[cs615asa] Homework N: Neal Trischitta

Neal Trischitta ntrischi at stevens.edu
Sat Apr 25 18:11:08 EDT 2015


Neal Trischitta

Homework N

CS 615


On March 3rd, the Stevens Computer Science Department and NIKSUN Technologies hosted a “CyberSecurity Workshop”, a two-day event separating academic from industry presentations. One interesting presentation was from Darryle Merlette, a security and software professional specializing in large-scale detection analysis and migration. His presentation was entitled “Getting Into a BIND (Big Information Network Detection)”, in which he highlighted the use of machine learning across large volumes of network traffic data in order to inquire into and mitigate malicious threats. Mr. Merlette introduced his presentation by discussing the landscape of malware, giving a brief history from the ILoveYou virus in 1999 to Stuxnet in 2010.

He also explained their implications for our national security by showing a Homeland Security video of a power turbine self-destructing from a malware attack. From the apparent threat of these high-level foreign and domestic attacks, he explained how various attackers have learned from these high-profile case studies and have changed tactics in order to gain strategic advantages. He cited an example of a distributed denial-of-service attack (DDoS attack) against financial institutions like Bank of America, CHASE, PNC and Capital One that lasted around 6 weeks. In addition, he also displayed a distribution graph of malware presently on the Internet, cited from openmalware.org; its distribution was exponential, increasing dramatically between the years of 2007 and 2013. He claims that around 2007 nation states began developing and participating in cyber warfare, which is accurate since Stuxnet was developed around late 2005.

Interestingly, he mentioned how the Internet is rapidly changing based upon four major areas, which include Volume, Velocity, Variability and Variety. The first two areas are apparent to me, in that the Internet will increase in terms of size and speed over time. However, the last two areas were something that I never considered reasoning about with regard to the Internet. Variability and Variety refer to the new devices, protocols and operating systems that are constantly being connected to the Internet. This was seen in the evolution of smart phones and tablets, which have been heavily targeted, changing the landscape for new threats and propagation methods. In order to detect malicious threats, Mr. Merlette proposes that current detection theory only works if you know something about the environment you are working in. He explains that malware is constantly changing and being developed, causing traditional signature-based detection to be obsolete and ineffective in providing sound host-based security. As a result, NIKSUN has devised a detection method using statistical analysis and machine learning on network traffic data, which autonomously detects a threat based on past data collected. After a threat is detected, it autonomously mitigates the threat while generating a report and sending it to the system administrator. Instead, he proposed mitigating new threats by storing and collecting entire Internet network traffic data. He also proposed for NIKSUN to set up large data centers with stream databases that will process Internet traffic in real time and determine whether a new threat is detected. From my perspective, NIKSUN’s detection scheme has a series of implications and problems. Even though statistical analysis is stronger than signature-based detection, it still relies upon a distribution that can result in undetectable custom malware that is altered to be above or below a set threshold.
In addition, NIKSUN’s proposal of setting up large data centers with stream databases represents a problem in computing power and storage, since Internet traffic is constant. Regardless of detecting new threats, NIKSUN’s idea creates a major privacy issue, questioning whether their collected information is being handled in a secure and ethical manner. Also, it is impossible for NIKSUN to collect everything, because they must be able to determine a proper length of time to hold data and then delete it. The presentation did not address how machine learning would be used to detect malware and new threats. In addition, he did not address how encrypted traffic or network steganography techniques were being addressed. I can conclude this would be a major problem for NIKSUN, since the data needs to be readable. In summary, Mr. Merlette’s presentation was very interesting and he gave a strong high-level overview of malware and various tactics to combat it.
