-
Leveraging Reinforcement Learning in Red Teaming for Advanced Ransomware Attack Simulations
Authors:
Cheng Wang,
Christopher Redino,
Ryan Clark,
Abdul Rahman,
Sal Aguinaga,
Sathvik Murli,
Dhruv Nandakumar,
Roland Rao,
Lanxiao Huang,
Daniel Radke,
Edward Bowen
Abstract:
Ransomware presents a significant and increasing threat to individuals and organizations by encrypting their systems and not releasing them until a large fee has been extracted. To bolster preparedness against potential attacks, organizations commonly conduct red teaming exercises, which involve simulated attacks to assess existing security measures. This paper proposes a novel approach utilizing…
▽ More
Ransomware presents a significant and increasing threat to individuals and organizations by encrypting their systems and not releasing them until a large fee has been extracted. To bolster preparedness against potential attacks, organizations commonly conduct red teaming exercises, which involve simulated attacks to assess existing security measures. This paper proposes a novel approach utilizing reinforcement learning (RL) to simulate ransomware attacks. By training an RL agent in a simulated environment mirroring real-world networks, effective attack strategies can be learned quickly, significantly streamlining traditional, manual penetration testing processes. The attack pathways revealed by the RL agent can provide valuable insights to the defense team, hel** them identify network weak points and develop more resilient defensive measures. Experimental results on a 152-host example network confirm the effectiveness of the proposed approach, demonstrating the RL agent's capability to discover and orchestrate attacks on high-value targets while evading honeyfiles (decoy files strategically placed to detect unauthorized access).
△ Less
Submitted 25 June, 2024;
originally announced June 2024.
-
Discovering Command and Control (C2) Channels on Tor and Public Networks Using Reinforcement Learning
Authors:
Cheng Wang,
Christopher Redino,
Abdul Rahman,
Ryan Clark,
Daniel Radke,
Tyler Cody,
Dhruv Nandakumar,
Edward Bowen
Abstract:
Command and control (C2) channels are an essential component of many types of cyber attacks, as they enable attackers to remotely control their malware-infected machines and execute harmful actions, such as propagating malicious code across networks, exfiltrating confidential data, or initiating distributed denial of service (DDoS) attacks. Identifying these C2 channels is therefore crucial in hel…
▽ More
Command and control (C2) channels are an essential component of many types of cyber attacks, as they enable attackers to remotely control their malware-infected machines and execute harmful actions, such as propagating malicious code across networks, exfiltrating confidential data, or initiating distributed denial of service (DDoS) attacks. Identifying these C2 channels is therefore crucial in hel** to mitigate and prevent cyber attacks. However, identifying C2 channels typically involves a manual process, requiring deep knowledge and expertise in cyber operations. In this paper, we propose a reinforcement learning (RL) based approach to automatically emulate C2 attack campaigns using both the normal (public) and the Tor networks. In addition, payload size and network firewalls are configured to simulate real-world attack scenarios. Results on a typical network configuration show that the RL agent can automatically discover resilient C2 attack paths utilizing both Tor-based and conventional communication channels, while also bypassing network firewalls.
△ Less
Submitted 14 February, 2024;
originally announced February 2024.
