This paper focuses on the use of forensic methodologies and methods for detecting subversions, an approach that may help to mitigate risk in a substantial portion of cases of types characterized to date. In essence, we look for the telltale signs of cover-ups.
{"title":"Forensic Methods for Detecting Insider Turning Behaviors","authors":"F. Cohen","doi":"10.1109/SPW.2012.21","DOIUrl":"https://doi.org/10.1109/SPW.2012.21","url":null,"abstract":"This paper focuses on the use of forensic methodologies and methods for detecting subversions, an approach that may help to mitigate risk in a substantial portion of cases of types characterized to date. In essence, we look for the telltale signs of cover-ups.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"47 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124310012","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Cloud computing promises to significantly change the way we use computers and access and store our personal and business information. With these new computing and communications paradigms arise new data security challenges. Existing data protection mechanisms such as encryption have failed in preventing data theft attacks, especially those perpetrated by an insider to the cloud provider. We propose a different approach for securing data in the cloud using offensive decoy technology. We monitor data access in the cloud and detect abnormal data access patterns. When unauthorized access is suspected and then verified using challenge questions, we launch a disinformation attack by returning large amounts of decoy information to the attacker. This protects against the misuse of the user's real data. Experiments conducted in a local file setting provide evidence that this approach may provide unprecedented levels of user data security in a Cloud environment.
{"title":"Fog Computing: Mitigating Insider Data Theft Attacks in the Cloud","authors":"S. Stolfo, M. B. Salem, A. Keromytis","doi":"10.1109/SPW.2012.19","DOIUrl":"https://doi.org/10.1109/SPW.2012.19","url":null,"abstract":"Cloud computing promises to significantly change the way we use computers and access and store our personal and business information. With these new computing and communications paradigms arise new data security challenges. Existing data protection mechanisms such as encryption have failed in preventing data theft attacks, especially those perpetrated by an insider to the cloud provider. We propose a different approach for securing data in the cloud using offensive decoy technology. We monitor data access in the cloud and detect abnormal data access patterns. When unauthorized access is suspected and then verified using challenge questions, we launch a disinformation attack by returning large amounts of decoy information to the attacker. This protects against the misuse of the user's real data. Experiments conducted in a local file setting provide evidence that this approach may provide unprecedented levels of user data security in a Cloud environment.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116966161","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mehrdad Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, S. Devadas
We introduce Slender PUF protocol, an efficient and secure method to authenticate the responses generated from a Strong Physical Unclonable Function (PUF). The new method is lightweight, and suitable for energy constrained platforms such as ultra-low power embedded systems for use in identification and authentication applications. The proposed protocol does not follow the classic paradigm of exposing the full PUF responses (or a transformation of the full string of responses) on the communication channel. Instead, random subsets of the responses are revealed and sent for authentication. The response patterns are used for authenticating the prover device with a very high probability. We perform a thorough analysis of the method's resiliency to various attacks which guides adjustment of our protocol parameters for an efficient and secure implementation. We demonstrate that Slender PUF protocol, if carefully designed, will be resilient against all known machine learning attacks. In addition, it has the great advantage of an inbuilt PUF error tolerance. Thus, Slender PUF protocol is lightweight and does not require costly additional error correction, fuzzy extractors, and hash modules suggested in most previously known PUF-based robust authentication techniques. The low overhead and practicality of the protocol are confirmed by a set of hardware implementation and evaluations.
