Biblio

Filters: Keyword is predictability
2020-03-09
Hăjmășan, Gheorghe, Mondoc, Alexandra, Creț, Octavian.  2019.  Bytecode Heuristic Signatures for Detecting Malware Behavior. 2019 Conference on Next Generation Computing Applications (NextComp). :1–6.
For a long time, the most important approach for detecting malicious applications was the use of static, hash-based signatures. This approach provides a fast response time, has a low performance overhead and is very stable due to its simplicity. However, with the rapid growth in the number of malware, as well as their increased complexity in terms of polymorphism and evasion, the era of reactive security solutions started to fade in favor of new, proactive approaches such as behavior based detection. We propose a novel approach that uses an interpreter virtual machine to run proactive behavior heuristics from bytecode signatures, thus combining the advantages of behavior based detection with those of signatures. Based on our approximation, using this approach we succeeded in reducing by 85% the time required to update a behavior based detection solution to detect new threats, while continuing to benefit from the versatility of behavior heuristics.
Li, Chi, Zhou, Min, Gu, Zuxing, Gu, Ming, Zhang, Hongyu.  2019.  Ares: Inferring Error Specifications through Static Analysis. 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE). :1174–1177.
Misuse of APIs happens frequently due to misunderstanding of API semantics and lack of documentation. An important category of API-related defects is the error handling defects, which may result in security and reliability flaws. These defects can be detected with the help of static program analysis, provided that error specifications are known. The error specification of an API function indicates how the function can fail. Writing error specifications manually is time-consuming and tedious. Therefore, automatically inferring the error specification from API usage code is preferred. In this paper, we present Ares, a tool for automatically inferring error specifications for C code through static analysis. We employ multiple heuristics to identify error handling blocks and infer error specifications by analyzing the corresponding condition logic. Ares is evaluated on 19 real world projects, and the results reveal that Ares outperforms the state-of-the-art tool APEx by 37% in precision. Ares can also identify more error specifications than APEx. Moreover, the specifications inferred from Ares help find dozens of API-related bugs in well-known projects such as OpenSSL, among which 10 bugs are confirmed by developers. Video: https://youtu.be/nf1QnFAmu8Q. Repository: https://github.com/lc3412/Ares.
Perner, Cora, Kinkelin, Holger, Carle, Georg.  2019.  Adaptive Network Management for Safety-Critical Systems. 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). :25–30.
Present networks within safety-critical systems rely on complex and inflexible network configurations. New technologies such as software-defined networking are more dynamic and offer more flexibility, but due care needs to be exercised to ensure that safety and security are not compromised by incorrect configurations. To this end, this paper proposes the use of pre-generated and optimized configuration templates. These provide alternate routes for traffic considering availability, resilience and timing constraints where network components fail due to attacks or faults. To obtain these templates, two heuristics based on Dijkstra's algorithm and an optimization algorithm providing the maximum resilience were investigated. While the configurations obtained through optimization yield appropriate templates, the heuristics investigated are not suitable to obtain configuration templates, since they cannot fulfill all requirements.
Nathezhtha, T., Sangeetha, D., Vaidehi, V..  2019.  WC-PAD: Web Crawling based Phishing Attack Detection. 2019 International Carnahan Conference on Security Technology (ICCST). :1–6.
Phishing is a criminal offense which involves theft of a user's sensitive data. Phishing websites target individuals, organizations, cloud storage hosting sites and government websites. Currently, hardware based approaches for anti-phishing are widely used, but due to cost and operational factors software based approaches are preferred. The existing phishing detection approaches fail to provide a solution to problems like zero-day phishing website attacks. To overcome these issues and precisely detect phishing occurrence, a three phase attack detection named Web Crawler based Phishing Attack Detector (WC-PAD) has been proposed. It takes the web traffic, web content and Uniform Resource Locator (URL) as input features; based on these features, classification of phishing and non-phishing websites is done. The experimental analysis of the proposed WC-PAD is done with datasets collected from real phishing cases. From the experimental results, it is found that the proposed WC-PAD gives 98.9% accuracy in both phishing and zero-day phishing attack detection.
Hermawan, Indra, Ma’sum, M. Anwar, Riskyana Dewi Intan, P, Jatmiko, Wisnu, Wiweko, Budi, Boediman, Alfred, Pradekso, Beno K..  2019.  Temporal feature and heuristics-based Noise Detection over Classical Machine Learning for ECG Signal Quality Assessment. 2019 International Workshop on Big Data and Information Security (IWBIS). :1–8.
This study proposes a method for ECG signal quality assessment (SQA) by using temporal features and heuristic rules. The ECG signal will be classified as acceptable or unacceptable. Seven types of noise were able to be detected by the proposed method. The noises are: FL, TVN, BW, AB, MA, PLI and AWGN. The proposed method is aimed to have better performance for SQA than the classical machine learning method. The experiment is conducted by using 1000 instances of ECG signal. The experiment result shows that db8 has the best performance with 0.86, 0.85 and 85.6% on lead-1 signal and 0.69, 0.79, and 74% on lead-5 signal for specificity, sensitivity and accuracy respectively. Compared to classical machine learning, the proposed heuristic method has the same accuracy but has 48% and 31% better specificity for lead-1 and lead-5. It means that the proposed method has far better ability to detect noise.
Calzavara, Stefano, Conti, Mauro, Focardi, Riccardo, Rabitti, Alvise, Tolomei, Gabriele.  2019.  Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. 2019 IEEE European Symposium on Security and Privacy (EuroS&P). :528–543.

