CERIAS Weekly Security Seminar - Purdue University

Whether it is a spear phishing attack, social engineering, or malware specifically tailored to obtain online banking credentials, hundreds of thousands of dollars are at risk to fund transfer fraud and other cyber-crime. Beyond the financial consequences of these cyber-attacks, entities face an increasingly complex array of legal obligations and issues in the aftermath of one of these events. This presentation will give an overview of trends in cyber-crime, legal issues that may arise from these events, how responses to the events affect potential liability, and how the law allocates responsibility between parties involved.

Malicious payload injection attacks have been a serious threat to software for decades. Unfortunately, protection against these attacks remains challenging due to the ever increasing diversity and sophistication of payload injection and triggering mechanisms used by adversaries.In this talk, I will present A2C, a system that provides general protection against payload injection attacks. A2C is based on the observation that payloads are highly fragile and thus any mutation would likely break their functionalities. A2C mutates inputs from untrusted sources. Malicious payloads that reside in these inputs are hence mutated and broken. To assure that the program continues to function correctly when benign inputs are provided, A2C divides the state space into exploitable and post-exploitable sub-spaces, where the latter is much larger than the former, and decodes the mutated values only when they are transmitted from the former to the latter. A2C does not rely on any knowledge of malicious payloads or their injection and triggering mechanisms. Hence, its protection is general. We evaluate A2C with 30 real-world applications, including apache on a real-world work-load, and our results show that A2C effectively prevents a variety of payload injection attacks on these programs with reasonably low overhead. About the speaker: Yonghwi Kwon is a PhD student in the Department of Computer Science at Purdue University. His research interests include dynamic/static binary analysis, reverse-engineering, and system security. In particular, he is interested in solving security and debugging problems using dynamic binary analysis and translation techniques.

Malicious payload injection attacks have been a serious threat to software for decades. Unfortunately, protection against these attacks remains challenging due to the ever increasing diversity and sophistication of payload injection and triggering mechanisms used by adversaries. In this talk, I will present A2C, a system that provides general protection against payload injection attacks. A2C is based on the observation that payloads are highly fragile and thus any mutation would likely break their functionalities. A2C mutates inputs from untrusted sources. Malicious payloads that reside in these inputs are hence mutated and broken. To assure that the program continues to function correctly when benign inputs are provided, A2C divides the state space into exploitable and post-exploitable sub-spaces, where the latter is much larger than the former, and decodes the mutated values only when they are transmitted from the former to the latter. A2C does not rely on any knowledge of malicious payloads or their injection and triggering mechanisms. Hence, its protection is general. We evaluate A2C with 30 real-world applications, including apache on a real-world work-load, and our results show that A2C effectively prevents a variety of payload injection attacks on these programs with reasonably low overhead.

In this talk, we will leverage the framework of game theory to understand the effects of decentralized decision-making on the robustness and security of large-scale networked systems. In the first part of this talk, we will consider a setting where each node in the network is an independent decision maker who wants to protect itself, and the probability of attack on a node is a function of the security investment by the node and its immediate neighbors in the network. Accordingly, the security investment of a node depends on its position in the network and its perception of attack probability. We will investigate the impact of certain empirically established behavioral biases, that affect how users perceive probabilities of risky outcomes, on the security investment decisions of the nodes. We will further characterize the structures of networks that maximize and minimize the expected fraction of nodes that are successfully attacked at the Nash equilibrium of the game, respectively. In the second part of the talk, we will consider a setting where each decision maker is responsible for defending multiple nodes in the network, and strategic attacker(s) launch multi-stage attacks that spread through the network. We will show that the problem of computing the best response for a defender can be formulated as a convex optimization problem. We will then illustrate the application of this framework in problems that arise in networked cyber-physical systems. About the speaker: Ashish R. Hota is currently a Ph.D. candidate in the School of Electrical and Computer Engineering at Purdue University. He received B.Tech and M.Tech degrees in Electrical Engineering from Indian Institute of Technology (IIT) Kharagpur in 2012. His research interests are in the areas of game theory, network economics, behavioral decision theory, security of networked systems and queueing games.

In this talk, we will leverage the framework of game theory to understand the effects of decentralized decision-making on the robustness and security of large-scale networked systems. In the first part of this talk, we will consider a setting where each node in the network is an independent decision maker who wants to protect itself, and the probability of attack on a node is a function of the security investment by the node and its immediate neighbors in the network. Accordingly, the security investment of a node depends on its position in the network and its perception of attack probability. We will investigate the impact of certain empirically established behavioral biases, that affect how users perceive probabilities of risky outcomes, on the security investment decisions of the nodes. We will further characterize the structures of networks that maximize and minimize the expected fraction of nodes that are successfully attacked at the Nash equilibrium of the game, respectively. In the second part of the talk, we will consider a setting where each decision maker is responsible for defending multiple nodes in the network, and strategic attacker(s) launch multi-stage attacks that spread through the network. We will show that the problem of computing the best response for a defender can be formulated as a convex optimization problem. We will then illustrate the application of this framework in problems that arise in networked cyber-physical systems.

