search menu icon-carat-right cmu-wordmark

Posts by Jonathan Spring

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning

Adversarial ML Threat Matrix: Adversarial Tactics, Techniques, and Common Knowledge of Machine Learning

• Blog
Jonathan Spring

My colleagues, Nathan VanHoudnos, April Galyardt, Allen Householder, and I would like you to know that today Microsoft and MITRE are releasing their Adversarial Machine Learning Threat Matrix. This is a collaborative effort to bring MITRE's ATT&CK framework into securing production machine learning systems. You can read more at Microsoft's blog and MITRE's blog, as well as find a complete copy of the matrix on GitHub. We hope that you will join us in providing...

Read More
Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning

Comments on NIST IR 8269: A Taxonomy and Terminology of Adversarial Machine Learning

• Blog
Jonathan Spring

The U.S. National Institute of Standards and Technology (NIST) recently held a public comment period on their draft report on proposed taxonomy and terminology of Adversarial Machine Learning (AML). AML sits at the intersection of many specialties of the SEI. Resilient engineering of Machine Learning (ML) systems requires good data science, good software engineering, and good cybersecurity. Our colleagues have suggested 11 foundational practices of AI engineering. In applications of ML to cybersecurity, we have...

Read More
Machine Learning in Cybersecurity

Machine Learning in Cybersecurity

• Blog
Jonathan Spring

We recently published a report that outlines relevant questions that decision makers who want to use artificial intelligence (AI) or machine learning (ML) tools as solutions in cybersecurity should ask of machine-learning practitioners to adequately prepare for implementing them. My coauthors are Joshua Fallon, April Galyardt, Angela Horneman, Leigh Metcalf, and Edward Stoner. Our goal with the report is chiefly educational, and we hope it can act like an ML-specific Heilmeier catechism and serve as...

Read More
Domain Blacklist Ecosystem - A Case Study

Domain Blacklist Ecosystem - A Case Study

• Blog
Jonathan Spring

Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now and the 2015 Verizon Data Breach Investigations Report has corroborated our general results. We get a lot of questions about which list is which and if we can recommend a list. We won't reveal which is which generally, but in this blog post we'll make a...

Read More
Blacklist Ecosystem Analysis

Blacklist Ecosystem Analysis

• Blog
Jonathan Spring

Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper telling you everything you wanted to know about blacklists. Turns out, that did not save the Internet on its own. We're extending that analysis with more blacklist ecosystem analysis this year....

Read More
Domain Name Parking

Domain Name Parking

• Blog
Jonathan Spring

Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected." First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense location to a domain when it is not in use to keep it ready for "live"...

Read More
Domain Blocking: The Problem of a Googol of Domains

Domain Blocking: The Problem of a Googol of Domains

• Blog
Jonathan Spring

Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down: why e-crime pays (domains are so cheap it almost always pays) and comparisons among blacklists (they are largely disjoint, calling into question comprehensiveness)....

Read More
Probable Cache Poisoning of Mail Handling Domains

Probable Cache Poisoning of Mail Handling Domains

• Blog
Jonathan Spring

Hi, this is Jonathan Spring with my colleague Leigh Metcalf. For some time now, we've been working through a problem we found, but it's time to discuss it more broadly. Using our passive DNS data source, we can observe cache poisoning. What we really observe are changes in the answers that are returned for certain domains, but after consulting with various experts, we believe the only behavior these changes indicate is a successful cache poisoning...

Read More
Why Cybersecurity Is Not Like the Immune System

Why Cybersecurity Is Not Like the Immune System

• Blog
Jonathan Spring

The idea of a cyber-immune system sometimes circulates through the community. It seems that such proposals either do not properly frame how the immune system works, how good computer security would work, or both. I'm going to try to put both of those in context in order to make clear why cybersecurity is not like the immune system, but why it would be nice if it were....

Read More
Domains That Are Typos of Other Domains

Domains That Are Typos of Other Domains

• Blog
Jonathan Spring

Hello, this is Jonathan Spring. I've been investigating the usage of domains that are typos of other domains. For example, foogle.com is a typo of google.com, and it's a common one since 'f' is next to 'g' on the standard keyboard. The existing hypothesis has been that typo domains would be used for malicious purposes. Users would commonly mistype the domain they are going to, and some of the less scrupulous domain owners could take...

Read More
CNAME flux

CNAME flux

• Blog
Jonathan Spring

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name....

Read More
Challenges in Network Monitoring above the Enterprise

Challenges in Network Monitoring above the Enterprise

• Blog
Jonathan Spring

Recently George Jones and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT® Network Situational Awareness (NetSA) group: Is Large-Scale Network Security Monitoring Still Worth the Effort? One of the foundational principles behind most organizations' network security practices is still "defense in depth," which is implemented using a variety of security controls and monitoring at different locations...

Read More

Contact the Author

Jonathan Spring

SEI Digital Library

SEI Publications

Visit the SEI Digital Library to see other publications by Jonathan Spring

View publications