Ali Zand, A. Houmansadr, G. Vigna, R. Kemmerer, Christopher Krügel
Administrators need effective tools to quickly and automatically obtain a succinct, yet informative, overview of the status of their networks to make critical administrative decisions in a timely and effective manner. While the existing tools might help in pointing out machines that are heavily used or services that are failing, more subtle relationships, such as indirect dependencies between services, are not made apparent. In this paper, we propose novel techniques to automatically provide insights into the state of a network and the importance of the network components. We developed a tool, called Paris, which receives traffic information from various off-the-shelf network monitoring devices. Paris computes an importance metric for the network's components based on which the administrators can prioritize their defensive and prohibitive actions. We evaluated Paris by running it on a mid-size, real-world network. The results show that Paris is able to automatically provide situation awareness in a timely, effective manner.
{"title":"Know Your Achilles' Heel: Automatic Detection of Network Critical Services","authors":"Ali Zand, A. Houmansadr, G. Vigna, R. Kemmerer, Christopher Krügel","doi":"10.1145/2818000.2818012","DOIUrl":"https://doi.org/10.1145/2818000.2818012","url":null,"abstract":"Administrators need effective tools to quickly and automatically obtain a succinct, yet informative, overview of the status of their networks to make critical administrative decisions in a timely and effective manner. While the existing tools might help in pointing out machines that are heavily used or services that are failing, more subtle relationships, such as indirect dependencies between services, are not made apparent. In this paper, we propose novel techniques to automatically provide insights into the state of a network and the importance of the network components. We developed a tool, called Paris, which receives traffic information from various off-the-shelf network monitoring devices. Paris computes an importance metric for the network's components based on which the administrators can prioritize their defensive and prohibitive actions. We evaluated Paris by running it on a mid-size, real-world network. The results show that Paris is able to automatically provide situation awareness in a timely, effective manner.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"40 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132671899","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, Joshua Sunshine
The ubiquitously-installed Java Runtime Environment (JRE) provides a complex, flexible set of mechanisms that support the execution of untrusted code inside a secure sandbox. However, many recent exploits have successfully escaped the sandbox, allowing attackers to infect numerous Java hosts. We hypothesize that the Java security model affords developers more flexibility than they need or use in practice, and thus its complexity compromises security without improving practical functionality. We describe an empirical study of the ways benign open-source Java applications use and interact with the Java security manager. We found that developers regularly misunderstand or misuse Java security mechanisms, that benign programs do not use all of the vast flexibility afforded by the Java security model, and that there are clear differences between the ways benign and exploit programs interact with the security manager. We validate these results by deriving two restrictions on application behavior that restrict (1) security manager modifications and (2) privilege escalation. We demonstrate that enforcing these rules at runtime stop a representative proportion of modern Java 7 exploits without breaking backwards compatibility with benign applications. These practical rules should be enforced in the JRE to fortify the Java sandbox.
{"title":"Evaluating the Flexibility of the Java Sandbox","authors":"Zack Coker, Michael Maass, Tianyuan Ding, Claire Le Goues, Joshua Sunshine","doi":"10.1145/2818000.2818003","DOIUrl":"https://doi.org/10.1145/2818000.2818003","url":null,"abstract":"The ubiquitously-installed Java Runtime Environment (JRE) provides a complex, flexible set of mechanisms that support the execution of untrusted code inside a secure sandbox. However, many recent exploits have successfully escaped the sandbox, allowing attackers to infect numerous Java hosts. We hypothesize that the Java security model affords developers more flexibility than they need or use in practice, and thus its complexity compromises security without improving practical functionality. We describe an empirical study of the ways benign open-source Java applications use and interact with the Java security manager. We found that developers regularly misunderstand or misuse Java security mechanisms, that benign programs do not use all of the vast flexibility afforded by the Java security model, and that there are clear differences between the ways benign and exploit programs interact with the security manager. We validate these results by deriving two restrictions on application behavior that restrict (1) security manager modifications and (2) privilege escalation. We demonstrate that enforcing these rules at runtime stop a representative proportion of modern Java 7 exploits without breaking backwards compatibility with benign applications. These practical rules should be enforced in the JRE to fortify the Java sandbox.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123750867","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.
