Luis Puche Rondon, Leonardo Babun, Ahmet Aris, K. Akkaya, A. Uluagac
Enterprise Internet of Things (E-IoT) systems allow users to control audio, video, scheduled events, lightning fixtures, door access, and relays in complex smart installations. These systems are widely used in government or smart private offices, smart buildings/homes, conference rooms, schools, hotels, and similar professional settings. However, even with their widespread use, the security of many E-IoT systems and components has not been researched in the literature. To address this research gap, we focus on E-IoT communication buses, one of the core components used to connect E-IoT devices, and introduce LightningStrike attacks that demonstrate several weaknesses with E-IoT proprietary communication protocols used in E-IoT communication buses. Specifically, we show that popular E-IoT proprietary communication protocols are susceptible to Denial-of-Service (DoS), eavesdropping, impersonation, and replay attacks. As such threats cannot be mitigated through traditional defense mechanisms due to the limitations posed by E-IoT, we propose LGuard, a defense system to protect E-IoT systems against the attacks over communication buses. LGuard uses closed-circuit television footage and computer vision techniques to detect replay attacks. For impersonation and DoS attacks, LGuard utilizes traffic analysis. Finally, LGuard obfuscates the E-IoT traffic via inserting redundant traffic to the bus against eavesdropping attacks. We evaluated the performance of LGuard in a realistic E-IoT deployment, and our detailed evaluations show that LGuard achieves an overall accuracy and precision of 99% in detecting DoS, impersonation, and replay attacks while effectively increasing the difficulty of extracting valuable information for eavesdroppers. In addition, LGuard does not incur any operational overhead or modification to the existing E-IoT system.
{"title":"LGuard: Securing Enterprise-IoT Systems against Serial-Based Attacks via Proprietary Communication Buses","authors":"Luis Puche Rondon, Leonardo Babun, Ahmet Aris, K. Akkaya, A. Uluagac","doi":"10.1145/3555721","DOIUrl":"https://doi.org/10.1145/3555721","url":null,"abstract":"Enterprise Internet of Things (E-IoT) systems allow users to control audio, video, scheduled events, lightning fixtures, door access, and relays in complex smart installations. These systems are widely used in government or smart private offices, smart buildings/homes, conference rooms, schools, hotels, and similar professional settings. However, even with their widespread use, the security of many E-IoT systems and components has not been researched in the literature. To address this research gap, we focus on E-IoT communication buses, one of the core components used to connect E-IoT devices, and introduce LightningStrike attacks that demonstrate several weaknesses with E-IoT proprietary communication protocols used in E-IoT communication buses. Specifically, we show that popular E-IoT proprietary communication protocols are susceptible to Denial-of-Service (DoS), eavesdropping, impersonation, and replay attacks. As such threats cannot be mitigated through traditional defense mechanisms due to the limitations posed by E-IoT, we propose LGuard, a defense system to protect E-IoT systems against the attacks over communication buses. LGuard uses closed-circuit television footage and computer vision techniques to detect replay attacks. For impersonation and DoS attacks, LGuard utilizes traffic analysis. Finally, LGuard obfuscates the E-IoT traffic via inserting redundant traffic to the bus against eavesdropping attacks. We evaluated the performance of LGuard in a realistic E-IoT deployment, and our detailed evaluations show that LGuard achieves an overall accuracy and precision of 99% in detecting DoS, impersonation, and replay attacks while effectively increasing the difficulty of extracting valuable information for eavesdroppers. In addition, LGuard does not incur any operational overhead or modification to the existing E-IoT system.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121300431","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mengfei Ren, Xiaolei Ren, Huadong Feng, Jiang Ming, Yu Lei
Zigbee is widely adopted as a resource-efficient wireless protocol in the IoT network. IoT devices from manufacturers have recently been affected due to major vulnerabilities in Zigbee protocol implementations. Security testing of Zigbee protocol implementations is becoming increasingly important. However, applying existing vulnerability detection techniques such as fuzzing to the Zigbee protocol is not a simple task. Dealing with low-level hardware events still remains a big challenge. For the Zigbee protocol, which communicates over a radio channel, many existing protocol fuzzing tools lack a sufficient execution environment. To narrow the gap, we designed Z-Fuzzer, a device-agnostic fuzzing tool for detecting security flaws in Zigbee protocol implementations. To simulate Zigbee protocol execution, Z-Fuzzer leverages a commercial embedded device simulator with pre-defined peripherals and hardware interrupt setups to interact with the fuzzing engine. Z-Fuzzer generates more high-quality test cases with code-coverage heuristics. We compare Z-Fuzzer with advanced protocol fuzzing tools, BooFuzz and Peach fuzzer, on top of Z-Fuzzer’s simulation platform. Our findings suggest that Z-Fuzzer can achieve greater code coverage in Z-Stack, a widely used Zigbee protocol implementation. Compared to BooFuzz and Peach, Z-Fuzzer found more vulnerabilities with fewer test cases. Three of them have been assigned CVE IDs with high CVSS scores (7.5~8.2).