Large corporations evolve over time. The technology they produce, the services they provide, the working practices and the IT that supports are changing at an ever increasing rate. From its formation in 1906, Rolls-Royce has been synonymous will high quality engineering and currently develops power systems to propel commercial airliners to Luxury Yachts. The company strives to maintain its market leading position through considerable investment in R&D and the Intellectual Property and engineering ‘know-how' developed needs to be kept secure in Cyber Space. About the speaker: In Rolls-Royce, Neil is responsible globally for IT and Information Security. He Joined Rolls-Royce in 2015 from CERT-UK, the national Computer Emergency Response Team in the UK, where he was Deputy Director Operations. In his role at CERT-UK Neil was responsible for Cyber Incident Handling across the UK Critical National Infrastructure as well as being responsible for Situational Awareness and being the sponsor for the UK's flagship Cyber security Information Sharing Partnership (CiSP) – a Government Industry collaboration to share cyber threat intelligence. Prior to CERT-UK Neil worked for QinetiQ where he ran their Security Operations Centre and was the Operations Director for their security division. In his early career Neil was a defence operational analyst before moving into business management and running change programs.Educated at the University of Nottingham he is married with two sons.

Large corporations evolve over time. The technology they produce, the services they provide, the working practices and the IT that supports are changing at an ever increasing rate. From its formation in 1906, Rolls-Royce has been synonymous will high quality engineering and currently develops power systems to propel commercial airliners to Luxury Yachts. The company strives to maintain its market leading position through considerable investment in R&D and the Intellectual Property and engineering ‘know-how’ developed needs to be kept secure in Cyber Space.

The threat landscape is changing significantly; complexity and rate of attacks is ever increasing, and the network defender does not have enough resources (people, technology, intelligence, and context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics, and Procedures (TTP). This increased understanding of the latest cyber-attacks would enable cyber defenders to better support and defend the network, thereby increasing the cost to the adversary by making it more difficult to successfully attack an enterprise. This talk will discuss our deception framework, we have created a live, unpredictable, and adaptable Deception Environment leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. By leveraging actionable data, in real-time or after a sustained engagement, the Deception Environment may be easily modified to interact with and change the perception of the adversary on-the-fly. This ability to change what and where the attacker is on the network, as well as change and modify the content of the adversary on exfiltration and infiltration, is the defining novelty of our Deception Environment.

The threat landscape is changing significantly; complexity and rate of attacks is ever increasing, and the network defender does not have enough resources (people, technology, intelligence, and context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics, and Procedures (TTP). This increased understanding of the latest cyber-attacks would enable cyber defenders to better support and defend the network, thereby increasing the cost to the adversary by making it more difficult to successfully attack an enterprise. This talk will discuss our deception framework, we have created a live, unpredictable, and adaptable Deception Environment leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. By leveraging actionable data, in real-time or after a sustained engagement, the Deception Environment may be easily modified to interact with and change the perception of the adversary on-the-fly. This ability to change what and where the attacker is on the network, as well as change and modify the content of the adversary on exfiltration and infiltration, is the defining novelty of our Deception Environment. About the speaker: Vincent was raised by his grandparents, both originally from Guatemala who immigrated to the U.S. in the 1960's. As a family, they moved from Manhattan to Albuquerque, New Mexico when Vincent was six years old. Dedicated to their grandchild and his upbringing, they taught him to take responsibility for his own life, to give back to his community and to his country. A curious boy who broke things while taking them apart to see how they worked, he was also entrepreneurial starting a candy selling business in elementary school. He saved his money and bought things that his grandparents could not afford, like a soldering kit. Vincent grew up in neighborhood labeled the "War Zone" made up of hard working but largely impoverished immigrants with its share of violence and gang problems as well as remarkable diversity. Vincent stayed out of trouble becoming involved in extracurricular activities and one of those, the Upward Bound Program gave him the opportunity to spend a high school summer at the University of New Mexico taking classes in math, literature, science and electives. Vincent took advantage of many opportunities this program would offer. His entrepreneurial spirit got him taking community college classes while still in high school and in his sophomore year, he was accepted for an internship at Sandia National Laboratories in its computer support unit. With the support of mentors, he was soon one of the go-to techs fixing computers and getting networks running again. A CyberCorps Scholarship for Service allowed him to stay at Sandia after graduation. He continued to excel and taking associated undergraduate and graduate level internships while earning his bachelor's and master's degree in computer science from New Mexico Tech. Today, Vincent Urias is a computer engineer, and Principal Member of Technical Staff in Sandia's Cyber Analysis Research Development Department continuing to make major contributions to Sandia's cyber defense programs, especially in the simulation of complex networks, in developing innovative cyber security methods, and in designing exercise scenarios that test the limits of current network security. This work is helping Sandia's customers anticipate current and emerging security threats and make critical decisions about their investments. Vincent and his team use technologies to conduct cyber defense exercises in partnership with the U.S. Department of Defense, and to support national security in collaboration with colleagues at other U.S. Department of Energy national laboratories, Department of Defense national laboratories, and the U.S. military.Vincent gives back to the community in a variety of ways, providing guidance and inspiration to college interns in the lab's Center for Cyber Defenders, he supports building computer labs for local organizations and is also helping to create an Urban Wildlife Refuge in Albuquerque's South Valley among other things. Vincent is currently pursuing his Ph.D. in computer science, at New Mexico Tech. He was honored by GMiS with a HENAAC Luminary Award in October of 2016.

