Proceedings of the 11th Annual Cyber and Information Security Research Conference: latest papers

An Algorithmic Method for the Implantation of Detection-Resistant Covert Hardware Trojans
Kyle J. Temkin, D. Summerville
This work presents a new class of Covert Hardware Trojan Horses (Covert HTHs), which can be algorithmically implanted with no change to their host circuit's functional behavior and without the need for additional unrelated logic. As a result, Covert HTHs are invulnerable to functional detection methods. This work also proposes a formal methodology for implantation of Covert HTHs, which allows covert hardware to be embedded in any sufficiently-sized synchronous circuit. Synthesis results indicate that covert implantation results in nearly a 75% reduction in integrated circuit area used by the HTH. Furthermore, the covert implantation causes no increase in the host circuit's delay and, compared to the effect of an overtly implanted HTH on its host, the covert implantation results in a significantly lower dynamic and leakage power. These significant reductions in area, delay and power make a covertly implanted HTH highly resistant to existing non-functional detection methods.
DOI: https://doi.org/10.1145/2897795.2897811 (published 2016-04-05)
Citations: 0
Efficient Algorithm to Construct Perfect Secret Sharing Scheme for a Given Access Structure
M. Atici
The threshold scheme, the monotone circuit construction, and the vector space construction are some of the well-known secret sharing schemes in cryptography. The threshold and monotone circuit secret sharing schemes are fairly easy to construct for any given access structure Γ. The construction of a secret sharing scheme realizing a given access structure Γ with the Vector Space Construction requires the existence of a function φ from the set of participants into a vector space, that is, φ: P → (Zp)^d. This function φ must satisfy certain conditions in order to recover the secret key. There is no known algorithm to construct such a function φ in general. Constructions are mainly done by trial and error. In this paper, we develop a polynomial algorithm to construct such φ function(s) for given access structures. Using the φ function, we also give an algorithm to construct a secret sharing scheme for the access structures.
DOI: https://doi.org/10.1145/2897795.2897810 (published 2016-04-05)
Citations: 0
A SCADA Intrusion Detection Framework that Incorporates Process Semantics
Jeyasingam Nivethan, M. Papa
SCADA security is an increasingly important research area as these systems, used for process control and automation, are being exposed to the Internet due to their use of TCP/IP protocols as a transport mechanism for control messages. Most of the existing research work on SCADA systems has focused on addressing SCADA security by monitoring attacks or anomalies at the network level. The main issue affecting these systems today is that by focusing our attention on network-level monitoring needs, security practitioners may remain unaware of process-level constraints. The proposed framework helps ensure that a mechanism is in place to help map process-level constraints, as described by process engineers, to network-level monitoring needs. Existing solutions have tried to address this problem but have not been able to fully bridge the gap between the process and the network. The goal of this research is to provide a solution that (i) leverages the knowledge process engineers have about the system (to help strengthen cyber security) and that has the ability to (ii) seamlessly monitor process constraints at the network level using standard network security tools. A prototype system for the Modbus TCP protocol and the Bro IDS has been built to validate the approach.
DOI: https://doi.org/10.1145/2897795.2897814 (published 2016-04-05)
Citations: 22
Detection of Tunnels in PCAP Data by Random Forests
A. Buczak, Paul A. Hanke, G. Cancro, Michael K. Toma, Lanier A Watkins, Jeffrey S. Chavis
This paper describes an approach for detecting the presence of domain name system (DNS) tunnels in network traffic. DNS tunneling is a common technique hackers use to establish command and control nodes and to exfiltrate data from networks. To generate the training data sufficient to build models to detect DNS tunneling activity, a penetration testing effort was employed. We extracted features from this data and trained random forest classifiers to distinguish normal DNS activity from tunneling activity. The classifiers successfully detected the presence of tunnels we trained on, and four other types of tunnels that were not a part of the training set.
DOI: https://doi.org/10.1145/2897795.2897804 (published 2016-04-05)
Citations: 38
QUALPUF: A Novel Quasi-Adiabatic Logic based Physical Unclonable Function
S. D. Kumar, H. Thapliyal
In recent years, the silicon-based Physical Unclonable Function (PUF) has evolved into one of the popular hardware security primitives. PUFs are a class of circuits that use the inherent variations in the Integrated Circuit (IC) manufacturing process to create unique and unclonable IDs. There are various security-related applications of PUFs such as IC counterfeiting and piracy detection, secure key management, etc. In this paper, we present a novel QUasi-Adiabatic Logic based PUF (QUALPUF) which is designed using an energy recovery technique. To the best of our knowledge, this is the first work on the hardware design of a PUF using adiabatic logic. The proposed design is energy efficient compared to recent designs of hardware PUFs proposed in the literature. Further, we propose a novel bit extraction method for our proposed PUF which improves the space of challenge-response pairs. QUALPUF is evaluated on security metrics including reliability, uniqueness, uniformity and bit-aliasing. The power and area of QUALPUF are also presented. SPICE simulations show that QUALPUF consumes 0.39 μW of power to generate a response bit.
