Visible to the public Biblio

Found 2411 results

Filters: First Letter Of Last Name is K  [Clear All Filters]
Presentation
Mohammad Noureddine, University of Illinois at Urbana-Champaign, Masooda Bashir, University of Illinois at Urbana-Champaign, Ken Keefe, University of Illinois at Urbana-Champaign, Andrew Marturano, University of Illinois at Urbana-Champaign, William H. Sanders, University of Illinois at Urbana-Champaign.  2015.  Accounting for User Behavior in Predictive Cyber Security Models.

The human factor is often regarded as the weakest link in cybersecurity systems. The investigation of several security breaches reveals an important impact of human errors in exhibiting security vulnerabilities. Although security researchers have long observed the impact of human behavior, few improvements have been made in designing secure systems that are resilient to the uncertainties of the human element.

In this talk, we discuss several psychological theories that attempt to understand and influence the human behavior in the cyber world. Our goal is to use such theories in order to build predictive cyber security models that include the behavior of typical users, as well as system administrators. We then illustrate the importance of our approach by presenting a case study that incorporates models of human users. We analyze our preliminary results and discuss their challenges and our approaches to address them in the future.

Presented at the ITI Joint Trust and Security/Science of Security Seminar, October 20, 2016.

Ken Keefe, University of Illinois at Urbana-Champaign.  2014.  Making Sound Design Decisions Using Quantitative Security Metrics.

Presented at the Illinois SoS Bi-weekly Meeting, December 2014.

Miscellaneous
Hussain, M. S., Khan, K. U. R..  2020.  Network-based Anomaly Intrusion Detection System in MANETS. 2020 Fourth International Conference on Inventive Systems and Control (ICISC). :881—886.

In the communication model of wired and wireless Adhoc networks, the most needed requirement is the integration of security. Mobile Adhoc networks are more aroused with the attacks compared to the wired environment. Subsequently, the characteristics of Mobile Adhoc networks are also influenced by the vulnerability. The pre-existing unfolding solutions are been obtained for infrastructure-less networks. However, these solutions are not always necessarily suitable for wireless networks. Further, the framework of wireless Adhoc networks has uncommon vulnerabilities and due to this behavior it is not protected by the same solutions, therefore the detection mechanism of intrusion is combinedly used to protect the Manets. Several intrusion detection techniques that have been developed for a fixed wired network cannot be applied in this new environment. Furthermore, The issue of intensity in terms of energy is of a major kind due to which the life of the working battery is very limited. The objective this research work is to detect the Anomalous behavior of nodes in Manet's and Experimental analysis is done by making use of Network Simulator-2 to do the comparative analysis for the existing algorithm, we enhanced the previous algorithm in order to improve the Energy efficiency and results shown the improvement of energy of battery life and Throughput is checked with respect to simulation of test case analysis. In this paper, the proposed algorithm is compared with the existing approach.

Journal Article
Ghazo, A. T. Al, Ibrahim, M., Ren, H., Kumar, R..  2020.  A2G2V: Automatic Attack Graph Generation and Visualization and Its Applications to Computer and SCADA Networks. IEEE Transactions on Systems, Man, and Cybernetics: Systems. 50:3488–3498.
Securing cyber-physical systems (CPS) and Internet of Things (IoT) systems requires the identification of how interdependence among existing atomic vulnerabilities may be exploited by an adversary to stitch together an attack that can compromise the system. Therefore, accurate attack graphs play a significant role in systems security. A manual construction of the attack graphs is tedious and error-prone, this paper proposes a model-checking-based automated attack graph generator and visualizer (A2G2V). The proposed A2G2V algorithm uses existing model-checking tools, an architecture description tool, and our own code to generate an attack graph that enumerates the set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise system security. The architecture description tool captures a formal representation of the networked system, its atomic vulnerabilities, their pre-and post-conditions, and security property of interest. A model-checker is employed to automatically identify an attack sequence in the form of a counterexample. Our own code integrated with the model-checker parses the counterexamples, encodes those for specification relaxation, and iterates until all attack sequences are revealed. Finally, a visualization tool has also been incorporated with A2G2V to generate a graphical representation of the generated attack graph. The results are illustrated through application to computer as well as control (SCADA) networks.
Fridman, L., Weber, S., Greenstadt, R., Kam, M..  2017.  Active Authentication on Mobile Devices via Stylometry, Application Usage, Web Browsing, and GPS Location. IEEE Systems Journal. 11:513–521.

