ShieldScatter: Improving IoT Security with Backscatter Assistance
Authors: Zhiqing Luo, Wei Wang, Jun Qu, Tao Jiang, Qian Zhang
Abstract: The lightweight protocols and low-power radio technologies open up many opportunities to facilitate Internet-of-Things (IoT) into our daily life, while their minimalist design also makes IoT devices vulnerable to many active attacks due to the lack of sophisticated security protocols. Recent advances advocate the use of an antenna array to extract fine-grained physical-layer signatures to mitigate these active attacks. However, it adds burdens in terms of energy consumption and hardware cost that IoT devices cannot afford. To overcome this predicament, we present ShieldScatter, a lightweight system that attaches battery-free backscatter tags to single-antenna devices to shield the system from active attacks. The key insight of ShieldScatter is to intentionally create multi-path propagation signatures with the careful deployment of backscatter tags. These signatures can be used to construct a sensitive profile to identify the location of the signals' arrival, and thus detect the threat. We prototype ShieldScatter with USRPs and ambient backscatter tags to evaluate our system in various environments. The experimental results show that even when the attacker is located only 15 cm away from the legitimate device, ShieldScatter with merely three backscatter tags can mitigate 97% of spoofing attack attempts while at the same time trigger false alarms on just 7% of legitimate traffic.Date: 16 Oct 2018
PDF »Main page »
Preventing DDoS using Bloom Filter: A Survey
Authors: Ripon Patgiri, Sabuzima Nayak, Samir Kumar Borgohain
Abstract: Distributed Denial-of-Service (DDoS) is a menace for service provider and prominent issue in network security. Defeating or defending the DDoS is a prime challenge. DDoS make a service unavailable for a certain time. This phenomenon harms the service providers, and hence, loss of business revenue. Therefore, DDoS is a grand challenge to defeat. There are numerous mechanism to defend DDoS, however, this paper surveys the deployment of Bloom Filter in defending a DDoS attack. The Bloom Filter is a probabilistic data structure for membership query that returns either true or false. Bloom Filter uses tiny memory to store information of large data. Therefore, packet information is stored in Bloom Filter to defend and defeat DDoS. This paper presents a survey on DDoS defending technique using Bloom Filter.Comment: 9 pages, 1 figure. This article is accepted for publication in EAI Endorsed Transactions on Scalable Information Systems
Date: 15 Oct 2018
PDF »Main page »
Bounding Entities within Dense Subtensors
Authors: Yikun Ban, Xin Liu, Ling Huang, Yitao Duan, Xue Liu, Wei Xu
Abstract: Group-based fraud detection is a promising methodology to catch frauds on the Internet because 1) it does not require a long activity history for a single user; and 2) it is difficult for fraudsters to avoid due to their economic constraints. Unfortunately, existing work does not cover the entire picture of a fraud group: they either focus on the grouping feature based on graph features like edge density, or probability-based features, but not both. To our knowledge, we are the first to combine these features into a single set of metrics: the complicity score and fraud density score. Both scores allow customization to accommodate different data types and data distributions. Even better, algorithms built around these metrics only use localized graph features, and thus scale easily on modern big data frameworks. We have applied our algorithms to a real production dataset and achieve state-of-the-art results comparing to other existing approaches.Date: 16 Oct 2018
PDF »Main page »
On the Origins and Variations of Blockchain Technologies
Authors: Alan T. Sherman, Farid Javani, Haibin Zhang, Enis Golaszewski
Abstract: We explore the origins of blockchain technologies to better understand the enduring needs they address. We identify the five key elements of a blockchain, show embodiments of these elements, and examine how these elements come together to yield important properties in selected systems. To facilitate comparing the many variations of blockchains, we also describe the four crucial roles of blockchain participants common to all blockchains. Our historical exploration highlights the 1979 work of David Chaum whose vault system embodies many of the elements of blockchains.Comment: 14 pages, 3 tables, includes all references. A short version with ten references will be submitted to IEEE Security & Privacy in October 2018
Date: 15 Oct 2018
PDF »Main page »
S-FaaS: Trustworthy and Accountable Function-as-a-Service using Intel SGX
Authors: Fritz Alder, N. Asokan, Arseny Kurnikov, Andrew Paverd, Michael Steiner
