
Proceedings of the 16th European Workshop on System Security: Latest Publications

Light-Weight Synthesis of Security Logs for Evaluation of Anomaly Detection and Security Related Experiments
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589457
Ivan Kovačević, A. Komadina, Bruno Štengl, S. Groš
Recent decades saw the development of a plethora of approaches that aim to use artificial intelligence to detect anomalies and potential signs of compromise in a computer network. These approaches have commonly been trained and evaluated using only a small number of datasets, which have often been criticised in the literature. Developing new datasets for this purpose tends to be very resource consuming, as they usually rely on testbeds and network emulation. While this level of detail is important for anomaly detection over network traffic, which inspects details of network packets, it is superfluous in cases where such algorithms work with logs of security controls, such as in SIEM systems and approaches for alert correlation. Moreover, evaluation over a testbed-generated dataset may not be relevant for the target IT system. In this paper, we propose a light-weight method to enrich existing security control logs with carefully crafted synthetic records that would be produced in case of cyber attacks. This method does not require running a dedicated testbed or comparable specialized equipment. We prepare a set of attack records with emphasis on network scans, and perform experiments with real-world firewall logs and several common anomaly detection algorithms to demonstrate that the injected records are appropriately integrated into the original logs. In the end, we propose future experiments to properly validate the quality of the datasets produced using the proposed method.
Citations: 1
Browser-in-the-Middle - Evaluation of a modern approach to phishing
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589458
Jonas Tzschoppe, Hans Löhr
This paper examines the phishing technique Browser-in-the-Middle and its practical implications in the context of logins protected by multi-factor authentication. We implement and analyze Browser-in-the-Middle (BitM) attacks, evaluate them and discuss suitable measures for mitigation. To facilitate a thorough analysis, we implement two variants of BitM by using two different technology stacks and compare them to a conventional phishing system based on a proxy. To evaluate BitM attacks, we test our implementations on a number of popular websites. Our results show that in practice BitM attacks are currently highly capable of stealing login information protected by more than one factor, since the difficulty of detecting such an attack appears to be greater when using BitM than with comparable techniques. Therefore, we propose a new entry for BitM in the Common Attack Pattern Enumeration and Classification (CAPEC). The high effectiveness of the attack technique is limited by mitigation methods such as the use of resistant factors for two-sided authentication. We conclude that BitM attacks can potentially be used for highly effective targeted phishing, but they are unlikely to scale well enough for large-scale phishing attacks aimed at a broad variety of users.
Citations: 0
Scheduling to the Rescue; Improving ML-Based Intrusion Detection for IoT
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589460
Aria Mirzai, Ali Zülfükar Coban, M. Almgren, Wissam Aoudi, Tobias Bertilsson
With their inherent convenience factor, Internet of Things (IoT) devices have exploded in numbers during the last decade, but at the cost of security. Machine learning (ML) based intrusion detection systems (IDS) are increasingly proving to be necessary tools for attack detection, but requirements such as extensive data collection and model training make these systems computationally heavy for resource-limited IoT hardware. This paper's main contribution to the cyber security research field is a demonstration of how a dynamic user-level scheduler can improve the performance of an IDS suited for lightweight and data-driven ML algorithms towards IoT. The dynamic user-level scheduler allows for more advanced computations, not intended to be executed on resource-limited IoT units, by enabling parallel model retraining locally on the IoT device without halting the IDS. It eliminates the need for any cloud resources, as computations are kept locally at the edge. The experiments showed that the dynamic user-level scheduler provides several advantages compared to a previously developed baseline system, mainly by substantially increasing the system's throughput, which reduces the time until attacks are detected, and by dynamically allocating resources based on attack suspicion.
Citations: 0
Of Ahead Time: Evaluating Disassembly of Android Apps Compiled to Binary OATs Through the ART
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3591219
J. Bleier, Martina Lindorfer
The Android operating system has evolved significantly since its initial release in 2008. Most importantly, in a continuing effort to increase the run-time performance of mobile applications (apps) and to reduce resource requirements, the way code is executed has transformed from a bytecode-based to a binary-based approach: Apps are still mainly distributed as Dalvik bytecode, but the Android Runtime (ART) uses an optimizing compiler to create binary code ahead-of-time (AOT), just-in-time (JIT), or as a combination of both. These changes in the build pipeline, including increasing obfuscation and optimization of the Dalvik bytecode, invalidate assumptions of bytecode-based static code analysis approaches through identifier renaming and code shrinking. Furthermore, customized apps can be distributed pre-compiled with devices' firmware, side-stepping the bytecode altogether. Finally, Android apps have always relied on native binary code libraries for performance-critical tasks. We propose to narrow the gap between bytecode and binary code by leveraging the ART compiler's capability to create well-formed ELF binaries, called OATs, as the basis for further static code analysis. To this end, we created a pipeline to automatically and efficiently compile APKs to OATs, producing a benchmark dataset of 1,339 apps. We then evaluate five popular disassemblers on how well they can analyze these OATs, measured by how well they detect function boundaries. Our results, in particular when compared to the success rate of two bytecode-based analyzers, demonstrate that our OAT-based approach can help to bring a wider set of code analysis tools and techniques to the area of Android app analysis.
