DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting
abstract
Cyber Threat hunting is a proactive search for known attack behaviors in the organizational information system. It is an important component to mitigate advanced persistent threats (APTs). However, the attack behaviors recorded in provenance data may not be completely consistent with the known attack behaviors. In this paper, we propose DeepHunter, a graph neural network (GNN) based graph pattern matching approach that can match provenance data against known attack behaviors in a robus ...
HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows
abstract
In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniqu ...
ATLAS: A Sequence-based Learning Approach for Attack Investigation
abstract
In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack beh ...
Intrusion Intent Recognition Based on Attack Path Graphs
abstract
To predict an attacker's high-level attack objectives and perceive the network security situation, an intrusion intent recognition method is proposed. The concept of intrusion intent and its classification are given, and a hierarchical attack path graph is proposed. The attack path graph is used to quantitatively analyze the attacker's intent reachability, intent realization probability, shortest path to intent realization, and attack path prediction. The minimum-cut theory of directed graphs is applied to formulate protective measures that prevent the attacker's intent from being realized, providing a basis for administrators' decisions. Experiments verify the feasibility and effectiveness of the method.
The abstract indicates that the paper's main contributions are:
A classification of intrusion intents
A hierarchical attack path graph
Quantitative analysis of intent reachability, intent realization probability, shortest path to intent realization, and attack path prediction
Intent recognition content
Intrusion intent
Hierarchical attack path graph
Definitions:
Vulnerability set V: {v_CVE, v_pre, v_post}
Host set H, port set theta
Set of intents the attacker may achieve I; each intent in I is a four-tuple {i_name, i_target, i_pre, i_post}
Model input: network topology information, vulnerability information, intrusion intent information
Path graphs generated by inference: vulnerability level, host level, protection-domain level
Attack path graph generation
Algorithm overview:
The attacker has already obtained relatively high priv ...
A New Algorithm to Estimate the Similarity between the Intentions of the Cyber Crimes for Network Forensics
abstract
This paper proposes a new algorithm called the Similarity of Attack Intention (SAI), which uses cosine similarity as a distance-based similarity measure to estimate similar cyber crime intentions. The algorithm is based on the Attack Intention Analysis (AIA) algorithm to predict new cyber crime intentions and assigned the probability values for these intentions. A similarity metric for the new cyber crimes intentions with others is generated in order to identify the similar intentions. ...
Threat Modeling and Attack Simulations of Connected Vehicles: Proof of Concept
abstract
This paper reviews research in the field, showing that not much work has been done in the combined area of connected vehicles and threat modeling with attack simulations. We have implemented and conducted attack simulations on two vehicle threat models using a tool called securiCAD. Our work serves as a proof of concept of the approach and indicates that the approach is useful. Especially if more research of vehicle-specific vulnerabilities, weaknesses, and countermeasures is done in o ...
Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix
abstract
To proactively address these security issues in enterprise systems, this paper proposes a threat modeling language for enterprise security based on the MITRE Enterprise ATT&CK Matrix. It is designed using the Meta Attack Language framework and focuses on describing system assets, attack steps, defenses, and asset associations. The attack steps in the language represent adversary techniques as listed and described by MITRE. This entity-relationship model describes enterprise IT syst ...
Design and Implementation of a Novel Testbed for Automotive Security Analysis
abstract
In this paper, we introduce design and implementation of an emulating internal vehicular network as a testbed that can be used to perform an intuitive analysis on the data set collected from the real vehicular network for different situations and replayed through the testing environment similar to an actual vehicle.
The abstract points out that:
The paper designs and implements an emulation tool for the in-vehicle network
It can be used to perform data analysis and data replay
Design and implementation
Its design model diagram is as follows:
Usability evaluation
The implemented framework was compared with the actual vehicle to evaluate its adequacy as an ...
Survey of CAN and ECU Security Testing Tools
After a brief look, I found that there are quite a few security testing tools for CAN and ECU, so I made a simple classification as shown below:
Analysis
Summary
Hardware
Development tools
Access and data acquisition tools
Wireless
Wired
Hybrid
Analysis and testing tools
Software and related libraries
Software
Monitoring and analysis
Hardware discovery
Other
Related libraries
C
Python
Disclaimer
Analysis
The tools mainly used for CAN and ECU security testing fall into the following functional categories:
Establishing a data channel - commonly used devices are ELM327, USB2CAN, USBtin, etc.
Capturing data - O2OO
Analyzing data - Wireshark, Intrepid Tools, CANToolz, etc.
Penetration testing - metasploit, CANtact, CANSPY, etc.
A commonly used tool may cover one or more of the functions above. Considering cost and ease of use, the following are recommended:
Use ELM327 as the connection; Wireshark can be used for CAN bus data analysis, and the metasploit framework's hardware bridge can be used for CAN bus security testing
With USB2CAN, the socketCAN library on the Linux platform can be used for analysis and penetration testing operations.
Finally, affordable hardware developed by individuals or teams can be used, which connects directly through OBD-II ...
codechecker Overview
Introduction to codechecker
codechecker is a code auditing tool that scans source code for potential vulnerabilities. The tool has two main features:
Multi-file scanning with clang sa/clang tidy: tu_collector is used to aggregate the translation units of multiple files, after which clang sa/clang tidy is invoked to scan them
A project management server and a report display interface
Tool repository: https://github.com/Ericsson/codechecker
Overall architecture
Contents:
Build command logging
Records compiler commands, e.g. make, cmake
Converts the compiler commands into JSON format
Build command processing
Argument filtering
C/C++ standard checking
Compilation target detection
gcc/g++ hard-coded path collection
Preprocessing for cross translation unit and static analysis
Cross translation unit: generates AST output for each compile action
Statistical analysis: collects various information, such as return value checks, which can be reused in the static analysis step
Analysis run
Multiple analyzers run parallel using the collected information in the pre a ...