- Static binary analysis is critical to various security tasks such as vulnerability discovery and malware detection. In recent years, binary analysis has faced new challenges as vendors of the Internet of Things (IoT) and Industrial Control Systems (ICS) continue to introduce customized or non-standard binary formats that existing tools cannot readily process. Reverse-engineering each of the new formats is costly as it requires extensive expertise and analysts’ time. In this paper, we investigate the first step to automate the analysis of non-standard binaries, which is to recognize the bytes representing “code” from “data” (i.e., data-code separation). We propose Loadstar, and its key idea is to use the abundant labeled data from standard binaries to train a classifier and adapt it for processing unlabeled non-standard binaries. We use a pseudo-label-based method for domain adaption and leverage knowledge-inspired rules for pseudo-label correction, which serves as the guardrail for the adaption process. A key advantage of the system is that it does not require labeling any non-standard binaries. Using three datasets of non-standard PLC binaries, we evaluate Loadstar and show it outperforms existing tools in terms of both accuracy and processing speed. We will share the tool (open source) with the community.
  Free, publicly-accessible full text available May 12, 2026.
- With the introduction of Cyber-Physical Systems (CPS) and Internet of Things (IoT) technologies, the automation industry is undergoing significant changes, particularly in improving production efficiency and reducing maintenance costs. Industrial automation applications often need to transmit time- and safety-critical data to closely monitor and control industrial processes. Several Ethernet-based fieldbus solutions, such as PROFINET IRT, EtherNet/IP, and EtherCAT, are widely used to ensure real-time communications in industrial automation systems. These solutions, however, commonly incorporate additional mechanisms to provide latency guarantees, making their interoperability a grand challenge. The IEEE 802.1 Time-Sensitive Networking (TSN) task group was formed to enhance and optimize IEEE 802.1 network standards, particularly for Ethernet-based networks. These solutions can be evolved and adapted for cross-industry scenarios, such as large-scale distributed industrial plants requiring multiple industrial entities to work collaboratively. This paper provides a comprehensive review of current advances in TSN standards for industrial automation. It presents the state-of-the-art IEEE TSN standards and discusses the opportunities and challenges of integrating TSN into the automation industry. Some promising research directions are also highlighted for applying TSN technologies to industrial automation applications.
  Free, publicly-accessible full text available February 28, 2026.
- Restaurants are increasingly relying on on-demand delivery platforms (e.g., DoorDash, Grubhub, and Uber Eats) to reach customers and fulfill takeout orders. Although on-demand delivery is a valuable option for consumers, whether restaurants benefit from or are being hurt by partnering with these platforms remains unclear. This paper investigates whether and to what extent the platform delivery channel substitutes restaurants’ own takeout/dine-in channels and the net impact on restaurant revenue. Empirical analyses show that restaurants overall benefit from on-demand delivery platforms—these platforms increase restaurants’ total takeout sales while creating positive spillovers to customer dine-in visits. However, the platform effects are substantially heterogeneous, depending on the type of restaurants (independent versus chain) and the type of customer channels (takeout versus dine-in). The overall positive effect on fast-food chains is four times as large as that on independent restaurants. For takeout, delivery platforms substitute independent restaurants’ but complement chain restaurants’ own takeout sales. For dine-in, delivery platforms increase both independent and chain restaurants’ dine-in visits by a similar magnitude. Therefore, the value of delivery platforms to independent restaurants mostly comes from the increase in dine-in visits, whereas the value to chain restaurants primarily comes from the gain in takeout sales. Further, the platform delivery channel facilitates price competition and reduces the opportunity for independent restaurants to differentiate with premium services and dine-in experience, which may explain why independent restaurants do not benefit as much from on-demand delivery platforms. This paper was accepted by D. J. Wu, information systems. Funding: Z. Li is grateful to the National Science Foundation Division of Social and Economic Sciences for support provided through the CAREER award [Grant 2243736]. Supplemental Material: The online appendix and data files are available at https://doi.org/10.1287/mnsc.2021.01010.
- MITRE ATT&CK is an open-source taxonomy of adversary tactics, techniques, and procedures based on real-world observations. Increasingly, organizations leverage ATT&CK technique "coverage" as the basis for evaluating their security posture, while Endpoint Detection and Response (EDR) and Security Indicator and Event Management (SIEM) products integrate ATT&CK into their design as well as marketing. However, the extent to which ATT&CK coverage is suitable to serve as a security metric remains unclear— Does ATT&CK coverage vary meaningfully across different products? Is it possible to achieve total coverage of ATT&CK? Do endpoint products that detect the same attack behaviors even claim to cover the same ATT&CK techniques? In this work, we attempt to answer these questions by conducting a comprehensive (and, to our knowledge, the first) analysis of endpoint detection products' use of MITRE ATT&CK. We begin by evaluating 3 ATT&CK-annotated detection rulesets from major commercial providers (Carbon Black, Splunk, Elastic) and a crowdsourced ruleset (Sigma) to identify commonalities and underutilized regions of the ATT&CK matrix. We continue by performing a qualitative analysis of unimplemented ATT&CK techniques to determine their feasibility as detection rules. Finally, we perform a consistency analysis of ATT&CK labeling by examining 37 specific threat entities for which at least 2 products include specific detection rules. Combined, our findings highlight the limitations of overdepending on ATT&CK coverage when evaluating security posture; most notably, many techniques are unrealizable as detection rules, and coverage of an ATT&CK technique does not consistently imply coverage of the same real-world threats.