Peer-Reviewed Publications from NortonLifeLock Research Group

Academic Papers - 2017

Aware: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

In Proceedings of the 26th USENIX Security Symposium (Aug 2017)

Automatic Application Identification from Billions of Files

In Proceedings of the 23rd SIGKDD Conference on Knowledge Discovery and Data Mining (KDD 2017)
Mapping binary files into software packages enables malware detection and other tasks, but is challenging. By combining installation data with file metadata that we summarize into sketches, from millions of machines and billions of files, we can use efficient approximate clustering techniques to map files to applications automatically and reliably.

Lean On Me: Mining Internet Service Dependencies From Large-Scale DNS Data

In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017)
To assess the security risk for a given entity, and motivated by the effects of recent service disruptions, we perform a large-scale analysis of passive and active DNS datasets including more than 2.5 trillion queries in order to discover the dependencies between websites and Internet services.

Mini-Batch Spectral Clustering

In Proceedings of the 2017 International Joint Conference on Neural Networks (IJCNN 2017)
This paper proposes a practical approach to learn spectral clustering based on adaptive stochastic gradient optimization. Crucially, the proposed approach recovers the exact spectrum of Laplacian matrices in the limit of the iterations, and the cost of each iteration is linear in the number of samples. Extensive experimental validation on data sets with up to half a million samples demonstrates its scalability and its ability to outperform state-of-the-art approximate methods to learn spectral clustering for a given computational budget.

RiskTeller: Predicting the Risk of Cyber Incidents

In Proceedings of the 24th ACM Conference on Computer and Communications Security (ACM SIGSAC 2017)

Large-Scale Identification of Malicious Singleton Files

In Proceedings of the 7th ACM Conference on Data and Application Security and Privacy (CODASPY)
94% of the software files that Symantec saw in a 1-year dataset appeared only once on a single machine. We examine the primary reasons for which both benign and malicious software files appear as singletons, and design a classifier to distinguish between these two classes of singleton software files.

Smoke Detector: Cross-Product Intrusion Detection With Weak Indicators

In Proceedings of the Annual Computer Security Applications Conference (ACSAC 2017)
Smoke Detector significantly expands upon limited collections of hand-labeled security incidents by framing event data as relationships between events and machines, and performing random walks to rank candidate security incidents. Smoke Detector significantly increases incident detection coverage for mature Managed Security Service Providers.

Predicting Cyber Threats with Virtual Security Products

In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017)
We set out to predict which security events and incidents a security product would have detected had it been deployed, based on the events produced by other security products that were in place. We discovered that the problem is tractable, and that some security products are much harder to model than others, which makes them more valuable.

Marmite: Spreading Malicious File Reputation Through Download Graphs

In Proceedings of the 33rd Annual Computer Security Applications Conference (ACSAC 2017)
We presented Marmite, a system that can detect malicious files by leveraging a global download graph and label propagation with Bayesian confidence.

Secure Systems

Central to trust in an increasingly digital world is the ability to detect and prevent attacks in modern (and not so modern) information systems. This research includes building secure software, supporting forensics, malware analysis, browser/web/network security, and information-centric security.

Robust and Fair Machine Learning, Data Mining, and Artificial Intelligence

The tremendous growth in the learning capacity of Machine Learning methods has yet to be met with a corresponding growth in our ability to understand these models. Equally troubling, our ability to build robust machine learning models has not kept pace with research in adversarial attacks against machine learning. As we increasingly hand over decision making to automated machine learning and AI systems, we must find ways that the life-altering decisions made by these systems can be audited for fairness, safety, robustness to adversaries, and the preservation of privacy of any personally identifiable information over which they operate.

Risk Measurement and Mitigation

Cyber incidents are unavoidable. As digitalization marches on, online security weak spots proliferate while digital footprints become more prominent. The endless stream of digital assets is ever more lucrative to an evolving set of well-equipped and skillful attackers. A combination of risk analytics and risk prediction can help improve security posture by guiding appropriate countermeasures. Risk analytics can identify the key factors that correlate with and cause the risk. Risk prediction can forecast the elements in the ecosystem that will be attacked or infected.