CAMLIS 2021

Contributors/Speakers: Katie Paxton-Fear, Duncan Hodges, and Oliver Buckley

Insider threats—attacks by employees or trusted individuals—are often more damaging and harder to detect than external attacks. Insiders have legitimate access, knowledge of systems, and can blend malicious actions with normal behavior, allowing attacks to go unnoticed for long periods. Detecting them is challenging because suspicious actions (like accessing sensitive files) may also be part of routine work, and insiders may bypass controls or exploit organizational gaps.

This work introduces a dynamic insider threat model built from large collections of real incident narratives using NLP and topic modeling. It identifies key themes like motivation, methods, and organizational weaknesses, then visualizes incidents as structured graphs to help investigators explore key questions and decision points. The approach supports better incident analysis and prevention by turning unstructured reports into actionable insights, offering a scalable, data-driven tool for understanding insider threats.

Presentation >

Contributors/Speakers: Ethan Rudd and David Krisiloff

Malware classification in the wild remains a difficult problem due in part to concept drift and out-of-distribution data. Concept drift occurs when the statistical properties of target classes, e.g., malware or goodware, change over time, and practical application of machine learning (ML) for information security can be framed as an Open Set Recognition problem. Under an Open Set paradigm, samples that are ill-supported by data in the training set occur at deployment and one must be able to flag these unsupported samples as “unknowns” to differentiate them from properly classified samples. Open Set Recognition was formalized in Scheirer et. al. [1] as a risk minimization problem.

ML deployments for malware detection in the industry typically address concept drift through periodic model retrains on novel data at some specified cadence and do not address the open set problem at all. In practice, a specified cadence for model updates could be replaced by a measure of concept drift, and rather than accepting potential false positives from ‘unknown’ samples and dealing with them as they occur, some measure of support could be used instead to flag these samples and pre-emptively route them to auxiliary detection technologies, least expensive to most expensive (e.g., when static detection is ill-supported route to dynamic detection; when dynamic detection is ill-supported, route to an analyst). Thus, there is motivation for a malware classification model whose representation can be used to provide measurements of statistical support and concept drift for each sample.

While discriminative models are effective at encouraging class separation in a latent space, they are susceptible to concept drift and are not guaranteed to work well in an Open Set Recognition regime, particularly for losses which aim to force separation at the margin but do little to bound the span of class predictions. Moreover, losses which rely on an associated sample label can only be evaluated during training and validation stages; not on new samples encountered after deployment.

By contrast, generative models aim to characterize data distributions and can specifically shape the distribution of sample points in the latent space. For example, Variational Auto-Encoders (VAEs) aim to enforce specific Gaussian distributional constraints which can be used to bound the spread of samples in latent space. Moreover, VAE loss functions can often be computed irrespective of class label, as loss terms are typically evaluated with respect to either data reconstruction, divergence from a known distribution, or the veracity of a sample (real/fake) as is commonly devised in adversarial learning paradigms.

In this presentation, we explore methods to combine loss functions from generative models with standard discriminative losses into multi-objective hybrid discriminative-generative models. We then discuss the impacts on classification performance and training of these auxiliary loss terms on malware detection through examples on open-source malware and goodware datasets (e.g., EMBER 2018, SOREL 20M), applying open set evaluation protocols [1]. We then investigate the characteristics of the associated latent spaces, motivate measurements of concept drift between source and target distributions, and implement classification confidence measures. Additionally, we compare how thresholding generative losses during deployment might be used to enhance classification confidence and reduce open space risk.

[1] W. J. Scheirer, A. Rocha, A. Sapkota, and T. E. Boult, “Towards open set recognition,” IEEE T-PAMI, vol. 36, July 2013.

Presentation >

Contributors/Speakers:Nancirose Piazza, Yaser Faghan,Vahid Behzadan and Ali Fathi

Deep Reinforcement Learning (DRL) has become an appealing solution to algorithmic trading such as high frequency trading of stocks and cyptocurrencies. However, DRL policies are shown to be susceptible to adversarial attacks. It follows that algorithmic trading DRL agents may also be compromised by such adversarial techniques, leading to policy manipulation. In this paper, we develop a threat model for deep trading policies, and propose two active attack techniques for manipulating the performance of such policies at test-time. Additionally, we explore the exploitation of a passive attack based on adversarial policy imitation. Furthermore, we demonstrate the effectiveness of the proposed attacks against benchmark and real-world DQN trading agents.

Presentation >

Speaker: Aditya Kuppa

Machine Learning methods are playing a vital role in combating ever-evolving threats in the Cybersecurity domain. Explanation methods that shed light on the decision process of black-box classifiers are one of the biggest drivers in the successful adoption of these models. Explaining predictions that address ‘Why?/Why Not?’ questions help users/stakeholders/analysts understand and accept the predicted outputs with confidence and build trust. Counterfactual explanations are gaining popularity as an alternative method to help users not only understand the decisions of black-box models (why?) but also provide a mechanism to highlight mutually exclusive data instances that would change the outcomes (why not?).

