing scalable and fast impact-blocking mechanisms, accurately identifying the location of vulnerabilities, developing new roll-back techniques, evaluating various deception options, and using sanitization techniques for improved cleansing of compromised systems. These efforts will constitute the basic building blocks of an effective and automated CDA system.

[1]  Stephen McCamant,et al.  Input generation via decomposition and re-stitching: finding bugs in Malware , 2010, CCS '10.

[2]  Tao Xie,et al.  MetaSymploit: Day-One Defense against Script-based Attacks with Security-Enhanced Symbolic Analysis , 2013, USENIX Security Symposium.

[3]  Joel Young,et al.  Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection , 2011, LISA.

[4]  Wenke Lee,et al.  Understanding the prevalence and use of alternative plans in malware with network games , 2011, ACSAC '11.

[5]  Arun K. Sood,et al.  Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security , 2006, J. Networks.

[6]  William K. Robertson,et al.  PatchDroid: scalable third-party security patches for Android devices , 2013, ACSAC.

[7]  Stefan Katzenbeisser,et al.  From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation , 2014, CCS.

[8]  Michael D. Ernst,et al.  Automatically patching errors in deployed software , 2009, SOSP '09.

[9]  Thorsten Holz,et al.  IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM , 2011, RAID.

[10]  Nicolas Christin,et al.  Automatically Detecting Vulnerable Websites Before They Turn Malicious , 2014, USENIX Security Symposium.

[11]  Chad R. Meiners,et al.  A Study of Gaps in Attack Analysis , 2016 .

[12]  Frank Piessens,et al.  DEMACRO: Defense against Malicious Cross-Domain Requests , 2012, RAID.

[13]  Yuewu Wang,et al.  DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices , 2015, NDSS.

[14]  Vitaly Shmatikov,et al.  Fix Me Up: Repairing Access-Control Bugs in Web Applications , 2013, NDSS.

[15]  Farnam Jahanian,et al.  CANVuS: Context-Aware Network Vulnerability Scanning , 2010, RAID.

[16]  Angelos D. Keromytis,et al.  Self-healing multitier architectures using cascading rescue points , 2012, ACSAC '12.

[17]  Herbert Bos,et al.  SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets , 2013, 2013 IEEE Symposium on Security and Privacy.

[18]  Robert Beverly,et al.  Exploiting Transport-Level Characteristics of Spam , 2008, CEAS.

[19]  Arun K. Sood,et al.  Securing Web Servers Using Self Cleansing Intrusion Tolerance (SCIT) , 2009, 2009 Second International Conference on Dependability.

[20]  Eric Lahtinen,et al.  Automatic error elimination by horizontal code transfer across multiple applications , 2015, PLDI.

[21]  Gregg Rothermel,et al.  Software testing: a research travelogue (2000–2014) , 2014, FOSE.

[22]  David Brumley,et al.  Unleashing Mayhem on Binary Code , 2012, 2012 IEEE Symposium on Security and Privacy.

[23]  Mu Zhang,et al.  AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications , 2014, NDSS.

[24]  Wenke Lee,et al.  Beheading hydras: performing effective botnet takedowns , 2013, CCS.

[25]  David Brumley,et al.  ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions , 2012, 2012 IEEE Symposium on Security and Privacy.

[26]  Dawei Qi,et al.  SemFix: Program repair via semantic analysis , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[27]  Vinod Yegneswaran,et al.  EKHunter: A Counter-Offensive Toolkit for Exploit Kit Infiltration , 2015, NDSS.

[28]  Christopher Krügel,et al.  JACKSTRAWS: Picking Command and Control Connections from Bot Traffic , 2011, USENIX Security Symposium.

[29]  Name M. Lastname Automatically Finding Patches Using Genetic Programming , 2013 .

[30]  Jonathon T. Giffin,et al.  Automated remote repair for mobile malware , 2011, ACSAC '11.

[31]  Somesh Jha,et al.  Efficient runtime-enforcement techniques for policy weaving , 2014, FSE 2014.

[32]  Fan Long,et al.  An analysis of patch plausibility and correctness for generate-and-validate patch generation systems , 2015, ISSTA.

[33]  Jaechang Nam,et al.  Automatic patch generation learned from human-written patches , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[34]  Swarat Chaudhuri,et al.  Extraction of statistically significant malware behaviors , 2013, ACSAC.

[35]  Gianluca Stringhini,et al.  B@bel: Leveraging Email Delivery for Spam Mitigation , 2012, USENIX Security Symposium.

[36]  Y. Huang Self-Cleansing Systems for Intrusion Containment , 2006 .