Haixin Duan
Tsinghua University
Publication
Featured research published by Haixin Duan.
IEEE Symposium on Security and Privacy | 2014
Jinjin Liang; Jian Jiang; Haixin Duan; Tao Wan; Jianping Wu
Content Delivery Network (CDN) and Hypertext Transfer Protocol Secure (HTTPS) are two popular but independent web technologies, each of which has been well studied individually and independently. This paper provides a systematic study on how these two work together. We examined 20 popular CDN providers and 10,721 of their customer web sites using HTTPS. Our study reveals various problems with the current HTTPS practice adopted by CDN providers, such as widespread use of invalid certificates, private key sharing, neglected revocation of stale certificates, and insecure back-end communication. While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service. To address the delegation problem when HTTPS meets CDN, we proposed and implemented a lightweight solution based on DANE (DNS-based Authentication of Named Entities), an emerging IETF protocol complementing the current Web PKI model. Our implementation demonstrates that it is feasible for HTTPS to work with CDN securely and efficiently. This paper intends to provide a context for future discussion within security and CDN community on more preferable solutions.
Computer and Communications Security | 2014
Kun Yang; Jianwei Zhuge; Yongke Wang; Lujue Zhou; Haixin Duan
Capability leak is a vulnerability in Android applications, which violates the enforcement of permission model and threatens the secure usage of Android phone users. Malicious applications can launch permission escalation attacks with this vulnerability. In this paper, we propose a dynamic Intent fuzzing mechanism to uncover vulnerable applications in both Android markets and closed source ROMs. We built a prototype called IntentFuzzer. With it, we analyzed more than 2000 Android applications in Google Play and hundreds of in-rom applications inside two closed source ROMs. We found that 161 applications in Google Play have at least one permission leak, and 26 permissions in Xiaomi Hongmi phone and 19 permissions in Lenovo K860i stock phone are leaked. Finally, we give several cases of exploitation to verify our analysis result.
ACM Special Interest Group on Data Communication | 2013
Hongyu Gao; Vinod Yegneswaran; Yan Chen; Phillip A. Porras; Shalini Ghosh; Jian Jiang; Haixin Duan
The performance and operational characteristics of the DNS protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid TLDs. Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor, and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.
Autonomic and Trusted Computing | 2009
Hong Zhang; Haixin Duan; Wu Liu; Jianping Wu
While reputation systems have already been applied in the field of anti-spam, they still have some shortcomings in terms of reputation database scale and vulnerability to evasion by adverse users. To solve these problems, we present a novel reputation system named IPGroupRep. The performance of this system is evaluated on some real-world datasets and compared to the existing reputation systems. The experimental results show that IPGroupRep could effectively separate spam from legitimate messages.
2011 First International Workshop on Complexity and Data Mining | 2011
Wu Liu; Ping Ren; Ke Liu; Haixin Duan
Malware, such as Trojan horses, worms and spyware, severely threatens the Internet. We observed that although malware and its variants may vary a lot in content signatures, they share some behavior features at a higher level which are more precise in revealing the real intent of malware. This paper investigates the technique of malware behavior extraction, presents the formal Malware Behavior Feature (MBF) extraction method, and proposes the malicious behavior feature based malware detection algorithm. Finally, we designed and implemented the MBF-based malware detection system, and the experimental results show that it can detect newly appeared unknown malware.
Passive and Active Network Measurement | 2013
Jinjin Liang; Jian Jiang; Haixin Duan; Jianping Wu
We surveyed the latency of upper DNS hierarchy from 19593 vantage points around the world to investigate the impact of uneven distribution of top level DNS servers on end-user latency. Our findings included: 1) generally top level DNS servers served Internet users efficiently, with median latency 20.26ms for root, 42.64ms for .com/.net, 39.07ms for .org; 2) quality of service was uneven, Europe and North America were the best while Africa and South America were 3 to 6 times worse; 3) most of the root servers performed well in Europe and North America, but only F, J, L roots showed low query latency in other continents; 4) query latency of F and L roots showed that only about 60 resolvers were routed to the nearest anycast instances. We also revealed two problems that lead to constantly large query latency (6s~18s) for resolvers. One was buggy implementation of some resolvers on IPv4/IPv6 dual-stack hosts, the other was misconfigured middle-boxes that filtered large or fragmented DNSSEC packets.
Science in China Series F: Information Sciences | 2008
Hong Zhang; Haixin Duan; Wu Liu
Reputation systems represent soft security mechanisms that complement traditional information security mechanisms. They are now widely used in online e-commerce markets and communities in order to stimulate good behaviors as well as to restrain adverse behaviors. This paper analyzes the limitations of the conversational reputation models and proposes an incentive reputation model called the resilient reputation model (RRM) for the distributed reputation systems. The objective of this reputation model is not only to encourage the users to provide good services and, therefore, to maximize the probability of good transaction outcomes, but also to punish those adverse users who are trying to manipulate the application systems. The simulation results indicate that the proposed reputation model (RRM) could effectively resist against the common adverse behaviors, while protecting the profits of sincere users from being blemished by those adversaries.
International Symposium on Communications and Information Technologies | 2007
Xing Lu; Haixin Duan; Xing Li
Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can be used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.
Computer Communications | 2011
Jia Zhang; Haixin Duan; Wu Liu; Jianping Wu
Compared with traditional static Client/Server architecture, the P2P architecture is more suitable for anonymous communication systems because it is more flexible and can keep load balance better. However, in order to make the system usable and reliable, some system designs make tradeoffs between anonymity and performance such as reliability, latency and throughput. Tradeoffs are sometimes unavoidable in system design, but which tradeoffs are acceptable and which are not is very important for developers. This paper models the P2P anonymous communications and takes quantitative analysis of anonymity by information theory with entropy. Based on this analysis, it studies the effect of key system design strategies on anonymity in network architecture, routing and message relay, and measures which strategies should be used in anonymous communications and which are unreasonable. Some analysis results are contrary to our intuition. For example, it quantitatively concludes that in some cases the anonymity is not enhanced when the system scale increases, and too long an anonymous tunnel may not provide higher anonymity but lowers performance. These analysis results are valuable for developers of P2P anonymous communication systems. Besides, this paper also discusses some possible strategies such as trust and reputation to enhance the P2P anonymous communications.
IEEE/ACM Transactions on Networking | 2016
Hongyu Gao; Vinod Yegneswaran; Jian Jiang; Yan Chen; Phillip A. Porras; Shalini Ghosh; Haixin Duan
The performance and operational characteristics of the Domain Name System (DNS) protocol are of deep interest to the research and network operations community. In this paper, we present measurement results from a unique dataset containing more than 26 billion DNS query-response pairs collected from more than 600 globally distributed recursive DNS resolvers. We use this dataset to reaffirm findings in published work and notice some significant differences that could be attributed both to the evolving nature of DNS traffic and to our differing perspective. For example, we find that although characteristics of DNS traffic vary greatly across networks, the resolvers within an organization tend to exhibit similar behavior. We further find that more than 50% of DNS queries issued to root servers do not return successful answers, and that the primary cause of lookup failures at root servers is malformed queries with invalid top-level domains (TLDs). Furthermore, we propose a novel approach that detects malicious domain groups using temporal correlation in DNS queries. Our approach requires no comprehensive labeled training set, which can be difficult to build in practice. Instead, it uses a known malicious domain as anchor and identifies the set of previously unknown malicious domains that are related to the anchor domain. Experimental results illustrate the viability of this approach, i.e., we attain a true positive rate of more than 96%, and each malicious anchor domain results in a malware domain group with more than 53 previously unknown malicious domains on average.