Thomas E. Dube
Air Force Institute of Technology
Publications
Featured research published by Thomas E. Dube.
International Journal of Critical Infrastructure Protection | 2013
Zachry Basnight; Jonathan Butts; Juan Lopez; Thomas E. Dube
Recent attacks on industrial control systems, such as the highly publicized Stuxnet malware, have intensified a “race to the bottom” where lower-level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physical outputs, can be easily modified at the user level. Efforts directed at protecting against firmware modification are hindered by the lack of foundational research about attack development and implementation. This paper examines the vulnerability of PLCs to intentional firmware modifications in order to obtain a better understanding of the threats posed by PLC firmware modification attacks and the feasibility of these attacks. A general firmware analysis methodology is presented, and a proof-of-concept experiment is used to demonstrate how legitimate firmware can be updated and uploaded to an Allen-Bradley ControlLogix L61 PLC.
Computers & Security | 2012
Thomas E. Dube; Richard A. Raines; Gilbert L. Peterson; Kenneth W. Bauer; Michael R. Grimaila; Steven K. Rogers
Organizations increasingly rely on the confidentiality, integrity and availability of their information and communications technologies to conduct effective business operations while maintaining their competitive edge. Exploitation of these networks via the introduction of undetected malware ultimately degrades their competitive edge, while taking advantage of limited network visibility and the high cost of analyzing massive numbers of programs. This article introduces the novel Malware Target Recognition (MaTR) system, which combines the decision tree machine learning algorithm with static heuristic features for malware detection. By focusing on contextually important static heuristic features, this research demonstrates superior detection results. Experimental results on large sample datasets demonstrate near ideal malware detection performance (99.9+% accuracy) with low false positive (8.73e-4) and false negative rates (8.03e-4) at the same point on the performance curve. Test results against a set of publicly unknown malware, including potential advanced competitor tools, show MaTR's superior detection rate (99%) versus the union of detections from three commercial antivirus products (60%). The resulting model is a fine granularity sensor with potential to dramatically augment cyberspace situation awareness.
IEEE Symposium on Security and Privacy | 2008
Thomas E. Dube; Bobby D. Birrer; Richard A. Raines; Rusty O. Baldwin; Barry E. Mullins; Robert W. Bennington; Christopher E. Reuter
In this article, we present the state of the art in today's non-malicious software defense protections. We also present an overview of the tools and techniques that attackers use to defeat current defenses. Finally, we expound on some unorthodox approaches to defending software, including tactics that advanced malware currently uses to protect itself.
IEEE Systems Journal | 2013
Thomas E. Dube; Richard A. Raines; Michael R. Grimaila; Kenneth W. Bauer; Steven K. Rogers
Organizations traditionally use signature-based commercial antivirus products as a frontline defense against malware, but advanced persistent threats craft custom malicious tools to achieve their objectives. Organizations safeguarding sensitive information have difficulty in identifying new malware threats among millions of benign executables using only signature-based antivirus systems. This paper extends a performance-based malware target recognition architecture that currently uses only static heuristic features. Experimental results show that this architectural component achieves an overall test accuracy of 98.5% against a malware set collected from operational environments, while three commercial antivirus products combine for a detection accuracy of only 60% with their most sensitive settings. Implementations of this architecture will enable organizations to self-discover new malware threats, providing enhanced situation awareness for cyberspace operators in hostile threat environments.
International Conference on Social Computing | 2010
Thomas E. Dube; Richard A. Raines; Gilbert L. Peterson; Kenneth W. Bauer; Michael R. Grimaila; Steven K. Rogers
Current technologies for computer network and host defense do not provide suitable information to support strategic and tactical decision-making processes. Although pattern-based malware detection is an active research area, the additional context of the type of malware can improve cyber situational awareness. This additional context is an indicator of threat capability, thus allowing organizations to assess information losses and focus response actions appropriately. Malware Type Recognition (MaTR) is a research initiative extending detection technologies to provide the additional context of malware types using only static heuristics. Test results with MaTR demonstrate over a 99% accurate detection rate and 59% test accuracy in malware typing.
Proceedings of SPIE | 2015
Sandra L. Vaughan; Robert F. Mills; Michael R. Grimaila; Gilbert L. Peterson; Mark E. Oxley; Thomas E. Dube; Steven K. Rogers
Current cyber-related security and safety risks are unprecedented, due in no small part to information overload and skilled cyber-analyst shortages. Advances in decision support and Situation Awareness (SA) tools are required to support analysts in risk mitigation. Inspired by human intelligence, research in Artificial Intelligence (AI) and Computational Intelligence (CI) has provided successful engineering solutions in complex domains including cyber. Current AI approaches aggregate large volumes of data to infer the general from the particular, i.e. inductive reasoning (pattern-matching), and generally cannot infer answers not previously programmed. Humans, by contrast, are rarely able to reason over large volumes of data, yet have successfully reached the top of the food chain by inferring situations from partial or even partially incorrect information, i.e. abductive reasoning (pattern-completion), generating a hypothetical explanation of observations. In order to achieve an engineering advantage in computational decision support and SA, we leverage recent research in human consciousness, the role consciousness plays in decision making, and the modeling of the units of subjective experience which generate consciousness, qualia. This paper introduces a novel computational implementation of a Cognitive Modeling Architecture (CMA) which incorporates concepts of consciousness. We apply our model to the malware type-classification task. The underlying methodology and theories are generalizable to many domains.
The Journal of Defense Modeling and Simulation: Applications, Methodology, Technology | 2017
Kristy L Moore; Trevor J. Bihl; Kenneth W. Bauer; Thomas E. Dube
Cyber networks frequently encounter amounts of network traffic too large to process for real-time threat detection efficiently. This research examines combined classification and feature selection using the artificial neural network (ANN) for cyber network threat detection. The network traffic data examined was from the 2003–2007 and 2009 Department of Defense Cyber Defense Exercises (CDXs). Firstly, a feature extraction process is developed using Fullstats to extract 248 features from the CDX dataset. Security Onion is used to determine class labels (cyber attack and severity of attack). Various threat detection scenarios are considered in analyzing the data: threats versus no-threats, severity of threats (low, medium, and high) for known threats, and complete (no-threat, low, medium, and high). ANN signal-to-noise ratio feature selection was used to remove non-salient features and determine an appropriate level of dimensionality for classifying cyber attack and normal operating conditions. Considering the set of 248 features from the CDX data, consistent classification accuracy of 83–97% (testing/training sets) and 63–88% (validation sets) is seen down to 18 features. Thus, a 90% data reduction is shown to be possible with negligible reduction in performance, with additional insight into the source (Transmission Control Protocol/Internet Protocol or Open Systems Interconnection layer) of salient features.
Archive | 2012
Thomas E. Dube; Richard A. Raines; Steven K. Rogers
Archive | 2011
Richard A. Raines; Thomas E. Dube
Military Cyber Affairs | 2016
Michael D. Rich; Robert F. Mills; Thomas E. Dube; Steven K. Rogers