Recent Explainable Artificial Intelligence literature has focused on three main areas : (a) creating and improving explainability methods that help users better understand how the internal of ML models work as well as their outputs; (b) attacks on interpreters with a white-box setting; (c) defining the relevant properties, metrics of explanations generated by models. Nevertheless, there is no thorough study of how the model explanations can introduce new attack surface to the underlying systems. A motivated adversary can leverage the information provided by explanations to launch membership inference, model extraction attacks to compromise the overall privacy of the system. Similarly, explanations can also facilitate powerful evasion attacks such as poisoning and back door attacks.

In this paper, we cover this gap by tackling various cyber security properties and threat models related to counterfactual explanations. We study black-box attacks that leverages Explainable Artificial Intelligence (XAI) methods to compromise confidentiality and privacy properties of underlying classifiers. We validate our approach with datasets and models used in cyber security domain to demonstrate that our method achieves the attacker's goal under threat models which reflect the real-world settings.

Presentation >

Speaker: Tamás Vörös, Rich Harang, Josh Saxe, and Konstantin Berlin

Most modern malware like Remote Administration Tools, ransomware, coin miners and espionage tools require communication with the internet, as they need to accept commands, transmit payloads, or exfiltrate sensitive information. Identifying such malicious communication potentially requires firewalls to decrypt encrypted traffic, make expensive queries to cloud infrastructure, or otherwise perform resource intensive computations, making such data collection impractical for all passing traffic.

IP allow/block lists can potentially be used as a computational cheap pre-filter for these expensive operations but cannot be applied to unlisted IPs. Here we demonstrate that we can effectively expand upon the coverage of an allow or blocklist by building a machine learning (ML) model that is able to accurately predict if a previously unseen IP address is likely to be involved in known malicious behavior. While predicting malicious traffic based only on the IP address is difficult, we greatly improve on existing baseline with two different deep learning architectures and additionally utilizing pretraining.

We test our approaches on two distinct datasets and show that combining our deep learning architectures and pretraining improves the area under the curve from .89 and .992 to .93 and .995 respectively. Our results show the viability of building an ML model as a replacement or augmentation to traditional allow and blocklists, and importantly should generalize to IPv6 data, where maintaining such lists manually might become intractable.

Presentation >

Contributors/Speakers: Xigao Li, David Krisiloff, and Scott Coull

Traditional antivirus systems rely on static analysis for fast, on-device malware detection, but these methods are easily evaded through techniques like packing. Dynamic sandbox analysis is more robust but slow and resource-intensive. This work explores binary emulation as a middle ground, using tools like SpeakEasy to simulate program execution on-device and capture rich behavioral data such as API calls, memory usage, and network activity for machine learning models.

Using emulation data, we built models for malware detection and family classification, combining API call sequences and memory features with techniques like gradient boosting and neural networks. Results show emulation-based models can correct up to 50% of errors from static models, and combining both approaches improves performance further. This method balances accuracy, speed, and resource use, offering a scalable alternative for detecting evasive malware.

Presentation >‍

Contributors/Speakers: Sunil Vasisht, Philip Tully, Jay Gibble

Malware analysts often rely on static and dynamic analysis to understand a binary’s behavior, but deeper insights typically require reverse engineering using tools like IDA Pro or Ghidra. These disassemblers convert binaries into low-level assembly and higher-level pseudocode while performing operations like function recognition and auto-naming. Function names are augmented using signatures and prior human annotations, but coverage is limited: most functions in a fresh malware sample remain unnamed, slowing triage and analysis. Improving function name coverage is therefore crucial for accelerating malware investigation workflows.

We frame function name prediction as a neural machine translation problem, using structured disassembly representations such as ASTs and CFGs. AST paths and leaf tokens are embedded and encoded using BiLSTMs, while CFGs capture control flow and call relationships for graph-based modeling. Our dataset includes 360k functions from 4.3k malicious PE files, annotated with IDA-generated names, expert-labeled metadata, and capabilities from tools like capa. Evaluations using F1 scores and expert feedback show that leveraging syntactic structure enables accurate natural language function annotations, reducing reverse engineering effort and offering potential for integration into IDA plug-ins or scalable malware analysis pipelines.