Active authentication is the problem of continuously verifying the identity of a person based on behavioral aspects of their interaction with a computing device. In this paper, we collect and analyze behavioral biometrics data from 200 subjects, each using their personal Android mobile device for a period of at least 30 days. This data set is novel in the context of active authentication due to its size, duration, number of modalities, and absence of restrictions on tracked activity. The geographical colocation of the subjects in the study is representative of a large closed-world environment such as an organization where the unauthorized user of a device is likely to be an insider threat: coming from within the organization. We consider four biometric modalities: 1) text entered via soft keyboard, 2) applications used, 3) websites visited, and 4) physical location of the device as determined from GPS (when outdoors) or WiFi (when indoors). We implement and test a classifier for each modality and organize the classifiers as a parallel binary decision fusion architecture. We are able to characterize the performance of the system with respect to intruder detection time and to quantify the contribution of each modality to the overall performance.

Hyesook Lim, Kyuhee Lim, Nara Lee, Kyong-Hye Park.  2014.  On Adding Bloom Filters to Longest Prefix Matching Algorithms. Computers, IEEE Transactions on. 63:411-423.

High-speed IP address lookup is essential to achieve wire-speed packet forwarding in Internet routers. Ternary content addressable memory (TCAM) technology has been adopted to solve the IP address lookup problem because of its ability to perform fast parallel matching. However, the applicability of TCAMs presents difficulties due to cost and power dissipation issues. Various algorithms and hardware architectures have been proposed to perform the IP address lookup using ordinary memories such as SRAMs or DRAMs without using TCAMs. Among the algorithms, we focus on two efficient algorithms providing high-speed IP address lookup: parallel multiple-hashing (PMH) algorithm and binary search on level algorithm. This paper shows how effectively an on-chip Bloom filter can improve those algorithms. A performance evaluation using actual backbone routing data with 15,000-220,000 prefixes shows that by adding a Bloom filter, the complicated hardware for parallel access is removed without search performance penalty in parallel-multiple hashing algorithm. Search speed has been improved by 30-40 percent by adding a Bloom filter in binary search on level algorithm.
 

Abura'ed, Nour, Khan, Faisal Shah, Bhaskar, Harish.  2017.  Advances in the Quantum Theoretical Approach to Image Processing Applications. ACM Comput. Surv.. 49:75:1–75:49.
In this article, a detailed survey of the quantum approach to image processing is presented. Recently, it has been established that existing quantum algorithms are applicable to image processing tasks allowing quantum informational models of classical image processing. However, efforts continue in identifying the diversity of its applicability in various image processing domains. Here, in addition to reviewing some of the critical image processing applications that quantum mechanics have targeted, such as denoising, edge detection, image storage, retrieval, and compression, this study will also highlight the complexities in transitioning from the classical to the quantum domain. This article shall establish theoretical fundamentals, analyze performance and evaluation, draw key statistical evidence to support claims, and provide recommendations based on published literature mostly during the period from 2010 to 2015.
Dainotti, A., King, A., Claffy, K., Papale, F., Pescape, A..  2015.  Analysis of a #x201c;/0 #x201d; Stealth Scan From a Botnet. Networking, IEEE/ACM Transactions on. 23:341-354.

