Fareed Zaffar

Identifying the provenance of correlated anomalies

Identifying when anomalous activity is correlated in a distributed system is useful for a range of applications from intrusion detection to tracking quality of service. The more specific the logs, the more precise the analysis they allow. However, collecting detailed logs from across a distributed system can deluge the network fabric. We present an architecture that allows fine-grained auditing on individual hosts, space-efficient representation of anomalous activity that can be centrally correlated, and tracing anomalies back to individual files and processes in the system. A key contribution is the design of an anomaly-provenance bridge that allows opaque digests of anomalies to be mapped back to their associated provenance.

Sketching Distributed Data Provenance

Users can determine the precise origins of their data by collecting detailed provenance records. However, auditing at a finer grain produces large amounts of metadata. To efficiently manage the collected provenance, several provenance management systems, including SPADE, record provenance on the hosts where it is generated. Distributed provenance raises the issue of efficient reconstruction during the query phase. Recursively querying provenance metadata or computing its transitive closure is known to have limited scalability and cannot be used for large provenance graphs. We present matrix filters, which are novel data structures for representing graph information, and demonstrate their utility for improving query efficiency with experiments on provenance metadata gathered while executing distributed workflow applications.

Fine-grained tracking of Grid infections

Previous distributed anomaly detection efforts have operated on summary statistics gathered from each node. This has the advantage that the audit trail is limited in size since event sets can be succinctly represented. While this minimizes the bandwidth consumed and helps scale the detection to a large number of nodes, it limits the infrastructures ability to identify the source of anomalies. We describe three optimizations that together allow fine-grained tracking of the sources of anomalous activity in a Grid, thereby facilitating precise responses. We demonstrate the schemes scalability in terms of storage and network bandwidth overhead with an implementation on nodes running BOINC. The results generalize to other types of Grids as well.

Mining on Someone Else’s Dime: Mitigating Covert Mining Operations in Clouds and Enterprises

Covert cryptocurrency mining operations are causing notable losses to both cloud providers and enterprises. Increased power consumption resulting from constant CPU and GPU usage from mining, inflated cooling and electricity costs, and wastage of resources that could otherwise benefit legitimate users are some of the factors that contribute to these incurred losses. Affected organizations currently have no way of detecting these covert, and at times illegal miners and often discover the abuse when attackers have already fled and the damage is done.

Characterizing key stakeholders in an online black-hat marketplace

Over the past few years, many black-hat marketplaces have emerged that facilitate access to reputation manipulation services such as fake Facebook likes, fraudulent search engine optimization (SEO), or bogus Amazon reviews. In order to deploy effective technical and legal countermeasures, it is important to understand how these black-hat marketplaces operate, shedding light on the services they offer, who is selling, who is buying, what are they buying, who is more successful, why are they successful, etc. Toward this goal, in this paper, we present a detailed micro-economic analysis of a popular online black-hat marketplace, namely, SEOClerks.com. As the site provides non-anonymized transaction information, we set to analyze selling and buying behavior of individual users, propose a strategy to identify key users, and study their tactics as compared to other (non-key) users. We find that key users: (1) are mostly located in Asian countries, (2) are focused more on selling black-hat SEO services, (3) tend to list more lower priced services, and (4) sometimes buy services from other sellers and then sell at higher prices. Finally, we discuss the implications of our analysis with respect to devising effective economic and legal intervention strategies against marketplace operators and key users.

Field evaluation of a blood based test for active tuberculosis in endemic settings

