Bullying is a national problem for families, courts, schools, and the economy. The social, educational, and professional lives of victims are affected. Early detection of bullies mitigates the destructive effects of bullying. Our previous research found that, given specific characteristics of an actor, actor logics can be developed using input from natural language processing and graph analysis. Given similar characteristics of cyberbullies, in this paper we create specific actor logics and apply them to a selected social media dataset for the purpose of rapid identification of cyberbullying.
Using traditional sentiment analysis (SA) to predict the outcome of an event on a social network depends on: a precise understanding of which topics relate to the event, selective elimination of trends that don't fit, and in most cases, expert knowledge of the major players in the event. Sentiment analysis has traditionally taken one of two approaches to derive a quantitative value from qualitative text: the "bag of words" model, and the use of natural language processing (NLP) to attempt a real understanding of the text. Each of these methods yields very similar accuracy results, with the exception of some special use cases. To do so, however, both impose a large computational burden on the analytic system. Newer approaches have this same problem. No matter what approach is used, SA typically caps out around 80% in accuracy. However, accuracy is the result of both polarity and degree of polarity, nothing else. In this paper we present a method for hybridizing traditional SA methods to better determine shifts in opinion over time within social networks. This hybridization process involves augmenting traditional SA measurements with contextual understanding and knowledge about writers' demographics. Our goal is not only to improve accuracy, but to do so with minimal impact on computation requirements.
Information Cascades (IC) through a social network occur due to the decision of users to disseminate content. We define this decision process as User Diffusion (UD). IC models typically describe an information cascade by treating a user as a node within a social graph, where a node’s reception of an idea is represented by some activation state. The probability of activation then becomes a function of a node’s connectedness to other activated nodes as well as, potentially, the history of activation attempts. We enrich this Coarse-Grained User Diffusion (CGUD) model by applying actor type logics to the nodes of the graph. The resulting Fine-Grained User Diffusion (FGUD) model utilizes prior research in actor typing to generate a predictive model regarding the future influence a user will have on an Information Cascade. Furthermore, we introduce a measure of Information Resonance that is used to aid in predictions regarding user behavior.
In this paper, we present a system for Dynamic Malware Analysis which incorporates the use of IntroVirt™. IntroVirt is an introspective hypervisor architecture and infrastructure that supports advanced analysis techniques for stealth-malware analysis. This system allows for complete guest monitoring and interaction, including the manipulation and blocking of system calls. IntroVirt is capable of bypassing the virtual machine detection capabilities of even the most sophisticated malware by spoofing the responses returned from system calls. Additional fuzzing capabilities can be employed to detect both malware vulnerabilities and polymorphism.
KEYWORDS: Sensors, Data integration, Data modeling, Artificial intelligence, Databases, Data storage, Situational awareness sensors, Operating systems, Failure analysis, Analytical research
An increasing need for situational awareness within network-deployed Systems Under Test has increased the desire for frameworks that facilitate system-wide data correlation and analysis. Massive event streams are generated from heterogeneous sensors, which require tedious manual analysis. We present a framework for sensor data integration and event correlation based on Linked Data principles, Semantic Web reasoning technology, complex event processing, and blackboard architectures. Sensor data are encoded as RDF models, then processed by complex event processing agents (which incorporate domain-specific reasoners as well as general-purpose Semantic Web reasoning techniques). Agents can publish inferences on shared blackboards and generate new semantic events that are fed back into the system. We present AIS, Inc.’s Cyber Battlefield Training and Effectiveness Environment to demonstrate use of the framework.
Given competing claims, an objective head-to-head comparison of the performance of the Snort® and Suricata Intrusion Detection Systems is needed. In this paper, we present a comprehensive quantitative comparison of the two systems. We have developed a rigorous testing framework that examines the performance of both systems as we scale system resources. Our results show that a single instance of Suricata is able to deliver substantially higher performance than a corresponding single instance of Snort. This paper describes in detail the testing framework's capabilities, the tests performed, and the results found.
KEYWORDS: Network security, Web 2.0 technologies, Social networks, Homeland security, Internet, Data storage, Data processing, Information security, Control systems, Analytics
Social media networks make up a large percentage of the content available on the Internet, and most of the time users spend online today is spent interacting with them. All of the seemingly small pieces of information added by billions of people result in an enormous, rapidly changing dataset. Searching, correlating, and understanding billions of individual posts is a significant technical problem; even the data from a single site such as Twitter can be difficult to manage. In this paper, we present Coalmine, a social network data-mining system. We describe the overall architecture of Coalmine, including the capture, storage, and search components. We also describe our experience with pulling 150-350 GB of Twitter data per day through its REST API. Specifically, we discuss our experience with the evolution of the Twitter data APIs from 2011 to 2012 and present strategies for maximizing the amount of data collected. Finally, we describe our experiences looking for evidence of botnet command and control channels and examining patterns of spam in the Twitter dataset.