{"title":"Scalable and Secure Concurrent Evaluation of History-based Access Control Policies","authors":"Maarten Decat, B. Lagaisse, W. Joosen","doi":"10.1145/2818000.2818008","DOIUrl":"https://doi.org/10.1145/2818000.2818008","url":null,"abstract":"Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"293 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114441241","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Return-Oriented Programming (ROP) is an effective attack technique that can escape modern defenses such as DEP. ROP is based on repeated abuse of existing code snippets ending with return instructions (called gadgets), as compared to using injected code. Several defense mechanisms have been proposed to counter ROP by enforcing policies on the targets of return instructions, and/or their frequency. However, these policies have been repeatedly bypassed by more advanced ROP attacks. While stricter policies have the potential to thwart ROP, they lead to incompatibilities which discourage their deployment. In this work, we address this challenge by presenting a principled approach for ROP defense. Our experimental evaluation shows that our approach enforces a strong policy, while offering better compatibility and good performance.
{"title":"A Principled Approach for ROP Defense","authors":"Rui Qiao, Mingwei Zhang, R. Sekar","doi":"10.1145/2818000.2818021","DOIUrl":"https://doi.org/10.1145/2818000.2818021","url":null,"abstract":"Return-Oriented Programming (ROP) is an effective attack technique that can escape modern defenses such as DEP. ROP is based on repeated abuse of existing code snippets ending with return instructions (called gadgets), as compared to using injected code. Several defense mechanisms have been proposed to counter ROP by enforcing policies on the targets of return instructions, and/or their frequency. However, these policies have been repeatedly bypassed by more advanced ROP attacks. While stricter policies have the potential to thwart ROP, they lead to incompatibilities which discourage their deployment. In this work, we address this challenge by presenting a principled approach for ROP defense. Our experimental evaluation shows that our approach enforces a strong policy, while offering better compatibility and good performance.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122608130","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose a new way to verify the integrity and freshness of footage from security cameras by sending visual challenges to the area being monitored by the camera. We study the effectiveness of periodically updating plain text and QR code visual challenges, propose attack detection statistics for each of them, and study their performance under normal conditions (without attack) and against a variety of adversaries. Our implementation results show that visual challenges are an effective method to add defense-in-depth mechanisms to improve the trustworthiness of security cameras.
{"title":"Using Visual Challenges to Verify the Integrity of Security Cameras","authors":"J. Valente, A. Cárdenas","doi":"10.1145/2818000.2818045","DOIUrl":"https://doi.org/10.1145/2818000.2818045","url":null,"abstract":"We propose a new way to verify the integrity and freshness of footage from security cameras by sending visual challenges to the area being monitored by the camera. We study the effectiveness of periodically updating plain text and QR code visual challenges, propose attack detection statistics for each of them, and study their performance under normal conditions (without attack) and against a variety of adversaries. Our implementation results show that visual challenges are an effective method to add defense-in-depth mechanisms to improve the trustworthiness of security cameras.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"66 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122717408","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
To survive reboots, 802.15.4 security normally requires an 802.15.4 node to store both its anti-replay data and its frame counter in non-volatile memory. However, the only non-volatile memory on most 802.15.4 nodes is flash memory, which is energy consuming, slow, as well as prone to wear. Establishing session keys frees 802.15.4 nodes from storing anti-replay data and frame counters in non-volatile memory. For establishing pairwise session keys for use in 802.15.4 security in particular, Krentz et al. proposed the Adaptable Pairwise Key Establishment Scheme (APKES). Yet, APKES neither supports reboots nor mobile nodes. In this paper, we propose the Adaptive Key Establishment Scheme (AKES) to overcome these limitations of APKES. Above all, AKES makes 802.15.4 security survive reboots without storing data in non-volatile memory. Also, we implemented AKES for Contiki and demonstrate its memory and energy efficiency. Of independent interest, we resolve the issue that 802.15.4 security stops to work if a node's frame counter reaches its maximum value, as well as propose a technique for reducing the security-related per frame overhead.