BGP enables as a network of networks, and is also a network of trust. The most clear instantiation of that trust is the updating of router tables based on unsubstantiated announcements. The positive result of this trust is that the network can be extremely responsive to failures, and recover quickly. Yet the very trust that enables resilience creates risks from behavior lacking either technical competence or benevolence. Threats to the control plane have included political interference, misguided network configurations, and other mischief. Our goal is to look at solutions that treat BGP as an economic political artifact that embeds trust, and change the game in BGP defense. One step is to classify route updates along a continuum of trust, exploring new algorithms that will give a measure of integrity assurance to BGP updates. We have explored the application of machine learning techniques with the variety of data available (technical, rates of change, economic, and geopolitical) as network topology is changed via BGP updates in order to generate probabilistic (not only cryptographic) trust indicators for those changes. With this understanding, we develop technologies that embed economic incentives that have immediate value to the adopting party and also have second order system-wide security properties. In this talk I begin with the definition of the problem as economic, describe empirical work in macro-economics of security, and close with the description of an example solution called Bongo.’

BGP enables as a network of networks, and is also a network of trust. The most clear instantiation of that trust is the updating of router tables based on unsubstantiated announcements. The positive result of this trust is that the network can be extremely responsive to failures, and recover quickly. Yet the very trust that enables resilience creates risks from behavior lacking either technical competence or benevolence. Threats to the control plane have included political interference, misguided network configurations, and other mischief. Our goal is to look at solutions that treat BGP as an economic political artifact that embeds trust, and change the game in BGP defense.One step is to classify route updates along a continuum of trust, exploring new algorithms that will give a measure of integrity assurance to BGP updates. We have explored the application of machine learning techniques with the variety of data available (technical, rates of change, economic, and geopolitical) as network topology is changed via BGP updates in order to generate probabilistic (not only cryptographic) trust indicators for those changes. With this understanding, we develop technologies that embed economic incentives that have immediate value to the adopting party and also have second order system-wide security properties. In this talk I begin with the definition of the problem as economic, describe empirical work in macro-economics of security, and close with the description of an example solution called Bongo.' About the speaker: Jean Camp is a Professor at the School of Informatics and Computing at Indiana University. She joined Indiana after eight years at Harvard's Kennedy School where her courses were also listed in Harvard Law, Harvard Business, and the Engineering Systems Division of MIT. She spent the year after earning her doctorate from Carnegie Mellon as a Senior Member of the Technical Staff at Sandia National Laboratories. She began her career as an engineer at Catawba Nuclear Station and with a MSEE at University of North Carolina at Charlotte. Her research focuses on the intersection of human and technical trust, levering economic models and human-centered design to create safe, secure systems. She is the author of two monographs. In addition, she has authored more than one hundred fifty publications, including more than one hundred peer-reviewed publications.

Cybersecurity threats are constantly evolving and becoming more sophisticated. This has been observed through advanced spear phishing campaigns, increase in ransomware families/variants and the use of IoT devices for DDOS attacks. As well, the tactics, techniques and procedures (TTPs) utilize by bad actors are evolving with the technology and seemingly staying one step ahead of security technologies. This presentation will look at some of the trends from the past year and look at the emerging cyber threats for 2017 and beyond.

