NDSS
1. Do Users Make Rational Security Decisions?

Elissa Redmiles, Michelle Mazurek and John Dickerson.

Accurately modeling human decision-making in security is critical to thinking about when, why, and how to recommend that users adopt certain secure behaviors. Here, we present a series of behavioral economics experiments modeling the rationality of end-user security decision-making. We ask participants to make a financially impactful security choice, in the face of transparent risks of account compromise and benefits offered by an optional security behavior (two-factor authentication). We measure the cost and utility of adopting the security behavior via measurements of time spent executing the behavior and estimates of the participant’s wage. More than 50% of our participants made rational decisions, and their behavior was boundedly rational: they made decisions based on some risks and context, but not others. Finally, we can model their behavior well (R^2=0.61) as a function of risks, context, and prior behavior.

2.  HybridGuard: A Principal-based Permission and Fine-Grained Policy Enforcement Framework for Web-based Mobile Applications

Phu H. Phung, Abhinav Mohanty, Rahul Rachapalli and Meera Sridhar.

Web-based or hybrid mobile applications (apps) are widely used and supported by various modern hybrid app development frameworks. In this architecture, any JavaScript code, local or remote, can access available APIs, including JavaScript bridges provided by the hybrid framework, to access device resources. This JavaScript inclusion capability is dangerous, since there is no mechanism to determine the origin of the code to control access, and any JavaScript code running in the mobile app can access the device resources through the exposed APIs. Previous solutions are either limited to a specific platform (e.g., Android) or a specific hybrid framework (e.g., Cordova) or only protect the device resources and disregard the sensitive elements in the web environment. Moreover, most of the solutions require the modification of the base platform.

In this paper, we present HybridGuard, a novel policy enforcement framework that can enforce principal-based, stateful policies, on multiple origins without modifying the hybrid frameworks or mobile platforms. In HybridGuard, hybrid app developers can specify principal-based permissions, and define fine-grained, stateful, and history-based policies that can mitigate a significant class of attacks caused by potentially malicious JavaScript code included from third-party domains, including ads running inside the app. HybridGuard also provides a mechanism and policy patterns for app developers to specify fine-grained policies for multiple principals. HybridGuard is implemented in JavaScript; therefore, it can be easily adapted for other hybrid frameworks or mobile platforms without modification of these frameworks or platforms. We present attack scenarios and report experimental results to demonstrate how HybridGuard can thwart attacks against hybrid mobile apps.

3.  CFIXX Object Type Integrity for C++

Nathan Burow, Derrick McKee, Scott A. Carr and Mathias Payer.

C++ relies on object type information for dynamic dispatch and casting. The association of type information to an object is implemented via the virtual table pointer, which is stored in the object itself. As C++ has neither memory nor type safety, adversaries may therefore overwrite an object’s type. If the corrupted type is used for dynamic dispatch, the attacker has hijacked the application’s control flow. This vulnerability is widespread and commonly exploited. Firefox, Chrome, and other major C++ applications are network facing, commonly attacked, and make significant use of dynamic dispatch. Control-Flow Integrity (CFI) is the state of the art policy for efficient mitigation of control-flow hijacking attacks. CFI mechanisms determine statically (i.e., at compile time) the set of functions that are valid at a given call site, based on C++ semantics. We propose an orthogonal policy, Object Type Integrity (OTI), that dynamically tracks object types. Consequently, instead of allowing a set of targets for each dynamic dispatch on an object, only the single, correct target for the object’s type is allowed.

To show the efficacy of OTI, we present CFIXX, which enforces OTI. CFIXX enforces OTI by dynamically tracking the type of each object and enforcing its integrity against arbitrary writes. CFIXX has minimal overhead on CPU bound applications such as SPEC CPU2006 – 4.98%. On key applications like Chromium, CFIXX has negligible overhead on JavaScript benchmarks: 2.03% on Octane, 1.99% on Kraken, and 2.80% on JetStream. We show that CFIXX can be deployed in conjunction with CFI, providing a significant security improvement.

4.  Trust-based Light-weight Association Protocol for 802.11 Networks

Vineeta Jain, Vijay Laxmi, Manoj Singh Gaur and Mohamed Mosbah.