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers. Its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This paper offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
 

Yoon, S., Cho, J.-H., Kim, D. S., Moore, T. J., Free-Nelson, F., Lim, H..  2020.  Attack Graph-Based Moving Target Defense in Software-Defined Networks. IEEE Transactions on Network and Service Management. 17:1653–1668.
Moving target defense (MTD) has emerged as a proactive defense mechanism aiming to thwart a potential attacker. The key underlying idea of MTD is to increase uncertainty and confusion for attackers by changing the attack surface (i.e., system or network configurations) that can invalidate the intelligence collected by the attackers and interrupt attack execution; ultimately leading to attack failure. Recently, the significant advance of software-defined networking (SDN) technology has enabled several complex system operations to be highly flexible and robust; particularly in terms of programmability and controllability with the help of SDN controllers. Accordingly, many security operations have utilized this capability to be optimally deployed in a complex network using the SDN functionalities. In this paper, by leveraging the advanced SDN technology, we developed an attack graph-based MTD technique that shuffles a host's network configurations (e.g., MAC/IP/port addresses) based on its criticality, which is highly exploitable by attackers when the host is on the attack path(s). To this end, we developed a hierarchical attack graph model that provides a network's vulnerability and network topology, which can be utilized for the MTD shuffling decisions in selecting highly exploitable hosts in a given network, and determining the frequency of shuffling the hosts' network configurations. The MTD shuffling with a high priority on more exploitable, critical hosts contributes to providing adaptive, proactive, and affordable defense services aiming to minimize attack success probability with minimum MTD cost. We validated the out performance of the proposed MTD in attack success probability and MTD cost via both simulation and real SDN testbed experiments.
Miller, Andrew, Hicks, Michael, Katz, Jonathan, Shi, Elaine.  2014.  Authenticated Data Structures, Generically. SIGPLAN Not.. 49:411–423.

An authenticated data structure (ADS) is a data structure whose operations can be carried out by an untrusted prover, the results of which a verifier can efficiently check as authentic. This is done by having the prover produce a compact proof that the verifier can check along with each operation's result. ADSs thus support outsourcing data maintenance and processing tasks to untrusted servers without loss of integrity. Past work on ADSs has focused on particular data structures (or limited classes of data structures), one at a time, often with support only for particular operations.

This paper presents a generic method, using a simple extension to a ML-like functional programming language we call λ• (lambda-auth), with which one can program authenticated operations over any data structure defined by standard type constructors, including recursive types, sums, and products. The programmer writes the data structure largely as usual and it is compiled to code to be run by the prover and verifier. Using a formalization of λ• we prove that all well-typed λ• programs result in code that is secure under the standard cryptographic assumption of collision-resistant hash functions. We have implemented λ• as an extension to the OCaml compiler, and have used it to produce authenticated versions of many interesting data structures including binary search trees, red-black+ trees, skip lists, and more. Performance experiments show that our approach is efficient, giving up little compared to the hand-optimized data structures developed previously.

Kleinmann, Amit, Wool, Avishai.  2017.  Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems. ACM Trans. Intell. Syst. Technol.. 8:55:1–55:21.

Traffic of Industrial Control System (ICS) between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA and a high false-alarm rate. In this article, we introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the statechart from a captured traffic stream. Our unsupervised learning algorithms first build a Discrete-Time Markov Chain (DTMC) from the stream. Next, we split the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then, we create a sub-graph for each cycle and extract Euler cycles for each sub-graph. The final statechart is comprised of one DFA per Euler cycle. The algorithms allow for non-unique symbols, which appear in more than one cycle, and also for symbols that appear more than once in a cycle. We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically-generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting statechart modeled the traces with a median false-alarm rate of as low as 0.483%. In all but the most extreme scenarios, the Statechart model drastically reduced both the false-alarm rate and the learned model size in comparison with the naive single-DFA model.

He, Yu-Lin, Wang, Ran, Kwong, Sam, Wang, Xi-Zhao.  2014.  Bayesian Classifiers Based on Probability Density Estimation and Their Applications to Simultaneous Fault Diagnosis. Inf. Sci.. 259:252–268.