Citations: 0
A Comparative Analysis of Linux Mandatory Access Control Policy Enforcement Mechanisms
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589454
Brennon Brimhall, Justin Garrard, Christopher De La Garza, Joel Coffman
Unix, and by extension Linux, traditionally uses a discretionary access control (DAC) paradigm. DAC mechanisms are decentralized by design, which makes it difficult to audit the security of a computer system. Furthermore, Unix systems have the concept of a root user who can bypass any DAC policies in place. These issues led to the development of mandatory access control (MAC) mechanisms, such as AppArmor, Security-Enhanced Linux (SELinux), and eBPF. We compare and contrast the performance differences between two popular MAC mechanisms for the Linux kernel: SELinux and Berkeley Packet Filter (BPF)/kernel runtime security instrumentation (KRSI). We demonstrate that BPF policies offer superior performance, have greater expressive power, and are easier to implement than comparable SELinux policies. Our results suggest that BPF/KRSI is the leading MAC mechanism for Linux systems.
Citations: 0
Resilient and Secure System on Chip with Rejuvenation in the Wake of Persistent Attacks
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589456
Ahmad T. Sheikh, Ali Shoker, Paulo Esteves-Verissimo
To cope with the ever-increasing threats of dynamic and adaptive persistent attacks, Fault and Intrusion Tolerance (FIT) is being studied at the hardware level to increase the resilience of critical systems. Based on state-machine replication, FIT is known to be effective if replicas are compromised and fail independently. This requires different ways of diversification at the software and hardware levels. In this paper, we introduce the first FIT hardware-based rejuvenation framework, which we call Samsara, that allows for creating new FIT replicas with computing cores of diverse architectures. This is made possible by taking advantage of the reconfiguration features of MPSoCs with FPGAs. A persistent attack that analyzes and exploits the vulnerability of a core will not be effective, as rejuvenation using a different core architecture can be done periodically. Samsara allows for both replacing and adding/removing cores to adapt to varying levels of threat severity. We introduce this concept and discuss its feasibility using a preliminary design we propose. A more rigorous study and empirical evaluation are left for future work.
Citations: 1
Enviral: Fuzzing the Environment for Evasive Malware Analysis
Pub Date : 2023-05-08 DOI: 10.1145/3578357.3589455
Floris Gorter, Cristiano Giuffrida, Erik van der Kouwe
Analyzing malicious behavior is vital to effectively safeguard computer systems against malware. However, contemporary malware frequently contains evasive behavior, which allows it to hide its malicious intent from analysis. More specifically, if the malware detects that it is being executed in an analysis environment, it resorts to evasive routines that exhibit benign behavior. Manually deactivating evasive checks requires significant effort, and is therefore not a scalable technique with regard to the increasing amount of evasive malware. Unfortunately, the existing systems that automatically analyze evasive malware are impractical, computationally inefficient, or incomplete by design. In this paper, we introduce Enviral, an automatic evasive malware analysis framework that proposes a novel method to analyze evasive malware, combining the best elements of existing approaches. We achieve this by applying fuzzing techniques to repeatedly adapt the view of the execution environment, thereby iteratively defeating the evasive checks in the target application. We realize these adaptations by applying mutations to the outcomes of environment queries, which in turn leads to the exploration of multiple execution paths. Our experimental results demonstrate that Enviral can detect and overcome evasive behavior and thereby expose previously hidden activity in malware. We evaluate our system against a similar framework, and conclude that Enviral can expose 39% more interesting hidden system call activity on average, and achieves productive explorations in which previously unseen behavior is discovered in 67% more malware samples.
Citations: 0
Proceedings of the 16th European Workshop on System Security
Pub Date : 1900-01-01 DOI: 10.1145/3578357
Citations: 0