We present a light-weight, trust-based, low-bandwidth association protocol named ETAnalyst for 802.11 networks that would empower clients to assess the legitimacy of access points (APs) and detect Evil Twins (ETs) before associating with them. An ET can be defined as a rogue AP created by hackers to resemble the authentic AP in a network zone. ETs are easy to launch and can be extremely fatal as they can execute attacks such as spoofing, Man-in-the-middle (MITM) attack, etc., which may lead to information loss, financial loss, remote control, etc. The existing IEEE 802.1X protocol is considered robust against ET attacks, but the deployment is expensive and non-trivial as it requires meticulous setup for the initial handshake and an X.509 public key certificate issued by a trusted certification authority (CA). It puts an additional cost on network operators, particularly existing ones, who have no incentive to provide this facility. ETAnalyst operates by padding surplus information, named trust bytes, in 802.11 management frames. These bytes are evaluated by clients to judge the genuineness of APs. ETAnalyst abides by the existing 802.11 standards by not appending information greater than the permissible management frame size. The approach is light-weight considering it does not employ any encryption. The approach does not use any pre-shared keys or strings; thus it is scalable. No additional hardware and certificates are required, making ETAnalyst a low-cost technique. Since it abides by existing 802.11 standards, only a minor adaptation at the driver level of the AP and client is needed to implement it in real networks, thus ensuring negligible overhead.

5.  The Petri Dish Attack – Guessing Secrets Based on Bacterial Growth

Katharina Krombholz, Adrian Dabrowski, Peter Purgathofer and Edgar Weippl.

PINs and unlock patterns remain by far the most common knowledge-based authentication methods on mobile devices. Biometric authentication methods such as fingerprints also rely on PINs and unlock patterns as fallback methods. In recent years, several attacks on knowledge-based mobile authentication have been presented, e.g., shoulder-surfing, smudge attacks and thermal attacks. In this poster, we present the Petri dish attack, a novel attack to guess secrets based on bacterial growth. We conducted a series of lab experiments with 20 Petri dishes to evaluate the feasibility of this new attack and unfortunately were not able to successfully conduct the attack on off-the-shelf smartphones. However, we still believe that our results are valuable to the scientific community and provide a baseline to explore future cross-domain attack vectors and interdisciplinary approaches on smartphone security.

6.  Stylometry of Author-Specific and Country-Specific Style Features in JavaScript

Dennis Röllke, Aviel Stein, Edwin Dauber, Mosfiqur Rahman, Michael Weisman, Gregory Shearer, Frederica Nelson, Aylin Caliskan, Richard Harang and Rachel Greenstadt.

Stylometry is the study of writing style, and is often used for authorship attribution. Published papers have shown the usefulness of this technique for code and compiled programs written in languages such as C++. We show that these abstract syntax tree focused techniques can be adapted to JavaScript, an interpreted scripting language common on the World Wide Web. Using Google Code Jam submissions, we show that individual authors from a small suspect set (17 authors) can be attributed with over 99% accuracy. We also present a proof-of-concept experiment which shows that we can differentiate the country of origin of a code author with over 91% accuracy, using Canada and China as our example countries.

7.  Towards Scaling Privacy Strength

Joshua Joy and Mario Gerla.

In this paper, we introduce a privacy mechanism that improves the privacy strength while preserving utility. That is, we perform query expansion to reduce the information leakage due to an individual’s participation.

8.  TinPal: An Enhanced Interface for Pattern Locks

Harshal Tupsamudre, Sukanya Vaddepalli, Vijayanand Banahatti and Sachin Lodha.

The pattern lock scheme, in which users connect 4-9 dots in a 3X3 grid, is one of the most popular authentication methods on mobile devices. However, numerous research studies show that users choose patterns from a small space, which makes them vulnerable to a variety of attacks such as guessing attacks, shoulder-surfing attacks and smudge attacks.

In this work, we enhance the existing 3X3 interface with a visual indicator mechanism and demonstrate how this slight modification can influence users’ pattern choices, thereby improving the security of the pattern lock scheme. We refer to this enhanced interface as TinPal. As users draw their pattern, TinPal highlights the next set of unconnected dots that can be reached from the currently connected dot. We gauge the impact of this highlighting mechanism on users’ pattern choices by performing a comparative study of two groups, where one group creates patterns using the existing interface while the other group creates patterns using TinPal. The study results show that participants who used the TinPal interface created more secure patterns than participants who used the existing interface.

9.  Practicing a Science of Security: A Philosophy of Science Perspective

Jonathan M Spring, Tyler Moore and David Pym.

