Research Report: ICARUS: Understanding De Facto Formats by Way of Feathers and Wax

Cowger, Sam; Lee, Yerim; Schimanski, Nichole; Tullsen, Mark; Woods, Walter; Jones, Richard S.; Davis, EW; Harris, William R.; Brunson, Trent; Harmon, Carson; Larsen, Bradford; Sultanik, Evan A.

doi:10.1109/spw50608.2020.00067

Cited by 8 publications

(6 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given a grammar, we can generate a parser for that grammar, and then apply that parser to a sentence; if the parser fails, then the sentence can be labeled as anomalous. However, it can sometimes be more natural to learn a parser, rather than a grammar, as was done in (Cowger et al, 2020;Woods, 2021). As the resulting parser successfully produces a parse tree for any sentence, it cannot be used directly for anomaly detection.…”

Section: Discussion and Future Workmentioning

confidence: 99%

“…For the specific example in Fig. 2 (left), the production rules happen to cover all sentences described by the grammar S -> '{' ('a' | 'b' | 'c' | S+) '}', referred to as the Simple-JSON grammar (Cowger et al, 2020;Woods, 2021); in particular, the '{G}' atom (appearing on the left side of the production rule '{G}' -> '{G' '}') approximately corresponds to S. However, while the rules will successfully parse any valid Simple-JSON sentence, will they also fail at parsing any sentence that is not in the Simple-JSON format, i.e., that is anomalous from the perspective of Simple-JSON? We will address this question in the following two subsections.…”

Section: Production Rule Extractionmentioning

confidence: 99%

“…Recently, Reinforcement Learning (RL) has been used as the basis for a novel, flexible grammatical inference scaffolding called RL-GRIT (Cowger et al, 2020;Woods, 2021). The goal of RL is to find a policy, defined as a mapping of observations to actions, which attempts to maximize some reward.…”

Section: Introductionmentioning

confidence: 99%

“…The primary reason for this is that the learning process benefits from a search space with progressive improvements in the measured reward, rather than the "allor-nothing" design of traditional grammars, which either accept or reject a sentence. While this approach was shown to be promising at automatically generating parsers for formats with data type recurrency (Cowger et al, 2020;Woods, 2021), it also has limitations. First, as is often the case with neural network-based approaches, there is a lack of explainability: the parser has learned some grammar, but it does not provide the production rules for that grammar.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Anomaly Detection with Neural Parsers That Never Reject

Grushin¹,

Woods²

2021

Preprint

View full text Add to dashboard Cite

Reinforcement learning has recently shown promise as a technique for training an artificial neural network to parse sentences in some unknown format. A key aspect of this approach is that rather than explicitly inferring a grammar that describes the format, the neural network learns to perform various parsing actions (such as merging two tokens) over a corpus of sentences, with the goal of maximizing the total reward, which is roughly based on the estimated frequency of the resulting parse structures. This can allow the learning process to more easily explore different action choices, since a given choice may change the optimality of the parse (as expressed by the total reward), but will not result in the failure to parse a sentence. However, the approach also exhibits limitations: first, the neural network does not provide production rules for the grammar that it uses during parsing; second, because this neural network can successfully parse any sentence, it cannot be directly used to identify sentences that deviate from the format of the training sentences, i.e., that are anomalous. In this paper, we address these limitations by presenting procedures for extracting production rules from the neural network, and for using these rules to determine whether a given sentence is nominal or anomalous, when compared to structures observed within training data. In the latter case, an attempt is made to identify the location of the anomaly. Additionally, a two pass mechanism is presented for dealing with formats containing high-entropy information. We empirically evaluate the approach on artificial formats, demonstrating effectiveness, but also identifying limitations. By further improving parser learning, and leveraging rule extraction and anomaly detection, one might begin to understand common errors, either benign or malicious, in practical formats.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

Section: Production Rule Extractionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Anomaly Detection with Neural Parsers That Never Reject

Grushin¹,

Woods²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…1 were able to be learned automatically, solely from data. Applying RL to the grammar inference problem was initially presented at LangSec 2020 [6],…”

Section: Introductionmentioning

confidence: 99%

RL-GRIT: Reinforcement Learning for Grammar Inference

Woods¹

2021

Preprint

View full text Add to dashboard Cite

When working to understand usage of a data format, examples of the data format are often more representative than the format's specification. For example, two different applications might use very different JSON representations, or two PDF-writing applications might make use of very different areas of the PDF specification to realize the same rendered content. The complexity arising from these distinct origins can lead to large, difficult-to-understand attack surfaces, presenting a security concern when considering both exfiltration and data schizophrenia. Grammar inference can aid in describing the practical language generator behind examples of a data format. However, most grammar inference research focuses on natural language, not data formats, and fails to support crucial features such as type recursion. We propose a novel set of mechanisms for grammar inference, RL-GRIT 1 , and apply them to understanding de facto data formats. After reviewing existing grammar inference solutions, it was determined that a new, more flexible scaffold could be found in Reinforcement Learning (RL). Within this work, we lay out the many algorithmic changes required to adapt RL from its traditional, sequential-time environment to the highly interdependent environment of parsing. The result is an algorithm which can demonstrably learn recursive control structures in simple data formats, and can extract meaningful structure from fragments of the PDF format. Whereas prior work in grammar inference focused on either regular languages or constituency parsing, we show that RL can be used to surpass the expressiveness of both classes, and offers a clear path to learning context-sensitive languages. The proposed algorithm can serve as a building block for understanding the ecosystems of de facto data formats.

show abstract

An analysis of how many undiscovered vulnerabilities remain in information systems

Spring¹

2023

Computers & Security

View full text Add to dashboard Cite

Research Report: ICARUS: Understanding De Facto Formats by Way of Feathers and Wax

Cited by 8 publications

References 14 publications

Anomaly Detection with Neural Parsers That Never Reject

Anomaly Detection with Neural Parsers That Never Reject

RL-GRIT: Reinforcement Learning for Grammar Inference

An analysis of how many undiscovered vulnerabilities remain in information systems

Contact Info

Product

Resources

About