Cross-Site Request Forgery (CSRF) is one of the oldest and simplest attacks on the Web, yet it is still effective on many websites and it can lead to severe consequences, such as economic losses and account takeovers. Unfortunately, tools and techniques proposed so far to identify CSRF vulnerabilities either need manual reviewing by human experts or assume the availability of the source code of the web application. In this paper we present Mitch, the first machine learning solution for the black-box detection of CSRF vulnerabilities. At the core of Mitch there is an automated detector of sensitive HTTP requests, i.e., requests which require protection against CSRF for security reasons. We trained the detector using supervised learning techniques on a dataset of 5,828 HTTP requests collected on popular websites, which we make available to other security researchers. Our solution outperforms existing detection heuristics proposed in the literature, allowing us to identify 35 new CSRF vulnerabilities on 20 major websites and 3 previously undetected CSRF vulnerabilities on production software already analyzed using a state-of-the-art tool.

Gregory, Jason M., Al-Hussaini, Sarah, Gupta, Satyandra K..  2019.  Heuristics-Based Multi-Agent Task Allocation for Resilient Operations. 2019 IEEE International Symposium on Safety, Security, and Rescue Robotics (SSRR). :1–8.
Multi-Agent Task Allocation is a pre-requisite for many autonomous, real-world systems because of the need for intelligent task assignment amongst a team for maximum efficiency. Similarly, agent failure, task failure, and a lack of state information are inherent challenges when operating in complex environments. Many existing solutions make simplifying assumptions regarding the modeling of these factors, e.g., Markovian state information. However, it is not clear that this is always the appropriate approach or that results from these approaches are necessarily representative of performance in the natural world. In this work, we demonstrate that there exists a class of problems for which non-Markovian state modeling is beneficial. Furthermore, we present and characterize a novel heuristic for task allocation that incorporates realistic state and uncertainty modeling in order to improve performance. Our quantitative analysis, when tested in a simulated search and rescue (SAR) mission, shows a decrease in performance of more than 57% when a representative method with Markovian assumptions is tested in a non-Markovian setting. Our novel heuristic has shown an improvement in performance of 3-15%, in the same non-Markovian setting, by modeling probabilistic failure and making fewer assumptions.
2018-05-09
Jin, R., He, X., Dai, H., Dutta, R., Ning, P..  2017.  Towards Privacy-Aware Collaborative Security: A Game-Theoretic Approach. 2017 IEEE Symposium on Privacy-Aware Computing (PAC). :72–83.

