
Publication


Featured research published by Michael Spertus.


annual computer security applications conference | 2017

Smoke Detector: Cross-Product Intrusion Detection With Weak Indicators

Kevin Alejandro Roundy; Acar Tamersoy; Michael Spertus; Michael Hart; Daniel Kats; Matteo Dell'Amico; Robert Scott

The central task of a Security Incident and Event Manager (SIEM) or Managed Security Service Provider (MSSP) is to detect security incidents on the basis of tens of thousands of event types coming from many kinds of security products. We present Smoke Detector, which processes trillions of security events with the Random Walk with Restart (RWR) algorithm, inferring high order relationships between known security incidents and imperfect secondary security events (smoke) to find undiscovered security incidents (fire). By finding previously undetected incidents, Smoke Detector's RWR algorithm is able to increase the MSSP's critical incident count by 19% with a 1.3% FP rate. Perhaps equally importantly, our approach offers significant benefits beyond increased incident detection: (1) It provides a robust approach for leveraging Big Data sensor nets to increase adversarial resistance of protected networks; (2) Our event-scoring techniques enable efficient discovery of primary indicators of compromise; (3) Our confidence scores provide intuition and tuning capabilities for Smoke Detector's discovered security incidents, aiding incident display and response.


international symposium on algorithms and computation | 2009

A Simple, Fast, and Compact Static Dictionary

Scott Schneider; Michael Spertus

We present a new static dictionary that is very fast and compact, while also extremely easy to implement. A combination of properties make this algorithm very attractive for applications requiring large static dictionaries: (1) High performance, with membership queries taking O(1)-time with a near-optimal constant. (2) Continued high performance in external memory, with queries requiring only 1-2 disk seeks. If the dictionary has n items in $\left\{ 0, ..., m\!-\!1 \right\}$ and d is the number of bytes retrieved from disk on each read, then the average number of seeks is $\min\left(1.63, 1 + O\left( \frac{\sqrt{n} \log m}{d} \right)\right)$. (3) Efficient use of space, storing n items from a universe of size m in $n \log m - \frac{1}{2} n \log n + O\left(n + \log \log m\right)$ bits. We prove this space bound with a novel application of the Kolmogorov-Smirnov distribution. (4) Simplicity, with a 20-line pseudo-code construction algorithm and 4-line query algorithm.


Archive | 2006

Efficient backups using dynamically shared storage pools in peer-to-peer networks

Michael Spertus; Slava Kritov; Darrell Kienzle; Hans F. van Rietschote; Anthony T. Orling; William E. Sobel


Archive | 2006

Adaptive instrumentation through dynamic recompilation

Michael Spertus


Archive | 2005

Interactive debugging system with debug data base system

Michael Spertus; Charles Fiterman; Gustavo Rodriguez Rivera


Archive | 2009

Malware detection using a white list

Michael Spertus


Archive | 2006

Redundancy management service for peer-to-peer networks

Michael Spertus; Slava Kritov


Archive | 2001

Conservative garbage collectors that can be used with general memory allocators

Gustavo Rodriguez-Rivera; Michael Spertus; Charles Fiterman


Archive | 2007

Web site hygiene-based computer security

Carey Nachenberg; Michael Spertus


Archive | 2006

File-system-independent malicious content detection

Sanjay Ramchandra Kale; Kuldeep Sureshrao Nagarkar; Abhay Harishchandra Marode; Michael Spertus