Our goal is to refocus the question about cybersecurity research from ‘is this process scientific’ to ‘why is this scientific process producing unsatisfactory results’. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences.

10.  Machine Learning-Based Fingerprinting of Network Traffic Using Programmable Forwarding Engines

Greg Cusack, Oliver Michel and Eric Keller.

With the recent development of programmable forwarding engines (PFEs), systems designers are now able to extract information-rich flow records at high rates of speed. The growth of PFEs and rich flow generation systems provides us with the data and speed necessary for network flow-based fingerprinting and classification. In this project, we explore the efficacy of classifying large amounts of network traffic using PFE-generated, rich flow records. We write a stream processor and use a random forest binary classifier to utilize these flow records in fingerprinting ransomware and Shadowsocks, a censorship circumvention tool, without requiring deep packet inspection. Our ransomware classification model achieves a detection rate in excess of 0.86, while our Shadowsocks classifier achieves a detection rate close to 0.987. Our initial results show the efficacy of utilizing high-rate, PFE-generated, rich flow records to fingerprint various types of web traffic.

11.  On Predicting BGP Anomalous Incidents: A Bayesian Approach

Clint McElroy, Pablo Moriano and Jean Camp.

Despite multiple efforts to secure the Internet control plane, Border Gateway Protocol (BGP) anomalous incidents have been increasing in both frequency and impact over the past several years. These anomalies are events in which Internet traffic is accidentally or maliciously routed incorrectly. Here, we examine a popular public dataset of BGP anomalies to develop Bayesian Generalized Linear Models (BGLMs) that capture the frequency and impact of BGP anomalies. We find that the daily frequency can be modeled by a lognormal distribution while their impact is better captured by a discrete Laplace distribution. Knowing these distributions can provide insights into the generative mechanisms of these anomalies and inform future predictions.

12.  Sonification in Security Operations Centres: What do Security Practitioners Think?

Louise Axon, Bushra Alahmadi, Jason Nurse, Michael Goldsmith and Sadie Creese.

In Security Operations Centres (SOCs) security practitioners work using a range of tools to detect and mitigate malicious computer-network activity. Sonification, in which data is represented as sound, is said to have potential as an approach to addressing some of the unique challenges faced by SOCs. For example, sonification has been shown to enable peripheral monitoring of processes, which could aid practitioners multitasking in busy SOCs. The perspectives of security practitioners on incorporating sonification into their actual working environments have not yet been examined, however. The aim of this paper therefore is to address this gap by exploring attitudes to using sonification in SOCs. We report on the results of a study consisting of an online survey (N=20) and interviews (N=21) with security practitioners working in a range of different SOCs. Our contribution is a refined appreciation of the contexts in which sonification could aid in SOC working practice, and an understanding of the areas in which sonification may not be beneficial or may even be problematic. We also analyse the critical requirements for the design of sonification systems and their integration into the SOC setting. Our findings clarify insights into the potential benefits and challenges of introducing sonification to support work in this vital security-monitoring environment.

13.  Data Protection of IoT End Device

Jinseong Kim, Chang-O Eun and Im Jung.

Recently, many vulnerabilities of IoT end devices have appeared. One example is the IP camera vulnerability. An IP camera can be attacked by bypassing IP camera authentication and authorization, analyzing and reusing the packets of the IP camera video stream, and so on. However, the countermeasures to these attacks depend on each IP camera manufacturer. In this paper, we propose a solution to protect the data stream of an IP camera on a home network, which does not depend on the manufacturer.

14.  Community Engagement for Cybersecurity Experimentation of the Future

David Balenson, Laura Tinnel and Terry Benzel.

The ever-increasing cyber threat landscape demands new forms of advanced research and development coupled with new revolutionary approaches to cyber experimentation. SRI International (SRI) and USC Information Sciences Institute (USC-ISI) conducted the Cybersecurity Experimentation of the Future (CEF) study and produced a strategic plan and roadmap intended to catalyze generational advances in the field of experimental cybersecurity research. These results represented the conclusions of our CEF study, conducted with broad participation by the cybersecurity research, research sponsor, and customer communities.

USC-ISI, SRI, and the community have continued to advance the concepts behind the CEF study both through organized efforts such as the NSF Accessible Remote Testbeds (ART) Workshop and the Sandia Workshop on Research Directions for Cyber Experimentation, and through the development of advanced experimentation infrastructure and capabilities.