Over 9 million new active tuberculosis (TB) cases emerge each year from an enormous pool of 2 billion individuals latently infected with Mycobacterium tuberculosis (M. tb.) worldwide. About 3 million new TB cases per year are unaccounted for, and 1.5 million die. TB, however, is generally curable if diagnosed correctly and in a timely manner. The current diagnostic methods for TB, including state-of-the-art molecular tests, have failed in delivering the capacity needed in endemic countries to curtail this ongoing pandemic. Efficient, cost effective and scalable diagnostic approaches are critically needed. We report a multiplex TB serology panel using microbead suspension array containing a combination of 11 M.tb. antigens that demonstrated overall sensitivity of 91% in serum/plasma samples from TB patients confirmed by culture. Group wise sensitivities for sputum smear positive and negative patients were 95%, and 88%, respectively. Specificity of the test was 96% in untreated COPD patients and 91% in general healthy population. The sensitivity of this test is superior to that of the frontline sputum smear test with a comparable specificity (30–70%, and 93–99%, respectively). The multiplex serology test can be performed with scalability from 1 to 360 patients per day, and is amenable to automation for higher (1000s per day) throughput, thus enabling a scalable clinical work flow model for TB endemic countries. Taken together, the above results suggest that well defined antibody profiles in blood, analyzed by an appropriate technology platform, offer a valuable approach to TB diagnostics in endemic countries.

Sneak-Peek: High speed covert channels in data center networks

With the advent of big data, modern businesses face an increasing need to store and process large volumes of sensitive customer information on the cloud. In these environments, resources are shared across a multitude of mutually untrusting tenants increasing propensity for data leakage. This problem stands to grow further in severity with increasing use of clouds in all aspects of our daily lives and the recent spate of high-profile data exfiltration attacks are evidence. To highlight this serious issue, we present a novel and highspeed network-based covert channel that is robust and circumvents a broad set of security mechanisms currently deployed by cloud vendors. We successfully test our channel on numerous network environments, including commercial clouds such as EC2 and Azure. Using an information theoretic model of the channel, we derive an upper bound on the maximum information rate and propose an optimal coding scheme. Our adaptive decoding algorithm caters to the cross traffic in the channel and maintains high bit rates and extremely low error rates. Finally, we discuss several effective avenues for mitigation of the aforementioned channel and provide insights into how data exfiltration can be prevented in such shared environments.

Optimized Rollback and Re-computation

Large data processing tasks can be effected using workflow management systems. When either the input data or the programs in the pipeline are modified, the workflow must be re-executed to ensure that the final output data is updated to reflect the changes. Since such re-computation can consume substantial resources, optimizing the system to avoid redundant computation is desirable. In the case of a workflow, the dependency relationships between files are specified at the outset and can be leveraged to track which programs need to be re-executed when particular files change. Current distributed systems cannot provide such functionality when no predefined workflows exist. In this paper, we present an architecture that provides functionality to produce both correct output as well as fast re-execution by leveraging the provenance of data to propagate changes along an implicit dependency graph. We explore the tradeoff between storage and availability by presenting a performance analysis of our rollback and re-execution scheme.

Covert channels in online rogue-like games

Covert channels allow two parties to exchange secret data in the presence of adversaries without disclosing the fact that there is any secret data in their communications. We propose and implement EEDGE, an improved method for steganography in mazes that builds upon the work done by Lee et al; and has a significantly higher embedding capacity. We apply EEDGE to the setting of online rogue-like games, which have randomly generated mazes as the levels for players; and show that this can be used to successfully create an efficient, error-free, high bit-rate covert channel.

Finding Needle in the Case-Stack: Effective Remote Monitoring of Courts

Delay in the judicial processes and pendency of existing cases is an old problem that has defied easy solutions in Pakistan. Most cases are trapped in the system due to a huge backlog of cases, excessive litigation in urban areas, corruption by the court staff and lack of proper monitoring of the functioning of courts. Efficient supervision and monitoring of courts can help in resolving some of the key problems in the system. We present preliminary results from a novel case record-keeping, management and monitoring solution that is able to meet several key performance goals of the National Judicial Policy. The overall aim of the work is to facilitate the work of the monitoring judges by helping them find the proverbial needle in the haystack and not get deluged by the volume of data routinely produced by the typical case-management systems. In this paper, we explore the application of intrusion detection techniques, such as the statistical anomaly detection schemes, to case management systems and present the results from our extensive case studies. Our proposed system, now in pilot, shows high accuracy in flagging anomalous cases, reduces the overall volume of information generated by the system and can help target several of the key reasons behind case pendency while bringing much needed transparency to the overall case-flow.