{"title":"Security Analysis of Zigbee Protocol Implementation via Device-agnostic Fuzzing","authors":"Mengfei Ren, Xiaolei Ren, Huadong Feng, Jiang Ming, Yu Lei","doi":"10.1145/3551894","DOIUrl":"https://doi.org/10.1145/3551894","url":null,"abstract":"Zigbee is widely adopted as a resource-efficient wireless protocol in the IoT network. IoT devices from manufacturers have recently been affected due to major vulnerabilities in Zigbee protocol implementations. Security testing of Zigbee protocol implementations is becoming increasingly important. However, applying existing vulnerability detection techniques such as fuzzing to the Zigbee protocol is not a simple task. Dealing with low-level hardware events still remains a big challenge. For the Zigbee protocol, which communicates over a radio channel, many existing protocol fuzzing tools lack a sufficient execution environment. To narrow the gap, we designed Z-Fuzzer, a device-agnostic fuzzing tool for detecting security flaws in Zigbee protocol implementations. To simulate Zigbee protocol execution, Z-Fuzzer leverages a commercial embedded device simulator with pre-defined peripherals and hardware interrupt setups to interact with the fuzzing engine. Z-Fuzzer generates more high-quality test cases with code-coverage heuristics. We compare Z-Fuzzer with advanced protocol fuzzing tools, BooFuzz and Peach fuzzer, on top of Z-Fuzzer’s simulation platform. Our findings suggest that Z-Fuzzer can achieve greater code coverage in Z-Stack, a widely used Zigbee protocol implementation. Compared to BooFuzz and Peach, Z-Fuzzer found more vulnerabilities with fewer test cases. Three of them have been assigned CVE IDs with high CVSS scores (7.5~8.2).","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128439607","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose APTHunter, a system for prompt detection of Advanced and Persistent Threats (APTs) in early stages. We provide an approach for representing the indicators of compromise that appear in the cyber threat intelligence reports and the relationships among them as provenance queries that capture the attacker’s malicious behavior. We use the kernel audit log as a reliable source for system activities and develop an optimized whole system provenance graph that provides the causal relationships and information flows among system entities in a compact format. Then, we model the threat hunting as a behavior match problem by applying provenance queries to the optimized provenance graph to find any hits as indicators of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA over different OS platforms, as well as real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.
{"title":"APTHunter: Detecting Advanced Persistent Threats in Early Stages","authors":"Moustafa Mahmoud, Mohammad Mannan, A. Youssef","doi":"10.1145/3559768","DOIUrl":"https://doi.org/10.1145/3559768","url":null,"abstract":"We propose APTHunter, a system for prompt detection of Advanced and Persistent Threats (APTs) in early stages. We provide an approach for representing the indicators of compromise that appear in the cyber threat intelligence reports and the relationships among them as provenance queries that capture the attacker’s malicious behavior. We use the kernel audit log as a reliable source for system activities and develop an optimized whole system provenance graph that provides the causal relationships and information flows among system entities in a compact format. Then, we model the threat hunting as a behavior match problem by applying provenance queries to the optimized provenance graph to find any hits as indicators of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA over different OS platforms, as well as real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"58 4","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120943064","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Michael Lang, L. Connolly, Paul Taylor, Phillip J. Corner
Drawing upon direct interviews and secondary sources, this paper presents a qualitative comparative analysis of thirty-nine ransomware attacks, twenty-six of which occurred shortly before the outbreak of the COVID-19 pandemic and thirteen of which took place during the pandemic. The research objective was to gain an understanding of how ransomware attacks changed tactics across this period. Using inductive content analysis, a number of key themes emerged, namely: (1) ransomware attackers have adopted more sinister tactics and now commit multiple crimes to maximise their return, (2) the expanded attack surface caused by employees working from home has greatly aggravated the risk of malicious intrusion, (3) the preferred attack vectors have changed, with phishing and VPN exploits now to the fore, (4) failure to adapt common business processes from off-line to on-line interaction has created vulnerabilities, (5) the ongoing laissez-faire attitude towards cybersecurity and lack of preparedness continues to be a substantial problem, and (6) ransomware attacks now pose potentially severe consequences for individuals, whose personal data has become a central part of the game. Recommendations are proposed to address these issues.