Since the release of the CEF Final Report, the community has seen extensive growth in experimentation infrastructure, methods, and results across an ever-growing diversity of domains of interest. This proliferation of experimental infrastructures has matured the field beyond first generation testbeds. This diversity points to an increasing need for broad community engagement in order to realize transformational change as envisioned by the CEF study.

Consequently, SRI and USC-ISI launched the CEF Community Engagement Initiative. This large community undertaking will benefit from coordination, collaboration and establishment of open source development efforts. USC-ISI, SRI and colleagues have initiated work on the design of a CEF framework, development of a reference implementation, and establishment of community working groups. Central to expanding the CEF work is the engagement of the larger community, including research infrastructure developers, tool builders, and research experimental users. We are holding a series of Community Engagement Events in Spring 2018 and are in the process of establishing working groups that will jointly mature the CEF concepts as realized across the broad range of experimental infrastructure.

15.  Exploring Family Features for Classification and Lineage Inference of Packed Malware

Leo Hyun Park, Jungbeen Yu and Taekyoung Kwon.

Both classification and lineage inference are important subjects for handling the tremendous number of malware variants emerging today. Many previous studies have been done in this respect, classifying variants into families, but they did not consider packed malware in lineage inference and applied the common features to all lineages. In this study, with regard to malware lineage inference, we consider packed malware, which accounts for the majority of today’s malware variants. To improve accuracy, our basic idea is to apply different features, namely family features derived through classification and feature selection phases, to identify each malware family. Our experimental study shows that family features are effective and also practical compared to the common features in lineage inference. We also discuss our on-going work and future directions.

16.  Towards Reverse Engineering FPGA Bitstreams for Static Hardware Trojan Detection

Yezee Seo, Junghwan Yoon, Jaedong Jang, Mingi Cho, Hoon-Kyu Kim and Taekyoung Kwon.

FPGAs are field-programmable and reconfigurable integrated circuits, aiming at both hardware and software advantages. Recently they tend to be combined with microprocessors in the form of all programmable SoCs. A security problem in FPGAs is that the configuration data, called a bitstream, which must be loaded to circuits, is susceptible to both malicious fabrication and modification attacks due to flexibility. That is, a hardware Trojan can be loaded to the circuits. In this study, we consider reverse engineering of bitstreams promising for hardware Trojan detection in a static manner because modern techniques relying on dynamic signal analysis are neither cost-effective nor precise. A challenge is that the reverse engineering of bitstreams is not relatively easy and that the detailed format of the bitstream is proprietary to the FPGA vendors. As a preliminary study, we design the general architecture of bitstream reverse engineering for hardware Trojan detection in this respect, and present a detailed method for reverse engineering the core resources of FPGAs. We also discuss our on-going work and future directions.

17.  Risks of Transferring Knowledge from Deep Models

Bolun Wang, Yuanshun Yao, Bimal Viswanath, Heather Zheng and Ben Y. Zhao.

With deep learning (DL) showing promise in various domains, there is a huge demand to adopt DL to solve a variety of tasks. However, building a DL-based system is hard in practice. Developing DL models requires a tremendous amount of computational resources, data, as well as machine learning expertise, which is out of reach for many users. An effective solution is transfer learning, where a high quality pre-trained model is re-used, and with some minor effort, adapted for a new task. Transfer learning is being promoted by online services as the go-to solution and more users are adopting it. Hence, it is crucial to understand the underlying security risks of such a practice. In this work, we propose a novel attack that exploits the transfer learning scenario to generate adversarial samples targeting new models generated by this practice. We launch an attack on a Face Recognition model, trained using transfer learning, and successfully trigger misclassification in 92.6% of cases, by adding unnoticeable changes to images.

18.  DDoS Detection at an ISP

Rajat Tandon and Jelena Mirkovic.

Distributed denial-of-service (DDoS) detection and signature generation at an ISP level must be both light on resources, and accurate enough to minimize collateral damage to legitimate traffic. This is challenging because ISPs often serve many diverse clients, and cannot afford to build and maintain an accurate profile for each client.

We propose Asym – a scalable, low-impact detection tool, which models information about volume and asymmetry of flows per destination. To save memory, this information is stored in a fixed-size hash map. Asym detects an attack when both volume and asymmetry measures exceed their historical values. We show how this approach helps detect both high-rate and low-rate attacks, and filter them with high accuracy.