With the rapid development of sophisticated attack techniques, individual security systems that base all of their decisions and actions of attack prevention and response on their own observations and knowledge become incompetent. To cope with this problem, collaborative security in which a set of security entities are coordinated to perform specific security actions is proposed in literature. In collaborative security schemes, multiple entities collaborate with each other by sharing threat evidence or analytics to make more effective decisions. Nevertheless, the anticipated information exchange raises privacy concerns, especially for those privacy-sensitive entities. In order to obtain a quantitative understanding of the fundamental tradeoff between the effectiveness of collaboration and the entities' privacy, a repeated two-layer single-leader multi-follower game is proposed in this work. Based on our game-theoretic analysis, the expected behaviors of both the attacker and the security entities are derived and the utility-privacy tradeoff curve is obtained. In addition, the existence of Nash equilibrium (NE) for the collaborative entities is proven, and an asynchronous dynamic update algorithm is proposed to compute the optimal collaboration strategies of the entities. Furthermore, the existence of Byzantine entities is considered and its influence is investigated. Finally, simulation results are presented to validate the analysis.

2017-12-12
Santos, E. E., Santos, E., Korah, J., Thompson, J. E., Murugappan, V., Subramanian, S., Zhao, Yan.  2017.  Modeling insider threat types in cyber organizations. 2017 IEEE International Symposium on Technologies for Homeland Security (HST). :1–7.

Insider threats can cause immense damage to organizations of different types, including government, corporate, and non-profit organizations. Being an insider, however, does not necessarily equate to being a threat. Effectively identifying valid threats, and assessing the type of threat an insider presents, remain difficult challenges. In this work, we propose a novel breakdown of eight insider threat types, identified by using three insider traits: predictability, susceptibility, and awareness. In addition to presenting this framework for insider threat types, we implement a computational model to demonstrate the viability of our framework with synthetic scenarios devised after reviewing real world insider threat case studies. The results yield useful insights into how further investigation might proceed to reveal how best to gauge predictability, susceptibility, and awareness, and precisely how they relate to the eight insider types.

