Connect with us

A primitive method for detecting deepfakes is presented, but it’s not so simple

Published

on

As it turned out, in the faces generated artificially, not everything is in order with the shape of the pupils.

Deepfakes are becoming more realistic and dangerous every year, and machine learning experts are looking for new methods to combat the growing threat. A team of American scientists have presented a reliable way to identify artificially generated faces by analyzing the shape of the pupils, but not everything is as simple as we would like.

Deepfakes are created using generative adversarial networks (GANs), and over the years this technology has become so advanced that it becomes almost impossible to distinguish a real human face from a model created using machine learning. Although deepfakes are quite legally used for commercial purposes, they can also be used by criminals.

Last year, Microsoft released the Microsoft Video Authenticator tool for detecting deepfake content in videos. A few months later, Facebook revealed its new system based on artificial intelligence (AI) technologies, capable of not only recognizing deepfakes, but also tracking the software used to create them.

However, technologies for detecting deepfakes are not always available to the general public, and they are not universal, that is, they cannot be implemented on all platforms with media content. This is where a recent collaborative study by researchers from the universities of Albany and Buffalo and specialists from the technology company Keya Medical can come to the rescue.

Study titled Eyes Tell All: Irregular Pupil Shapes Reveal GAN-Generated Faces describes a method for detecting deepfake faces by examining the shape of the pupil.

The main idea is that the pupil of the human eye has the correct rounded shape, but the shape of the artificially created pupils is not correct and is usually distorted. As the researchers found, distorted pupils are quite common even in very high-quality deepfakes and are visible to the naked eye. The researchers called them artifacts that arise from the lack of “physiological limitations” in the models used to create deepfakes.

The study created an automated system that downloaded images of thousands of real and GAN-generated faces to investigate how the marker described above could be used as a reliable method for detecting deepfake images.

The team developed the Boundary Intersection-Over-Union (BIoU) scoring formula based on a formula for scoring an image according to the shape of the pupil. Real faces with regular elliptical pupils scored high on the BIoU scale, while artificially generated images scored low.

However, there are two problems. The first minor obstacle is that some diseases and infections can affect the shape of the pupil, which can lead to a failure of the method. But such cases are, rather, an exception that does not negate the general rule.

The more pressing issue is that attackers can learn from the results of this public domain study and improve their GANs. They will begin to pay attention to the shape of the pupils of their deepfakes and make the fake even more believable.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Security

Biden: the US does not want to unleash a new cold war

Published

on

But cyberattacks will be answered

The United States does not seek to unleash a new Cold War and does not want to see the world split into tough blocs, said US President Joe Biden at the general political debate of the 76th session of the UN General Assembly (GA).

“We do not want a return of the Cold War or a world divided into blocs,” Biden said in his first US presidential address from the UN rostrum.

“The United States is ready to cooperate with any state that is ready to solve existing problems,” the American leader added.

Biden also noted that Washington is in favor of developing uniform rules for the safe behavior of states in cyberspace. The US is strengthening its infrastructure to better defend against foreign hackers.

Biden stressed that the country reserves the right to respond to hacker attacks in the strongest possible way because they threaten the people and interests of the United States.

Continue Reading

Security

Security Vision 5.0: The Swiss Knife in Information Security

Published

on

In this article, we will talk about the mechanisms that underlie the Security Vision 5.0 platform and allow you to automate any formalized process in the field of IT and information security.

Recently, the globally updated information security process management platform Security Vision 5.0 has entered the market. The changes have affected many aspects, from design and architecture to filling modules and principles of working with data, while the flexibility of the platform has not only been preserved, but also increased. In this article, we will talk about the mechanisms that underlie the platform and allow you to automate any formalized process in the field of IT and information security.

Object Oriented Approach

Most IRP / SOAR systems today are focused around one single object: the “incident”. Best practices recommend using CMDB for asset control, and Vulnerability Management System for vulnerability control. IDM will be responsible for accounts and GRC will be responsible for risks. Even if all these systems are in the company and each of them copes with its tasks, to obtain a comprehensive picture it will be necessary to do a lot of work: unload all the results of interest, bring them to a single data model and, based on this data, generate the necessary analytics. As a result, you never have a really up-to-date picture of what is happening – the situation can change dramatically immediately after you load the data into Excel. Needless to say

When it counts for minutes, and sometimes for seconds, incident response specialists simply do not have time for consolidated analytics from dozens of different sources, some of which are available only by calling the “possessor of sacred knowledge”. The owner of the system left for lunch – and now Initial Access turns into Lateral Movement .

But the list of types of objects of control in IB is not at all limited to the above. certifications, software and licenses, external service providers, user awareness companies, hardware inventory and obsolescence, changes, projects, Shadow IT and more. All this requires accounting and a special life cycle, for the successful functioning of which a well-coordinated interaction of employees and systems is required. It is for this reason that there are no restrictions on the types of control objects in our product, and it has become simple and convenient to create them.

