Bradley Reaves
University of Florida
Publication
Featured research published by Bradley Reaves.
Wireless Network Security | 2013
Saurabh Chakradeo; Bradley Reaves; Patrick Traynor; William Enck
Malware is a pressing concern for mobile application market operators. While current mitigation techniques are keeping pace with the relatively infrequent presence of malicious code, the rapidly increasing rate of application development makes manual and resource-intensive automated analysis costly at market-scale. To address this resource imbalance, we present the Mobile Application Security Triage (MAST) architecture, a tool that helps to direct scarce malware analysis resources towards the applications with the greatest potential to exhibit malicious behavior. MAST analyzes attributes extracted from just the application package using Multiple Correspondence Analysis (MCA), a statistical method that measures the correlation between multiple categorical (i.e., qualitative) data. We train MAST using over 15,000 applications from Google Play and a dataset of 732 known-malicious applications. We then use MAST to perform triage on three third-party markets of different size and malware composition---36,710 applications in total. Our experiments show that MAST is both effective and performant. Using MAST ordered ranking, malware-analysis tools can find 95% of malware at the cost of analyzing 13% of the non-malicious applications on average across multiple markets, and MAST triage processes markets in less than a quarter of the time required to perform signature detection. More importantly, we show that successful triage can dramatically reduce the costs of removing malicious applications from markets.
2010 eCrime Researchers Summit | 2010
Wei Gao; Thomas H. Morris; Bradley Reaves; Drew Richey
SCADA systems are widely used in critical infrastructure sectors, including electricity generation and distribution, oil and gas production and distribution, and water treatment and distribution. SCADA process control systems are typically isolated from the internet via firewalls. However, they may still be subject to illicit cyber penetrations and may be subject to cyber threats from disgruntled insiders. We have developed a set of command injection, data injection, and denial of service attacks which leverage the lack of authentication in many common control system communication protocols including MODBUS, DNP3, and EtherNET/IP. We used these exploits to aid in development of a neural network based intrusion detection system which monitors control system physical behavior to detect artifacts of command and response injection attacks. Finally, we present intrusion detection accuracy results for our neural network based IDS which includes input features derived from physical properties of the control system.
International Journal of Critical Infrastructure Protection | 2011
Thomas H. Morris; Anurag K. Srivastava; Bradley Reaves; Wei Gao; Kalyan Pavurapu; Ram Reddi
This paper describes the Mississippi State University SCADA Security Laboratory and Power and Energy Research laboratory. This laboratory combines model control systems from multiple critical infrastructure industries to create a testbed with functional physical processes controlled by commercial hardware and software over common industrial control system routable and non-routable networks. Laboratory exercises, functional demonstrations, and lecture material from the testbed have been integrated into a newly developed industrial control system cybersecurity course, into multiple other engineering and computer science courses, and into a series of short courses targeted to industry. Integration into the classroom allows the testbed to provide a workforce development function, prepares graduate students for research activities, and raises the profile of this research area with students. The testbed enables a research process in which cybersecurity vulnerabilities are discovered, exploits are used to understand the implications of the vulnerability on controlled physical processes, identified problems are classified by criticality and by similarities in type and effect, and finally cybersecurity mitigations are developed and validated within the testbed. Overviews of research enabled by the testbed are provided, including descriptions of software and network vulnerability research, a description of a forensic data logger capability developed using the testbed to retrofit existing serial port MODBUS and DNP3 devices, and a description of intrusion detection research which leverages unique characteristics of industrial control systems.
North American Power Symposium | 2009
Thomas H. Morris; Anurag K. Srivastava; Bradley Reaves; Kalyan Pavurapu; Sherif Abdelwahed; Rayford B. Vaughn; Wesley McGrew; Yoginder S. Dandass
Cyber-physical energy systems require the integration of heterogeneous physical layers and decision control networks, mediated by decentralized and distributed local sensing/actuation structures backed by an information layer. With the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) [1] requirements and the President's vision of more secure, reliable and controllable cyber-physical systems, a new paradigm for modeling and research investigation is needed. In this paper, we present common challenges and our vision of solutions to design advanced cyber-physical energy systems with embedded security and distributed control. Finally, we present a survey of our research results in this domain.
International Journal of Information Security | 2012
Bradley Reaves; Thomas H. Morris
Industrial control system security has been a topic of scrutiny and research for several years, and many security issues are well known. However, research efforts are impeded by a lack of an open virtual industrial control system testbed for security research. This paper describes a virtual testbed framework using Python to create discrete testbed components including virtual devices and process simulators. The virtual testbed is designed such that the testbeds are inter-operable with real industrial control system devices and such that the virtual testbeds can provide comparable industrial control system network behavior to a laboratory testbed. Two virtual testbeds modeled upon actual laboratory testbeds have been developed and have been shown to be inter-operable with real industrial control system equipment and vulnerable to attacks in the same manner as a real system. Additionally, these testbeds have been quantitatively shown to produce traffic close to laboratory systems.