{"title":"The Evolving Menace of Ransomware: A Comparative Analysis of Pre-pandemic and Mid-pandemic Attacks","authors":"Michael Lang, L. Connolly, Paul Taylor, Phillip J. Corner","doi":"10.1145/3558006","DOIUrl":"https://doi.org/10.1145/3558006","url":null,"abstract":"Drawing upon direct interviews and secondary sources, this paper presents a qualitative comparative analysis of thirty-nine ransomware attacks, twenty-six of which occurred shortly before the outbreak of the COVID-19 pandemic and thirteen of which took place during the pandemic. The research objective was to gain an understanding of how ransomware attacks changed tactics across this period. Using inductive content analysis, a number of key themes emerged, namely: (1) ransomware attackers have adopted more sinister tactics and now commit multiple crimes to maximise their return, (2) the expanded attack surface caused by employees working from home has greatly aggravated the risk of malicious intrusion, (3) the preferred attack vectors have changed, with phishing and VPN exploits now to the fore, (4) failure to adapt common business processes from off-line to on-line interaction has created vulnerabilities, (5) the ongoing laissez-faire attitude towards cybersecurity and lack of preparedness continues to be a substantial problem, and (6) ransomware attacks now pose potentially severe consequences for individuals, whose personal data has become a central part of the game. Recommendations are proposed to address these issues.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-08-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121924296","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Content Delivery Networks (CDNs) play a vital role in today’s Internet ecosystem. To reduce the latency of loading a website’s content, CDNs deploy edge servers in different geographic locations. CDN providers also offer important security features including protection against Denial of Service (DoS) attacks, Web Application Firewalls (WAFs), and recently, issuing and managing certificates for their customers. Many popular websites use CDNs to benefit from both the security and the performance advantages. For HTTPS websites, Transport Layer Security (TLS) security choices may differ in the connections between end-users and a CDN (front-end or user-to-CDN), and between the CDN and the origin server (back-end or CDN-to-Origin). Modern browsers can stop/warn users if weak or insecure TLS/HTTPS options are used in the front-end connections. However, such problems in the back-end connections are not visible to browsers or end-users, and lead to serious security issues (e.g., not validating the certificate can lead to MitM attacks). In this article, we primarily analyze TLS/HTTPS security issues in the back-end communication; such issues include inadequate certificate validation and support for vulnerable TLS configurations. We develop a test framework and investigate the back-end connection of 14 leading CDNs (including Cloudflare, Microsoft Azure, Amazon, and Fastly), where we could create an account. Surprisingly, for all the 14 CDNs, we found that the back-end TLS connections are vulnerable to security issues prevented/warned by modern browsers; examples include failing to validate the origin server’s certificate, and using insecure cipher suites such as RC4, MD5, SHA-1, and even allowing plain HTTP connections to the origin. We also identified 168,795 websites in the Alexa top 1 million that are potentially vulnerable to Man-in-the-Middle (MitM) attacks in their back-end connections regardless of the origin/CDN configurations chosen by the origin owner.
