PapersCut A shortcut to recent security papers

Mix'n'Squeeze: Thwarting Adaptive Adversarial Samples Using Randomized Squeezing

Authors: Kumar Sharad, Giorgia Azzurra Marson, Hien Thi Thu Truong, Ghassan Karame

Abstract: Deep Learning (DL) has been shown to be particularly vulnerable to adversarial samples. To combat adversarial strategies, numerous defenses have been proposed in the literature. Among these, feature squeezing emerges as an effective defense by reducing unnecessary features without changing the DL model. However, feature squeezing is a static defense and does not resist adaptive attacks. Namely, feature squeezing is a deterministic process: as soon as an adversarial sample is found, this sample will always succeed against the classifier. In this work, we address this problem and introduce Mix'n'Squeeze, the first randomized feature squeezing defense that leverages key-based randomness and is secure against adaptive whitebox adversaries. Our defense consists of pre-processing the classifier inputs by embedding carefully selected randomness within each feature, before applying feature squeezing, so that an adaptive whitebox attacker can no longer predict the effect of their own perturbations on the resulting sample. We thoroughly implement and evaluate Mix'n'Squeeze in the context of image classification in light of the various reported strategies to generate adversarial samples. We also analyze the resilience of Mix'n'Squeeze with respect to state of the art adaptive strategies and we show that---in contrast to common belief---Mix'n'Squeeze does not hamper the classifier's accuracy while significantly decreasing the success probability of an adaptive whitebox adversary.

Date: 11 Dec 2018



Intelligence-based Cybersecurity Awareness Training- an Exploratory Project

Authors: Tam N. Nguyen, Lydia Sbityakov, Samantha Scoggins

Abstract: Cybersecurity training should be adaptable to the evolving cyber threat landscape, cost effective and integrated well with other enterprise management components. Unfortunately, very few cybersecurity training platforms can satisfy such requirements. This paper proposes a new and novel model for conducting cybersecurity training with three main objectives: (i) training should be initiated by emerging relevant threats and delivered first to the most vulnerable members (ii) the process has to be agile (iii) training results must be able to provide actionable intelligence. For the first time, this paper establishes a type system (ontology and associated relationships) that links the domain of cybersecurity awareness training with that of cyber threat intelligence. Powered by IBM Watson Knowledge Studio platform, the proposed method was found to be practical and scalable. Main contributions such as exports of the type system, the manually annotated corpus of 100 threat reports and 127 cybersecurity assessment results, the dictionaries for pre-annotation, etc. were made publicly available.

Comment: 8 pages, 3 figures

Date: 11 Dec 2018



Privacy-preserving data aggregation in resource-constrained sensor nodes in Internet of Things: A review

Authors: Inayat Ali, Sonia Sabir, Eraj Khan

Abstract: Privacy problems are lethal and getting more attention than any other issue with the notion of the Internet of Things (IoT). Since IoT has many application areas including smart home, smart grids, smart healthcare system, smart and intelligent transportation and many more. Most of these applications are fueled by the resource-constrained sensor network, such as Smart healthcare system is powered by Wireless Body Area Network (WBAN) and Smart home and weather monitoring systems are fueled by Wireless Sensor Networks (WSN). In the mentioned application areas sensor node life is a very important aspect of these technologies as it explicitly affects the network life and performance. Data aggregation techniques are used to increase sensor node life by decreasing communication overhead. However, when the data is aggregated at intermediate nodes to reduce communication overhead, data privacy problems become more vulnerable. Different Privacy-Preserving Data Aggregation (PPDA) techniques have been proposed to ensure data privacy during data aggregation in resource-constrained sensor nodes. We provide a review and comparative analysis of the state of the art PPDA techniques in this paper. The comparative analysis is based on Computation Cost, Communication overhead, Privacy Level, resistance against malicious aggregator, sensor node life and energy consumption by the sensor node. We have studied the most recent techniques and provide in-depth analysis of the minute steps involved in these techniques. To the best of our knowledge, this survey is the most recent and comprehensive study of PPDA techniques.

Comment: 9 pages

Date: 11 Dec 2018



Code-less Patching for Heap Vulnerabilities Using Targeted Calling Context Encoding

Authors: Qiang Zeng, Golam Kayas, Emil Mohammed, Lannan Luo, Xiaojiang Du, Junghwan Rhee

Abstract: Exploitation of heap vulnerabilities has been on the rise, leading to many devastating attacks. Conventional heap patch generation is a lengthy procedure, requiring intensive manual efforts. Worse, fresh patches tend to harm system dependability, hence deterring users from deploying them. We propose a heap patching system that simultaneously has the following prominent advantages: (1) generating patches without manual efforts; (2) installing patches without altering the code (so called code-less patching); (3) handling various heap vulnerability types; (4) imposing a very low overhead; and (5) no dependency on specific heap allocators. As a separate contribution, we propose targeted calling context encoding, which is a suite of algorithms for optimizing calling context encoding, an important technique with applications in many areas. The system properly combines heavyweight offline attack analysis with lightweight online defense generation, and provides a new countermeasure against heap attacks. The evaluation shows that the system is effective and efficient.

