Publication


Featured research published by Jose Andre Morales.


applied cryptography and network security | 2010

Social network-based botnet command-and-control: emerging threats and countermeasures

Erhan J. Kartaltepe; Jose Andre Morales; Shouhuai Xu; Ravi S. Sandhu

Botnets have become a major threat in cyberspace. In order to effectively combat botnets, we need to understand a botnet's Command-and-Control (C&C), which is challenging because C&C strategies and methods evolve rapidly. Very recently, botmasters have begun to exploit social network websites (e.g., Twitter.com) as their C&C infrastructures, which turns out to be quite stealthy because it is hard to distinguish the C&C activities from the normal social networking traffic. In this paper, we study the problem of using social networks as botnet C&C infrastructures. Treating as a starting point the current generation of social network-based botnet C&C, we envision the evolution of such C&C methods and explore social networks-based countermeasures.


international conference on distributed computing and internet technology | 2014

Cyber Security via Signaling Games: Toward a Science of Cyber Security

William Casey; Jose Andre Morales; Thomson Nguyen; Jonathan M. Spring; Rhiannon Weaver; Evan Wright; Leigh Metcalf; Bud Mishra

In March of 2013, what started as a minor dispute between Spamhaus and Cyberbunker quickly escalated to a distributed denial of service (DDoS) attack that was so massive, it was claimed to have slowed internet speeds around the globe. The attack clogged servers with dummy internet traffic at a rate of about 300 gigabits per second. By comparison, the largest observed DDoS attacks, typically against banks, had thus far registered only 50 gigabits per second. The record-breaking Spamhaus/Cyberbunker conflict arose 13 years after the publication of best practices on preventing DDoS attacks, and it was not an isolated event. Recently, NYU's Courant Institute and Carnegie Mellon Software Engineering Institute have collaboratively devised game-theoretic approaches to address various cyber security problems involving exchange of information asymmetrically. This research aims to discover and understand complex structures of malicious use cases within the context of secure systems with the goal of developing an incentives-based measurement system that ensures a high level of resilience to attack.


Oral Surgery, Oral Medicine, Oral Pathology, and Oral Radiology | 2015

CD147 and Ki-67 overexpression confers poor prognosis in squamous cell carcinoma of oral tongue: A tissue microarray study

Yau Hua Yu; Jose Andre Morales; Lei Feng; J. Jack Lee; Adel K. El-Naggar; Nadarajah Vigneswaran

OBJECTIVE: Squamous cell carcinoma of the oral tongue (SCCOT) exhibits high risk for recurrence and regional metastasis even after surgical resection. We assessed the clinicopathologic and prognostic significance of a group of functionally related biomarkers. STUDY DESIGN: We used a tissue microarray consisting of SCCOT from 32 patients for this study. These patients were treated at the University of Texas MD Anderson Cancer Center from 1995 to 2008. Biomarker expression levels were examined by immunohistochemistry and graded semiquantitatively to determine their prognostic significance. RESULTS: CD147 and Tp63 expressions were significantly associated with a higher T stage and Ki-67 labeling index, as well as a shorter overall survival (OS) rate. Expression of Tp63 associated positively with poorly differentiated histology. There was significant association of Tp63 with the expression levels of CD147 and Glut-1. Glut-1 overexpression was marginally associated with a higher T stage. There was no prognostic significance of CD44 v6 expression in SCCOT. CONCLUSION: SCCOT with CD147 overexpression in combination with high Ki-67 labeling index had poor OS. CD147 and Ki-67 overexpression is associated with aggressive disease with poor prognosis in SCCOT.


international conference on security and privacy in communication systems | 2010

Analyzing and Exploiting Network Behaviors of Malware

Jose Andre Morales; Areej Al-Bataineh; Shouhuai Xu; Ravi S. Sandhu

In this paper we address the following questions: From a networking perspective, do malicious programs (malware, bots, viruses, etc.) behave differently from benign programs that run daily for various needs? If so, how may we exploit the differences in network behavior to detect them? To address these questions, we are systematically analyzing the behavior of a large set (at the magnitude of 2,000) of malware samples. We present our initial results after analyzing 1000 malware samples. The results show that malicious and benign programs behave quite differently from a network perspective. We are still in the process of attempting to interpret the differences, which nevertheless have been utilized to detect 31 malware samples which were not detected by any antivirus software on Virustotal.com as of 01 April 2010, giving evidence that the differences between malicious and benign network behavior have a possible use in helping stop zero-day attacks on a host machine.


international conference on malicious and unwanted software | 2009

Analyzing DNS activities of bot processes

Jose Andre Morales; Areej Al-Bataineh; Shouhuai Xu; Ravi S. Sandhu

Detecting bots is becoming increasingly challenging with the sophistication of current bot technology. Most research has focused on identifying infected host machines but is unable to identify the specific bot processes on the host. This research analyzes active bot processes with emphasis on a newly identified vector of detection based on DNS activities occurring throughout the bot life cycle with a primary focus on the early stage of the cycle (i.e., when bots first join a botnet). Specifically, we propose criteria for detecting bot processes based on their reaction-to-DNS-response behavior (RD behavior). Our experimental results confirm that the newly identified vector of detection can, in most cases, accurately identify bot processes during the early stage in their life cycle and can improve detection results of current commercial bot detection software.


mathematical methods models and architectures for network security systems | 2010

