
2014 IEEE Security and Privacy Workshops: latest publications

Collusion and Fraud Detection on Electronic Energy Meters - A Use Case of Forensics Investigation Procedures
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.19
R. A. D. Faria, K. Fonseca, Bertoldo Schneider, S. Nguang
Smart meters (gas, electricity, water, etc.) play a fundamental role in the implementation of the Smart Grid concept. Nevertheless, the rollout of smart meters needed to achieve the foreseen benefits of the integrated network of devices is still slow. Among the reasons for the slower pace is the lack of trust in electronic devices and new kinds of fraud based on clever tampering and collusion. These facts have been challenging service providers and imposing great revenue losses. This paper presents a use case of forensics investigation procedures applied to detect electricity theft based on tampered electronic devices. The collusion fraud drew our attention for the amounts (losses) caused to the provider and the technique applied to hide fraud evidence.
Citations: 18
Insider Threat Identification by Process Analysis
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.40
M. Bishop, H. Conboy, Huong Phan, Borislava I. Simidchieva, G. Avrunin, L. Clarke, L. Osterweil, S. Peisert
The insider threat is one of the most pernicious in computer security. Traditional approaches typically instrument systems with decoys or intrusion detection mechanisms to detect individuals who abuse their privileges (the quintessential "insider"). Such an attack requires that these agents have access to resources or data in order to corrupt or disclose them. In this work, we examine the application of process modeling and subsequent analyses to the insider problem. With process modeling, we first describe how a process works in formal terms. We then look at the agents who are carrying out particular tasks, perform different analyses to determine how the process can be compromised, and suggest countermeasures that can be incorporated into the process model to improve its resistance to insider attack.
Citations: 47
iCOP: Automatically Identifying New Child Abuse Media in P2P Networks
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.27
Claudia Peersman, Christian Schulze, A. Rashid, M. Brennan, Carl Fischer
The increasing levels of child sex abuse (CSA) media being shared in peer-to-peer (P2P) networks pose a significant challenge for law enforcement agencies. Although a number of P2P monitoring tools to detect offender activity in such networks exist, they typically rely on hash value databases of known CSA media. Such an approach cannot detect new or previously unknown media being shared. Conversely, identifying such new, previously unknown media is a priority for law enforcement - it can be an indicator of recent or ongoing child abuse. Furthermore, originators of such media can be hands-on abusers, and their apprehension can safeguard children from further abuse. The sheer volume of activity on P2P networks, however, makes manual detection virtually infeasible. In this paper, we present a novel approach that combines sophisticated filename and media analysis techniques to automatically flag new, previously unseen CSA media to investigators. The approach has been implemented in the iCOP toolkit. Our evaluation on real case data shows high degrees of accuracy, while hands-on trials with law enforcement officers highlight iCOP's usability and its complementarity to existing investigative workflows.
Citations: 22
Architecture, Workflows, and Prototype for Stateful Data Usage Control in Cloud
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.13
A. Lazouski, Gaetano Mancini, F. Martinelli, P. Mori
This paper deals with the problem of continuous usage control of multiple copies of data objects in distributed systems. This work defines an architecture, a set of workflows, a set of policies and an implementation for the distributed enforcement. The policies, besides including access and usage rules, also specify the parties that will be involved in the decision process. Indeed, the enforcement requires collaboration of several entities, because the access decision might be evaluated on one site and enforced on another, and the attributes needed for the policy evaluation might be stored in many distributed locations.
Citations: 15
Towards Forensic Analysis of Attacks with DNSSEC
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.20
Haya Schulmann, M. Waidner
DNS cache poisoning is a stepping stone towards advanced (cyber) attacks, and can be used to monitor users' activities, for censorship, to distribute malware and spam, and even to subvert the correctness and availability of Internet networks and services. The DNS infrastructure relies on challenge-response defences, which are deemed effective for thwarting attacks by (the common) off-path adversaries. Such defences do not suffice against stronger adversaries, e.g., a man-in-the-middle (MitM). However, there seems to be little willingness to adopt systematic, cryptographic mechanisms, since stronger adversaries are not believed to be common. In this work we validate this assumption and show that it is imprecise. In particular, we demonstrate that: (1) attackers can frequently obtain MitM capabilities, and (2) even weaker attackers can subvert DNS security. Indeed, as we show, despite wide adoption of challenge-response defences, cache-poisoning attacks against DNS infrastructure are highly prevalent. We experimentally evaluate the security of domain registrars and name servers, and find vulnerabilities which expose DNS infrastructure to cache poisoning. We review DNSSEC, the defence against DNS cache poisoning, and argue that not only is it the most suitable mechanism for preventing cache poisoning attacks, but it is also the only proposed defence that enables a posteriori forensic analysis of attacks. Specifically, DNSSEC provides cryptographic evidence which can be presented to, and validated by, any third party, and can be used in investigations and for detection of attacks even long after the attack took place.
Citations: 17
Constructing and Analyzing Criminal Networks
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.22
Hamed Sarvari, Ehab A. Abozinadah, Alex V. Mbaziira, Damon McCoy
Analysis of criminal social graph structures can enable us to gain valuable insights into how these communities are organized, for example, how large-scale and centralized these criminal communities currently are. While these types of analysis have been completed in the past, we wanted to explore how to construct a large-scale social graph from a smaller set of leaked data that included only the criminals' email addresses. We begin our analysis by constructing a 43 thousand node social graph from one thousand publicly leaked criminals' email addresses. This is done by locating Facebook profiles that are linked to these same email addresses and scraping the public social graph from these profiles. We then perform a large-scale analysis of this social graph to identify profiles of high-rank criminals, criminal organizations and large-scale communities of criminals. Finally, we perform a manual analysis of these profiles that results in the identification of many criminally focused public groups on Facebook. This analysis demonstrates the amount of information that can be gathered by using limited data leaks.
Citations: 57
Insider Attack Identification and Prevention Using a Declarative Approach
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.41
A. Sarkar, Sven Köhler, S. Riddle, Bertram Ludäscher, M. Bishop
A process is a collection of steps, carried out using data, by either human or automated agents, to achieve a specific goal. The agents in our process are insiders; they have access to different data and annotations on data moving between the process steps. At various points in a process, they can carry out attacks on the privacy and security of the process through their interactions with different data and annotations, via the steps which they control. These attacks are sometimes difficult to identify, as the rogue steps are hidden among the majority of the usual non-malicious steps of the process. We define process models and attack models as data-flow-based directed graphs. An attack A is successful on a process P if there is a mapping relation from A to P that satisfies a number of conditions. These conditions encode the idea that an attack model needs to have a corresponding similarity match in the process model to be successful. We propose a declarative approach to vulnerability analysis. We encode the match conditions using a set of logic rules that define what a valid attack is. Then we implement an approach to generate all possible ways in which agents can carry out a valid attack A on a process P, thus informing the process modeler of vulnerabilities in P. The agents, in addition to acting by themselves, can also collude to carry out an attack. Once A is found to be successful against P, we automatically identify improvement opportunities in P and exploit them, eliminating ways in which A can be carried out against it. The identification uses information about which steps in P are most heavily attacked, and tries to find improvement opportunities in them first, before moving on to the less attacked ones. We then evaluate the improved P to check if our improvement is successful. This cycle of process improvement and evaluation iterates until A is completely thwarted in all possible ways.
Citations: 17
The Tricks of the Trade: What Makes Spam Campaigns Successful?
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.21
Jane Iedemska, G. Stringhini, R. Kemmerer, Christopher Krügel, G. Vigna
Spam is a profitable business for cyber criminals; the revenue of a spam campaign can be on the order of millions of dollars. For this reason, a wealth of research has been performed on understanding how spamming botnets operate, as well as what the economic model behind spam looks like. Running a spamming botnet is a complex task: the spammer needs to manage the infected machines, the spam content being sent, and the email addresses to be targeted, among other things. In this paper, we try to understand which factors influence the spam delivery process and what characteristics make a spam campaign successful. To this end, we analyzed the data stored on a number of command and control servers of a large spamming botnet, together with the guidelines and suggestions that the botnet creators provide to spammers to improve the performance of their botnet.
Citations: 17
Can We Identify NAT Behavior by Analyzing Traffic Flows?
Pub Date: 2014-05-17 DOI: 10.1109/SPW.2014.28
Yasemin Gokcen, V. A. Foroushani, A. N. Zincir-Heywood
It is shown in the literature that network address translation devices have become a convenient way to hide the source of malicious behaviors. In this research, we explore how far we can push a machine learning (ML) approach to identify such behaviors using only network flows. We evaluate our proposed approach on different traffic data sets against passive fingerprinting approaches and show that the performance of a machine learning approach is very promising even without using any payload (application layer) information.
Citations: 14
Combining Generated Data Models with Formal Invalidation for Insider Threat Analysis 将生成数据模型与形式失效相结合用于内部威胁分析
Pub Date : 2014-05-17 DOI: 10.1109/SPW.2014.45
F. Kammüller, Christian W. Probst
In this paper we revisit the advances made on invalidation policies to explore attack possibilities in organizational models. One aspect that has so far eluded systematic analysis of insider threat is the integration of data into attack scenarios and its exploitation for analyzing the models. We draw from recent insights into generation of insider data to complement a logic based mechanical approach. We show how insider analysis can be traced back to the early days of security verification and the Lowe attack on NSPK. The invalidation of policies allows model checking organizational structures to detect insider attacks. Integration of higher-order logic specification techniques allows the use of data refinement to explore attack possibilities beyond the initial system specification. We illustrate this combined invalidation technique on the classical example of the naughty lottery fairy. Data generation techniques support the automatic generation of insider attack data for research. The data generation is however always based on human generated insider attack scenarios that have to be designed based on domain knowledge of counter-intelligence experts. Introducing data refinement and invalidation techniques here allows the systematic exploration of such scenarios and exploits data-centric views in insider threat analysis.
Citations: 25
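The abstract describes policy invalidation as model checking an organizational model for a sequence of actions that breaks a policy, and data refinement as a way to enlarge the model beyond its initial specification. The following is an added example, not the authors' Isabelle/HOL framework and not their naughty-lottery-fairy case, that illustrates the core idea in plain Python: an organization is a small graph of locations with door policies and credentials, an insider is a single actor, and "invalidating" a policy means a breadth-first search finding the shortest action trace in which the actor reads data the policy denies. The locations, the badge, the payroll data and the staff insider are all assumed for illustration; the second model stands in for a refined model in the loose sense of one with a corrected, more constrained specification.

```python
# Added example (not the authors' Isabelle/HOL framework): policy
# invalidation as a reachability search over a small organizational model.
# The model, the insider, the badge and the policy are all assumed for
# illustration; the paper's "naughty lottery fairy" case is not reproduced.
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Model:
    edges: Dict[str, Set[str]]            # location -> adjacent locations
    door_policy: Dict[str, Set[str]]      # location -> credentials, any one admits
    items: Dict[str, str]                 # credential item -> location it lies in
    data: Dict[str, Tuple[str, str]]      # data -> (location, role allowed to read)
    actor_role: str
    actor_creds: FrozenSet[str]
    start: str


@dataclass(frozen=True)
class State:
    loc: str
    held: FrozenSet[str]
    read: FrozenSet[str]


Action = Tuple[str, str]


def successors(m: Model, s: State):
    """Enumerate the insider's possible next actions and resulting states."""
    creds = m.actor_creds | s.held
    for nxt in sorted(m.edges.get(s.loc, ())):
        need = m.door_policy.get(nxt, set())
        if not need or creds & need:            # door opens for any listed credential
            yield ("move", nxt), State(nxt, s.held, s.read)
    for item, where in m.items.items():
        if where == s.loc and item not in s.held:
            yield ("take", item), State(s.loc, s.held | {item}, s.read)
    for d, (where, _role) in m.data.items():
        if where == s.loc and d not in s.read:
            yield ("read", d), State(s.loc, s.held, s.read | {d})


def violations(m: Model, s: State) -> List[str]:
    """The policy being checked: data may only be read by its allowed role."""
    return [d for d in sorted(s.read) if m.data[d][1] != m.actor_role]


def find_invalidation(m: Model) -> Optional[List[Action]]:
    """Breadth-first search for the shortest action sequence that invalidates
    the policy; None means no such sequence exists in this model."""
    init = State(m.start, frozenset(), frozenset())
    queue = deque([(init, [])])
    seen = {init}
    while queue:
        s, trace = queue.popleft()
        if violations(m, s):
            return trace
        for act, nxt in successors(m, s):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [act]))
    return None


# Assumed organization: a staff member may enter the office; the server room
# needs an admin badge; payroll data sits in the server room and only the
# admin role may read it. In LEAKY an admin badge has been left in the office.
LEAKY = Model(
    edges={"lobby": {"office"}, "office": {"lobby", "server_room"},
           "server_room": {"office"}},
    door_policy={"office": {"staff_badge"}, "server_room": {"admin_badge"}},
    items={"admin_badge": "office"},
    data={"payroll": ("server_room", "admin")},
    actor_role="staff",
    actor_creds=frozenset({"staff_badge"}),
    start="lobby",
)

# The corrected model: the badge is no longer lying around, so the same
# search finds no trace that breaks the policy.
REFINED = replace(LEAKY, items={})

if __name__ == "__main__":
    print("leaky model:", find_invalidation(LEAKY))
    print("refined model:", find_invalidation(REFINED))
```

The search reports an attack trace rather than a yes/no answer, which is what makes invalidation useful to an analyst: the trace (enter office, take badge, enter server room, read payroll) is exactly the scenario a counter-intelligence expert would otherwise have to write by hand as the seed for generated insider data. In the paper's setting the same search is carried out inside a proof assistant over a much richer model, including the data the insider handles; the state explosion that a naive BFS hits on larger models is the reason for the logic-based machinery the abstract refers to.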
Journal: 2014 IEEE Security and Privacy Workshops