Abstract: Function-as-a-Service (FaaS) is a recent and already very popular paradigm in cloud computing. The function provider need only specify the function to be run, usually in a high-level language like JavaScript, and the service provider orchestrates all the necessary infrastructure and software stacks. The function provider is only billed for the actual computational resources used by the function invocation. Compared to previous cloud paradigms, FaaS requires significantly more fine-grained resource measurement mechanisms, e.g. to measure compute time and memory usage of a single function invocation with sub-second accuracy. Thanks to the short duration and stateless nature of functions, and the availability of multiple open-source frameworks, FaaS enables non-traditional service providers e.g. individuals or data centers with spare capacity. However, this exacerbates the challenge of ensuring that resource consumption is measured accurately and reported reliably. It also raises the issues of ensuring computation is done correctly and minimizing the amount of information leaked to service providers. To address these challenges, we introduce S-FaaS, the first architecture and implementation of FaaS to provide strong security and accountability guarantees backed by Intel SGX. To match the dynamic event-driven nature of FaaS, our design introduces a new key distribution enclave and a novel transitive attestation protocol. A core contribution of S-FaaS is our set of resource measurement mechanisms that securely measure compute time inside an enclave, and actual memory allocations. We have integrated S-FaaS into the popular OpenWhisk FaaS framework. We evaluate the security of our architecture, the accuracy of our resource measurement mechanisms, and the performance of our implementation, showing that our resource measurement mechanisms add less than 6.3% latency on standardized benchmarks.Date: 14 Oct 2018
PDF »Main page »
False Data Injection Cyber-Attack Detection
Authors: Xingpeng Li, Kory W. Hedman
Abstract: State estimation estimates the system condition in real-time and provides a base case for other energy management system (EMS) applications including real-time contingency analysis and security-constrained economic dispatch. Recent work in the literature shows malicious cyber-attack can inject false measurements that bypass traditional bad data detection and cause actual overloads. Thus, it is very important to detect such cyber-attacks. In this paper, multiple metrics are proposed to monitor abnormal load deviations and suspicious branch flow changes. A systematic two-stage approach is proposed to detect false data injection (FDI) cyber-attack. The first stage determines whether the system is under attack while the second stage identifies the target branch. Numerical simulations verify that FDI can cause severe system violations and demonstrate the effectiveness of the proposed two-stage FDI detection (FDID) method. It is concluded that the proposed FDID approach can efficiently detect FDI cyber-attacks and identify the target branch; furthermore, the associated false alarm rate and false dismissal rate are very low.Comment: 8 pages, 9 figures
Date: 13 Oct 2018
PDF »Main page »
Two Can Play That Game: An Adversarial Evaluation of a Cyber-alert Inspection System
Authors: Ankit Shah, Arunesh Sinha, Rajesh Ganesan, Sushil Jajodia, Hasan Cam
Abstract: Cyber-security is an important societal concern. Cyber-attacks have increased in numbers as well as in the extent of damage caused in every attack. Large organizations operate a Cyber Security Operation Center (CSOC), which form the first line of cyber-defense. The inspection of cyber-alerts is a critical part of CSOC operations. A recent work, in collaboration with Army Research Lab, USA proposed a reinforcement learning (RL) based approach to prevent the cyber-alert queue length from growing large and overwhelming the defender. Given the potential deployment of this approach to CSOCs run by US defense agencies, we perform a red team (adversarial) evaluation of this approach. Further, with the recent attacks on learning systems, it is even more important to test the limits of this RL approach. Towards that end, we learn an adversarial alert generation policy that is a best response to the defender inspection policy. Surprisingly, we find the defender policy to be quite robust to the best response of the attacker. In order to explain this observation, we extend the earlier RL model to a game model and show that there exists defender policies that can be robust against any adversarial policy. We also derive a competitive baseline from the game theory model and compare it to the RL approach. However, we go further to exploit assumptions made in the MDP in the RL model and discover an attacker policy that overwhelms the defender. We use a double oracle approach to retrain the defender with episodes from this discovered attacker policy. This made the defender robust to the discovered attacker policy and no further harmful attacker policies were discovered. Overall, the adversarial RL and double oracle approach in RL are general techniques that are applicable to other RL usage in adversarial environments.Date: 13 Oct 2018
PDF »Main page »
ProPatrol: Attack Investigation via Extracted High-Level Tasks
Authors: Sadegh M. Milajerdi, Birhanu Eshete, Rigel Gjomemo, V. N. Venkatakrishnan
Abstract: Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.Comment: The published version of this article will appear in proceedings of the 14th International Conference on Information Systems Security in Dec 2018
Date: 12 Oct 2018
PDF »Main page »