The Security Vision platform can be delivered with pre-installed modules for managing incidents, assets, vulnerabilities, risks, specialized conformity assessments such as CII, PCI DSS, SWIFT, etc. These modules contain all the necessary objects, directories, dashboard workflows and reports.

But even the best analysts will not be able to think through every nuance of the customer’s infrastructure, take into account the peculiarities of the company’s internal processes, the requirements of regulators and business. For this reason, the main focus of our product is on the flexibility of any of the system elements. And this flexibility is available to the average user, without the involvement of a vendor or integrators. Without external scripts, right in the platform interface in NoCode or LowCode mode (in the case of integrations).

What does this flexibility look like in reality? Let’s consider several customization scenarios.

Incidents

Undoubtedly, the constantly growing number of incidents is becoming the main driver in information security automation. The process of their processing for the analyst should be as simple and clear as possible. He does not have time to read the string of incident properties in the hope of finding meaningful information. Depending on the type of incident, the focus should be on completely different inputs. For this reason, different types of incidents in the platform have completely different views in Security Vision.

Your existing incident handling process can be modified as part of your existing incident handling policy or procedure. For example, let’s add the attribute “Closing reason” to the incident card, which will be required to be filled in only if the status is “Waiting for closing confirmation”, and the ability to edit it will be available only to a user with the role “Information security incident manager”.

The calculation of the criticality of an incident can take into account any parameters of both the event itself and the objects involved in it.

In our case, the initial criticality of the incident and the criticality of the asset are used to calculate the criticality of the incident. For each of the incident types and information enrichment tools, you can assign your own criticality parameters and significance weights. You can use qualitative metrics or link the calculation to a quantitative risk assessment built in the company.

The field reflecting the quantitative assessment of potential damage can be hidden for employees of the first lines of support, making it available only to managers.

Properties of objects are available for layout in the card relative to each other, as well as for combining into semantic blocks and tabs. The data output form allows you to replace the values ​​with color indicators or icons for greater clarity.

One of the most interesting features of the platform interface is the ability to add graphic widgets directly to object cards. Chart the number of incidents by device or user involved in the incident, broken down by severity? See the timeline of a user’s VPN connection over the past month? No problem, adding such analytics to a specific type of incident has never been easier.

Most incident handling systems operate with tree-structured workflows. This means that our object can only move forward and never backward. However, it is often impossible to identify all involved accounts, hosts, IoCs in one pass. All stages of containment have already been carried out and it seems that the incident can be closed, but the Sandbox report reveals new objects, and the picture of the investigation completely changes. In such a situation, it is quite logical to return the incident to work.

In Securty Viison, incident handling reports are available for generation directly from the card. You can use ready-made report templates, such as the NKTsKI format, or customize your own, within the existing methodology in the company.

Integration

However, all of the above was mainly related to the interface. But the incident handling process gains real power thanks to the integration designer.

Today, a huge number of both paid and free services for enriching the available information are available for a SOC specialist. VirusTotal, Threat Crowd, Hybrid Analytics: – all these integrations are available by default in most IRP \ SOAR platforms. But let’s consider a situation where we want to add a new enrichment framework or just handle a new property that returns the API of the service we are interested in. To do this, you do not need to wait for a vendor’s response or write Python scripts. In Security Vision, we literally set up a connection in a couple of iterations and get the desired value.

All that remains is to add data retrieval to the incident handling workflow, choosing whether this action will be fully automatic or require manual activation of the function by the analyst.

But integrations aren’t just about friendly external APIs. Many infrastructure components are still difficult to integrate into automated procedures. For example, a Cisco cluster in Active-Passive mode will require access to the active IP address. How does the system know about the required connection parameters? The functionality of redundant connector configurations allows you to create additional configurations that will be applied if the main system is unavailable.

It is not always enough to get the data you need in just one step. Quite often, for example, in Sandbox systems, the following scenario occurs: 1. send the file being examined 2. get the request id 3. apply for the analysis status at regular intervals 4. and, finally, get the analysis results. But there are also more complex interactions, in which the data for authorization in the system must be obtained from Privileged Access Management and only after that the operations of interest must be carried out. The connector steps mechanism allows you to cope with such difficulties. The data from one step can be used as input parameters for the next. In Security Vision, functions of data transformation are available to the “meeting”: text, numeric, operations with arrays and structures.

If the company already has ready-made response tools in the form of scripts in PowerShell, Bash, Python or other scripting programming languages, then it will not be a problem to implement them into the platform. The script receives static values ​​or variables from system objects. The built-in regex, jpath, xpath and a number of other handlers will help you cope with any format of the returned data.