Date: 11 Dec 2018



Secure and Private Implementation of Dynamic Controllers Using Semi-Homomorphic Encryption

Authors: Carlos Murguia, Farhad Farokhi, Iman Shames

Abstract: This paper presents a secure and private implementation of linear time-invariant dynamic controllers using Paillier's encryption, a semi-homomorphic encryption method. To avoid overflow or underflow within the encryption domain, the state of the controller is reset periodically. A control design approach is presented to ensure stability and optimize performance of the closed-loop system with encrypted controller.

Date: 11 Dec 2018



Private Polynomial Computation from Lagrange Encoding

Authors: Netanel Raviv, David A. Karpuk

Abstract: Private computation is a generalization of private information retrieval, in which a user is able to compute a function on a distributed dataset without revealing the identity of that function to the servers. In this paper it is shown that Lagrange encoding, a powerful technique for encoding Reed-Solomon codes, enables private computation in many cases of interest. In particular, we present a scheme that enables private computation of polynomials of any degree on Lagrange encoded data, while being robust to Byzantine and straggling servers, and to servers colluding to attempt to deduce the identities of the functions to be evaluated. Moreover, incorporating ideas from the well-known Shamir secret sharing scheme allows the data itself to be concealed from the servers as well. Our results extend private computation to high degree polynomials and to data-privacy, and reveal a tight connection between private computation and coded computation.

Date: 10 Dec 2018



Deep Program Reidentification: A Graph Neural Network Solution

Authors: Shen Wang, Zhengzhang Chen, Ding Li, Lu-An Tang, Jingchao Ni, Zhichun Li, Junghwan Rhee, Haifeng Chen, Philip S. Yu

Abstract: Program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of the program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by the attackers may have the fake ID of another common software, which is less sensitive. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program's identity). In this paper, we propose an attentional multi-channel graph neural network model (DeepRe-ID) to verify the program's identity based on its system behaviors. The key idea is to leverage the representation learning of the program behavior graph to guide the reidentification process. We formulate the program reidentification as a graph classification problem and develop an effective multi-channel attentional graph embedding algorithm to solve it. Extensive experiments --- using real-world enterprise monitoring data and real attacks --- demonstrate the effectiveness of DeepRe-ID across multiple popular metrics and the robustness to the normal dynamic changes like program version upgrades.

Date: 10 Dec 2018



On legitimate mining of cryptocurrency in the browser - a feasibility study

Authors: Saulius Venskutonis, Feng Hao, Matthew Collison

Abstract: Cryptocurrency mining in the browser has the potential to provide a new pay-as-you-go monetisation mechanism for consuming digital media over the Web. However, browser mining has recently received strong criticism due to illegitimate use of mining scripts in several popular websites (a practice called cryptojacking). Here we provide the first feasibility study of browser mining as a legitimate means of monetisation in terms of revenue, user consent and user experience within a specially built website. Our results compare browser mining to display advertisement and indicate browser mining provides a preferable user experience to advertising when the hash rate is user-adjustable. Furthermore, over 60% of participants would select browser mining over advertisement if they were invested in the ecosystem by obtaining half of the mined cryptocurrency. Our estimations show that browser mining currently generates revenue at a rate 46 times less than advertisement, however we would expect that gap to decrease as we observed a significant drop in mining difficulty after our tested cryptocurrency implemented ASIC-resistant mining measures. Overall, based on our results we find browser mining to be a legitimate alternative to display advertisement and conclude by discussing its current limitations and potential applications.

Date: 10 Dec 2018



IoTC2: A Formal Method Approach for Detecting Conflicts in Large Scale IoT Systems

Authors: Abdullah Al Farooq, Ehab Al-Shaer, Thomas Moyer, Krishna Kant

Abstract: Internet of Things (IoT) has become a common paradigm for different domains such as health care, transportation infrastructure, smart home, smart shopping, and e-commerce. With its interoperable functionality, it is now possible to connect all domains of IoT together for providing competent services to the users. Because numerous IoT devices can connect and communicate at the same time, there can be events that trigger conflicting actions to an actuator or an environmental feature. However, there have been very few research efforts made to detect conflicting situation in IoT system using formal method. This paper provides a formal method approach, IoT Conflict Checker (IoTC2), to ensure safety of controller and actuators' behavior with respect to conflicts. Any policy violation results in detection of the conflicts. We defined the safety policies for controller, actions, and triggering events and implemented those with Prolog to prove the logical completeness and soundness. In addition to that, we have implemented the detection policies in Matlab Simulink Environment with its built-in Model Verification blocks. We created smart home environment in Simulink and showed how the conflicts affect actions and corresponding features. We have also experimented the scalability, efficiency, and accuracy of our method in the simulated environment.

Date: 10 Dec 2018



Aggregation and Embedding for Group Membership Verification

Authors: Marzieh Gheisari, Teddy Furon, Laurent Amsaleg, Behrooz Razeghi, Slava Voloshynovskiy

Abstract: This paper proposes a group membership verification protocol preventing the curious but honest server from reconstructing the enrolled signatures and inferring the identity of querying clients. The protocol quantizes the signatures into discrete embeddings, making reconstruction difficult. It also aggregates multiple embeddings into representative values, impeding identification. Theoretical and experimental results show the trade-off between the security and the error rates.

Comment: Submitted to ICASSP 2019

Date: 10 Dec 2018