DOI: https://doi.org/10.1145/2897795.2897798 (published 2016-04-05)
Citations: 14
Proceedings of the 11th Annual Cyber and Information Security Research Conference
Joseph P. Trien, S. Prowell, J. Goodall, R. A. Bridges
This volume contains the papers presented at CISRC: Cyber and Information Security Research Conference held on April 5-7, 2016 at Oak Ridge National Laboratory in Oak Ridge, Tennessee.
DOI: https://doi.org/10.1145/2897795 (published 2016-04-05)
Citations: 2
Practical implications and requirements of diversifying interpreted languages
J. Uitto, Sampsa Rauti, V. Leppänen
Instruction set randomization (ISR) provides a strong defense against all types of injection attacks, especially in interpreted environments. However, fully enabling a system to benefit from language interpreters that support programs diversified with ISR requires several alterations and considerations. In this paper we identify core challenges related to enabling system-wide interpreter diversification. We also propose possible solutions to each challenge and expand upon the existing diversification schemes for interpreted languages.
DOI: https://doi.org/10.1145/2897795.2897796 (published 2016-04-05)
Citations: 5
Security Resilience: Exploring Windows Domain-Level Defenses Against Post-Exploitation Authentication Attacks
Jeffrey A. Nichols, Benjamin A. Taylor, Laura Curtis
We investigated the security resilience of the current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket, two prominent post-exploitation, credential theft attacks. An operating system's security resilience consists of its native features that allow for containing a detected attack. Post-exploitation refers to an attacker's activities subsequent to penetration. Specifically, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thus preventing its use by attackers. After triggered, the user is forced to contact the domain administrators to re-authenticate to the Domain Controller (DC) to continue. This could become the basis for a response Windows system administrators could use to halt the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.
DOI: https://doi.org/10.1145/2897795.2897800 (published 2016-04-05)
Citations: 3
Linear Cryptanalysis of Quasigroup Block Cipher
Leonora Gerlock, Abhishek Parakh
This paper presents the results of a linear cryptanalysis of the quasigroup block cipher. The quasigroup block cipher is being developed for resource-constrained environments, especially SCADA systems. Here we determine whether any key material can be found by conducting a linear cryptanalysis on a simplified quasigroup block cipher. Using Matsui's algorithm we seek to determine a suitable linear approximation of the quasigroup block cipher, the number of plaintext-ciphertext pairs to test, and the amount of time and space required to mount a known-plaintext attack on the quasigroup block cipher. Since the quasigroup cipher does not use a Feistel network, the focus of the linear cryptanalysis is on the keyed transformation during the table lookup operations of the quasigroup, in order to 1) determine how the key bits used during encryption impact the ciphertext and from this 2) find a linear approximation that is non-negligible. Our results showed that no key material is recovered using linear cryptanalysis, and consequently the quasigroup cipher is resistant to such an attack.
DOI: https://doi.org/10.1145/2897795.2897818 (published 2016-04-05)
Citations: 2
Forecasting Zero-Day Vulnerabilities
David C. Last
It seems that computer network defenders are always two steps behind attackers. This is due in part to the need for defenders to protect against the exploitation of zero-day vulnerabilities which they may not yet know exist. If network defenders were able to forecast the location and severity of zero-day vulnerabilities that would be discovered in the near future, this would be a valuable tool. This paper describes ongoing research that seeks to develop Vulnerability Discovery Models that will provide forecasts for zero-day vulnerability discovery rates. The initial work addresses forecasts at the global and category (web browser, operating system, and video player) levels, and this will be extended to individual software applications in the future. This research has developed three distinct zero-day vulnerability forecast suites, one based on regression and two based on machine learning. The accuracy of several of the forecast models from each forecast suite is evaluated, and the results are promising for the future development of these forecast models. Future work in this area will involve combining individual forecast models into a consensus forecast model, as well as extending the forecast models to the software application level.
DOI: https://doi.org/10.1145/2897795.2897813 (published 2016-04-05)
Citations: 10