International Journal of Critical Infrastructure Protection | 2012
Bradley Reaves; Thomas H. Morris
Industrial radios deployed in critical infrastructure provide a potential vector for attackers to penetrate control systems used in the food and agriculture, chemical, critical manufacturing, dams, energy, defense industrial base, government facilities, nuclear reactors, materials and waste, transportation and water sectors. Industrial radios offer convenience and flexibility in deployment while presenting cyber security challenges that wired communications do not. This paper presents a survey of literature related to wireless communications cyber security. The paper focuses on vulnerabilities and mitigations related to multiple industrial radio technologies deployed in control systems including IEEE 802.15.4, WirelessHART, ZigBee, Bluetooth, and IEEE 802.11. This paper also discusses how industrial radio vulnerabilities may be used as vectors for simple and complex attacks on control systems found in critical infrastructure. Finally, this paper provides a set of recommendations for securing wireless networks used in control systems.
2009 eCrime Researchers Summit | 2009
Bradley Reaves; Thomas H. Morris
Process control systems and Supervisory Control and Data Acquisition (SCADA) systems use computers to control physical processes in many critical industries including electric power generation, electric power distribution, gas pipelines, waste treatment, water distribution, and many others. Because process control systems can be spread over large distances, wired connections become infeasible. Commercially available wireless radios are often used in place of wires to connect network nodes. In this paper we provide an overview of process control systems, discuss how process control systems differ from networks commonly found in the information technology domain, demonstrate the ability to detect and infiltrate a wireless radio network used in control systems, and finally, detail a denial of service attack against a process control system. This attack denies feedback from nodes monitoring the controlled physical process and is therefore a dangerous cyber-attack.
ACM Computing Surveys | 2016
Bradley Reaves; Jasmine Bowers; Sigmund Albert Gorski; Olabode Anise; Rahul Bobhate; Raymond Cho; Hiranava Das; Sharique Hussain; Hamza Karachiwala; Nolen Scaife; Byron Wright; Kevin R. B. Butler; William Enck; Patrick Traynor
The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community’s efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities. We close by offering suggestions on how the community can more successfully move forward.
IEEE Symposium on Security and Privacy | 2016
Bradley Reaves; Nolen Scaife; Dave Tian; Logan Blue; Patrick Traynor; Kevin R. B. Butler
Text messages sent via the Short Message Service (SMS) have revolutionized interpersonal communication. Recent years have also seen this service become a critical component of the security infrastructure, assisting with tasks including identity verification and second-factor authentication. At the same time, this messaging infrastructure has become dramatically more open and connected to public networks than ever before. However, the implications of this openness, the security practices of benign services, and the malicious misuse of this ecosystem are not well understood. In this paper, we provide the first longitudinal study to answer these questions, analyzing nearly 400,000 text messages sent to public online SMS gateways over the course of 14 months. From this data, we are able to identify not only a range of services sending extremely sensitive plaintext data and implementing low entropy solutions for one-use codes, but also offer insights into the prevalence of SMS spam and behaviors indicating that public gateways are primarily used for evading account creation policies that require verified phone numbers. This latter finding has significant implications for research combatting phone-verified account fraud and demonstrates that such evasion will continue to be difficult to detect and prevent.
International World Wide Web Conferences | 2017
Adam M. Bates; Wajih Ul Hassan; Kevin R. B. Butler; Alin Dobra; Bradley Reaves; Patrick T. Cable; Thomas Moyer; Nabil Schear
Detecting and explaining the nature of attacks in distributed web services is often difficult: determining the nature of suspicious activity requires following the trail of an attacker through a chain of heterogeneous software components including load balancers, proxies, worker nodes, and storage services. Unfortunately, existing forensic solutions cannot provide the necessary context to link events across complex workflows, particularly in instances where application layer semantics (e.g., SQL queries, RPCs) are needed to understand the attack. In this work, we present a transparent provenance-based approach for auditing web services through the introduction of Network Provenance Functions (NPFs). NPFs are a distributed architecture for capturing detailed data provenance for web service components, leveraging the key insight that mediation of an application's protocols can be used to infer its activities without requiring invasive instrumentation or developer cooperation. We design and implement NPF with consideration for the complexity of modern cloud-based web services, and evaluate our architecture against a variety of applications including DVDStore, RUBiS, and WikiBench to show that our system imposes as little as 9.3% average end-to-end overhead on connections for realistic workloads. Finally, we consider several scenarios in which our system can be used to concisely explain attacks. NPF thus enables the hassle-free deployment of semantically rich provenance-based auditing for complex application workflows in the Cloud.