{"title":"Slender PUF Protocol: A Lightweight, Robust, and Secure Authentication by Substring Matching","authors":"Mehrdad Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, S. Devadas","doi":"10.1109/SPW.2012.30","DOIUrl":"https://doi.org/10.1109/SPW.2012.30","url":null,"abstract":"We introduce Slender PUF protocol, an efficient and secure method to authenticate the responses generated from a Strong Physical Unclonable Function (PUF). The new method is lightweight, and suitable for energy constrained platforms such as ultra-low power embedded systems for use in identification and authentication applications. The proposed protocol does not follow the classic paradigm of exposing the full PUF responses (or a transformation of the full string of responses) on the communication channel. Instead, random subsets of the responses are revealed and sent for authentication. The response patterns are used for authenticating the prover device with a very high probability. We perform a thorough analysis of the method's resiliency to various attacks which guides adjustment of our protocol parameters for an efficient and secure implementation. We demonstrate that Slender PUF protocol, if carefully designed, will be resilient against all known machine learning attacks. In addition, it has the great advantage of an inbuilt PUF error tolerance. Thus, Slender PUF protocol is lightweight and does not require costly additional error correction, fuzzy extractors, and hash modules suggested in most previously known PUF-based robust authentication techniques. The low overhead and practicality of the protocol are confirmed by a set of hardware implementation and evaluations.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"102 4","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120976848","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Effective mitigation of the Insider Threat in complex organizations is not simply a matter of 'fire-and-forget'. Thorough routines are required to minimize the chances of malicious insiders going undetected. While detecting policy violations and signatures of known-bad behavior are essential to a broader threat mitigation strategy, it is clear that behavior-based measurements, including anomaly detection and social network analysis, will be crucial to detecting technically savvy malicious users with legitimate network and data access. Due to the large number of potentially malicious behaviors users may display, the main thrust of detection falls in the hands of an analyst capable of correlating these behaviors. Based on our BANDIT system, we offer a 10-step analyst program, which offers a common-sense approach to limiting the damage a malicious trusted user can achieve.
{"title":"Decision Support Procedure in the Insider Threat Domain","authors":"J. P. Murphy, V. Berk, Ian D. Gregorio-De Souza","doi":"10.1109/SPW.2012.17","DOIUrl":"https://doi.org/10.1109/SPW.2012.17","url":null,"abstract":"Effective mitigation of the Insider Threat in complex organizations is not simply a matter of 'fire-and-forget'. Thorough routines are required to minimize the chances of malicious insiders going undetected. While detecting policy violations and signatures of known-bad behavior are essential to a broader threat mitigation strategy, it is clear that behavior-based measurements, including anomaly detection and social network analysis, will be crucial to detecting technically savvy malicious users with legitimate network and data access. Due to the large number of potentially malicious behaviors users may display, the main thrust of detection falls in the hands of an analyst capable of correlating these behaviors. Based on our BANDIT system, we offer a 10-step analyst program, which offers a common-sense approach to limiting the damage a malicious trusted user can achieve.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131186822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Social sites frequently ask for rich sets of user identity properties before granting access. Users are given the freedom to fail to respond to some of these requests, or can choose to submit fake identity properties, so as to reduce the risk of identification, surveillance or observation of any kind. However, this freedom has led to serious security and privacy incidents, due to the role users' identities play in establishing social and privacy settings. In this paper, we take a step toward addressing this open problem, by analyzing the dynamics of social identity verification protocols. Based on some real-world data, we develop a deception model for online users. The model takes a game theoretic approach to characterizing a user's willingness to release, withhold or lie about information depending on the behavior of individuals within the user's circle of friends. We provide an illustrative example and conjecture a relationship between the qualitative structure of Nash equilibria in the game and the auto orphism group of the social network.
{"title":"Toward a Game Theoretic Model of Information Release in Social Media with Experimental Results","authors":"C. Griffin, A. Squicciarini","doi":"10.1109/SPW.2012.24","DOIUrl":"https://doi.org/10.1109/SPW.2012.24","url":null,"abstract":"Social sites frequently ask for rich sets of user identity properties before granting access. Users are given the freedom to fail to respond to some of these requests, or can choose to submit fake identity properties, so as to reduce the risk of identification, surveillance or observation of any kind. However, this freedom has led to serious security and privacy incidents, due to the role users' identities play in establishing social and privacy settings. In this paper, we take a step toward addressing this open problem, by analyzing the dynamics of social identity verification protocols. Based on some real-world data, we develop a deception model for online users. The model takes a game theoretic approach to characterizing a user's willingness to release, withhold or lie about information depending on the behavior of individuals within the user's circle of friends. We provide an illustrative example and conjecture a relationship between the qualitative structure of Nash equilibria in the game and the auto orphism group of the social network.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129045682","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We report on the development of Blue Jay, a hybrid Rabin-based public key encryption cryptosystem that is suitable for ultra-lightweight (total 2000-3000 GE) platforms such as micro sensors and RFID authentication tags. The design is related to authors Passerine and the Oren-Feldhofer WIPR proposals, but is suitable to a wider array of applications. The encryption mechanism is significantly faster and the implementation more lightweight than RSA (even with public exponent 3) and ECC with the same security level. Hardware implementations of the asymmetric encryption component of the hybrid cryptosystem require less than a thousand gate equivalents in addition to the memory storage required for the payload and public key data. An inexpensive, mill scale MCU SoC Blue Jay implementation is reported and compared to RSA-AES on the same platform. The private key operation (not performed by the light-weight device but by the sensor network base station or a data acquisition reader) has roughly the same complexity as the RSA private key operation.
我们报告了Blue Jay的开发,这是一种基于rabin的混合公钥加密密码系统,适用于超轻量级(总计2000-3000 GE)平台,如微传感器和RFID认证标签。该设计与作者Passerine和Oren-Feldhofer的WIPR提案有关,但适用于更广泛的应用。与具有相同安全级别的RSA(即使具有公共指数3)和ECC相比,该加密机制明显更快,并且实现更轻量化。混合密码系统的非对称加密组件的硬件实现除了有效负载和公钥数据所需的内存存储外,还需要不到一千个门当量。报告了一种廉价的工厂级MCU SoC Blue Jay实现,并将其与同一平台上的RSA-AES进行了比较。私钥操作(不是由轻量级设备执行,而是由传感器网络基站或数据采集读取器执行)与RSA私钥操作具有大致相同的复杂性。
{"title":"The BlueJay Ultra-Lightweight Hybrid Cryptosystem","authors":"Markku-Juhani O. Saarinen","doi":"10.1109/SPW.2012.11","DOIUrl":"https://doi.org/10.1109/SPW.2012.11","url":null,"abstract":"We report on the development of Blue Jay, a hybrid Rabin-based public key encryption cryptosystem that is suitable for ultra-lightweight (total 2000-3000 GE) platforms such as micro sensors and RFID authentication tags. The design is related to authors Passerine and the Oren-Feldhofer WIPR proposals, but is suitable to a wider array of applications. The encryption mechanism is significantly faster and the implementation more lightweight than RSA (even with public exponent 3) and ECC with the same security level. Hardware implementations of the asymmetric encryption component of the hybrid cryptosystem require less than a thousand gate equivalents in addition to the memory storage required for the payload and public key data. An inexpensive, mill scale MCU SoC Blue Jay implementation is reported and compared to RSA-AES on the same platform. The private key operation (not performed by the light-weight device but by the sensor network base station or a data acquisition reader) has roughly the same complexity as the RSA private key operation.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133221287","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Until recently, known fault attacks against (non-CRT) exponentiation-based cryptosystems were supposed to be of rather theoretical nature, as they require a precise fault injection, e.g., a bit flip. However, Schmidt and Herbst (FDTC 2008) reported practical fault-attacks against RSA in standard mode using low-cost equipment. Although their attacks were described against RSA, they readily extend to any other exponentiation-based cryptosystem. This paper describes an efficient method to prevent those new attacks.
{"title":"A Method for Preventing \"Skipping\" Attacks","authors":"M. Joye","doi":"10.1109/SPW.2012.14","DOIUrl":"https://doi.org/10.1109/SPW.2012.14","url":null,"abstract":"Until recently, known fault attacks against (non-CRT) exponentiation-based cryptosystems were supposed to be of rather theoretical nature, as they require a precise fault injection, e.g., a bit flip. However, Schmidt and Herbst (FDTC 2008) reported practical fault-attacks against RSA in standard mode using low-cost equipment. Although their attacks were described against RSA, they readily extend to any other exponentiation-based cryptosystem. This paper describes an efficient method to prevent those new attacks.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131817388","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose a mixed logical and game theoretic framework for modeling decision making under the potential for deception. This framework is most appropriate for online communities in which a decision maker must act upon information being provided by various sources with various different motivations. We show that in the simple three-player game we propose there are always equilibria in pure strategies. We then extend the three player game to a case where there are mixed strategy equilibria. We discuss how to approximate the truth of a given statement using a logical construct and how this can be used as a proxy in payoff functions. Finally we discuss as future directions the use of regret functions and live play.
{"title":"A Framework for Modeling Decision Making and Deception with Semantic Information","authors":"C. Griffin, K. Moore","doi":"10.1109/SPW.2012.25","DOIUrl":"https://doi.org/10.1109/SPW.2012.25","url":null,"abstract":"We propose a mixed logical and game theoretic framework for modeling decision making under the potential for deception. This framework is most appropriate for online communities in which a decision maker must act upon information being provided by various sources with various different motivations. We show that in the simple three-player game we propose there are always equilibria in pure strategies. We then extend the three player game to a case where there are mixed strategy equilibria. We discuss how to approximate the truth of a given statement using a logical construct and how this can be used as a proxy in payoff functions. Finally we discuss as future directions the use of regret functions and live play.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"108 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131824343","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This work provides a detailed study of two finalists of the SHA-3 competition from the side-channel analysis point of view. For both functions when used as a MAC, this paper presents detected strategies for performing a power analysis. Besides the classical MAC mode, two additionally proposed constructions, the envelope MAC for Grøstl and the Skein-MAC for Skein, are analyzed. Consequently, examples of software countermeasures thwarting first-order DPA or CPA are given. For the validation of our choices, we implemented HMAC-Grøstl, HMAC-Skein as well as countermeasure son a 32-bit ARM-based smart card. We also mounted power analysis attacks in practice on both unprotected and protected implementations. Finally, the performance difference between both versions is discussed.
{"title":"Side-Channel Analysis of Grøstl and Skein","authors":"Christina Boura, Sylvain Lévêque, David Vigilant","doi":"10.1109/SPW.2012.13","DOIUrl":"https://doi.org/10.1109/SPW.2012.13","url":null,"abstract":"This work provides a detailed study of two finalists of the SHA-3 competition from the side-channel analysis point of view. For both functions when used as a MAC, this paper presents detected strategies for performing a power analysis. Besides the classical MAC mode, two additionally proposed constructions, the envelope MAC for Grøstl and the Skein-MAC for Skein, are analyzed. Consequently, examples of software countermeasures thwarting first-order DPA or CPA are given. For the validation of our choices, we implemented HMAC-Grøstl, HMAC-Skein as well as countermeasure son a 32-bit ARM-based smart card. We also mounted power analysis attacks in practice on both unprotected and protected implementations. Finally, the performance difference between both versions is discussed.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116928583","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper presents work on automatically characterizing typical user activities across multiple sources (or views) of data, as well as finding anomalous users who engage in unusual combinations of activities across different views of data. This approach can be used to detect malicious insiders who may abuse their privileged access to systems in order to accomplish goals that are detrimental to the organizations that grant those privileges. To avoid detection, these malicious insiders want to appear as normal as possible with respect to the activities of other users with similar privileges and tasks. Therefore, given a single type or view of audit data, the activities of the malicious insider may appear normal. An anomaly may only be apparent when analyzing multiple sources of data. We propose and test domain-independent methods that combine consensus clustering and anomaly detection techniques. We benchmark the efficacy of these methods on simulated insider threat data. Experimental results show that combining anomaly detection and consensus clustering produces more accurate results than sequentially performing the two tasks independently.
{"title":"Using Consensus Clustering for Multi-view Anomaly Detection","authors":"Alexander Y. Liu, D. Lam","doi":"10.1109/SPW.2012.18","DOIUrl":"https://doi.org/10.1109/SPW.2012.18","url":null,"abstract":"This paper presents work on automatically characterizing typical user activities across multiple sources (or views) of data, as well as finding anomalous users who engage in unusual combinations of activities across different views of data. This approach can be used to detect malicious insiders who may abuse their privileged access to systems in order to accomplish goals that are detrimental to the organizations that grant those privileges. To avoid detection, these malicious insiders want to appear as normal as possible with respect to the activities of other users with similar privileges and tasks. Therefore, given a single type or view of audit data, the activities of the malicious insider may appear normal. An anomaly may only be apparent when analyzing multiple sources of data. We propose and test domain-independent methods that combine consensus clustering and anomaly detection techniques. We benchmark the efficacy of these methods on simulated insider threat data. Experimental results show that combining anomaly detection and consensus clustering produces more accurate results than sequentially performing the two tasks independently.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"220 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115786260","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: