
Website Detection Using Remote Traffic Analysis [article]

Xun Gong, Negar Kiyavash, Nabíl Schear, Nikita Borisov
2011 arXiv   pre-print
Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is even a greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploits a queuing side channel in routers. To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are more noisy than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular web site, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites it achieves very low error rates. We also show how such website detection can be used to deanonymize message board users.
arXiv:1109.0097v1 fatcat:xheg2phwpbbgffkwlnwlcorzau

Retrofitting Applications with Provenance-Based Security Monitoring [article]

Adam Bates, Kevin Butler, Alin Dobra, Brad Reaves, Patrick Cable, Thomas Moyer, Nabil Schear
2016 arXiv   pre-print
Data provenance is a valuable tool for detecting and preventing cyber attack, providing insight into the nature of suspicious events. For example, an administrator can use provenance to identify the perpetrator of a data leak, track an attacker's actions following an intrusion, or even control the flow of outbound data within an organization. Unfortunately, providing relevant data provenance for complex, heterogenous software deployments is challenging, requiring both the tedious instrumentation of many application components as well as a unified architecture for aggregating information between components. In this work, we present a composition of techniques for bringing affordable and holistic provenance capabilities to complex application workflows, with particular consideration for the exemplar domain of web services. We present DAP, a transparent architecture for capturing detailed data provenance for web service components. Our approach leverages a key insight that minimal knowledge of open protocols can be leveraged to extract precise and efficient provenance information by interposing on application components' communications, granting DAP compatibility with existing web services without requiring instrumentation or developer cooperation. We show how our system can be used in real time to monitor system intrusions or detect data exfiltration attacks while imposing less than 5.1 ms end-to-end overhead on web requests. Through the introduction of a garbage collection optimization, DAP is able to monitor system activity without suffering from excessive storage overhead. DAP thus serves not only as a provenance-aware web framework, but as a case study in the non-invasive deployment of provenance capabilities for complex application workflows.
arXiv:1609.00266v1 fatcat:4spvnliyz5avpakkh5wcpkxvhe

Website Detection Using Remote Traffic Analysis [chapter]

Xun Gong, Nikita Borisov, Negar Kiyavash, Nabil Schear
2012 Lecture Notes in Computer Science  
Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is even a greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploits a queuing side channel in routers. To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are more noisy than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular web site, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites it achieves very low error rates. We also show how such website detection can be used to deanonymize message board users.
doi:10.1007/978-3-642-31680-7_4 fatcat:nyb6rnozfzakvnawms3jhoriva
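The two entries above (the arXiv pre-print and the LNCS chapter) describe matching noisy, time-stretched delay traces against per-site fingerprints with dynamic time warping. The following is an added illustration, not code from the paper: it implements plain DTW over excess-queuing-delay traces and a threshold-based website detector. The fingerprints, the observed RTT series, the 20 ms baseline and the threshold of 4 are all constructed for the example and are not the paper's data.

```python
# Added example (not from the paper): DTW-based matching of noisy, time-stretched
# delay traces against per-site fingerprints. All traces below are constructed by hand.

def dtw_distance(a, b):
    """Dynamic time warping distance between two 1-D sequences.

    Unlike Euclidean distance, DTW may align one sample of `a` to several of `b`
    (and vice versa), so a trace that is stretched or shifted in time still
    matches the fingerprint it came from. O(len(a) * len(b)) time, O(len(b)) memory.
    """
    n, m = len(a), len(b)
    inf = float("inf")
    prev = [inf] * (m + 1)
    prev[0] = 0.0
    for i in range(1, n + 1):
        cur = [inf] * (m + 1)
        for j in range(1, m + 1):
            cost = abs(a[i - 1] - b[j - 1])
            # insertion, deletion, or one-to-one match
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return prev[m]


def excess_delay(rtts):
    """Turn raw probe RTTs (ms) into excess queuing delay by subtracting the idle-link baseline."""
    base = min(rtts)
    return [r - base for r in rtts]


# Constructed fingerprints: extra queuing delay (ms) a remote prober sees while the
# victim's broadband link is busy fetching each site. Two bursts for site A,
# one long plateau for site B.
FINGERPRINTS = {
    "site_A": [0, 0, 8, 8, 0, 0, 5, 5, 0, 0],
    "site_B": [0, 3, 3, 3, 3, 3, 3, 3, 3, 0],
}


def detect(observed_rtts, fingerprints=FINGERPRINTS, threshold=4.0):
    """Website detection: name the closest fingerprint if it is within `threshold`, else None."""
    trace = excess_delay(observed_rtts)
    scores = {name: dtw_distance(trace, fp) for name, fp in fingerprints.items()}
    best = min(scores, key=scores.get)
    return best if scores[best] <= threshold else None


if __name__ == "__main__":
    # Constructed observations: baseline RTT 20 ms; the site A trace is stretched
    # in time and carries +1 ms jitter, the site B trace has two jitter spikes.
    obs_a = [20, 20, 20, 28, 29, 28, 20, 20, 20, 25, 26, 25, 20, 20]
    obs_b = [20, 20, 23, 23, 24, 23, 23, 23, 24, 23, 23, 20, 20]
    idle = [20] * 12
    for label, obs in (("A", obs_a), ("B", obs_b), ("idle", idle)):
        print(label, "->", detect(obs))
```

The stretched site A observation has 14 samples against a 10-sample fingerprint, so a sample-by-sample distance is not even defined; DTW aligns the two bursts and charges only the jitter. The threshold is the knob the paper's "highly variable" success rate lives in: set it too low and noisy links never match, too high and sites with similar burst shapes collide.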

Secure Multiparty Computation for Cooperative Cyber Risk Assessment

Kyle Hogan, Noah Luther, Nabil Schear, Emily Shen, David Stott, Sophia Yakoubov, Arkady Yerukhimovich
2016 2016 IEEE Cybersecurity Development (SecDev)  
A common problem organizations face is determining which security updates to perform and patches to apply to minimize the risk of potential vulnerabilities in their infrastructure. Limited budgets and resources constrain organizations to select
doi:10.1109/secdev.2016.028 dblp:conf/secdev/HoganLSSSYY16 fatcat:lnc6tptzdjakbeucvslm3ky4my

Neon

Qing Zhang, John McCullough, Justin Ma, Nabil Schear, Michael Vrable, Amin Vahdat, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage
2010 Proceedings of the 6th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments - VEE '10  
Modern organizations face increasingly complex information management requirements. A combination of commercial needs, legal liability and regulatory imperatives has created a patchwork of mandated policies. Among these, personally identifying customer records must be carefully access-controlled, sensitive files must be encrypted on mobile computers to guard against physical theft, and intellectual property must be protected from both exposure and "poisoning." However, enforcing such policies can be quite difficult in practice since users routinely share data over networks and derive new files from these inputs, incidentally laundering any policy restrictions. In this paper, we describe a virtual machine monitor system called Neon that transparently labels derived data using byte-level "tints" and tracks these labels end to end across commodity applications, operating systems and networks. Our goal with Neon is to explore the viability and utility of transparent information flow tracking within conventional networked systems when used in the manner in which they were intended. We demonstrate that this mechanism allows the enforcement of a variety of data management policies, including data-dependent confinement, mandatory I/O encryption, and intellectual property management.
doi:10.1145/1735997.1736008 dblp:conf/vee/ZhangMMSVVSVS10 fatcat:p43x53m4kzca7gpofn3yg53sgi

MAVMM: Lightweight and Purpose Built VMM for Malware Analysis

Anh M. Nguyen, Nabil Schear, HeeDong Jung, Apeksha Godiyal, Samuel T. King, Hai D. Nguyen
2009 2009 Annual Computer Security Applications Conference  
Malicious software is rampant on the Internet and costs billions of dollars each year. Safe and thorough analysis of malware is key to protecting vulnerable systems and cleaning those that have already been infected. Most current state-of-the-art analysis platforms run alongside the malware, increasing their detectability. This reduces the value of analysis because some malware is known to behave differently when being analyzed. Virtualization offers a compelling platform for malware analysis, with strong isolation and the ability to save and restore guest state. Current virtual machine monitors (VMMs), however, are not designed for malware analysis. Due to their complexity, they often fail to provide transparency and even expose vulnerabilities which could be exploited by the malware running inside the guest system. We propose a lightweight VMM (namely MAVMM) that is designed specially for a single job: malware analysis. MAVMM does not implement unnecessary virtualization features commonly found in general purpose hypervisors, including virtual device emulation. We take advantage of hardware virtualization support to make MAVMM more simple, secure and transparent. In this paper, we describe the design and implementation of MAVMM, and the features that we can extract from programs running inside the guest OS. We evaluate our platform in three aspects: functionality, detectability and performance. We show that our system can extract useful information from malicious software, and that it is not susceptible to known virtualization detection techniques.
doi:10.1109/acsac.2009.48 dblp:conf/acsac/NguyenSJGKN09 fatcat:4li7gyf6cfahjlhxp4muo56vwe

Transparent Web Service Auditing via Network Provenance Functions

Adam Bates, Wajih Ul Hassan, Kevin Butler, Alin Dobra, Bradley Reaves, Patrick Cable, Thomas Moyer, Nabil Schear
2017 Proceedings of the 26th International Conference on World Wide Web - WWW '17  
Detecting and explaining the nature of attacks in distributed web services is often difficult: determining the nature of suspicious activity requires following the trail of an attacker through a chain of heterogeneous software components including load balancers, proxies, worker nodes, and storage services. Unfortunately, existing forensic solutions cannot provide the necessary context to link events across complex workflows, particularly in instances where application layer semantics (e.g., queries, RPCs) are needed to understand the attack. In this work, we present a transparent provenance-based approach for auditing web services through the introduction of Network Provenance Functions (NPFs). NPFs are a distributed architecture for capturing detailed data provenance for web service components, leveraging the key insight that mediation of an application's protocols can be used to infer its activities without requiring invasive instrumentation or developer cooperation. We design and implement NPF with consideration for the complexity of modern cloud-based web services, and evaluate our architecture against a variety of applications including DVDStore, RUBiS, and WikiBench to show that our system imposes as little as 9.3% average end-to-end overhead on connections for realistic workloads. Finally, we consider several scenarios in which our system can be used to concisely explain attacks. NPF thus enables the hassle-free deployment of semantically rich provenance-based auditing for complex application workflows in the Cloud.
doi:10.1145/3038912.3052640 dblp:conf/www/BatesHBDRCMS17 fatcat:vplzmesjqnfl3c6vt6wsya7m2m

A survey of cryptographic approaches to securing big-data analytics in the cloud

Sophia Yakoubov, Vijay Gadepally, Nabil Schear, Emily Shen, Arkady Yerukhimovich
2014 2014 IEEE High Performance Extreme Computing Conference (HPEC)  
The growing demand for cloud computing motivates the need to study the security of data received, stored, processed, and transmitted by a cloud. In this paper, we present a framework for such a study. We introduce a cloud computing model that captures a rich class of big-data use-cases and allows reasoning about relevant threats and security goals. We then survey three cryptographic techniques (homomorphic encryption, verifiable computation, and multi-party computation) that can be used to achieve these goals. We describe the cryptographic techniques in the context of our cloud model and highlight the differences in performance cost associated with each.
doi:10.1109/hpec.2014.7040943 dblp:conf/hpec/YakoubovGSSY14 fatcat:jinnrastevhkzn5y4plfkh7baq

Bootstrapping and maintaining trust in the cloud

Nabil Schear, Patrick T. Cable, Thomas M. Moyer, Bryan Richard, Robert Rudd
2016 Proceedings of the 32nd Annual Conference on Computer Security Applications - ACSAC '16  
Today's infrastructure as a service (IaaS) cloud environments rely upon full trust in the provider to secure applications and data. Cloud providers do not offer the ability to create hardware-rooted cryptographic identities for IaaS cloud resources or sufficient information to verify the integrity of systems. Trusted computing protocols and hardware like the TPM have long promised a solution to this problem. However, these technologies have not seen broad adoption because of their complexity of implementation, low performance, and lack of compatibility with virtualized environments. In this paper we introduce keylime, a scalable trusted cloud key management system. keylime provides an end-to-end solution for both bootstrapping hardware rooted cryptographic identities for IaaS nodes and for system integrity monitoring of those nodes via periodic attestation. We support these functions in both bare-metal and virtualized IaaS environments using a virtual TPM. keylime provides a clean interface that allows higher level security services like disk encryption or configuration management to leverage trusted computing without being trusted computing aware. We show that our bootstrapping protocol can derive a key in less than two seconds, we can detect system integrity violations in as little as 110ms, and that keylime can scale to thousands of IaaS cloud nodes.
doi:10.1145/2991079.2991104 fatcat:ibvgie3rkzcwjlfkoq6p6u3jia
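The keylime entry above describes system integrity monitoring "via periodic attestation". The block below is an added illustration of what such a verifier checks, not keylime's code or protocol: it uses real TPM PCR-extend semantics (a SHA-256 hash chain over the measurement log) but simulates the TPM quote signature with an HMAC under a shared attestation key, an assumption standing in for the TPM's asymmetric attestation key. The allowlist, file paths and "file hashes" are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example (not keylime's code): integrity checking with a PCR-style hash chain.
# PCR extend semantics are those of a TPM; the quote "signature" is simulated with an
# HMAC under a shared key `ak` (an assumption standing in for the TPM attestation key).

PCR_INIT = b"\x00" * 32


def measure(data):
    """Stand-in for hashing a file's contents."""
    return hashlib.sha256(data).digest()


def pcr_extend(pcr, measurement):
    """TPM PCR extend: new = SHA-256(old || measurement). Order matters; entries cannot be removed."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(event_log):
    """Recompute the PCR a node should report from its measurement log [(path, digest), ...]."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def make_quote(ak, nonce, pcr):
    """Node side: attest the current PCR value, bound to the verifier's fresh nonce."""
    sig = hmac.new(ak, nonce + pcr, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr": pcr, "sig": sig}


def verify_attestation(ak, nonce, quote, event_log, allowlist):
    """Verifier side: freshness, quote authenticity, log/PCR consistency, then policy. Returns (ok, reason)."""
    if quote["nonce"] != nonce:
        return False, "stale or replayed quote"
    expected_sig = hmac.new(ak, nonce + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "bad quote signature"
    if replay_log(event_log) != quote["pcr"]:
        # The log was edited after the fact: it no longer reproduces what the TPM recorded.
        return False, "event log does not reproduce quoted PCR"
    for path, digest in event_log:
        if allowlist.get(path) != digest:
            return False, f"unexpected measurement for {path}"
    return True, "ok"


# Constructed allowlist and boot-time measurement log (not real file hashes).
ALLOWLIST = {"/boot/vmlinuz": measure(b"kernel-v1"), "/usr/sbin/sshd": measure(b"sshd-v1")}
GOOD_LOG = [("/boot/vmlinuz", measure(b"kernel-v1")), ("/usr/sbin/sshd", measure(b"sshd-v1"))]


def attest(ak, event_log, allowlist=ALLOWLIST, nonce=None):
    """One round of periodic attestation: verifier picks a nonce, node quotes the PCR its log produced."""
    nonce = nonce or os.urandom(16)
    quote = make_quote(ak, nonce, replay_log(event_log))
    return verify_attestation(ak, nonce, quote, event_log, allowlist)


if __name__ == "__main__":
    ak = b"attestation-key"
    print(attest(ak, GOOD_LOG))
    tampered = [GOOD_LOG[0], ("/usr/sbin/sshd", measure(b"sshd-backdoored"))]
    print(attest(ak, tampered))
```

Three failure modes a practitioner cares about are covered: a modified binary shows up as a measurement that is not on the allowlist; a log rewritten to hide it no longer replays to the quoted PCR; and a captured quote from an earlier round fails because it is bound to an old nonce. In a real deployment the quote is signed by the TPM's attestation key and the verifier checks it against the key's certificate chain rather than a shared secret.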

Computing on masked data: a high performance method for improving big data veracity

Jeremy Kepner, Vijay Gadepally, Pete Michaleas, Nabil Schear, Mayank Varia, Arkady Yerukhimovich, Robert K. Cunningham
2014 2014 IEEE High Performance Extreme Computing Conference (HPEC)  
The growing gap between data and users calls for innovative tools that address the challenges faced by big data volume, velocity and variety. Along with these standard three V's of big data, an emerging fourth "V" is veracity, which addresses the confidentiality, integrity, and availability of the data. Traditional cryptographic techniques that ensure the veracity of data can have overheads that are too large to apply to big data. This work introduces a new technique called Computing on Masked Data (CMD), which improves data veracity by allowing computations to be performed directly on masked data and ensuring that only authorized recipients can unmask the data. Using the sparse linear algebra of associative arrays, CMD can be performed with significantly less overhead than other approaches while still supporting a wide range of linear algebraic operations on the masked data. Databases with strong support of sparse operations, such as SciDB or Apache Accumulo, are ideally suited to this technique. Examples are shown for the application of CMD to a complex DNA matching algorithm and to database operations over social media data.
doi:10.1109/hpec.2014.7040946 dblp:conf/hpec/KepnerGMSVYC14 fatcat:6ih6eru33zh55awm24lfguekmy
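The CMD entry above says computation runs directly on masked associative arrays and only the key holder can unmask the result, with DNA matching as one application. The block below is an added illustration, not the paper's code: it masks row and column labels of sparse associative arrays with a keyed deterministic function (HMAC-SHA256, an assumption chosen here because it preserves label equality), lets an untrusted party compute a sparse A * B^T over the masked arrays, and has the key holder unmask the result. The DNA strings and record names are constructed.

```python
import hashlib
import hmac

# Added example (not the paper's code): Computing on Masked Data with a deterministic
# mask, so equality-based operations (matching, joins, sparse multiply) run on masked labels.


def kmers(seq, k=4):
    """Set of length-k substrings of a DNA string."""
    return {seq[i:i + k] for i in range(len(seq) - k + 1)}


def build_array(records, k=4):
    """Sparse associative array as a dict: (record_id, kmer) -> 1 for every k-mer present."""
    return {(rid, km): 1 for rid, seq in records.items() for km in kmers(seq, k)}


def mask(key, label):
    """Deterministic masking with a keyed PRF (HMAC-SHA256, an assumption for this example):
    equal labels map to equal masks, so matching still works, but the label is not recoverable
    without the key."""
    return hmac.new(key, label.encode(), hashlib.sha256).hexdigest()[:16]


def mask_array(key, assoc):
    """Mask every row and column label; the values (k-mer indicators) stay in the clear here."""
    return {(mask(key, r), mask(key, c)): v for (r, c), v in assoc.items()}


def sparse_matmul_transpose(A, B):
    """C = A * B^T over sparse associative arrays: C[i, j] = sum_c A[i, c] * B[j, c].
    Only label equality is used, so it runs identically on clear or masked arrays."""
    by_col = {}
    for (j, c), w in B.items():
        by_col.setdefault(c, []).append((j, w))
    C = {}
    for (i, c), v in A.items():
        for j, w in by_col.get(c, []):
            C[(i, j)] = C.get((i, j), 0) + v * w
    return C


def cmd_match(key, samples, refs, k=4):
    """Owner masks both arrays, the untrusted cloud multiplies them, the owner unmasks the result.
    Returns (masked result as the cloud sees it, unmasked result as the owner sees it)."""
    A = mask_array(key, build_array(samples, k))
    B = mask_array(key, build_array(refs, k))
    masked_C = sparse_matmul_transpose(A, B)                      # cloud side: masks only
    unmask = {mask(key, l): l for l in list(samples) + list(refs)}  # owner side: has the key
    C = {(unmask[i], unmask[j]): v for (i, j), v in masked_C.items()}
    return masked_C, C


# Constructed sample data (not from the paper): query samples and reference genomes.
SAMPLES = {"sample_1": "ACGTACGT", "sample_2": "TTTTGGGG"}
REFS = {"ref_A": "ACGTACGTAA", "ref_B": "GGGGTTTT"}


if __name__ == "__main__":
    masked, clear = cmd_match(b"owner-secret-key", SAMPLES, REFS)
    print("cloud sees:", masked)
    print("owner sees:", clear)
```

The result entry C[sample_1, ref_A] = 4 counts shared 4-mers and is computed entirely from masked labels; the cloud learns the sparsity pattern and which masked k-mers repeat, but not the sequences. That equality leakage is inherent to deterministic masking and is the trade-off that buys the low overhead the entry describes; labels whose frequency distribution is itself sensitive need a stronger (randomized or homomorphic) scheme.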

High-Speed Matching of Vulnerability Signatures [chapter]

Nabil Schear, David R. Albrecht, Nikita Borisov
Lecture Notes in Computer Science  
Vulnerability signatures offer better precision and flexibility than exploit signatures when detecting network attacks. We show that it is possible to detect vulnerability signatures in high-performance network intrusion detection systems, by developing a matching architecture that is specialized to the task of vulnerability signatures. Our architecture is based upon: i) the use of high-speed pattern matchers, together with control logic, instead of recursive parsing, ii) the limited nature and careful management of implicit state, and iii) the ability to avoid parsing large fragments of the message not relevant to a vulnerability. We have built a prototype implementation of our architecture and vulnerability specification language, called VESPA, capable of detecting vulnerabilities in both text and binary protocols. We show that, compared to full protocol parsing, we can achieve 3x or better speedup, and thus detect vulnerabilities in most protocols at a speed of 1 Gbps or more. Our architecture is also well-adapted to being integrated with network processors or other special-purpose hardware. We show that for text protocols, pattern matching dominates our workload and great performance improvements can result from hardware acceleration.
doi:10.1007/978-3-540-87403-4_9 fatcat:ur6g2gtudzfdnbt5hscee5skpu

Computing on Masked Data to improve the Security of Big Data [article]

Vijay Gadepally, Braden Hancock, Benjamin Kaiser, Jeremy Kepner, Pete Michaleas, Mayank Varia, Arkady Yerukhimovich
2015 arXiv   pre-print
ACKNOWLEDGEMENTS The authors would like to acknowledge the anonymous reviewers, Nabil Schear, Rob Cunningham, and the LLGrid operations team at MIT Lincoln Laboratory for their support in developing and  ... 
arXiv:1504.01287v1 fatcat:vl4o5rdioja37i6wtfzhkgmg5e

Cumulative Attestation Kernels for Embedded Systems [chapter]

Michael LeMay, Carl A. Gunter
2009 Lecture Notes in Computer Science  
King, Nabil Schear, Ellick Chan, the researchers in the Illinois Security Lab, and the anonymous reviewers for their feedback. We are grateful to the TCIP Center for its support of our efforts.  ... 
doi:10.1007/978-3-642-04444-1_40 fatcat:urwe5ddzbfd6bfji7kv75r2x6e

Cumulative Attestation Kernels for Embedded Systems

Michael LeMay, Carl A. Gunter
2012 IEEE Transactions on Smart Grid  
King, Nabil Schear, Ellick Chan, the researchers in the Illinois Security Lab, and the anonymous reviewers for their feedback. We are grateful to the TCIP Center for its support of our efforts.  ... 
doi:10.1109/tsg.2011.2174811 fatcat:ycoa6zcygzazxoivqhqorcznuy

Smart Companies: Company & board members liability in the age of AI

Iakovina Kindylidi
2020 Unio - EU Law Journal  
Later … the verifier can use the commitment to check that the statement is in fact the one the prover committed to earlier" in Ariel Hamlin, Nabil Schear, Emily Shen, Mayank Varia, Sophia Yakoubov, and  ... 
doi:10.21814/unio.6.1.2704 fatcat:bf7nw7lo3vhgblqq46u7ht74ba