Phishing website analysis is largely still a time-consuming manual process of discovering potential phishing sites, verifying whether suspicious sites truly are malicious spoofs and, if so, distributing their URLs to the appropriate blacklisting services. Attackers increasingly use sophisticated systems for bringing phishing sites up and down rapidly at new locations, making automated response essential. In this paper, we present a method for rapid, automated detection and analysis of phishing websites. Our method relies on near real-time gathering and analysis of URLs posted on social media sites. We fetch the pages pointed to by each URL and characterize each page with a set of easily computed values such as the number of images and links. We also capture a screenshot of the rendered page image, compute a hash of the image, and use the Hamming distance between these image hashes as a form of visual comparison. We provide initial results that demonstrate the feasibility of our techniques by comparing legitimate sites to known fraudulent versions from Phishtank.com, by actively introducing a series of minor changes to a phishing toolkit captured in a local honeypot, and by performing some initial analysis on a set of over 2.8 million URLs posted to Twitter over 4 days in August 2011. We discuss the issues encountered during our testing, such as the resolvability and legitimacy of URLs posted on Twitter, the data sets used, the characteristics of the phishing sites we discovered, and our plans for future work.
Networking systems and individual applications have traditionally been defended using signature-based tools that protect the perimeter, many times to the detriment of service, performance, and information flow. These tools require knowledge of both the system on which they run and the attack they are preventing. As such, by their very definition, they only account for what is known to be malicious and ignore the unknown. The unknown, or zero-day threat, can occur when defenses have yet to be immunized via a signature or other identifier of the threat. In environments where execution of the mission is paramount, the networks and applications must perform their function of information delivery without endangering the enterprise or losing the salient information, even when facing zero-day threats. In this paper, we describe a new defensive strategy that provides a means to more deliberately balance the often mutually exclusive aspects of protection and availability. We call this new strategy Protection without Detection, since it focuses on network protection without sacrificing information availability. The current instantiation analyzes the data stream in real time as it passes through an in-line device. Critical files are recognized, and mission-specific trusted templates are applied as they are forwarded to their destination. The end result is a system which eliminates the opportunity for propagation of malicious or unnecessary payloads via the various containers that are inherent in the definition of standard file types. In some cases, this method sacrifices features or functionality that are typically inherent in these files. However, with the flexibility of the template approach, inclusion or exclusion of these features becomes a deliberate choice of the mission owners, based on their needs and the amount of acceptable risk. The paper concludes with a discussion of future extensions and applications.
Today's networks must maintain functionality in an ever-increasing threat environment. To date, many of the PDR (Protection, Detection, Reaction) mechanisms have focused on technologies to defend systems while maintaining a consistent network presence. In this paper we discuss a dynamic network schema wherein system protection is accomplished through a unique implementation of IP roaming. This method is shown to mask a system on a network undergoing various types of attacks while maintaining connectivity with trusted clients. Additionally, this method allows new clients to associate without heavy authentication or knowledge of the remote system's IP roaming status. This paper will show the advantages of implementing this unique method of IP roaming with the goal of minimizing system overhead and maximizing sustained connectivity.
KEYWORDS: Security technologies, Data storage, Photonics, Defense technologies, Defense and security, Aerospace engineering, Current controlled current source, Microelectromechanical systems, Commercial off the shelf technology, Forensic science
Current high-speed networks have reached a throughput capacity in practical implementation of up to OC-768. Current commercial off-the-shelf (COTS) hardware cannot meet the requirements for full data capture at these rates. In this paper, we first provide an analysis of the capabilities of the best available hardware. We then propose a method for non-standard configuration of hardware to provide high-speed data capture at 40 Gbps and beyond. This configuration will provide a suitable hardware back-end to enable transport, storage, and processing of the 40+ Gbps full-duplex captured data, enabling forensics without disposing of any potentially valuable information.
Much work to date has been done in the identification of physical-layer optical network attacks. Our own work has indicated additional attacks against data integrity through various forms of optical coupling. In this paper, we present an analysis of coupling attacks on a fiber optic link. In addition, we demonstrate one such form of coupling attack using standard hardware, allowing injection of additional data onto the fiber. This method introduces minimal power losses that are well below most physical-layer intrusion detection sensor thresholds.
In technology, the notion of beyond state-of-the-art often begins when a paradigm is shifted. In this paper the authors present their work, which has fundamentally enabled an enterprise to ensure operational viability under the very real cyber facts: "we are under constant attack, it is a hostile space and we can control the point of contact." That point of contact is the optical bit stream, which is currently beyond the scope of the standard cyber toolset. Everis™, in working with our customers, has developed the tools to capture, view, analyze, and control the correlative (interdependent network, metadata, data and users) information as it traverses the core, regional, and global fiber optic networks. This capability to visualize below the operational picture afforded by current network intrusion detection systems can be combined with real-time intervention at the network core, yielding prioritization, identification, and authentication of authentication. This directly translates into sophisticated end-user interaction across the interdependencies often viewed as the "cloud". Everis has demonstrated unique applications based on this capability that include mitigation of DDoS (Distributed Denial of Service), identification of "forged" IP (Internet Protocol) addresses, malicious executable destruction, WAN (Wide Area Network) IPS (Intrusion Prevention System), and connectionless routing vs. connection-based switching.