{"title":"Handling Reboots and Mobility in 802.15.4 Security","authors":"Konrad-Felix Krentz, C. Meinel","doi":"10.1145/2818000.2818002","DOIUrl":"https://doi.org/10.1145/2818000.2818002","url":null,"abstract":"To survive reboots, 802.15.4 security normally requires an 802.15.4 node to store both its anti-replay data and its frame counter in non-volatile memory. However, the only non-volatile memory on most 802.15.4 nodes is flash memory, which is energy consuming, slow, as well as prone to wear. Establishing session keys frees 802.15.4 nodes from storing anti-replay data and frame counters in non-volatile memory. For establishing pairwise session keys for use in 802.15.4 security in particular, Krentz et al. proposed the Adaptable Pairwise Key Establishment Scheme (APKES). Yet, APKES neither supports reboots nor mobile nodes. In this paper, we propose the Adaptive Key Establishment Scheme (AKES) to overcome these limitations of APKES. Above all, AKES makes 802.15.4 security survive reboots without storing data in non-volatile memory. Also, we implemented AKES for Contiki and demonstrate its memory and energy efficiency. Of independent interest, we resolve the issue that 802.15.4 security stops to work if a node's frame counter reaches its maximum value, as well as propose a technique for reducing the security-related per frame overhead.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117262879","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
S. Mutti, Y. Fratantonio, Antonio Bianchi, L. Invernizzi, Jacopo Corbetta, Dhilung Kirat, Christopher Krügel, G. Vigna
To protect Android users, researchers have been analyzing unknown, potentially-malicious applications by using systems based on emulators, such as the Google's Bouncer and Andrubis. Emulators are the go-to choice because of their convenience: they can scale horizontally over multiple hosts, and can be reverted to a known, clean state in a matter of seconds. Emulators, however, are fundamentally different from real devices, and previous research has shown how it is possible to automatically develop heuristics to identify an emulated environment, ranging from simple flag checks and unrealistic sensor input, to fingerprinting the hypervisor's handling of basic blocks of instructions. Aware of this aspect, malware authors are starting to exploit this fundamental weakness to evade current detection systems. Unfortunately, analyzing apps directly on bare metal at scale has been so far unfeasible, because the time to restore a device to a clean snapshot is prohibitive: with the same budget, one can analyze an order of magnitude less apps on a physical device than on an emulator. In this paper, we propose BareDroid, a system that makes bare-metal analysis of Android apps feasible by quickly restoring real devices to a clean snapshot. We show how BareDroid is not detected as an emulated analysis environment by emulator-aware malware or by heuristics from prior research, allowing BareDroid to observe more potentially malicious activity generated by apps. Moreover, we provide a cost analysis, which shows that replacing emulators with BareDroid requires a financial investment of less than twice the cost of the servers that would be running the emulators. Finally, we release BareDroid as an open source project, in the hope it can be useful to other researchers to strengthen their analysis systems.
{"title":"BareDroid: Large-Scale Analysis of Android Apps on Real Devices","authors":"S. Mutti, Y. Fratantonio, Antonio Bianchi, L. Invernizzi, Jacopo Corbetta, Dhilung Kirat, Christopher Krügel, G. Vigna","doi":"10.1145/2818000.2818036","DOIUrl":"https://doi.org/10.1145/2818000.2818036","url":null,"abstract":"To protect Android users, researchers have been analyzing unknown, potentially-malicious applications by using systems based on emulators, such as the Google's Bouncer and Andrubis. Emulators are the go-to choice because of their convenience: they can scale horizontally over multiple hosts, and can be reverted to a known, clean state in a matter of seconds. Emulators, however, are fundamentally different from real devices, and previous research has shown how it is possible to automatically develop heuristics to identify an emulated environment, ranging from simple flag checks and unrealistic sensor input, to fingerprinting the hypervisor's handling of basic blocks of instructions. Aware of this aspect, malware authors are starting to exploit this fundamental weakness to evade current detection systems. Unfortunately, analyzing apps directly on bare metal at scale has been so far unfeasible, because the time to restore a device to a clean snapshot is prohibitive: with the same budget, one can analyze an order of magnitude less apps on a physical device than on an emulator. In this paper, we propose BareDroid, a system that makes bare-metal analysis of Android apps feasible by quickly restoring real devices to a clean snapshot. We show how BareDroid is not detected as an emulated analysis environment by emulator-aware malware or by heuristics from prior research, allowing BareDroid to observe more potentially malicious activity generated by apps. Moreover, we provide a cost analysis, which shows that replacing emulators with BareDroid requires a financial investment of less than twice the cost of the servers that would be running the emulators. Finally, we release BareDroid as an open source project, in the hope it can be useful to other researchers to strengthen their analysis systems.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"113 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132402904","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