-
MIA-BAD: An Approach for Enhancing Membership Inference Attack and its Mitigation with Federated Learning
Authors:
Soumya Banerjee,
Sandip Roy,
Sayyed Farid Ahamed,
Devin Quinn,
Marc Vucovich,
Dhruv Nandakumar,
Kevin Choi,
Abdul Rahman,
Edward Bowen,
Sachin Shetty
Abstract:
The membership inference attack (MIA) is a popular paradigm for compromising the privacy of a machine learning (ML) model. MIA exploits the natural inclination of ML models to overfit upon the training data. MIAs are trained to distinguish between training and testing prediction confidence to infer membership information. Federated Learning (FL) is a privacy-preserving ML paradigm that enables mul…
▽ More
The membership inference attack (MIA) is a popular paradigm for compromising the privacy of a machine learning (ML) model. MIA exploits the natural inclination of ML models to overfit upon the training data. MIAs are trained to distinguish between training and testing prediction confidence to infer membership information. Federated Learning (FL) is a privacy-preserving ML paradigm that enables multiple clients to train a unified model without disclosing their private data. In this paper, we propose an enhanced Membership Inference Attack with the Batch-wise generated Attack Dataset (MIA-BAD), a modification to the MIA approach. We investigate that the MIA is more accurate when the attack dataset is generated batch-wise. This quantitatively decreases the attack dataset while qualitatively improving it. We show how training an ML model through FL, has some distinct advantages and investigate how the threat introduced with the proposed MIA-BAD approach can be mitigated with FL approaches. Finally, we demonstrate the qualitative effects of the proposed MIA-BAD methodology by conducting extensive experiments with various target datasets, variable numbers of federated clients, and training batch sizes.
△ Less
Submitted 28 November, 2023;
originally announced December 2023.
-
Enhancing Exfiltration Path Analysis Using Reinforcement Learning
Authors:
Riddam Rishu,
Akshay Kakkar,
Cheng Wang,
Abdul Rahman,
Christopher Redino,
Dhruv Nandakumar,
Tyler Cody,
Ryan Clark,
Daniel Radke,
Edward Bowen
Abstract:
Building on previous work using reinforcement learning (RL) focused on identification of exfiltration paths, this work expands the methodology to include protocol and payload considerations. The former approach to exfiltration path discovery, where reward and state are associated specifically with the determination of optimal paths, are presented with these additional realistic characteristics to…
▽ More
Building on previous work using reinforcement learning (RL) focused on identification of exfiltration paths, this work expands the methodology to include protocol and payload considerations. The former approach to exfiltration path discovery, where reward and state are associated specifically with the determination of optimal paths, are presented with these additional realistic characteristics to account for nuances in adversarial behavior. The paths generated are enhanced by including communication payload and protocol into the Markov decision process (MDP) in order to more realistically emulate attributes of network based exfiltration events. The proposed method will help emulate complex adversarial considerations such as the size of a payload being exported over time or the protocol on which it occurs, as is the case where threat actors steal data over long periods of time using system native ports or protocols to avoid detection. As such, practitioners will be able to improve identification of expected adversary behavior under various payload and protocol assumptions more comprehensively.
△ Less
Submitted 5 October, 2023;
originally announced October 2023.
-
Cross-temporal Detection of Novel Ransomware Campaigns: A Multi-Modal Alert Approach
Authors:
Sathvik Murli,
Dhruv Nandakumar,
Prabhat Kumar Kushwaha,
Cheng Wang,
Christopher Redino,
Abdul Rahman,
Shalini Israni,
Tarun Singh,
Edward Bowen
Abstract:
We present a novel approach to identify ransomware campaigns derived from attack timelines representations within victim networks. Malicious activity profiles developed from multiple alert sources support the construction of alert graphs. This approach enables an effective and scalable representation of the attack timelines where individual nodes represent malicious activity detections with connec…
▽ More
We present a novel approach to identify ransomware campaigns derived from attack timelines representations within victim networks. Malicious activity profiles developed from multiple alert sources support the construction of alert graphs. This approach enables an effective and scalable representation of the attack timelines where individual nodes represent malicious activity detections with connections describing the potential attack paths. This work demonstrates adaptability to different attack patterns through implementing a novel method for parsing and classifying alert graphs while maintaining efficacy despite potentially low-dimension node features.
△ Less
Submitted 1 September, 2023;
originally announced September 2023.