Presentation >

Contributors/Speakers: Gordon Werner and S. Jay Yang

Intrusion detection systems generate a large number of streaming alerts. It can be overwhelming for analysts to quickly and effectively understand behavior within a network. Critical alerts occur so infrequently that it can be difficult to determine what surrounding alerts are actually related to them, providing a deep challenge to analysts. What if an analyst could provide a collection of known critical alerts and quickly receive a summary detailing their temporal behaviors within a network as well consistently co-occurring signatures that pre-empt or succeed the critical action? What if this information could be provided in near real time, with no training data, and with the capability to adapt to changing temporal patterns and relationships across signatures? The Concept Learning for Intrusion Event Aggregation in Realtime with Rare co-Occurring Alert signature Discovery (CLEAR-ROAD) answers that question, revealing consistent co-occurrences derived from alerts with similar temporal arrival patterns. Alerts are aggregated, or sequenced, based on their unique and invariant arrival patterns, not external training data. The signature patterns expressed by such temporal activity are then discovered through pattern mining techniques. A constrained databasing approach is used to reduce the number of sequences processed by an average of 90\% for individual streams. Case studies are conducted to analyze the co-occurring signatures found across two real world datasets, one from a SOC operation and another from a penetration testing competition. CLEAR-ROAD is able to find consistently co-occurring signatures across streams and datasets quickly and effectively. Differences in temporal behavior are also found to lead to unique co-occurring signatures for some critical alerts. Case studies show the clear and near-immediate benefits provided to analysts by the system.

Presentation >

Contributors/Speakers: Nick Gregory and Harini Kannan

In recent years, exploits like Spectre, Meltdown, Rowhammer, and Return Oriented Programming (ROP) have been detected using Hardware Performance Counters. But to date, only relatively simple and well-understood counters have been used, representing just a tiny fraction of the information we can glean from the system. What's worse, using only well-known counters as detectors for these attacks has a huge disadvantage - an attacker can easily bypass known counter-based detection techniques with minimal changes to existing sample exploit code. Uncovering the treasure trove of overlooked and undocumented counters is necessary if we are to both build defenses against these attacks and anticipate how an adversary could bypass our defenses.

In this paper, we’ll first introduce our version of Spectre variant 4 with evasive changes that can bypass any detections using conventional cache miss, branch miss, and branch misprediction counters. We’ll then show how our model using select undocumented counters is able to detect this new edited variant, and how it is also able to detect a novel Spectre implementation submitted to Virus Total.

Presentation > | Video >

Speaker: Andy Applebaum

The past few decades have shown that machine learning (ML) can be a powerful tool for static malware detection, with papers today still purporting to eek out slight accuracy improvements. At the same time, researchers have noted that ML-based classifiers are susceptible to adversarial ML, whereby attackers can exploit underlying weaknesses in ML techniques to specifically tailor their malware to evade these classifiers. Defending against these kinds of attacks has proven challenging, particularly for those not steeped in the field.

To help tighten this gap, we have developed Kampff, a Windows PE malware classifier designed to detect attempts at evasion. Kampff uses a portfolio of classifiers, building on a primary classifier designed to detect ``normal'' malware by attaching classifiers designed to specific types of adversarial malware to it. While simplistic, this approach is able to make it significantly harder -- though not impossible -- to bypass the primary classifier.

Presentation >

Speaker: Sven Cattell

Adversarial attacks against AI products are more than just static events that the model gets wrong. In much of the literature we generate N points using the attack and report the accuracy of the model against those N points. When these are cheap to produce, like in the whitebox case, this is reasonable. In the blackbox case there may be thousands of queries that may take days or weeks if it's behind a rate limited API. If the attack is successful it will probably get reused. We've previously shown that we can monitor the overall adversarial drift using a bayesian approach with a cover tree. In this paper we show evidence that black box adversarial attacks induce a high measured drift, even when attackers are attempting to hide in benign traffic.

Presentation >‍

Contributors/Speaker: Shubham Jain, Ana-Maria Cretu and Yves-Alexandre de Montjoye

End-to-end encryption (E2EE) by messaging platforms enable people to securely and privately communicate with one another. Its widespread adoption however raised concerns that illegal content might now be shared undetected. Following the global pushback against key escrow systems, client-side scanning based on perceptual hashing has been recently proposed by governments and researchers to detect illegal content in E2EE communications. We here propose the first framework to evaluate the robustness of perceptual hashing-based client-side scanning to detection avoidance attacks and show current systems to not be robust. More specifically, we propose three adversarial attacks ---a general black-box attack and two white-box attacks for discrete cosine transform-based algorithms-- against perceptual hashing algorithms. In a large-scale evaluation, we show perceptual hashing-based client-side scanning mechanisms to be highly vulnerable to detection avoidance attacks in a black-box setting, with more than 99.9\% of images successfully attacked while preserving the content of the image. We furthermore show our attack to generate diverse perturbations, strongly suggesting that straightforward mitigation strategies would be ineffective. Finally, we show that the larger thresholds necessary to make the attack harder would probably require more than one billion images to be flagged and decrypted daily, raising strong privacy concerns. Taken together, our results shed serious doubts on the robustness of perceptual hashing-based client-side scanning mechanisms currently proposed by governments, organizations, and researchers around the world.

Presentation >