{"title":"CDNs’ Dark Side: Security Problems in CDN-to-Origin Connections","authors":"Behnam Shobiri, Mohammad Mannan, A. Youssef","doi":"10.1145/3499428","DOIUrl":"https://doi.org/10.1145/3499428","url":null,"abstract":"Content Delivery Networks (CDNs) play a vital role in today’s Internet ecosystem. To reduce the latency of loading a website’s content, CDNs deploy edge servers in different geographic locations. CDN providers also offer important security features including protection against Denial of Service (DoS) attacks, Web Application Firewalls (WAFs), and recently, issuing and managing certificates for their customers. Many popular websites use CDNs to benefit from both the security and the performance advantages. For HTTPS websites, Transport Layer Security (TLS) security choices may differ in the connections between end-users and a CDN (front-end or user-to-CDN), and between the CDN and the origin server (back-end or CDN-to-Origin). Modern browsers can stop/warn users if weak or insecure TLS/HTTPS options are used in the front-end connections. However, such problems in the back-end connections are not visible to browsers or end-users, and lead to serious security issues (e.g., not validating the certificate can lead to MitM attacks). In this article, we primarily analyze TLS/HTTPS security issues in the back-end communication; such issues include inadequate certificate validation and support for vulnerable TLS configurations. We develop a test framework and investigate the back-end connection of 14 leading CDNs (including Cloudflare, Microsoft Azure, Amazon, and Fastly), where we could create an account. Surprisingly, for all the 14 CDNs, we found that the back-end TLS connections are vulnerable to security issues prevented/warned by modern browsers; examples include failing to validate the origin server’s certificate, and using insecure cipher suites such as RC4, MD5, SHA-1, and even allowing plain HTTP connections to the origin. We also identified 168,795 websites in the Alexa top 1 million that are potentially vulnerable to Man-in-the-Middle (MitM) attacks in their back-end connections regardless of the origin/CDN configurations chosen by the origin owner.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"92 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134265829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Detecting anomalously behaving devices in security-and-safety-critical applications is an important challenge. This article presents an off-device methodology for detecting the anomalous behavior of devices considering their power consumption data. The methodology takes advantage of the fact that every action on-board a device will be reflected in its power trace. This argument makes it inevitable for anomalously behaving device to go undetected. We transform the device’s one-dimensional (1D) instantaneous power consumption signals to 2D time–frequency images using Constant Q Transformation (CQT). The CQT images capture valuable information about the tasks performed on-board a device. By applying Histograms of Oriented Gradients (HOG) on the CQT images, we extract robust features that preserve the edges of time–frequency structures and capture the directionality of the edge information. Consequently, we transform the anomaly detection problem into an image classification problem. We train a Convolutional Neural Network on the HOG images to classify the power signals to detect anomaly. We validated the methodology using a wide spectrum of emulated malware scenarios, five real malware applications from the well-known Drebin dataset, Distributed Denial of Service attacks, cryptomining malware, and faulty CPU cores. Across 18 datasets, our methodology demonstrated detection performance of ∼88% accuracy and 85% F-Score, resulting in improvements of 9–17% over other methods using power signals.
{"title":"Toward Improving the Security of IoT and CPS Devices: An AI Approach","authors":"Abdurhman Albasir, Kshirasagar Naik, Ricardo Manzano","doi":"10.1145/3497862","DOIUrl":"https://doi.org/10.1145/3497862","url":null,"abstract":"Detecting anomalously behaving devices in security-and-safety-critical applications is an important challenge. This article presents an off-device methodology for detecting the anomalous behavior of devices considering their power consumption data. The methodology takes advantage of the fact that every action on-board a device will be reflected in its power trace. This argument makes it inevitable for anomalously behaving device to go undetected. We transform the device’s one-dimensional (1D) instantaneous power consumption signals to 2D time–frequency images using Constant Q Transformation (CQT). The CQT images capture valuable information about the tasks performed on-board a device. By applying Histograms of Oriented Gradients (HOG) on the CQT images, we extract robust features that preserve the edges of time–frequency structures and capture the directionality of the edge information. Consequently, we transform the anomaly detection problem into an image classification problem. We train a Convolutional Neural Network on the HOG images to classify the power signals to detect anomaly. We validated the methodology using a wide spectrum of emulated malware scenarios, five real malware applications from the well-known Drebin dataset, Distributed Denial of Service attacks, cryptomining malware, and faulty CPU cores. Across 18 datasets, our methodology demonstrated detection performance of ∼88% accuracy and 85% F-Score, resulting in improvements of 9–17% over other methods using power signals.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-07-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130886164","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Giovanni Apruzzese, P. Laskov, Edgardo Montes de Oca, Wissam Mallouli, Luis Brdalo Rapa, A. Grammatopoulos, Fabio Di Franco
Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such a discrepancy has its root cause in the current state of the art, which does not allow us to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience. This article is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain—to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.
