Rebecca Cathey

Misuse detection for information retrieval systems

We present a novel approach to detect misuse within an information retrieval system by gathering and maintaining knowledge of the behavior of the user rather than anticipating attacks by unknown assailants. Our approach is based on building and maintaining a profile of the behavior of the system user through tracking, or monitoring of user activity within the information retrieval system. Any new activity of the user is compared to the user profile to detect a potential misuse for the authorized user. We propose four different methods to detect misuse in information retrieval systems. Our experimental results on

Optimal content delivery with network coding

2

Yizkor books: a voice for the silent past

GB collection favorably demonstrate the validity of our approach.

Behavior Analysis via Execution Path Clusters

We present a unified linear program formulation for optimal content delivery in content delivery networks (CDNs), taking into account various costs and constraints associated with content dissemination from the origin server to storage nodes, data storage, and the eventual fetching of content from storage nodes by end users. Our formulation can be used to achieve a variety of performance goals and system behavior, including the bounding of fetch delay, load balancing, and robustness against node and arc failures. Simulation results suggest that our formulation performs significantly better than the traditional minimum k-median formulation for the delivery of multiple content, even under modest circumstances (small network, few objects, low storage budget, low dissemination costs).

Relationally Mapping XML Queries For Scalable XML Search

Yizkor Book collections contain firsthand commemorative accounts of events from the era surrounding the rise and fall of Nazi Germany, including documents from before, during, and after the Holocaust. Prior to our effort, information regarding the content and location of each Yizkor Book volume was limited. We established a centralized index and metadata repository for the Yizkor Book collection and developed a detailed search interface accessible worldwide.

Automated Execution Control and Dynamic Behavior Monitoring for Android (TM) Applications

As the presence of malware increases in binary applications, behavior analysis is rapidly becoming necessary. We examine the application of execution path clustering and information pedigree analysis to analyze the behaviors of an application. An execution path is the sequence of basic blocks in a binary that are executed in response to a given input. One execution path represents a specific behavior of the application, likewise, similar execution paths define similar application behaviors. We cluster dynamic execution paths using the hierarchical agglomerative clustering algorithm to characterize program behavior. Furthermore, through comparisons between clusters, we can use information pedigree analysis to identify the modal inputs which cause the execution of unique behaviors within a cluster. Through this form of modality analysis, we can identify the modal inputs which control the mode in which the application executes. This approach allows us to automatically elicit the specification of software for which we only have the binary image. To assess the utility of this approach, we report on experiments conducted against a set of test Android applications.

Worldwide accessibility to Yizkor books

The growing trend of using XML to share security data requires scalable technology to effectively manage the volume and variety of data. Although a wide variety of methods exist for storing and searching XML, the two most common techniques are conventional tree-based approaches and relational approaches. Tree-based approaches represent XML as a tree and use indexes and path join algorithms to process queries. In contrast, the relational approach seeks to utilize the power of a mature relational database to store and search XML. This method relationally maps XML queries to SQL and reconstructs the XML from the database results. We use the XBench benchmark to compare the scalability of the SQLGenerator, our relational approach, with eXist, a popular tree-based approach.

Exploiting parallelism to support scalable hierarchical clustering

We explore techniques for eliciting a behavioral description from an Android smartphone app in a controlled manner. A description of app behavior is useful for performing subsequent analysis such as model checking, for example to verify the app satisfies a set of desirable security properties. Our solution is to dynamically execute the app in a customized version of the Android SDK emulator, which provides many of an apps inputs as responses to invoked API calls. A more focused set of input values computed offline are then injected to the app via hooks introduced into the Android API implementation. To dynamically monitor app behavior, we instrument the app bytecode to record control and data flows during execution. We also instrument the Android API to record all of the apps inputs and outputs. We have used this technique on the DARPA Automated Program Analysis for Cybersecurity (APAC) program to reveal hidden, triggerable attacks in independently developed challenge apps. Our framework for extracting app behavior is part of Droid Reasoning, Analysis, and Protection Engine (DRAPE), an integrated, semi-automated app behavior analysis system capable of discovering hidden malware in Android apps.

Using a relational database for scalable XML search

Yizkor Books contain firsthand accounts of events that occurred before, during, and after the Holocaust. These books were published with parts in thirteen languages, across six continents, spanning a period of more than 60 years and are an important resource for research of Eastern European Jewish communities, Holocaust studies, and genealogical investigations. Numerous Yizkor Book collections span the globe. One of the largest collections of Yizkor Books is housed within the United States Holocaust Memorial Museum. Due to their rare and often fragile conditions, the original Yizkor Books are vastly underutilized. Ongoing efforts to digitize and reprint Yizkor Books increases the availability of the books, however, the capability to search information about their content is nonexistent. We established a centralized index for Yizkor Books and developed a detailed search interface accessible worldwide, capable of efficiently querying the data. Our interface offers unique features and provides novel approaches to foreign name and location search. Furthermore, we describe and demonstrate a rule set to assist searches based on inaccurate terms. This system is currently under the auspices of the United States Holocaust Memorial Museum.