-
A Novel Approach To User Agent String Parsing For Vulnerability Analysis Using Mutli-Headed Attention
Authors:
Dhruv Nandakumar,
Sathvik Murli,
Ankur Khosla,
Kevin Choi,
Abdul Rahman,
Drew Walsh,
Scott Riede,
Eric Dull,
Edward Bowen
Abstract:
The increasing reliance on the internet has led to the proliferation of a diverse set of web-browsers and operating systems (OSs) capable of browsing the web. User agent strings (UASs) are a component of web browsing that are transmitted with every Hypertext Transfer Protocol (HTTP) request. They contain information about the client device and software, which is used by web servers for various pur…
▽ More
The increasing reliance on the internet has led to the proliferation of a diverse set of web-browsers and operating systems (OSs) capable of browsing the web. User agent strings (UASs) are a component of web browsing that are transmitted with every Hypertext Transfer Protocol (HTTP) request. They contain information about the client device and software, which is used by web servers for various purposes such as content negotiation and security. However, due to the proliferation of various browsers and devices, parsing UASs is a non-trivial task due to a lack of standardization of UAS formats. Current rules-based approaches are often brittle and can fail when encountering such non-standard formats. In this work, a novel methodology for parsing UASs using Multi-Headed Attention Based transformers is proposed. The proposed methodology exhibits strong performance in parsing a variety of UASs with differing formats. Furthermore, a framework to utilize parsed UASs to estimate the vulnerability scores for large sections of publicly visible IT networks or regions is also discussed. The methodology present here can also be easily extended or deployed for real-time parsing of logs in enterprise settings.
△ Less
Submitted 6 June, 2023;
originally announced June 2023.
-
Foundational Models for Malware Embeddings Using Spatio-Temporal Parallel Convolutional Networks
Authors:
Dhruv Nandakumar,
Devin Quinn,
Elijah Soba,
Eunyoung Kim,
Christopher Redino,
Chris Chan,
Kevin Choi,
Abdul Rahman,
Edward Bowen
Abstract:
In today's interconnected digital landscape, the proliferation of malware poses a significant threat to the security and stability of computer networks and systems worldwide. As the complexity of malicious tactics, techniques, and procedures (TTPs) continuously grows to evade detection, so does the need for advanced methods capable of capturing and characterizing malware behavior. The current stat…
▽ More
In today's interconnected digital landscape, the proliferation of malware poses a significant threat to the security and stability of computer networks and systems worldwide. As the complexity of malicious tactics, techniques, and procedures (TTPs) continuously grows to evade detection, so does the need for advanced methods capable of capturing and characterizing malware behavior. The current state of the art in malware classification and detection uses task specific objectives; however, this method fails to generalize to other downstream tasks involving the same malware class. In this paper, the authors introduce a novel method that combines convolutional neural networks, standard graph embedding techniques, and a metric learning objective to extract meaningful information from network flow data and create strong embeddings characterizing malware behavior. These embeddings enable the development of highly accurate, efficient, and generalizable machine learning models for tasks such as malware strain classification, zero day threat detection, and closest attack type attribution as demonstrated in this paper. A shift from task specific objectives to strong embeddings will not only allow rapid iteration of cyber-threat detection models, but also allow different modalities to be introduced in the development of these models.
△ Less
Submitted 24 May, 2023;
originally announced May 2023.
-
Zero Day Threat Detection Using Metric Learning Autoencoders
Authors:
Dhruv Nandakumar,
Robert Schiller,
Christopher Redino,
Kevin Choi,
Abdul Rahman,
Edward Bowen,
Marc Vucovich,
Joe Nehila,
Matthew Weeks,
Aaron Shaha
Abstract:
The proliferation of zero-day threats (ZDTs) to companies' networks has been immensely costly and requires novel methods to scan traffic for malicious behavior at massive scale. The diverse nature of normal behavior along with the huge landscape of attack types makes deep learning methods an attractive option for their ability to capture highly-nonlinear behavior patterns. In this paper, the autho…
▽ More
The proliferation of zero-day threats (ZDTs) to companies' networks has been immensely costly and requires novel methods to scan traffic for malicious behavior at massive scale. The diverse nature of normal behavior along with the huge landscape of attack types makes deep learning methods an attractive option for their ability to capture highly-nonlinear behavior patterns. In this paper, the authors demonstrate an improvement upon a previously introduced methodology, which used a dual-autoencoder approach to identify ZDTs in network flow telemetry. In addition to the previously-introduced asset-level graph features, which help abstractly represent the role of a host in its network, this new model uses metric learning to train the second autoencoder on labeled attack data. This not only produces stronger performance, but it has the added advantage of improving the interpretability of the model by allowing for multiclass classification in the latent space. This can potentially save human threat hunters time when they investigate predicted ZDTs by showing them which known attack classes were nearby in the latent space. The models presented here are also trained and evaluated with two more datasets, and continue to show promising results even when generalizing to new network topologies.
