Current trends in technology point to the increasing ubiquity of “social-network” and “application” centric frameworks. While these trends have dramatic security implications, which highlight the need to detect deceptive behaviors, they also underscore the importance of developing new methods for malware detection and deterrence.
One of the problems facing the agents of a social-technological network can be to identify and classify the various forms of deception and attacks in traces executed on end point devices. Just as attackers can employ deception to achieve an attack (e.g., a benign sounding flash light app that actually opens a back door on the end point device to surveil the device's GPS coordinates, (see, e.g., Reference 1)), a defensive user can also check and validate that an app abides by a specific system security property, such as non-surveillance, which could be validated on the end point device by use of a trace monitor. The transactions in social-technological networks embody many such repeated games, with payoffs and costs, as in the previous example in which the sender of the flash light app receives the benefit of asymmetric information relative to each receiving agent (e.g., each end point device which installed the flash light app). The receiver can incur a cost through both the loss of privacy, and unawareness of the asymmetric information exploited by the sender.
Technical approaches toward attaining cyber security have created pressure on malware attackers to evolve technical sophistication and harden attacks with increased precision, including socially engineered malware and distributed denial of service (“DDoS”) attacks. A general and simple design for achieving cyber security remains elusive, and addressing the problem of malware has become such an important task that technological, economic and social forces are needed to address this problem.
For example, in March of 2013, an attacker issued a DDoS attack that was so massive, it slowed internet speeds around the globe. Known as Spamhaus/Cyberbunker, this attack clogged servers with dummy internet traffic at a rate of about 300 gigabits per second. By comparison, DDoS attacks against banks typically register only about 50 gigabits per second. The Spamhaus attack came 13 years after the publication of best practices on preventing DDoS attacks, and it was not an isolated event.
Recent figures indicate that cyber-attacks continue to rise. Research from the security firm Symantec indicates that in 2012, targeted cyber-attacks increased by 42 percent. In part, for example, existing technologies facilitate the role of attacker over the role of defender, since in this hide-and-seek game, the tricks to hide the attack are many, whereas the techniques to seek them are meager and resource intensive.
The feasibility of the recommendation-verification system opens the way to new defense mechanisms that can be scalable to populations of users in a social-technological network in the era of ubiquitous computing.
Behavior modeling of agent based populations in cyber-social systems via signaling games was previously introduced (see, e.g., Reference 2); this was later extended to minority games with epistatic signaling. Both simulation studies can be used to understand how a recommendation-verification system can operate practically. In signaling games, the parameters of costs/payoffs were shown to have dramatic outcomes on expected system (e.g., population of agents) behavior. Epistatic signaling games, where defense options consider a vast attack surface, can provide more realistic simulations, yet retain many of the dynamics discovered in signaling games. The system wide effects of an early adapter advantage were explored in the minority game variation. This facilitates the exploration of the effects of preferentially rewarding early challenging receivers who adapt effective defenses in response to an ongoing attack technique, an important condition for any system that provides incentives for challenges to adapt (e.g., via mutation or other means) to novel attacks. Further exploration investigated the use of strong and transparent metrics for scoring security challenges (e.g., properties), and how this can lead to a more effective population wide response to emerging attacks. While the simulation studies address population behavior and dynamics, the question of how to implement such a system remained open; it can be demonstrated how challenge options for a recommendation-verification system could be realized with a methodology that learns the properties of traces from a particular malicious code family, Zeus/Zbot (referred to as Zeus).
Formal methods including model checking, properties (e.g., as sets of traces) and hyper-properties (e.g., as sets of properties), can be referenced as ways forward to address the growing problem of malware and cyber security in today's ecology of computing. (See e.g., Reference 3). Hyper properties can also be used as a potential means to formally describe attack behavior and malicious use cases. Hyper properties can be shown (see e.g., Reference 4) to compactly describe security properties, such as non-interference, where a guarantee can be described as a hyper property. Such challenge options could be realized on end point devices by the use of trace monitors. To facilitate the needs of recommendation-verification, detectors (e.g., challenge options) can be described in a formal and standard way that can also be human interpretable. Therefore, hyper properties can be an ideal format.
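The trace monitor mentioned above (an end point device checking that an app abides by a property such as non-surveillance, and a property understood as a set of traces) can be made concrete with a small monitor. The following is an added example and is not code from the original text or from any project it cites; the API call names and the sample traces are constructed, and the definition of non-surveillance used here (no network send after a location read) is an assumption chosen for illustration.

```python
"""Trace monitor for a 'non-surveillance' trace property (added example).

A property is a set of traces. Here the property is: no network send
occurs after a location read. An app satisfies it when every observed
trace of the app is in that set; a violating trace is a witness.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Sequence, Tuple

# Constructed, hypothetical call names standing in for what a real end
# point device would log; they are not taken from any real app or API.
LOCATION_READS = {"get_gps_location", "get_last_known_location"}
NETWORK_SENDS = {"http_post", "socket_send"}


@dataclass(frozen=True)
class Violation:
    """Witness that a trace is outside the property: a location read at
    `location_index` followed later by a network send at `send_index`."""
    location_index: int
    send_index: int
    location_call: str
    send_call: str


def non_surveillance(trace: Sequence[str]) -> Optional[Violation]:
    """Return None if the trace is in the property, else the first witness.

    The monitor is a two-state automaton: it waits for a location read,
    then flags the first network send seen afterwards.
    """
    first_loc: Optional[Tuple[int, str]] = None
    for i, call in enumerate(trace):
        if first_loc is None and call in LOCATION_READS:
            first_loc = (i, call)
        elif first_loc is not None and call in NETWORK_SENDS:
            return Violation(first_loc[0], i, first_loc[1], call)
    return None


def check_property(traces: Iterable[Sequence[str]]) -> Dict[str, object]:
    """Lift the per-trace check to all observed traces of an app.

    Returns a verdict plus a map from trace number to witness for every
    trace that falls outside the property.
    """
    witnesses: Dict[int, Violation] = {}
    for n, t in enumerate(traces):
        v = non_surveillance(t)
        if v is not None:
            witnesses[n] = v
    return {"satisfied": not witnesses, "witnesses": witnesses}


# Constructed sample traces (not real app traces).
BENIGN_FLASHLIGHT = ["open_camera", "set_torch_on", "set_torch_off"]
DECEPTIVE_FLASHLIGHT = ["open_camera", "set_torch_on",
                        "get_gps_location", "http_post", "set_torch_off"]
# A trace that reads location but never sends it stays inside this
# particular property; a stricter property would have to forbid the read.
LOCAL_ONLY = ["get_last_known_location", "draw_map"]


if __name__ == "__main__":
    verdict = check_property([BENIGN_FLASHLIGHT, DECEPTIVE_FLASHLIGHT, LOCAL_ONLY])
    print(verdict)
```

Because the property is stated as an automaton over logged calls rather than as a signature for one app, the same monitor serves as a reusable challenge option: any app whose observed traces are accepted passes the challenge, and a failing trace comes with an explicit witness a human can read.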
The use of machine learning in the area of cyber security can be prevalent. (See, e.g., References 5-8). In this exemplary approach, machine learning methods that produce interpretable models can be used (see, e.g., References 10 and 11): procedures for inducing a simple and interpretable model from structured features (see, e.g., Reference 12), for boosting a classifier by combining an ensemble of weaker learners, and for ensemble boosting of interpretable decision trees. (See, e.g., Reference 13).
The exemplary technique illustrated on Zeus can be related in subject to previous work (see, e.g., Reference 7), which confines the learning objectives to features obtained from traditional runtime behavioral observations. A trace based approach can be pursued, which can construct an analogous analysis technique, but can limit the feature space to API count profiles, and stop short of measuring critical performance metrics (e.g., including model complexity) which would be utilized in a distributed recommendation-verification system. (See, e.g., Reference 6). The learning objective can be extended from the feature space of API count profiles to a feature space that includes primitive features (e.g., k-mers) of local ordering (e.g., of function call sequences), and the outcome suggests that this extension can lead to more concise and low complexity models. It can be further shown how to translate the results to a formal property, which could be deployed in a federated response.
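The extension from API count profiles to k-mers of function call sequences, and the induction of a simple interpretable model from those features, can be shown on constructed traces. This is an added example, not code from the original text or from any cited work: the call names, the traces and their family/benign labels are constructed, and the "model" is a single-feature decision stump chosen here to keep complexity measurable (one feature), not the learning procedure of any reference.

```python
"""k-mer features of call sequences versus API count profiles (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Trace = Sequence[str]
Kmer = Tuple[str, ...]


def count_profile(trace: Trace) -> Counter:
    """Feature space 1: how often each call appears (order is discarded)."""
    return Counter(trace)


def kmer_profile(trace: Trace, k: int) -> Counter:
    """Feature space 2: how often each length-k window of consecutive
    calls appears, which captures local ordering."""
    return Counter(tuple(trace[i:i + k]) for i in range(len(trace) - k + 1))


def best_stump(examples: Sequence[Tuple[Trace, int]], k: int) -> Tuple[Kmer, float]:
    """Induce the simplest possible interpretable model: one k-mer whose
    presence best predicts the label (1 = family, 0 = benign).

    Returns (feature, training accuracy). Ties keep the lexicographically
    first feature so the result is deterministic. Model complexity is one
    feature, which is the kind of metric a recommendation-verification
    system would report alongside accuracy.
    """
    profiles = [(kmer_profile(t, k), y) for t, y in examples]
    features: set = set()
    for p, _ in profiles:
        features |= set(p)
    best: Optional[Tuple[Kmer, float]] = None
    for f in sorted(features):
        correct = sum((f in p) == bool(y) for p, y in profiles)
        acc = correct / len(profiles)
        if best is None or acc > best[1]:
            best = (f, acc)
    assert best is not None, "no features: traces shorter than k"
    return best


def predict(trace: Trace, feature: Kmer) -> int:
    """Apply the stump: label 1 (family) iff the k-mer occurs in the trace."""
    return int(feature in kmer_profile(trace, len(feature)))


# Constructed, labelled traces (hypothetical call names; not Zeus data).
# FAMILY_1 and BENIGN_1 have identical count profiles and differ only in
# order, so a count-based learner cannot separate them, but a 2-mer can.
FAMILY_1 = ["open_file", "write_file", "connect", "send"]
FAMILY_2 = ["read_file", "open_file", "write_file", "connect", "send", "close"]
BENIGN_1 = ["connect", "send", "open_file", "write_file"]
BENIGN_2 = ["open_file", "read_file", "close"]
EXAMPLES: List[Tuple[Trace, int]] = [
    (FAMILY_1, 1), (FAMILY_2, 1), (BENIGN_1, 0), (BENIGN_2, 0),
]


if __name__ == "__main__":
    feature, acc = best_stump(EXAMPLES, k=2)
    print("rule: family iff", " -> ".join(feature), "occurs; accuracy", acc)
```

The induced rule reads as a formal-property fragment directly ("a write followed immediately by a connect occurs"), which is the step toward translating a learned model into a property that a trace monitor could enforce in a federated response.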
By revisiting the problem of machine learning malware families from trace data, an immediate and promising possibility for development of receiver challenges in a practical recommendation-verification system can be explored.
A previous publication has pointed out that “[t]he need to secure computational infrastructure has become significant in all areas including those of relevance to the DoD and the intelligence community. (See e.g., Reference 3). Owing to the level of interconnection and interdependency of modern computing systems, the possibility exists that critical functions can be seriously degraded by exploiting security flaws. However, while the level of effort expended in securing networks and computers can be significant, current approaches in this area overly rely on empiricism and can be viewed to have had only limited success.” The following rationale was offered: the challenge in defining a science of cyber-security derives from the peculiar aspects of the field. The “universe” of cyber-security can be an artificially constructed environment that can be only weakly tied to the physical universe.
Thus, the difficulty in developing a science of cyber security (“SCS”) can be thought to stem from its inherent Manicheanness, where the adversary can be strategic and utilitarian, as opposed to being oblivious and stochastic (e.g., Augustine). (See e.g., Reference 3). However, it must also be noted that a significant fragment of a SCS has to be built upon a complex computational infrastructure that can be amenable to reasoning and re-engineering based on logical models, such as Kripke structures. Thus, it appears that a successful approach to the cyber security problem can come from an amalgamation of a dualistic approach, which can be partly based on techniques from game theory (e.g., inspired and validated with the tools of systems biology, such as analysis of immune systems) and partly based on model building (e.g., machine learning and statistical inference) and model checking. In light of this discussion, it can be worth re-examining the strategic choices that entities such as SPAMHAUS and CYBERBUNKER made, despite the obvious fact that both parties must have been well-informed about the accepted norms and best practices that were incorporated in the hardware, software and protocol architectures; divorced from a model of the humans and the utilities they wished to derive from their strategic choices, the protocols, practices and norms achieved precious little.
Cyber security can be thought of in terms of classical Information-Asymmetry Games (e.g., also called Signaling Games) (see, e.g., Reference 3), where the players (e.g., agents) can assume either a role of a sender (“S”) or that of a receiver (“T”). The sender can have a certain type, t, for instance: beneficent (e.g., “C” for cooperator) or malicious (e.g., “D” for defector), which could be assumed to be given by nature. The sender can observe his own type while the receiver does not know the type of the sender. Based on his knowledge of his own type, the sender chooses to send a message from a set of possible messages M={m1, m2, m3, . . . , mj}; these messages can be complex, for instance, an offer of a mobile app with certain advertised utility and a price. The receiver can observe the message, but not the type of the sender, or the ability to fully verify the message. Then, the receiver can choose an action from a set of feasible actions A={a1, a2, a3, . . . , ak}; the receiver can be oblivious/trusting (e.g., C for cooperator) or vigilant/mistrustful (e.g., D for defector). For instance, the offer of a mobile app can be ignored, accepted, or verified and rejected, with a possibility of a reputation-labeling of the app, the sender or the app-store, etc. The two players can receive payoffs dependent on the sender's type, the message chosen by the sender and the action chosen by the receiver.
Because of the informational asymmetry, it can be possible for a sender to be deceptive, as can often be the case in the cyber context. Traditional techniques such as making the signaling somewhat “costly” for the sender can help, but must be engineered carefully, otherwise the very information-sharing capabilities of the cyber system can be seriously compromised. There have been proposals for a new internet architecture, new internet protocols and “bandwidth-as-price” mechanisms (see, e.g., References 1, 2, 4, 5, 7-9, 16, 18 and 19), but any such approach can burden the normal transactions with an unwelcome and unacceptably heavy overhead.
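The signaling game of the two preceding paragraphs, and the observation that a costly signal helps only if it is engineered carefully, can be worked through numerically. This is an added example, not code or a model from the original text: the payoff structure (utility u from a beneficent app, loss L from a malicious one, verification cost c, and type-dependent signaling costs) is an assumption chosen to illustrate the receiver's choice between trusting and verifying, and all numbers are constructed.

```python
"""Receiver best response and costly signaling in the S/R game (added example)."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class ReceiverPayoffs:
    u: float  # utility from accepting an app from a beneficent (C) sender
    L: float  # loss (e.g., privacy) from accepting an app from a malicious (D) sender
    c: float  # cost of verifying (challenging) the app before accepting it


def expected_payoff(action: str, p_malicious: float, rp: ReceiverPayoffs) -> float:
    """Receiver's expected payoff given belief p_malicious = P(sender is D).

    'trust' accepts without checking; 'verify' pays c and (assumed here)
    always detects and rejects a malicious app, so only c is lost then.
    """
    p, q = p_malicious, 1.0 - p_malicious
    if action == "trust":
        return q * rp.u - p * rp.L
    if action == "verify":
        return q * rp.u - rp.c
    raise ValueError(f"unknown action {action!r}")


def verification_threshold(rp: ReceiverPayoffs) -> float:
    """Belief above which verifying beats trusting: c < p * L, i.e. p > c / L."""
    return rp.c / rp.L


def best_response(p_malicious: float, rp: ReceiverPayoffs) -> str:
    trust = expected_payoff("trust", p_malicious, rp)
    verify = expected_payoff("verify", p_malicious, rp)
    return "verify" if verify > trust else "trust"


@dataclass(frozen=True)
class SignalCosts:
    benefit_C: float  # what a beneficent sender gains when its app is accepted
    benefit_D: float  # what a malicious sender gains when its app is accepted
    cost_C: float     # cost of the signal (e.g., an audit) for a beneficent sender
    cost_D: float     # cost of the same signal for a malicious sender (assumed higher:
                      # the deceptive behavior must survive the audit)


def separating_equilibrium(sc: SignalCosts) -> Tuple[bool, str]:
    """Does the costly signal separate the types?

    It does iff a beneficent sender can afford it (benefit_C >= cost_C)
    and a malicious sender cannot profit from it (benefit_D < cost_D).
    Then only C signals, and a signaled message can be trusted unverified.
    The two failure modes are the two ways the engineering can go wrong.
    """
    if sc.benefit_C < sc.cost_C:
        return False, "signal too costly for beneficent senders: honest information sharing is suppressed"
    if sc.benefit_D >= sc.cost_D:
        return False, "signal still profitable for malicious senders: types pool and the signal carries no information"
    return True, "separating: signaled messages come only from beneficent senders"


if __name__ == "__main__":
    rp = ReceiverPayoffs(u=10.0, L=100.0, c=5.0)
    print("verify when P(D) >", verification_threshold(rp))
    for p in (0.02, 0.2):
        print(p, best_response(p, rp))
    for sc in (SignalCosts(8, 50, 3, 60), SignalCosts(8, 50, 9, 60), SignalCosts(8, 50, 3, 40)):
        print(sc, separating_equilibrium(sc))
```

With these constructed numbers a receiver verifies only once the share of malicious senders is believed to exceed c/L, and the same code shows both ways a costly signal can be mis-engineered: a cost that honest senders cannot bear suppresses the information sharing the system exists for, while a cost that malicious senders can still absorb leaves the receiver no better informed than before.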
At the center of many dynamic online strategic interactions (e.g., in social-technological networks) can be simple information-asymmetric games. Each interaction among agents, exchanging digital messages or Apps, presents a chance that either party can employ deception and gain advantages over the other. Take for example the flash-light App for smart-phones which was also discovered to open a GPS-tracking backdoor to gain private information by tracking the device's physical location. (See e.g., Reference 1). While the producer (e.g., sender) of the flash-light App can advertise (e.g., signal) that the application can be designed to provide a flashlight feature (e.g., for smart phones), the sender creates the deceptive impression of respecting the user's privacy as implied by the app's benign sounding name: “flash-light App.” A typical user's expectations of privacy would proscribe the surveillance capabilities (e.g., physically tracking the user's device via GPS-tracking) and not foresee encroachment by an app that can be prima facie simple, benign and desirable. In this case (e.g., and others like it) a typical consumer (e.g., receiver) would recognize that they had been deceived upon discovery of the App's true scope of capabilities, which include the GPS-tracking, and subsequent to the discovery of the deceptive attack, the receivers can label the sender as a miscreant, and tarnish their reputation with a negative ranking and comments sprinkled with such labels as “backdoor,” “Trojan,” or “Malware.” The encounter, concluded before the discovery of the attack, has its costs and benefits, as the cost to the receiver can be the loss of privacy, and the benefit to the sender can be the ability to gain strategic informational advantages with unanticipated usages.
Thus, it may be beneficial to provide an exemplary system, method and computer-accessible medium that can overcome at least some of the deficiencies described herein above, and provide, for example, malware deterrence.