Many companies are faced with the problem of processing large reports, for example, from vulnerability scanners. The infrastructure scan file can be several gigabytes in size, but most systems are capable of processing files no larger than 100 MB. Security Vision connectors are able to cope even with such a task that is not solvable for many.

Complex report structures are another non-trivial task. For example, the scan policy and the credentials used are in one NameSpace, the plugins used are in the other, and the scan results are in the third. How to turn a report into a single table instead of 3 different ones? In Security Vision, this is very easy to do.

All the integrations described above can be performed both within the workflow and on a regular basis in the task scheduler. The results can be stored in the properties of objects, reference books or the platform can create new objects based on them: indicators of compromise, vulnerabilities, assets, or save their own types created by the user.

Assets

Having considered the functionality of creating objects, let’s now take a closer look at the part of it that is responsible for inventory and working with assets. In Security Vision, data sources about the assets being created can be any information storage available for integration: Active Directory, CMDB, virtualization management tools, or SIEM system asset models. Most often, the built-in mechanism of non-agentless scanning is used to identify systems.

In the absence of an account or unsuccessful authentication, the host can be identified by indirect signs: responses from services, information in Active Directory, or using custom rules (for example, based on the specifics of host names).

If authorization is successful, inventory scripts collect information about configuration, security status, software, updates, and other system components. All inventory scripts are written in bash and PowerShell, which allows any technician to familiarize themselves with their content, modify them to suit their needs, or search for problems in case of any errors and incorrect data received.

We have provided Security Vision with the ability to obtain information about user and groups, virtualization, startup and much more. However, if this information is not enough, the system allows you to add the retrieval of any system properties available for machine collection. Such custom operations can be implemented both by adding the necessary calls to the regular inventory process, or by creating a manual operation available from the asset card.

Our customers are often faced with the fact that inventory data is not enough even in disparate systems. What is the criticality of this system? Is it a productive environment or a test environment? Who is the business owner and who is the technical administrator? The collection of this kind of information from users can be built directly in Security Vision. The workflow will independently send a letter to the employee responsible for the inventory and the owner of the system with a reminder that it is necessary to fill in the required parameters. The system interface for such user roles can be configured in such a way that only the necessary menus and objects will be available for viewing and filling.

Any information contained in Security Vision can be presented in the form of reports and dashboards. The dashboard builder allows you to customize drill-down actions, for example, display a detailed description of a selected category or navigate to another related dashboard. The use of this designer does not require technical knowledge: the formation of analytics is similar to pivot tables and graphs in Excel. However, for more advanced statistics, we left the possibility of writing your own SQL queries right in the designer interface.

This is just a small list of tools that enable the Security Vision platform to optimize and automate almost any information security process. The flexibility of each of the elements allows you to implement scenarios for specific tasks of your company, without resting on the limits of the product and contractual individual revision.

Security Vision brings people and systems together in a single solution. This approach allows to achieve an unprecedented level of automation even in those processes that previously required significant human resources. Stay tuned for updates on our website: in the following articles we will tell you more about the SGRC module and its functions for working with audits, risks and compliance assessment, we will tell you how you can build a process for managing vulnerabilities and updates in the Security Vision platform, and also explain how the data, uploaded to the platform as part of the MITER ATT & CK framework and related projects can help increase the maturity level of your SOC division.

Continue Reading

Security

Counterfeit chips are increasingly being identified in supply chains

Published

on

Many manufacturers are faced with the supply of counterfeit, substandard or used microcircuits.

Fighting the unprecedented global chip crisis, more and more electronics manufacturers are turning to third-party supply chains to meet demand. Many manufacturers are faced with the supply of counterfeit, substandard or used microcircuits.

According to Nikkei Asia, Japanese electronics manufacturer Jenesis was one of the hardest hit. Since the company could not purchase microcomputers from conventional sources, it placed an order through the website of the Chinese e-commerce giant Alibaba. Unfortunately, the chips that arrived did not turn on and were completely different from those ordered by Jenesis. Jenesis representatives were unable to contact the supplier following this incident.

This trend should be a warning to electronics manufacturers looking to buy chips. Manufacturers and authorized distributors keep records of chips sold by third parties, but no manufacturer guarantees these chips. In most cases, it is unclear how and where vendors store the chips. These situations make it easier for suspicious goods to enter supply chains, but it is difficult to trace the true source.

These can be chips taken from discarded equipment or recycled chips that do not meet quality standards, including chips with a forged manufacturer name or model number.

As of August, experts from Oki Electric Industry, a company specializing in the provision of chip validation services, said they had received about 150 requests for chip analysis. Many of them were from manufacturers of industrial and medical equipment. According to the results of 70 checks, it turned out that about 30% of the microcircuits were faulty.

Continue Reading

Most Popular