△ Less
Submitted 1 November, 2022;
originally announced November 2022.
-
Anomaly Detection via Federated Learning
Authors:
Marc Vucovich,
Amogh Tarcar,
Penjo Rebelo,
Narendra Gade,
Ruchi Porwal,
Abdul Rahman,
Christopher Redino,
Kevin Choi,
Dhruv Nandakumar,
Robert Schiller,
Edward Bowen,
Alex West,
Sanmitra Bhattacharya,
Balaji Veeramani
Abstract:
Machine learning has helped advance the field of anomaly detection by incorporating classifiers and autoencoders to decipher between normal and anomalous behavior. Additionally, federated learning has provided a way for a global model to be trained with multiple clients' data without requiring the client to directly share their data. This paper proposes a novel anomaly detector via federated learn…
▽ More
Machine learning has helped advance the field of anomaly detection by incorporating classifiers and autoencoders to decipher between normal and anomalous behavior. Additionally, federated learning has provided a way for a global model to be trained with multiple clients' data without requiring the client to directly share their data. This paper proposes a novel anomaly detector via federated learning to detect malicious network activity on a client's server. In our experiments, we use an autoencoder with a classifier in a federated learning framework to determine if the network activity is benign or malicious. By using our novel min-max scalar and sampling technique, called FedSam, we determined federated learning allows the global model to learn from each client's data and, in turn, provide a means for each client to improve their intrusion detection system's defense against cyber-attacks.
△ Less
Submitted 12 October, 2022;
originally announced October 2022.
-
Lateral Movement Detection Using User Behavioral Analysis
Authors:
Deepak Kushwaha,
Dhruv Nandakumar,
Akshay Kakkar,
Sanvi Gupta,
Kevin Choi,
Christopher Redino,
Abdul Rahman,
Sabthagiri Saravanan Chandramohan,
Edward Bowen,
Matthew Weeks,
Aaron Shaha,
Joe Nehila
Abstract:
Lateral Movement refers to methods by which threat actors gain initial access to a network and then progressively move through said network collecting key data about assets until they reach the ultimate target of their attack. Lateral Movement intrusions have become more intricate with the increasing complexity and interconnected nature of enterprise networks, and require equally sophisticated det…
▽ More
Lateral Movement refers to methods by which threat actors gain initial access to a network and then progressively move through said network collecting key data about assets until they reach the ultimate target of their attack. Lateral Movement intrusions have become more intricate with the increasing complexity and interconnected nature of enterprise networks, and require equally sophisticated detection mechanisms to proactively detect such threats in near real-time at enterprise scale. In this paper, the authors propose a novel, lightweight method for Lateral Movement detection using user behavioral analysis and machine learning. Specifically, this paper introduces a novel methodology for cyber domain-specific feature engineering that identifies Lateral Movement behavior on a per-user basis. Furthermore, the engineered features have also been used to develop two supervised machine learning models for Lateral Movement identification that have demonstrably outperformed models previously seen in literature while maintaining robust performance on datasets with high class imbalance. The models and methodology introduced in this paper have also been designed in collaboration with security operators to be relevant and interpretable in order to maximize impact and minimize time to value as a cyber threat detection toolkit. The underlying goal of the paper is to provide a computationally efficient, domain-specific approach to near real-time Lateral Movement detection that is interpretable and robust to enterprise-scale data volumes and class imbalance.