2017-11-03
Bozkaya, Elif, Chowdhury, Kaushik, Canberk, Berk.  2016.  SINR and Reliability Based Hidden Terminal Estimation for Next Generation Vehicular Networks. Proceedings of the 12th ACM Symposium on QoS and Security for Wireless and Mobile Networks. :69–76.
Safety applications are currently being developed in next generation vehicular networks to provide road safety. Broadcasting of safety messages unveils the need for reliability assessment since there are no request-to-send (RTS)/clear-to-send (CTS) handshaking and acknowledgment packets in broadcast vehicular communications. Therefore, the reliability of broadcast messages suffers from the hidden terminal problem, interference and high mobility. To overcome these challenges, Signal-to-Interference-and-Noise Ratio (SINR) estimation is a key solution so that we can foresee the transmission collisions caused by hidden terminals and prevent their transmissions. Then, we can build a model to improve reliability of broadcast messages. Towards this aim, in this paper, we propose a SINR based hidden terminal estimation model. First, we introduce a method to specify hidden terminals and their transmissions, then we estimate accurate SINR level at the receiver in the near future. Second, we formulate the successfully received packets with a heuristic algorithm and calculate throughput and hidden terminal radius. Our approach enables significant improvement in the reliability of broadcast vehicular communications.
Weichslgartner, Andreas, Wildermann, Stefan, Götzfried, Johannes, Freiling, Felix, Glaß, Michael, Teich, Jürgen.  2016.  Design-Time/Run-Time Mapping of Security-Critical Applications in Heterogeneous MPSoCs. Proceedings of the 19th International Workshop on Software and Compilers for Embedded Systems. :153–162.
Different applications concurrently running on modern MPSoCs can interfere with each other when they use shared resources. This interference can cause side channels, i.e., sources of unintended information flow between applications. To prevent such side channels, we propose a hybrid mapping methodology that attempts to ensure spatial isolation, i.e., a mutually-exclusive allocation of resources to applications in the MPSoC. At design time and as a first step, we compute compact and connected application mappings (called shapes). In a second step, run-time management uses this information to map multiple spatially segregated shapes to the architecture. We present and evaluate a (fast) heuristic and an (exact) SAT-based mapper, demonstrating the viability of the approach.
Hibshi, Hanan.  2016.  Systematic Analysis of Qualitative Data in Security. Proceedings of the Symposium and Bootcamp on the Science of Security. :52–52.
This tutorial will introduce participants to Grounded Theory, which is a qualitative framework to discover new theory from an empirical analysis of data. This form of analysis is particularly useful when analyzing text, audio or video artifacts that lack structure, but contain rich descriptions. We will frame Grounded Theory in the context of qualitative methods and case studies, which complement quantitative methods, such as controlled experiments and simulations. We will contrast the approaches developed by Glaser and Strauss, and introduce coding theory - the most prominent qualitative method for performing analysis to discover Grounded Theory. Topics include coding frames, first- and second-cycle coding, and saturation. We will use examples from security interview scripts to teach participants: developing a coding frame, coding a source document to discover relationships in the data, developing heuristics to resolve ambiguities between codes, and performing second-cycle coding to discover relationships within categories. Then, participants will learn how to discover theory from coded data. Participants will further learn about inter-rater reliability statistics, including Cohen's and Fleiss' Kappa, Krippendorff's Alpha, and Vanbelle's Index. Finally, we will review how to present Grounded Theory results in publications, including how to describe the methodology, report observations, and describe threats to validity.
Gunda, Jagadeesh, Djokic, Sasa, Langella, Roberto, Testa, Alfredo.  2016.  On Convergence of Conventional and Meta-heuristic Methods for Security-constrained OPF Analysis. Proceedings of the 31st Annual ACM Symposium on Applied Computing. :109–111.
Security-constrained optimal power flow (SCOPF) studies are used for assessing network performance during both planning and operational stages. The requirements for increased flexibility and improved security necessitate the use of robust and computationally efficient SCOPF methods, which are crucial for "smart grid" applications requiring (close to) real-time network control. Conventional SCOPF methods solve the corresponding nonlinear power flow equations using gradient-based iterative approaches and are computationally efficient, but sensitive to selection of initial values and might suffer from convergence problems. Metaheuristic SCOPF methods are based on various approaches that search over the system state space and do not suffer from convergence problems, but are more computationally demanding. While network planners and operators regularly use conventional SCOPF methods, meta-heuristic methods are rarely implemented in practice, even for off-line analysis during the planning stage. Using as an example the IEEE 30-bus test network, this paper analyses and compares conventional and meta-heuristic methods for security-constrained OPF studies, showing that meta-heuristic methods can be used when conventional methods fail to converge and/or to provide a global optimum solution.
Gambino, Andrew, Kim, Jinyoung, Sundar, S. Shyam, Ge, Jun, Rosson, Mary Beth.  2016.  User Disbelief in Privacy Paradox: Heuristics That Determine Disclosure. Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems. :2837–2843.
We conducted a series of in-depth focus groups wherein users provided rationales for their own online privacy behaviors. Our data suggest that individuals often take action with little thought or evaluation, even showing surprise when confronted with their own behaviors. Our analysis yielded a battery of cognitive heuristics, i.e., mental shortcuts / rules of thumb, that users seem to employ when they disclose or withhold information at the spur of the moment. A total of 4 positive heuristics (promoting disclosure) and 4 negative heuristics (inhibiting disclosure) were discovered. An understanding of these heuristics can be valuable for designing interfaces that promote secure and trustworthy computing.