Symptoms-based detection of bot processes

Jose Andre Morales; Erhan J. Kartaltepe; Shouhuai Xu; Ravi S. Sandhu

Botnets have become the most powerful tool for attackers to victimize countless users across cyberspace. Previous work on botnet detection has mainly focused on identifying infected bot computers or IP addresses and not on identifying bot processes on a host machine. This paper aims to fill this gap by presenting a bot process detection technique based on process symptoms such as: TCP connection attempts, DNS activities, digital signatures, unauthorized process tampering, and process hiding. We partition symptoms into sets which are input into classifiers generating individual detection models which are later appropriately integrated so as to improve the detection accuracy. The integrated approach correctly identified two bot processes and did not produce any false positives or false negatives.


international conference on malicious and unwanted software | 2010

Evaluating detection and treatment effectiveness of commercial anti-malware programs

Jose Andre Morales; Ravi S. Sandhu; Shouhuai Xu

Commercial anti-malware programs consist of two main components: detection and treatment. Detection accuracy is often used to rank effectiveness of commercial anti-malware programs with less emphasis on the equally important treatment component. Effectiveness measures of commercial anti-malware programs should consider equally detection and treatment. This can be achieved by standardized measurements of both components. This paper presents a novel approach to evaluate the effectiveness of a commercial anti-malware program's detection and treatment components against malicious objects by partitioning true positives to incorporate detection and treatment. This new measurement is used to evaluate the effectiveness of four commercial anti-malware programs in three tests. The results show that several anti-malware programs produced numerous incorrectly treated or untreated true positives and false negatives leaving many infected objects unresolved and thereby active threats in the system. These results further demonstrate that our approach evaluates the detection and treatment components of commercial anti-malware programs in a more effective and realistic manner than currently accepted measurements which primarily focus on detection accuracy.


international conference on malicious and unwanted software | 2014

Agent-based trace learning in a recommendation-verification system for cybersecurity

William Casey; Evan Wright; Jose Andre Morales; Michael Appel; Jeff Gennari; Bud Mishra

Agents in a social-technological network can be thought of as strategically interacting with each other by continually observing their own local or hyperlocal information and communicating suitable signals to the receivers who can take appropriate actions. Such interactions have been modeled as information-asymmetric signaling games and studied in our earlier work to understand the role of deception, which often results in general loss of cybersecurity. While there have been attempts to model and check such a body of agents for various global properties and hyperproperties, it has become clear that various theoretical obstacles against this approach are unsurmountable. We instead advocate an approach to dynamically check various liveness and safety hyperproperties with the help of recommenders and verifiers; we focus on empirical studies of the resulting signaling games to understand their equilibria and stability. Agents in such a proposed system may mutate, publish, and recommend strategies and verify properties, for instance, by using statistical inference, machine learning, and model checking with models derived from the past behavior of the system. For the sake of concreteness, we focus on a well-studied problem of detecting a malicious code family using statistical learning on trace features and show how such a machine learner - in this study a classifier for Zeus/Zbot - can be rendered as a property, and then be deployed on endpoint devices with trace monitors. The results of this paper, in combination with our earlier work, indicate the feasibility and way forward for a recommendation-verification system to achieve a novel defense mechanism in a social-technological network in the era of ubiquitous computing.


financial cryptography | 2011

Proximax: measurement-driven proxy dissemination (short paper)

Damon McCoy; Jose Andre Morales; Kirill Levchenko

Many people currently use proxies to circumvent government censorship that blocks access to content on the Internet. Unfortunately, the dissemination channels used to distribute proxy server locations are increasingly being monitored to discover and quickly block these proxies. This has given rise to a large number of ad hoc dissemination channels that leverage trust networks to reach legitimate users and at the same time prevent proxy server addresses from falling into the hands of censors. To address this problem in a more principled manner, we present Proximax, a robust system that continuously distributes pools of proxies to a large number of channels. The key research challenge in Proximax is to distribute the proxies among the different channels in a way that maximizes the usage of these proxies while minimizing the risk of having them blocked. This is challenging because of two conflicting goals: widely disseminating the location of the proxies to fully utilize their capacity and preventing (or at least delaying) their discovery by censors.


computer and communications security | 2015

Compliance Control: Managed Vulnerability Surface in Social-Technological Systems via Signaling Games

William Casey; Quanyan Zhu; Jose Andre Morales; Bud Mishra

The agents of an organization, in fulfillment of their tasks, generate a cyber-physical-human trace, which is amenable to formal analysis with modal logic to verify safety and liveness properties. Trusted but non-trustworthy agents within an organization may attempt to conceal their true intentions, develop deceptive strategies, and exploit the organization--a scenario modeled here as a basic compliance signaling game. The challenge for the organization, only partially informed of its own true state, is in measuring and estimating its own safety and liveness properties as accurately as possible--the subject of this paper. To improve measurements, we suggest counter strategies where the organization presents honey objectives on a closely monitored attack surface to elicit exploitive actions and to estimate its own safety properties, an activity required for an adaptive response aiming to manage an organization's vulnerability and safety surfaces. We expand the basic game to a system of social-technological agents and tailor the encounter structure of evolutionary games to one that best fits a typical organization. Focusing on these double-sided signaling games (compliance and measure) within a system of social-technological agents, we outline a simple gradient ascent-based control mechanism and report on its ability to select and stabilize desirable equilibria despite the typical non-stationarity and chaos within evolutionary game systems. We clarify the design of our feedback-driven control system by using behavioral sensing, estimation and numerical optimization, and actuation with micro-incentives.

Collaboration

Top Co-Authors

William Casey; Software Engineering Institute

Evan Wright; Software Engineering Institute

Ravi S. Sandhu; University of Texas at San Antonio

Shouhuai Xu; University of Texas at San Antonio

Rhiannon Weaver; Software Engineering Institute

Aaron Volkmann; Carnegie Mellon University

Leigh Metcalf; Carnegie Mellon University

Lanier Watkins; Johns Hopkins University

Areej Al-Bataineh; University of Texas at San Antonio