△ Less
Submitted 29 August, 2022;
originally announced August 2022.
-
Zero Day Threat Detection Using Graph and Flow Based Security Telemetry
Authors:
Christopher Redino,
Dhruv Nandakumar,
Robert Schiller,
Kevin Choi,
Abdul Rahman,
Edward Bowen,
Matthew Weeks,
Aaron Shaha,
Joe Nehila
Abstract:
Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years, the number of these threats has been increasing at an alarming rate and have been costing organizations millions of dollars to remediate. The increasing expansion of network attack surfaces and the exponentially growing number of ass…
▽ More
Zero Day Threats (ZDT) are novel methods used by malicious actors to attack and exploit information technology (IT) networks or infrastructure. In the past few years, the number of these threats has been increasing at an alarming rate and have been costing organizations millions of dollars to remediate. The increasing expansion of network attack surfaces and the exponentially growing number of assets on these networks necessitate the need for a robust AI-based Zero Day Threat detection model that can quickly analyze petabyte-scale data for potentially malicious and novel activity. In this paper, the authors introduce a deep learning based approach to Zero Day Threat detection that can generalize, scale, and effectively identify threats in near real-time. The methodology utilizes network flow telemetry augmented with asset-level graph features, which are passed through a dual-autoencoder structure for anomaly and novelty detection respectively. The models have been trained and tested on four large scale datasets that are representative of real-world organizational networks and they produce strong results with high precision and recall values. The models provide a novel methodology to detect complex threats with low false-positive rates that allow security operators to avoid alert fatigue while drastically reducing their mean time to response with near-real-time detection. Furthermore, the authors also provide a novel, labelled, cyber attack dataset generated from adversarial activity that can be used for validation or training of other models. With this paper, the authors' overarching goal is to provide a novel architecture and training methodology for cyber anomaly detectors that can generalize to multiple IT networks with minimal to no retraining while still maintaining strong performance.
△ Less
Submitted 4 May, 2022;
originally announced May 2022.
-
Towards Refactoring DMARF and GIPSY OSS
Authors:
Aaradhna Goyal,
Ali Alshamrani,
Dhivyaa Nandakumar,
Dileep Vanga,
Dmitriy Fingerman,
Parul Gupta,
Riya Ray,
Srikanth Suryadevara
Abstract:
We present here an exploratory and investigatory study of the requirements, design, and implementation of two opensource software systems: the Distributed Modular Audio Recognition Framework (DMARF), and the General Intensional Programming System (GIPSY). The inception, development, and evolution of the two systems have overlapped and in terms of the involved developers, as well as in their applic…
▽ More
We present here an exploratory and investigatory study of the requirements, design, and implementation of two opensource software systems: the Distributed Modular Audio Recognition Framework (DMARF), and the General Intensional Programming System (GIPSY). The inception, development, and evolution of the two systems have overlapped and in terms of the involved developers, as well as in their applications. DMARF is a platform independent collection of algorithms for pattern recognition, identification and signal processing in audio and natural language text samples, become a rich platform for the research community in particular to use, test, and compare various algorithms in the broad field of pattern recognition and machine learning. Intended as a platform for intensional programming, GIPSY's inception was intended to push the field of intensional programming further, overcoming limitations in the available tools two decades ago. In this study, we present background research into the two systems and elaborate on their motivations and the requirements that drove and shaped their design and implementation. We subsequently elaborate in more depth about various aspects their architectural design, including the elucidation of some use cases, domain models, and the overall class diagram of the major components. Moreover, we investigated existing design patterns in both systems and provided a detailed view of the involved components in such patterns. Furthermore, we delve deeper into the guts of both systems, identifying code smells and suggesting possible refactorings. Patchsets of implementations of selected refactorings have been collected into patchsets and could be committed into future releases of the two systems, pending a review and approval of the developers and maintainers of DMARF and GIPSY.
△ Less
Submitted 25 November, 2014; v1 submitted 14 October, 2014;
originally announced October 2014.