Illinois Science of Security (SoS) Lablet

Spy vs. Spy: Anonymous Messaging over Networks slides | video
Giulia Fanti, Postdoctoral Research Associate, Coordinated Science Lab, University of Illinois at Urbana-Champaign
August 30, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Anonymous microblogging platforms, such as Whisper, Yik Yak, and Secret have emerged as important tools for sharing one’s thoughts without fear of judgment by friends, the public, or authorities. These platforms provide anonymity by allowing users to share content (e.g., short messages) with their peers without revealing authorship information to other users. However, recent advances in rumor source detection show that existing messaging protocols, including those used in the mentioned anonymous microblogging applications, leak authorship information when the adversary has global access to metadata. For example, if an adversary can see which users of a messaging service received a particular message, or the timestamps at which a subset of users received a given message, the adversary can infer the message author’s identity with high probability. We introduce a novel anonymous messaging protocol, which we call adaptive diffusion, that is designed to resist such adversaries. We show that adaptive diffusion spreads messages quickly while achieving provably-optimal anonymity guarantees for specific classes of connectivity networks. Simulations on real social network data show that adaptive diffusion effectively hides the location of the source on real-world networks.

Oreo: Transparent Optimization to Enable Flexible Policy Enforcement in Software Defined Networks  slides | video
Santhosh Prabhu, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
October 11, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Commercial networks today have diverse security policies, defined by factors such as the type of traffic they carry, nature of applications they support, access control objectives, organizational principles etc. Ideally, the wide diversity in SDN controller frameworks should prove helpful in correctly and efficiently enforcing these policies. However, this has not been the case so far. By requiring the administrators to implement both security as well as performance objectives in the SDN controller, these frameworks have made the task of security policy enforcement in SDNs a challenging one. We observe that by separating security policy enforcement from performance optimization, we can facilitate the use of SDN for flexible policy management. To this end, we propose Oreo, a transparent performance enhancement layer for SDNs. Oreo allows SDN controllers to focus entirely on a correct security policy enforcement, and transparently optimizes the dataplane thus defined, reducing path stretch, switch memory consumption etc. Optimizations are performed while guaranteeing that end-to-end reachability characteristics are preserved – meaning that the security policies defined by the controller are not violated. Oreo performs these optimizations by first constructing a network-wide model describing the behavior of all traffic, and then optimizing the paths observed in the model by solving a multi-objective optimization problem. Initial experiments suggest that the techniques used by Oreo is effective, fast, and can scale to commercial-sized networks.

Automated Generation of Attack Signatures in Attack Graphs  slides | video
Phuong Cao, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
November 1, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: In this talk, we investigate applications of Factor Graphs to automatically generate attack signatures from security logs and domain expert knowledge. We demonstrate advantages of Factor Graphs over traditional probabilistic graphical models such as Bayesian Networks and Markov Random Fields in modeling security attacks. We illustrate Factor Graphs models using case studies of real attacks observed in the wild and at the National Center for Supercomputing Applications. Finally, we investigate how factor functions, a core component of Factor Graphs, can be constructed automatically to potentially improve detection accuracy and allow generalization of trained Factor Graph models in a variety of systems.

Towards Privacy-Preserving Mobile Utility Apps: A Balancing Act  slides | video
Dengfeng Li, Research Assistant, Computer Science, University of Illinois at Urbana-Champaign
November 29, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Among various types of mobile apps, mobile utility apps are increasingly becoming data-driven, and these apps tend to collect a significant amount of app usage data to carry out their promised utilities and enhance user experiences. A part of such app usage data often contains security-sensitive information. Thus, an important and challenging issue arises: how to balance between the user’s privacy and the utility app’s utility functionality. We propose techniques to enable users to determine what original values to keep in sanitized data in order to deliver a desirable level of utility efficacy. To accomplish our goal, we (1) incorporate user assistance for app exploration and abnormal-behavior detection, (2) support user validation of malicious-app candidates via program-repair techniques, and (3) sanitize users’ app usage data to balance between privacy preservation and utility efficacy.

Behavioral Analysis for Cyber Resilience  slides | video
Ahmed Fawaz, Research Assistant, Electrical and Computer Engineering, University of Illinois at Urbana-Champaign
December 6, 2016, 4:00 p.m., CSL Auditorium (B02)

Abstract: Systems and attacks are becoming more sophisticated; classical security methods are failing to protect and secure those systems. We believe that systems should be built to be resilient to attacks.  Cyber Resiliency is the protection strategy that will secure modern systems that control our critical infrastructure. Instead of perfectly protecting the system, a resilient system survives a cyber incident by detecting and containing attacks while maintaining service.

In this talk, we describe our proposed resiliency architecture that uses a model of the system to deploy monitors, estimate the state of the system using monitor data, and selects responses to maintain service during attacks. Then we design the essential components of the said resiliency architecture for a multitude of systems including operating systems and hosts and enterprise networks. The components we build are monitor design, monitor view generation, fusion, and response.  However, several practical and theoretical challenges hinder a cyber-resilient architecture. In particular, the architecture needs to deal with the plethora of monitoring with different semantics and time scales. Moreover, the system is dependent on the integrity of the monitoring data when estimating the state of the system. The integrity of the monitoring data is critical to making “correct” decisions that are not influenced by the attacker. Finally, the response mechanisms need to be proven effective in maintaining the resilience of the system. Proving such properties is particularly challenging because of the complexity of the systems. Our pieces address the challenges that face the cyber resiliency architecture.

First, we designed a host-level monitor, Kobra, that combines the various views of application behaviors into a signal, then learns the baseline of acceptable behaviors. We use the baseline for anomaly detection. Since our cyber resiliency architecture depends on the integrity of the monitoring data, we designed PowerAlert, an out-of-box integrity checker. PowerAlert uses CPU power measurements, measured using an external probe, to verify that the machine executed the check as expected. To prevent an attacker from evading PowerAlert, we use random initiation times and random integrity checking programs. Finally, we use Kobra’s host-level views to correlate events that happen in a network. First, we propose a fusion framework that enables us to fuse monitoring events for different sources. Then using the framework, we collect lateral movement chains across the network.  We form the chain using network causation events. Those causations are inferred using Kobra’s process communications view.