{"title":"The Role of Machine Learning in Cybersecurity","authors":"Giovanni Apruzzese, P. Laskov, Edgardo Montes de Oca, Wissam Mallouli, Luis Brdalo Rapa, A. Grammatopoulos, Fabio Di Franco","doi":"10.1145/3545574","DOIUrl":"https://doi.org/10.1145/3545574","url":null,"abstract":"Machine Learning (ML) represents a pivotal technology for current and future information systems, and many domains already leverage the capabilities of ML. However, deployment of ML in cybersecurity is still at an early stage, revealing a significant discrepancy between research and practice. Such a discrepancy has its root cause in the current state of the art, which does not allow us to identify the role of ML in cybersecurity. The full potential of ML will never be unleashed unless its pros and cons are understood by a broad audience. This article is the first attempt to provide a holistic understanding of the role of ML in the entire cybersecurity domain—to any potential reader with an interest in this topic. We highlight the advantages of ML with respect to human-driven detection methods, as well as the additional tasks that can be addressed by ML in cybersecurity. Moreover, we elucidate various intrinsic problems affecting real ML deployments in cybersecurity. Finally, we present how various stakeholders can contribute to future developments of ML in cybersecurity, which is essential for further progress in this field. Our contributions are complemented with two real case studies describing industrial applications of ML as defense against cyber-threats.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131192921","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This article provides an overview of specific security considerations for multi-modal Internet-of-Things(IoT) use-case deployment. With the year-over-year exponential increase in smartdevice deployments, threat vectors continue to fall into a concise list of categories, all of which can be addressed with classic solution architectures. To provide increased business value from technology deployments, we look at applying novel additions to common deployment architectures to achieve high return-on-investment (ROI) on our deployments, while managing the security risk associated with heterogeneous device deployments.
{"title":"Field Note on IoT Security: Novel JIT Security for Large-Scale Heterogeneous IoT Deployments","authors":"Karl Mozurkewich","doi":"10.1145/3503919","DOIUrl":"https://doi.org/10.1145/3503919","url":null,"abstract":"This article provides an overview of specific security considerations for multi-modal Internet-of-Things(IoT) use-case deployment. With the year-over-year exponential increase in smartdevice deployments, threat vectors continue to fall into a concise list of categories, all of which can be addressed with classic solution architectures. To provide increased business value from technology deployments, we look at applying novel additions to common deployment architectures to achieve high return-on-investment (ROI) on our deployments, while managing the security risk associated with heterogeneous device deployments.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"73 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-05-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134011916","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Stefano Carnà, Serena Ferracci, F. Quaglia, Alessandro Pellegrini
We present a kernel-level infrastructure that allows systemwide detection of malicious applications attempting to exploit cache-based side-channel attacks to break the process confinement enforced by standard operating systems. This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine. High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application. Our experimental assessment shows that we can catch a large family of side-channel attacks with a significantly reduced overhead. We also discuss countermeasures that can be enacted once a process is suspected of carrying out a side-channel attack to increase the overall tradeoff between the system’s security level and the delivered performance under non-suspected process executions.
{"title":"Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters","authors":"Stefano Carnà, Serena Ferracci, F. Quaglia, Alessandro Pellegrini","doi":"10.1145/3519601","DOIUrl":"https://doi.org/10.1145/3519601","url":null,"abstract":"We present a kernel-level infrastructure that allows systemwide detection of malicious applications attempting to exploit cache-based side-channel attacks to break the process confinement enforced by standard operating systems. This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine. High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application. Our experimental assessment shows that we can catch a large family of side-channel attacks with a significantly reduced overhead. We also discuss countermeasures that can be enacted once a process is suspected of carrying out a side-channel attack to increase the overall tradeoff between the system’s security level and the delivered performance under non-suspected process executions.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"65 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128589481","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M. Eren, Juston S. Moore, E. Skau, Elisabeth Moore, Manish Bhattarai, Gopinath Chennupati, B. Alexandrov
Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behavior analysis yields accurate detections by learning behavior profiles from observed user activity. These unsupervised models are able to generalize to unseen types of attacks by detecting deviations from normal behavior without knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. Non-negative tensor factorization, however, is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behavior profiles. Our new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detection of compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions.
{"title":"General-purpose Unsupervised Cyber Anomaly Detection via Non-negative Tensor Factorization","authors":"M. Eren, Juston S. Moore, E. Skau, Elisabeth Moore, Manish Bhattarai, Gopinath Chennupati, B. Alexandrov","doi":"10.1145/3519602","DOIUrl":"https://doi.org/10.1145/3519602","url":null,"abstract":"Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behavior analysis yields accurate detections by learning behavior profiles from observed user activity. These unsupervised models are able to generalize to unseen types of attacks by detecting deviations from normal behavior without knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. Non-negative tensor factorization, however, is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behavior profiles. Our new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detection of compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions.","PeriodicalId":202552,"journal":{"name":"Digital Threats: Research and Practice","volume":"63 2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2022-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128737511","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: