an incremental learner for language based anomaly
play

An Incremental Learner for Language-Based Anomaly Detection in XML - PowerPoint PPT Presentation

Nov 01, 2022 •315 likes •526 views

An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger Department of Secure Information Systems University of Applied Sciences Upper Austria harald.lampesberger@fh-hagenberg.at LangSec Workshop, 26. May 2016

  1. An Incremental Learner for Language-Based Anomaly Detection in XML Harald Lampesberger Department of Secure Information Systems University of Applied Sciences Upper Austria harald.lampesberger@fh-hagenberg.at LangSec Workshop, 26. May 2016

  2. Motivation Extensible Markup Language (XML) • Data serialization format for many protocols • SOAP/WS-*, XMPP, SAML, XHTML, RSS, Atom, ... Schema validation is a first-line defense • A schema specifies types of elements and production rules • Validation rejects unacceptable inputs Two language-theoretic flaws 1. XML Schema (XSD) extension points are wildcards 2. References raise expressiveness beyond context free Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 1/10

  3. XSD Extension Points From http://schemas.xmlsoap.org/soap/envelope/ ... <xs:element name="Header" type="tns:Header"/> <xs:complexType name="Header"> <xs:sequence> <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded" processContents="lax"/> </xs:sequence> <xs:anyAttribute namespace="##other" processContents="lax"/> </xs:complexType> ... Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 2/10

  4. Signature Wrapping Attack Digitally signed part � = processed part • Used in WS-Security and SAML single sign-on • Somorovsky et al. (2012): 11/14 SAML implementations vulnerable soap:Envelope soap:Header wsse:Security ds:Signature ds:SignedInfo ds:Reference @URI #123 soap:Body processed verified, @wsu:Id 123 MonitorInstances Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 3/10

  5. Signature Wrapping Attack Digitally signed part � = processed part • Used in WS-Security and SAML single sign-on • Somorovsky et al. (2012): 11/14 SAML implementations vulnerable soap:Envelope soap:Envelope soap:Header soap:Header wsse:Security wsse:Security ds:Signature ds:Signature ds:SignedInfo ds:SignedInfo ds:Reference ds:Reference @URI #123 @URI #123 Wrapper soap:Body soap:Body verified processed verified, @wsu:Id 123 @wsu:Id 123 MonitorInstances MonitorInstances soap:Body processed @wsu:Id attack CreateKeyPair Jensen et al. (2011): removing extension points is hard Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 3/10

  6. Language-Based Anomaly Detection Approach: learn the acceptable language Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 4/10

  7. Language-Based Anomaly Detection Approach: learn the acceptable language 1. Datatyped XML Visibly Pushdown Automaton (dXVPA) • Mixed-content XML streaming • Datatypes generalize character data • Character-data XVPA (cXVPA) for stream validation Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 4/10

  8. Language-Based Anomaly Detection Approach: learn the acceptable language 1. Datatyped XML Visibly Pushdown Automaton (dXVPA) • Mixed-content XML streaming • Datatypes generalize character data • Character-data XVPA (cXVPA) for stream validation 2. Incremental learner for grammatical inference • Constructs a dXVPA from examples • Unlearning and sanitization against poisoning attacks Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 4/10

  9. Language-Based Anomaly Detection Approach: learn the acceptable language 1. Datatyped XML Visibly Pushdown Automaton (dXVPA) • Mixed-content XML streaming • Datatypes generalize character data • Character-data XVPA (cXVPA) for stream validation 2. Incremental learner for grammatical inference • Constructs a dXVPA from examples • Unlearning and sanitization against poisoning attacks 3. Experiments • Train and test • Two synthetic scenarios from ToXgene • Two realistic scenarios from Axis2 web service Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 4/10

  10. dXVPAs Event stream alphabets q 0 q f • Σ call . . . startElement ord / q 0 ord / q 0 • Σ ret . . . endElement • Σ int . . . datatypes e x Order Stack alphabet = states itm / e Order , itm / x Order itm / e Order States partitioned into itm / x Order modules (schema types) token , int e x Transitions in and Item between modules cXVPA representation <ord> <itm>Product A</itm> • Unified text checks <itm>8877955335</itm> • Fast validation </ord> Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 5/10

  11. Incremental Learning Step Learner computes an updated dXVPA • Datatyped event stream • A i . . . incrementally updateable automaton • ω i . . . frequencies of states and transitions Validator checks acceptance A i − 1 , ω i − 1 Learner Validator Training incWeightedVPA cXVPA i doc i A i , ω i trim accept Document genXVPA yes no . . . dXVPA i Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 6/10

  12. How Learning Works Every event stream prefix gets a unique state • A named state is a pair ( u , v ) • u . . . typing-context string • v . . . left-sibling string Merge two states if they are k - l -locally the same dealer dealer ( dealer # usedcars · newcars , ad · ad ) newcars newcars usedcars usedcars 1-1 local l ( newcars , ad ) ad ad ad ad ad k model model year VW 2014 Tesla Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 7/10

  13. How Learning Works Every event stream prefix gets a unique state • A named state is a pair ( u , v ) • u . . . typing-context string • v . . . left-sibling string Merge two states if they are k - l -locally the same dealer dealer ( dealer # usedcars · newcars , ad · ad ) newcars newcars usedcars usedcars 1-1 local l ( newcars , ad ) ad ad ad ad ad k model model year VW 2014 Tesla Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 7/10

  14. How Learning Works Every event stream prefix gets a unique state • A named state is a pair ( u , v ) • u . . . typing-context string • v . . . left-sibling string Merge two states if they are k - l -locally the same dealer dealer ( dealer # usedcars · newcars , ad · ad ) newcars newcars usedcars usedcars 1-1 local l ( newcars , ad ) ad ad ad ad ad k model model year VW 2014 Tesla Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 7/10

  15. How Learning Works Every event stream prefix gets a unique state • A named state is a pair ( u , v ) • u . . . typing-context string • v . . . left-sibling string Merge two states if they are k - l -locally the same dealer dealer ( dealer # usedcars · newcars , ad · ad ) newcars newcars usedcars usedcars 1-1 local l ( newcars , ad ) ad ad ad ad ad k model model year VW 2014 Tesla Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 7/10

  16. Poisoning Attacks ω i . . . frequencies of states and transitions from learning Unlearning • An already learned attack is later identified • Remove specific knowledge by decrementing ω i • Trim zero-weight states and transitions Sanitization • Hidden poisoning attacks • Assumption: only few of those • Decrement ω i and trim zero-weight states and transitions Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 8/10

  17. Experiments Two synthetic and two realistic datasets Learning progress • Train and test, binary classification, mind changes (MC) Catalog, k = 1 , l = 2 VulnShopAuthOrder, k = 1 , l = 2 100% 100% 80% 80% 60% 60% F 1 F 1 FPR FPR 40% 40% 20% 20% 0% 0% 60 MC MC 200 40 100 20 0 0 0 20 40 60 80 100 0 40 80 120 160 200 Training iteration Training iteration Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 9/10

  18. Conclusions Learner outperformed schema validation • All signature wrapping attacks were detected (schema validation: 0) • No false positives • False negatives resulted from coarse XSD datatypes • Fast convergence Contributions in the paper • dXVPA and cXVPA language representations • Lexical datatype system for datatype inference from text • Algorithms for the incremental learner • Details on experiments Use cases • Security mechanism for any XML-based interaction • Especially for systems using composed schemas • XML firewall Harald Lampesberger An Incremental Learner for Language-Based Anomaly Detection in XML 10/10

  19. Appendix

Recommend

NLP for Non-Canonical Language and Nature of Categories Learner Language POS example Syntax

NLP for Non-Canonical Language and Nature of Categories Learner Language POS example Syntax

NLP for Non-Canonical Language and Learner Language Detmar Meurers Why analyze Learner Language NLP for Non-Canonical Language and Nature of Categories Learner Language POS example Syntax Importance of tasks and learners Detmar

492 views • 10 slides
Lexical Syntax for Dependency-based Language Models Statistical Machine Translation Incremental

Lexical Syntax for Dependency-based Language Models Statistical Machine Translation Incremental

Hany Hassan Introduction Syntax for Phrase-based SMT Supertagged Phrase-based SMT From Supertagged to Lexical Syntax for Dependency-based Language Models Statistical Machine Translation Incremental Dependency-based Language Model (IDLM)

804 views • 67 slides
Incremental Syntactic Language Models for Phrase-based Translation Lane Schwartz Chris

Incremental Syntactic Language Models for Phrase-based Translation Lane Schwartz Chris

Incremental Syntactic Language Models for Phrase-based Translation Lane Schwartz Chris Callison-Burch William Schuler Stephen Wu Air Force Research Lab lane.schwartz@wpafb.af.mil Johns Hopkins University ccb@cs.jhu.edu Ohio State

902 views • 55 slides
IMPROVING LEARNER AUTONOMY IN LANGUAGE LEARNING THROUGH DRAMA-BASED PROJECT Presenters: Hong

IMPROVING LEARNER AUTONOMY IN LANGUAGE LEARNING THROUGH DRAMA-BASED PROJECT Presenters: Hong

IMPROVING LEARNER AUTONOMY IN LANGUAGE LEARNING THROUGH DRAMA-BASED PROJECT Presenters: Hong Th Thanh Ho (M.A.) V Th Bch o (M.A.) Nguyn Th Thu Trang (M.A.) University of Languages and International Studies, Vietnam

469 views • 28 slides
Thoughts on Learner Data and Motivation Learner Language Dependency Parsing and Dependency

Thoughts on Learner Data and Motivation Learner Language Dependency Parsing and Dependency

Thoughts on Learner Data and Dependency Parsing Niels Ott, Ramon Ziai, Julia Krivanek, Detmar Meurers Introduction and Thoughts on Learner Data and Motivation Learner Language Dependency Parsing and Dependency Annotation Approximated

812 views • 53 slides
An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen

An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen

Introduction Learning by Inference Rules Experiment Conclusion An Inference-rules based Categorial Grammar Learner for Simulating Language Acquisition Xuchen Yao, Jianqiang Ma, Sergio Duarte, ar ltekin University of Groningen 18

669 views • 30 slides
Investigating the scope of textual metrics for learner level discrimination and learner analytics

Investigating the scope of textual metrics for learner level discrimination and learner analytics

Learner Corpus Research 2019 - 12-14 September Investigating the scope of textual metrics for learner level discrimination and learner analytics Nicolas Ballier Thomas Gaillat Problem statement Learning a language For individuals &gt;

645 views • 26 slides
Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission

Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission

Item # 6 Attachment C Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission Meeting October 22, 2020 Heather Quick, Karen Manship The American Institutes for Research Dual Language Learner r Pi

349 views • 20 slides
In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong,

In Incorporating Feedback in into Tree-based Anomaly Detection Shubhomoy Das, Weng-Keen Wong, Alan Fern, Thomas G. Dietterich and Md Amran Siddiqui School of EECS Anomaly Detection Goal: Identify rare or strange objects 2 Anomaly

756 views • 51 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Language Learning Tasks and Automatic Analysis of Learner Language Connecting FLTL and NLP in the

Language Learning Tasks and Automatic Analysis of Learner Language Connecting FLTL and NLP in the

Language Learning Tasks and Automatic Analysis of Learner Language Connecting FLTL and NLP in the design of ICALL materials supporting effective use in real-life instruction Mart Quixal (Ph.D. Candidate) Co-advisors: Dr. Toni Badia Prof.

710 views • 55 slides
1 Introduction Noise is a central problem facing a language learner. Any theory of language

1 Introduction Noise is a central problem facing a language learner. Any theory of language

Robust Lexical Acquisition Despite Extremely Noisy Input Jeffrey Mark Siskind, University of Toronto 1 Introduction Noise is a central problem facing a language learner. Any theory of language acquisition must explain how children robustly make

391 views • 12 slides
Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

Extent- -based Incremental Identification based Incremental Identification Extent of Reaction

LABORATOIRE DAUTOMATIQUE AUTOMATIC CONTROL LABORATORY Extent- -based Incremental Identification based Incremental Identification Extent of Reaction Kinetics from Spectroscopic Data of Reaction Kinetics from Spectroscopic Data XIII

428 views • 23 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus

Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus

Using Language Models to Detect Errors in Second-Language Learner Writing Nils Rethmeier Bauhaus Universitt Weimar Web Technology and Information Systems Group Motivation Problem: We wrote a text but do not know if and where we made errors

444 views • 30 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
THE NEW CANAAN PUBLIC SCHOOLS K-12 WORLD LANGUAGE AND ENGLISH LANGUAGE LEARNER PROGRAMS Lizette

THE NEW CANAAN PUBLIC SCHOOLS K-12 WORLD LANGUAGE AND ENGLISH LANGUAGE LEARNER PROGRAMS Lizette

THE NEW CANAAN PUBLIC SCHOOLS K-12 WORLD LANGUAGE AND ENGLISH LANGUAGE LEARNER PROGRAMS Lizette D Amico K-12 WL/ELL Administrator K-12 English Language Learners K-12 English Language Learners Low incidence school district

315 views • 20 slides
Syntactic Alternations in Learner Language Corpora TGrep2 Research Steps First Results Julia

Syntactic Alternations in Learner Language Corpora TGrep2 Research Steps First Results Julia

Syntactic Alternations in Learner Language Julia Krivanek Introduction Levin Classification The Setup Syntactic Alternations in Learner Language Corpora TGrep2 Research Steps First Results Julia Krivanek Universit at T ubingen

195 views • 18 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with

Sixteenth Session of the Forum on Regional Climate Monitoring, Assessment and Prediction for Asia (FOCRAII), May 7, 2020 ( ), y , Outlook of Summer Rainfall Anomaly in Asia with Outlook of Summer Rainfall Anomaly in Asia with SMART-based

457 views • 16 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
BAG 2015 1 Developing learner autonomy: Getting ALL learners involved in their own language

BAG 2015 1 Developing learner autonomy: Getting ALL learners involved in their own language

/ Dennis the Menace The best thing you can do is to become extremely good at being yourself! BAG 2015 1 Developing learner autonomy: Getting ALL learners involved in their own language learning Leni Dam, Denmark lenidam@hotmail.com Outline of

550 views • 25 slides
Incremental Morphosyntactic Disambiguation of Nouns in German-Language Law Texts ESSLLI-13

Incremental Morphosyntactic Disambiguation of Nouns in German-Language Law Texts ESSLLI-13

Institut fr Computerlinguistik Incremental Morphosyntactic Disambiguation of Nouns in German-Language Law Texts ESSLLI-13 Workshop on Extrinsic Parse Improvement (EPI) Kyoko Sugisaki and Stefan Hfler 13.08.2013 Seite 1 Background and

439 views • 16 slides
AIM OF THE PRESENTATION Learner corpora and second language acquisition: a study of the

AIM OF THE PRESENTATION Learner corpora and second language acquisition: a study of the

AIM OF THE PRESENTATION Learner corpora and second language acquisition: a study of the production of Verb-Subject structures in L2 English. To inform on the results of a study on the production of postverbal subjects (VS order) in ICAME 28

448 views • 12 slides

More recommend