A key characteristic of simultaneous fault diagnosis is that the features extracted from the original patterns are strongly dependent. This paper proposes a new model of Bayesian classifier, which removes the fundamental assumption of naive Bayesian, i.e., the independence among features. In our model, the optimal bandwidth selection is applied to estimate the class-conditional probability density function (p.d.f.), which is the essential part of joint p.d.f. estimation. Three well-known indices, i.e., classification accuracy, area under ROC curve, and probability mean square error, are used to measure the performance of our model in simultaneous fault diagnosis. Simulations show that our model is significantly superior to the traditional ones when the dependence exists among features.

Ke, Liyiming, Li, Bo, Vorobeychik, Yevgeniy.  2016.  Behavioral Experiments in Email Filter Evasion.

Despite decades of effort to combat spam, unwanted and even malicious emails, such as phish which aim to deceive recipients into disclosing sensitive information, still routinely find their way into one’s mailbox. To be sure, email filters manage to stop a large fraction of spam emails from ever reaching users, but spammers and phishers have mastered the art of filter evasion, or manipulating the content of email messages to avoid being filtered. We present a unique behavioral experiment designed to study email filter evasion. Our experiment is framed in somewhat broader terms: given the widespread use of machine learning methods for distinguishing spam and non-spam, we investigate how human subjects manipulate a spam template to evade a classification-based filter. We find that adding a small amount of noise to a filter significantly reduces the ability of subjects to evade it, observing that noise does not merely have a short-term impact, but also degrades evasion performance in the longer term. Moreover, we find that greater coverage of an email template by the classifier (filter) features significantly increases the difficulty of evading it. This observation suggests that aggressive feature reduction—a common practice in applied machine learning—can actually facilitate evasion. In addition to the descriptive analysis of behavior, we develop a synthetic model of human evasion behavior which closely matches observed behavior and effectively replicates experimental findings in simulation.

Ti, Y., Wu, C., Yu, C., Kuo, S..  2020.  Benchmarking Dynamic Searchable Symmetric Encryption Scheme for Cloud-Internet of Things Applications. IEEE Access. 8:1715–1732.
Recently, the rapid development of Internet of things (IoT) has resulted in the generation of a considerable amount of data, which should be stored. Therefore, it is necessary to develop methods that can easily capture, save, and modify these data. The data generated using IoT contain private information; therefore sufficient security features should be incorporated to ensure that potential attackers cannot access the data. Researchers from various fields are attempting to achieve data security. One of the major challenges is that IoT is a paradigm of how each device in the Internet infrastructure is interconnected to a globally dynamic network. When searching in dynamic cloud-stored data, sensitive data can be easily leaked. IoT data storage and retrieval from untrusted cloud servers should be secure. Searchable symmetric encryption (SSE) is a vital technology in the field of cloud storage. SSE allows users to use keywords to search for data in an untrusted cloud server but the keywords and the data content are concealed from the server. However, an SSE database is seldom used by cloud operators because the data stored on the cloud server is often modified. The server cannot update the data without decryption because the data are encrypted by the user. Therefore, dynamic SSE (DSSE) has been developed in recent years to support the aforementioned requirements. Instead of decrypting the data stored by customers, DSSE adds or deletes encrypted data on the server. A number of DSSE systems based on linked list structures or blind storage (a new primitive) have been proposed. From the perspective of functionality, extensibility, and efficiency, these DSSE systems each have their own advantages and drawbacks. The most crucial aspect of a system that is used in the cloud industry is the trade-off between performance and security. Therefore, we compared the efficiency and security of multiple DSSE systems and identified their shortcomings to develop an improved system.
Kounelis, I., Baldini, G., Neisse, R., Steri, G., Tallacchini, M., Guimaraes Pereira, A..  2014.  Building Trust in the Human?Internet of Things Relationship Technology and Society Magazine, IEEE. 33:73-80.

Our vision in this paper is that agency, as the individual ability to intervene and tailor the system, is a crucial element in building trust in IoT technologies. Following up on this vision, we will first address the issue of agency, namely the individual capability to adopt free decisions, as a relevant driver in building trusted human-IoT relations, and how agency should be embedded in digital systems. Then we present the main challenges posed by existing approaches to implement this vision. We show then our proposal for a model-based approach that realizes the agency concept, including a prototype implementation.