Cybersecurity threats are constantly evolving and becoming more sophisticated. This has been observed through advanced spear phishing campaigns, increase in ransomware families/variants and the use of IoT devices for DDOS attacks. As well, the tactics, techniques and procedures (TTPs) utilize by bad actors are evolving with the technology and seemingly staying one step ahead of security technologies. This presentation will look at some of the trends from the past year and look at the emerging cyber threats for 2017 and beyond. About the speaker: Nick Sturgeon is the Manager of the Indiana Information Sharing and Analysis Center (IN-ISAC) and the Security Operations Center (SOC). As the Manager of the IN-ISAC, Nick is responsible for overall strategic planning, budget planning, project oversite, and ensures all efforts are focused on achieving the IN-ISAC's mission. Nick also provides management and oversight of the IN-ISAC's Security Awareness and Training program, as well as direction on IN-ISAC/SOC policy and procedure development. As the SOC Manager, Nick is responsible for all day to day operations of the SOC. Additionally, Nick serves as the Deputy Director for Cyber for the Indiana Intelligence Fusion Center (IIFC). As the Deputy Director for Cyber, Nick is responsible for developing and distributing cyber threat information to multiple sectors. Nick is actively involved with the Information Sharing and Analysis Organization's Standards Organization's (ISAO-SO), were he serves as a co-lead for Working Group 4 and is a member of three other ISAO-SO Working Groups. Before joining the Indiana Office of Technology, Nick spent eight years with the Indiana State Police serving various roles. Nick held ranks of Trooper, Sergeant and First Sergeant. His last assignment was in the Criminal Justice Data Division and serving as the Assistant Commander of the Information Technology Section.  Nick earned a B.S. in Management Information Systems from Indiana State University 2003, and a M.S. with a specialization in Cyber Forensics from Purdue University in 2015.

Differential privacy aims at learning information about the population as a whole, while protecting the privacy of each individual. With its quantifiable privacy and utility guarantees, differential privacy is becoming standard in the field of privacy-preserving data analysis. On the other hand, most cryptographic systems for their privacy properties rely on a stronger notion of indistinguishability, where an adversary should not be able to (non-negligibly) distinguish between two scenarios. Nevertheless, there exists some cryptographic system scenarios for which the notion of indistinguishability is known to be impossible to achieve. It is natural to ask if one can define differential privacy-motivated privacy notions to accurately quantify the privacy loss in those scenarios. In this talk, we will study two such scenarios. Our first scenario will consider (non-)uniform randomness employed in cryptographic primitives. It is well-known that indistinguishability-based definitions of cryptographic primitives are impossible to realize in systems where parties only have access to non-extractable sources of randomness. I will demonstrate that it is, nevertheless, possible to quantify this secrecy (or privacy) loss due to some non-extractable sources (such as the Santha-Vazirani sources) using a generalization of indistinguishability inspired by differential privacy. Our second scenario will capture privacy properties of anonymous communication networks (e.g., Tor). In particular, I will present our AnoA framework that relies on a novel relaxation of differential privacy to enables a unified quantitative analysis of properties such as sender anonymity, sender unlinkability, and relationship anonymity.

Differential privacy aims at learning information about the population as a whole, while protecting the privacy of each individual. With its quantifiable privacy and utility guarantees, differential privacy is becoming standard in the field of privacy-preserving data analysis. On the other hand, most cryptographic systems for their privacy properties rely on a stronger notion of indistinguishability, where an adversary should not be able to (non-negligibly) distinguish between two scenarios. Nevertheless, there exists some cryptographic system scenarios for which the notion of indistinguishability is known to be impossible to achieve. It is natural to ask if one can define differential privacy-motivated privacy notions to accurately quantify the privacy loss in those scenarios. In this talk, we will study two such scenarios.Our first scenario will consider (non-)uniform randomness employed in cryptographic primitives. It is well-known that indistinguishability-based definitions of cryptographic primitives are impossible to realize in systems where parties only have access to non-extractable sources of randomness. I will demonstrate that it is, nevertheless, possible to quantify this secrecy (or privacy) loss due to some non-extractable sources (such as the Santha-Vazirani sources) using a generalization of indistinguishability inspired by differential privacy.Our second scenario will capture privacy properties of anonymous communication networks (e.g., Tor). In particular, I will present our AnoA framework that relies on a novel relaxation of differential privacy to enables a unified quantitative analysis of properties such as sender anonymity, sender unlinkability, and relationship anonymity. About the speaker: Prof. Aniket Kate is an assistant Professor in the the computer science department at Purdue university. Before joining Purdue in 2015, Prof. Kate was a junior faculty member and an independent research group leader at Saarland University in Germany, where he was heading the Cryptographic Systems Research Group. He was a postdoctoral researcher at Max Planck Institute for Software Systems (MPI-SWS), Germany for 2010 until 2012, and he received his PhD from the University of Waterloo, Canada in 2010.Prof. Kate designs, implements, and analyzes transparency and privacy enhancing technologies. His research integrates applied cryptography and distributed systems.