Versions Compared

Comment: Fixed a wrong copy paste of sections, with section 6 missing.

...

(Nokia, Arcada, F-Secure, Aalto, UH: WP2-03)

Changes to Scenario

No changes to the scenario.

Results

In the anomaly detection for RDS (detection of advanced attacks on endpoints), the focus has been on predicting false positives generated by the detection rules. In particular, endpoint clustering based on observed launches of executables has been explored for identifying unreliable rule-based detections. We have not yet been able to pursue the privacy-preserving flavours of the detection techniques, because of the considerable difficulty of achieving adequate RDS detection precision.

A new method has been proposed for protecting the integrity of the local RDS store, and it has been generalized to other important security functions on the endpoints.


  • A method for ranking RDS detections based on the globally observed events submitted by the RDS sensors has been developed. Work is currently under way to address the problem of “training set poisoning”, e.g., cases in which penetration testing exercises on some endpoints cause actual attack events in other customer systems to receive very low ranking values.

  • A logistic regression classifier for RDS detection rules and endpoint clustering methods have been developed and tested for improving the RDS attack detection precision.

  • The Arcada researchers have started working at the FSC premises to collaborate closely with the FSC Data Science team on endpoint profiling and modeling as part of the RDS anomaly detection plan.

  • An efficient approach for protecting the integrity of the local RDS store has been proposed (UH and FSC) and is currently being refined further by the partners. Another important security use case for the approach has been identified.

  • Paper on optimization and performance evaluation of a differential anomaly detection model for SDN-enabled networks [1] [2]

  • Demo on the application of the differential anomaly detection model to SDN-enabled networks [2] [3]. This demo was also presented at the CloSer workshop on 20 April 2017.

  • Paper on optimization and performance evaluation of differential anomaly detection for the IoT robot security use case [2] [4]
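The prevalence-based ranking of RDS detections and the “training set poisoning” problem described in the bullets above, as an added illustration that is not code from the project or from the report. The scoring rule (negative log of how widespread an executable is across the population), the event record format, and the mitigation of aggregating at customer level rather than endpoint level are all assumptions made for this example; the sensor telemetry is constructed.

```python
"""Prevalence-based ranking of endpoint detections and a guard against
training-set poisoning by pentest traffic.

Added example; the ranking method, record format and mitigation are
assumptions, not the project's own method. Telemetry is constructed."""
from collections import defaultdict
from math import log

# Constructed sample telemetry: one record per rule hit on an endpoint.
# Each record names the customer (tenant), the endpoint, the rule that
# fired and the executable whose launch triggered it.
SAMPLE_EVENTS = [
    # Common admin tooling seen at every customer: a classic false positive
    {"customer": "c1", "endpoint": "c1-h1", "rule": "R_PS_ENCODED", "exe": "powershell.exe"},
    {"customer": "c1", "endpoint": "c1-h2", "rule": "R_PS_ENCODED", "exe": "powershell.exe"},
    {"customer": "c2", "endpoint": "c2-h1", "rule": "R_PS_ENCODED", "exe": "powershell.exe"},
    {"customer": "c3", "endpoint": "c3-h1", "rule": "R_PS_ENCODED", "exe": "powershell.exe"},
    {"customer": "c4", "endpoint": "c4-h1", "rule": "R_PS_ENCODED", "exe": "powershell.exe"},
    # A pentest engagement at customer c1 runs the same tool on many hosts
    {"customer": "c1", "endpoint": "c1-h1", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
    {"customer": "c1", "endpoint": "c1-h2", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
    {"customer": "c1", "endpoint": "c1-h3", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
    {"customer": "c1", "endpoint": "c1-h4", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
    {"customer": "c1", "endpoint": "c1-h5", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
    # The same tool seen once at another customer: the real incident we
    # must not bury under the pentest noise
    {"customer": "c2", "endpoint": "c2-h7", "rule": "R_CRED_DUMP", "exe": "dumper.exe"},
]


def prevalence(events, key):
    """Fraction of the population (distinct values of `key`, e.g. "endpoint"
    or "customer") that reported a launch of each executable."""
    seen = defaultdict(set)
    population = set()
    for ev in events:
        population.add(ev[key])
        seen[ev["exe"]].add(ev[key])
    return {exe: len(ids) / len(population) for exe, ids in seen.items()}


def rank_detections(events, key="endpoint"):
    """Score each (rule, exe) detection by the rarity of the executable
    across the population: score = -ln(prevalence). Higher is more
    suspicious; returns (detection, score) pairs, most suspicious first."""
    prev = prevalence(events, key)
    scores = {}
    for ev in events:
        scores[(ev["rule"], ev["exe"])] = -log(prev[ev["exe"]])
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def top_detection(events, key="endpoint"):
    """The (rule, exe) pair ranked most suspicious under the given key."""
    return rank_detections(events, key)[0][0]


if __name__ == "__main__":
    # Endpoint-level prevalence: the five pentest hosts make dumper.exe
    # look *more* common than powershell.exe, so the real incident at c2
    # is ranked below the benign admin activity (the poisoning effect).
    print("by endpoint:", rank_detections(SAMPLE_EVENTS, "endpoint"))
    # Customer-level prevalence caps any single tenant's contribution at
    # one vote, so the engagement at c1 can no longer drown out c2.
    print("by customer:", rank_detections(SAMPLE_EVENTS, "customer"))
```

With the constructed data, endpoint-level counting ranks the credential-dumping detection below the PowerShell one, because one customer's engagement covers most of the endpoints that ever saw the tool; counting distinct customers instead restores the expected order. The same idea extends to weighting each customer's endpoints equally rather than by raw count, which is the general form of the mitigation.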

...

(F-Secure, Arcada, Aalto, UH)

Changes to Scenario

More emphasis in 2018 will be on the detection of phishing and malicious web sites. High on the list is also near-real-time processing of unknown URLs visited by users, to minimize the time gap between the submission of a new malicious or unwanted URL and the protection software's ability to detect and block it.

Results

  • Work is under way at FSC to enable the integration and validation of the image analysis method developed by Arcada, both for identifying inappropriate image content and for using image analysis results to categorize web pages (in particular, pages with very little text or with text in Asian languages).
  • A prototype of phishing site detection implemented by Aalto has been validated by FSC. The key issue at the moment is that the prototype uses several features available only on the client side, while the FSC architecture supports content analysis logic only in the backend. The partners are exploring ways of overcoming this issue.
  • Topic-modeling-based approaches have been implemented for identifying web resources inappropriate for children. By mapping extracted topics to pre-defined “inappropriate content” categories, good results have been obtained for detecting web pages belonging to a number of such categories, and several topic models are running in FSC production. At the same time, the use of those models has revealed some further problems with the available training sets, to be tackled in 2018.