L. Cojocar, Jonas Zaddach, Roel Verdult, H. Bos, Aurélien Francillon, D. Balzarotti
Embedded systems are responsible for the security and safety of modern societies, controlling the correct operation of cars and airplanes, satellites and medical equipment, military units and all critical infrastructures. Being integrated in large and complex environments, embedded systems need to support several communication protocols to interact with other devices or with their users. Interestingly, embedded software often implements protocols that deviate from their original specifications. Some are extended with additional features, while others are completely undocumented. Furthermore, embedded parsers often consist of complex C code which is optimized to improve performance and reduce size. However, this code is rarely designed with security in mind, and often lacks proper input validation, making those devices vulnerable to memory corruption attacks. Furthermore, most embedded designs are closed source and third party security evaluations are only possible by looking at the binary firmware. In this paper we propose a methodology to identify parsers and complex processing logic present in binary code without access to their source code or documentation. Specifically we establish and evaluate a heuristic for detecting this type of code by means of static analysis. Afterwards we demonstrate the utility of this heuristic to identify firmware components treating input, perform reverse engineering to extract protocols, and discover and analyze bugs on four widely used devices: a GPS receiver, a power meter, a hard disk drive (HDD) and a Programmable Logic Controller (PLC).
{"title":"PIE: Parser Identification in Embedded Systems","authors":"L. Cojocar, Jonas Zaddach, Roel Verdult, H. Bos, Aurélien Francillon, D. Balzarotti","doi":"10.1145/2818000.2818035","DOIUrl":"https://doi.org/10.1145/2818000.2818035","url":null,"abstract":"Embedded systems are responsible for the security and safety of modern societies, controlling the correct operation of cars and airplanes, satellites and medical equipment, military units and all critical infrastructures. Being integrated in large and complex environments, embedded systems need to support several communication protocols to interact with other devices or with their users. Interestingly, embedded software often implements protocols that deviate from their original specifications. Some are extended with additional features, while others are completely undocumented. Furthermore, embedded parsers often consist of complex C code which is optimized to improve performance and reduce size. However, this code is rarely designed with security in mind, and often lacks proper input validation, making those devices vulnerable to memory corruption attacks. Furthermore, most embedded designs are closed source and third party security evaluations are only possible by looking at the binary firmware. In this paper we propose a methodology to identify parsers and complex processing logic present in binary code without access to their source code or documentation. Specifically we establish and evaluate a heuristic for detecting this type of code by means of static analysis. Afterwards we demonstrate the utility of this heuristic to identify firmware components treating input, perform reverse engineering to extract protocols, and discover and analyze bugs on four widely used devices: a GPS receiver, a power meter, a hard disk drive (HDD) and a Programmable Logic Controller (PLC).","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"81 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116066196","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Existing malware defenses are primarily reactive in nature, with defenses effective only on malware that has previously been observed. Unfortunately, we are witnessing a generation of stealthy, highly targeted exploits and malware that these defenses are unprepared for. Thwarting such malware requires new defenses that are, by design, secure against unknown malware. In this paper, we present Spif, an approach that defends against malware by tracking code and data origin, and ensuring that any process that is influenced by code or data from untrusted sources will be prevented from modifying important system resources, and interacting with benign processes. Spif is designed for Windows, the most widely deployed desktop OS, and the primary platform targeted by malware. Spif is compatible with all recent Windows versions (Windows XP to Windows 10), and supports a wide range of feature rich, unmodified applications, including all popular browsers, office software and media players. Spif imposes minimal performance overheads while being able to stop a variety of malware attacks, including Stuxnet and the recently reported Sandworm malware. An open-source implementation of our system is available.
{"title":"Provenance-based Integrity Protection for Windows","authors":"Wai-Kit Sze, R. Sekar","doi":"10.1145/2818000.2818011","DOIUrl":"https://doi.org/10.1145/2818000.2818011","url":null,"abstract":"Existing malware defenses are primarily reactive in nature, with defenses effective only on malware that has previously been observed. Unfortunately, we are witnessing a generation of stealthy, highly targeted exploits and malware that these defenses are unprepared for. Thwarting such malware requires new defenses that are, by design, secure against unknown malware. In this paper, we present Spif, an approach that defends against malware by tracking code and data origin, and ensuring that any process that is influenced by code or data from untrusted sources will be prevented from modifying important system resources, and interacting with benign processes. Spif is designed for Windows, the most widely deployed desktop OS, and the primary platform targeted by malware. Spif is compatible with all recent Windows versions (Windows XP to Windows 10), and supports a wide range of feature rich, unmodified applications, including all popular browsers, office software and media players. Spif imposes minimal performance overheads while being able to stop a variety of malware attacks, including Stuxnet and the recently reported Sandworm malware. An open-source implementation of our system is available.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"32 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116211684","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Botnets are one of the primary threats in computer security today. They are used for launching denial of service attacks, sending spam and phishing emails, and collecting private information. However, every botnet requires coordination. In order to initiate an attack, a botmaster must communicate to all of the bots in the network. In this paper, we present a steganographic system that demonstrates the feasibility of the social networking website Twitter as a botnet command and control center that an attacker could use to reliably communicate messages to a botnet with low latency and nearly perfect rate of transmission. Our system generates plausible cover messages based on a required tweet length determined by an encoding map that has been constructed based on the structure of the secret messages. The system considers both the input symbol frequencies (e.g. English letter frequencies) as well as the tweet length posting frequencies for constructing the encoding maps. A technique for automatically generating Twitter account names based on Markov chains is also presented so that the bots can connect to new accounts if the existing botmaster account is unavailable. All the experiments were performed using the 7.3M actual tweets from 3.7K verified accounts collected by the tweet parser developed by us. We have evaluated the efficacy of the system using Emulab and usability of the system through Amazon's Mechanical Turk with promising results. An analysis of the steganographic security of the proposed system has also been provided. By demonstrating how a botmaster might perform such communication using online social networks, our work provides the basis to detect and prevent emerging botnet activities.
{"title":"Covert Botnet Command and Control Using Twitter","authors":"Nicholas Pantic, M. Husain","doi":"10.1145/2818000.2818047","DOIUrl":"https://doi.org/10.1145/2818000.2818047","url":null,"abstract":"Botnets are one of the primary threats in computer security today. They are used for launching denial of service attacks, sending spam and phishing emails, and collecting private information. However, every botnet requires coordination. In order to initiate an attack, a botmaster must communicate to all of the bots in the network. In this paper, we present a steganographic system that demonstrates the feasibility of the social networking website Twitter as a botnet command and control center that an attacker could use to reliably communicate messages to a botnet with low latency and nearly perfect rate of transmission. Our system generates plausible cover messages based on a required tweet length determined by an encoding map that has been constructed based on the structure of the secret messages. The system considers both the input symbol frequencies (e.g. English letter frequencies) as well as the tweet length posting frequencies for constructing the encoding maps. A technique for automatically generating Twitter account names based on Markov chains is also presented so that the bots can connect to new accounts if the existing botmaster account is unavailable. All the experiments were performed using the 7.3M actual tweets from 3.7K verified accounts collected by the tweet parser developed by us. We have evaluated the efficacy of the system using Emulab and usability of the system through Amazon's Mechanical Turk with promising results. An analysis of the steganographic security of the proposed system has also been provided. By demonstrating how a botmaster might perform such communication using online social networks, our work provides the basis to detect and prevent emerging botnet activities.","PeriodicalId":338725,"journal":{"name":"Proceedings of the 31st Annual Computer Security Applications Conference","volume":"8 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-12-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117181160","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: