Madison, United States
News Article | May 22, 2017
Site: www.eurekalert.org

By analyzing network traffic going to suspicious domains, security administrators could detect malware infections weeks or even months before they're able to capture a sample of the invading malware, a new study suggests. The findings point toward the need for new malware-independent detection strategies that will give network defenders the ability to identify network security breaches in a more timely manner.

The strategy would take advantage of the fact that malware invaders need to communicate with their command and control computers, creating network traffic that can be detected and analyzed. Having an earlier warning of developing malware infections could enable quicker responses and potentially reduce the impact of attacks, the study's researchers say.

"Our study shows that by the time you find the malware, it's already too late because the network communications and domain names used by the malware were active weeks or even months before the actual malware was discovered," said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. "These findings show that we need to fundamentally change the way we think about network defense."

Traditional defenses depend on the detection of malware in a network. While analyzing malware samples can identify suspicious domains and help attribute network attacks to their sources, relying on samples to drive defensive actions gives malicious actors a critical time advantage to gather information and cause damage. "What we need to do is minimize the amount of time between the compromise and the detection event," Antonakakis added.

The research, which will be presented May 24 at the 38th IEEE Security and Privacy Symposium in San Jose, California, was supported by the U.S. Department of Commerce, the National Science Foundation, the Air Force Research Laboratory and the Defense Advanced Research Projects Agency. The project was done in collaboration with EURECOM in France and the IMDEA Software Institute in Spain, whose work was supported by the regional government of Madrid and the government of Spain.

In the study, Antonakakis, Graduate Research Assistant Chaz Lever and colleagues analyzed more than five billion network events from nearly five years of network traffic carried by a major U.S. internet service provider (ISP). They also studied domain name server (DNS) requests made by nearly 27 million malware samples, and examined the timing for the re-registration of expired domains, which often provide the launch sites for malware attacks.

"There were certain networks that were more prone to abuse, so looking for traffic into those hot spot networks was potentially a good indicator of abuse underway," said Lever, the first author of the paper and a student in Georgia Tech's School of Electrical and Computer Engineering. "If you see a lot of DNS requests pointing to hot spots of abuse, that should raise concerns about potential infections."

The researchers also found that requests for dynamic DNS were related to bad activity, as these often correlate with services used by bad actors because they provide free domain registrations and the ability to quickly add domains.

The researchers had hoped that the registration of previously expired domain names might provide a warning of impending attacks. But Lever found there was often a lag of months between when expired domains were re-registered and attacks from them began.

The research required development of a filtering system to separate benign network traffic from malicious traffic in the ISP data. The researchers also conducted what they believe is the largest malware classification effort to date to differentiate the malicious software from potentially unwanted programs (PUPs). To study similarities, they assigned the malware to specific "families."

By studying malware-related network traffic seen by the ISPs prior to detection of the malware, the researchers were able to determine that malware signals were present weeks and even months before new malicious software was found. Relating that to human health, Antonakakis compares the network signals to the fever or general feeling of malaise that often precedes identification of the microorganism responsible for an infection.

"You know you are sick when you have a fever, before you know exactly what's causing it," he said. "The first thing the adversary does is set up a presence on the internet, and that first signal can indicate an infection. We should try to observe that symptom first on the network because if we wait to see the malware sample, we are almost certainly allowing a major infection to develop."

In all, the researchers found more than 300,000 malware domains that were active for at least two weeks before the corresponding malware samples were identified and analyzed. But as with human health, detecting a change indicating infection requires knowledge of the baseline activity, he said. Network administrators must have information about normal network traffic so they can detect the abnormalities that may signal a developing attack. While many aspects of an attack can be hidden, malware must always communicate back to those who sent it.

"If you have the ability to detect traffic in a network, regardless of how the malware may have gotten in, the action of communicating through the network will be observable," Antonakakis said. "Network administrators should minimize the unknowns in their networks and classify their appropriate communications as much as possible so they can see the bad activity when it happens."

Antonakakis and Lever hope their study will lead to development of new strategies for defending computer networks. "The choke point is the network traffic, and that's where this battle should be fought," said Antonakakis. "This study provides a fundamental observation of how the next generation of defense mechanisms should be designed. As more complicated attacks come into being, we will have to become smarter at detecting them earlier."

In addition to those already mentioned, the study included Davide Balzarotti from EURECOM, and Platon Kotzias and Juan Caballero from IMDEA Software Institute.

This material is based upon work supported in part by the U.S. Department of Commerce grant 2106DEK, National Science Foundation (NSF) grant 2106DGX and Air Force Research Laboratory/Defense Advanced Research Projects Agency grant 2106DTX. This research was also partially supported by the Regional Government of Madrid through the N-GREENS Software-CM S2013/ICE-2731 project and by the Spanish Government through the DEDETIS grant TIN2015-7013-R. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Department of Commerce, National Science Foundation, Air Force Research Laboratory, or Defense Advanced Research Projects Agency.

CITATION: Chaz Lever, et al., "A Lustrum of Malware Network Communication: Evolution and Insights," (38th IEEE Security and Privacy Symposium, 2017).


News Article | May 22, 2017
Site: phys.org

More information: Chaz Lever, et al., "A Lustrum of Malware Network Communication: Evolution and Insights," 38th IEEE Security and Privacy Symposium, 2017.


News Article | May 25, 2017
Site: www.sciencedaily.com



PubMed | Indiana University, Graduate Research Assistant and Ohio State University
Type: | Journal: Preventive medicine reports | Year: 2015

Few worksite trials have examined the impact of diabetes prevention interventions on psychological and behavioral outcomes. Thus, the impact of a worksite lifestyle intervention on psychosocial outcomes, food group intake, and step counts for physical activity (PA) was evaluated. A randomized pretest/posttest control group design with 3-month follow-up was employed from October 2012 to May 2014 at a U.S. university worksite among employees with prediabetes. The experimental group (n=35) received a 16-week group-based intervention while the control group received usual care (n=33). Repeated measures analysis of variance compared the change in outcomes between groups across time. A significant difference occurred between groups post-intervention for self-efficacy associated with eating and PA; goal commitment and difficulty; satisfaction with weight loss and physical fitness; peer social support for healthful eating; generation of alternatives for problem solving; and intake of fruits, meat, fish, poultry, nuts, and seeds (all ps < .05). The experimental group significantly increased step counts post-intervention (p = .0279) and were significantly more likely to report completing their work at study end (p = .0231). The worksite trial facilitated improvement in modifiable psychosocial outcomes, dietary patterns, and step counts; the long-term impact on diabetes prevention warrants further investigation. ClinicalTrials.gov identifier: NCT01682954.


Patino-Fernandez A.M.,Assistant Professor of Clinical Pediatrics | Hernandez J.,Graduate Research Assistant | Villa M.,Postdoctoral Fellow
Journal of School Health | Year: 2013

BACKGROUND: The prevalence of childhood obesity is high, particularly among minority youth. The objective of this article was to evaluate parent and school staff perspectives of childhood health and weight qualitatively to guide the development of a school-based obesity prevention program for minority youth. METHODS: Hispanic parents (N=9) of first graders participated in 1 of 3 focus groups, consisting of 3 parents each. School staff (N=7) participated in 1 focus group. All sessions were digitally recorded and transcribed verbatim. Using NVivo, 2 independent coders rated the transcriptions to identify themes and a third coder addressed commonalities and discrepancies in the coding schemes. RESULTS: Parents and school staff have conflicting views over whose responsibility it is to provide nutritional education and participation in physical activity (PA). Parents felt the school should teach children about healthy nutrition, provide guidance in the cafeteria, and offer more structured PA in school. In contrast, school staff noted that parents have the primary responsibility of ensuring children get adequate nutrition and PA. CONCLUSIONS: Despite contrasting views, parents and staff agreed with the need for comprehensive school-based obesity prevention efforts emphasizing parent and teacher collaboration to promote healthy school and home environments. © 2013, American School Health Association.


Crossley W.A.,Purdue University | Skillen M.D.,Purdue University | Skillen M.D.,Graduate Research Assistant | Frommer J.B.,Purdue University | And 4 more authors.
Journal of Aircraft | Year: 2011

This paper summarizes design optimization approaches for sizing a morphing aircraft for which the wing can make significant shape changes in flight. The approaches include single-level problems solved by gradient-free and gradient-based optimizers and a multilevel problem solved by gradient-based optimizers; of these, the multilevel approach proved most efficient. In the multilevel approach, a top-level problem minimizes the aircraft gross weight using reference design variables (T/W, S, AR, t/c, Λ, and γ), along with morphing limit variables describing the maximum shape change as a function of the reference geometry (e.g., Δb, Δc, and ΔΛ). A sublevel problem for each mission segment determines an optimal wing-shape scheduling that minimizes fuel consumption, satisfies performance constraints, and operates within the geometric domain prescribed by the top-level problem. While the empty-weight buildup uses traditional predictors for fixed-geometry components, the wing weight prediction uses a parametric equation derived from structural optimization studies of morphing wings. The multilevel optimization approach then sizes an aircraft for which the wing can change sweep and root chord length, demonstrating: 1) the optimal wing-shape scheduling and maximum shape change for the morphing strategy, 2) the approach's ability to facilitate continuous morphing during mission segment analysis, and 3) improved effectiveness over previous single-level morphing aircraft sizing approaches. © Copyright 2010.


PubMed | Palmer Center for Chiropractic Research and Graduate Research Assistant
Type: Journal Article | Journal: Journal of chiropractic medicine | Year: 2016

The purpose of this study is to examine the feasibility of novel variations to the way cervical flexion-relaxation phenomenon (FRP) studies are conducted and the feasibility of using cervical axial rotation as an alternative objective measure of cervical pain/dysfunction. Electromyographic data were collected from cervical paraspinal muscles of 5 participants with neck pain and 5 asymptomatic controls. Cervical FRP was conducted as reported in the literature with the participants seated, except that they started with the head fully flexed instead of being erect. Data were also collected with participants lying prone, starting with their head hanging over the edge of the table. Additional data were collected from cervical paraspinal and sternocleidomastoid (SCM) muscles while the seated participants rotated their head fully to the right and left. Ratios were obtained for each type of test by dividing the electromyographic amplitude when muscles were most active by that when they were relaxed or in contralateral rotation. In each case, the ratio was higher for the controls than for those with neck pain, suggesting that any of the 4 methods could be used to distinguish between the 2 groups. The ratios were most pronounced from SCMs during axial rotation. There appeared to be a negative relationship between pain level and the ratios obtained from each method. The findings from this small study are encouraging for all methods used, with axial rotation using SCMs appearing to be the most promising. These results indicate that larger, powered studies are warranted.


Rogers P.M.,Graduate Research Assistant | Stevenson W.R.,University of Wisconsin - Madison
Plant Disease | Year: 2010

Isolates of Alternaria dauci causing Alternaria leaf blight (ALB) were collected from commercial carrot (Daucus carota var. sativus) fields in northeastern North America during 2004. Twenty-two isolates representing a range of genetic diversity were analyzed for their aggressiveness on three commercial carrot varieties (Bolero, Enterprise, and Heritage) varying in disease susceptibility as well as their in vitro response to three fungicides (azoxystrobin, chlorothalonil, and boscalid) commonly used for ALB control. Severity of leaf and petiole blight and leaf chlorosis varied among isolates and carrot varieties in each of three experiments. Visible differences in disease severity, which ranged from 10.9 to 45.1% of the leaf area affected, were apparent 16 days after inoculation. Intensity of chlorosis correlated strongly with blight severity among all isolates. Significant differences were noted among carrot varieties in response to ALB. These varieties may prove useful as differentials capable of distinguishing isolates because variety by isolate interactions were detected. Inhibition of conidial germination ranged from 0.01 to 0.37 μg/ml for azoxystrobin, 0.009 to 0.08 μg/ml for chlorothalonil, and 0.09 to 0.59 μg/ml for boscalid. On average, isolates were more sensitive to chlorothalonil than to azoxystrobin and boscalid. No significant correlation was noted between fungicide sensitivity and aggressiveness. These data provide evidence for phenotypic diversity among A. dauci isolates collected from areas of commercial carrot production. © 2010 The American Phytopathological Society.


Walker J.F.C.,Graduate Research Assistant | Ahmed A.,Graduate Research Assistant
51st AIAA Aerospace Sciences Meeting including the New Horizons Forum and Aerospace Exposition 2013 | Year: 2013

Tests were conducted on a specially designed slender delta wing with a 75 deg leading edge sweep and capable of rotational degrees of freedom about the longitudinal and vertical axes. Aerodynamic measurements were made for three cases in which the model motion was limited to roll only, yaw only, and combined roll and yaw. Results were compared to the data for the fully constrained case. Roll and yaw oscillations were observed to start near 28° angle of attack; however, the amplitude of oscillations for roll decreased from ±30° to ±18° and that of yaw decreased from ±20° to ±5° when the model was allowed to simultaneously roll and yaw, indicating unique fluid dynamic coupling. The frequency of yaw oscillations was found to be 1/3 the frequency of roll oscillations, indicating a stronger dependence of roll on vortex bursting. © 2013 by the American Institute of Aeronautics and Astronautics, Inc. All rights reserved.


Shkarayev S.,University of Arizona | Silin D.,University of Arizona | Silin D.,Graduate Research Assistant
AIAA Journal | Year: 2010

This study addresses the aerodynamics of elastic membrane flapping wings. Several applications of the actuator disk theory to the flapping wings of insects and birds are reviewed. In previous studies, to account for spatial and temporal variance in the wake behind the flapping wings, empirical corrections were proposed for the induced velocity and power. In the present paper, a new procedure for determination of the correction factor is proposed, using membrane-type flapping-wing devices. Wind-tunnel experiments were conducted and the stroke-averaged propulsive thrust was measured on 25-cm-wingspan (flat and 9% camber) and 74-cm-wingspan flapping-wing models. Either flapping frequency or input power was held constant during the tests. The obtained thrust forces were compared to theoretical values predicted by the actuator disk theory. Empirical correction factors to the actuator disk theory were determined, providing a best fit to the experimental data when the flapping axis was aligned with the freestream velocity. It is noteworthy that the numerical value of the correction factor for the 25 cm cambered wing agrees with the results obtained on large insects. The theoretical corrections for angle of attack of the flapping wing give satisfactory agreement with the experimental data only for relatively low forward speeds.
