Jian Chang

Analyzing and defending against web-based malware

Web-based malware is a growing threat to todays Internet security. Attacks of this type are prevalent and lead to serious security consequences. Millions of malicious URLs are used as distribution channels to propagate malware all over the Web. After being infected, victim systems fall in the control of attackers, who can utilize them for various cyber crimes such as stealing credentials, spamming, and distributed denial-of-service attacks. Moreover, it has been observed that traditional security technologies such as firewalls and intrusion detection systems have only limited capability to mitigate this new problem. In this article, we survey the state-of-the-art research regarding the analysis of—and defense against—Web-based malware attacks. First, we study the attack model, the root cause, and the vulnerabilities that enable these attacks. Second, we analyze the status quo of the Web-based malware problem. Third, three categories of defense mechanisms are discussed in detail: (1) building honeypots with virtual machines or signature-based detection system to discover existing threats; (2) using code analysis and testing techniques to identify the vulnerabilities of Web applications; and (3) constructing reputation-based blacklists or smart sandbox systems to protect end-users from attacks. We show that these three categories of approaches form an extensive solution space to the Web-based malware problem. Finally, we compare the surveyed approaches and discuss possible future research directions.

Spam mitigation using spatio-temporal reputations from blacklist history

IP blacklists are a spam filtering tool employed by a large number of email providers. Centrally maintained and well regarded, blacklists can filter 80+% of spam without having to perform computationally expensive content-based filtering. However, spammers can vary which hosts send spam (often in intelligent ways), and as a result, some percentage of spamming IPs are not actively listed on any blacklist. Blacklists also provide a previously untapped resource of rich historical information. Leveraging this history in combination with spatial reasoning, this paper presents a novel reputation model (PreSTA), designed to aid in spam classification. In simulation on arriving email at a large university mail system, PreSTA is capable of classifying up to 50% of spam not identified by blacklists alone, and 93% of spam on average (when used in combination with blacklists). Further, the system is consistent in maintaining this blockage-rate even during periods of decreased blacklist performance. PreSTA is scalable and can classify over 500,000 emails an hour. Such a system can be implemented as a complementary blacklist service or used as a first-level filter or prioritization mechanism on an email server.

Trust in collaborative web applications

Collaborative functionality is increasingly prevalent in web applications. Such functionality permits individuals to add-and sometimes modify-web content, often with minimal barriers-to-entry. Ideally, large bodies of knowledge can be amassed and shared in this manner. However, such software also provide a medium for nefarious persons to operate. By determining the extent to which participating content/agents can be trusted, one can identify useful contributions. In this work, we define the notion of trust for collaborative web applications and survey the state-of-the-art for calculating, interpreting, and presenting trust values. Though techniques can be applied broadly, Wikipedias archetypal nature makes it a focal point for discussion.

QuanTM: a quantitative trust management system

Quantitative Trust Management (QTM) provides a dynamic interpretation of authorization policies for access control decisions based on upon evolving reputations of the entities involved. QuanTM, a QTM system, selectively combines elements from trust management and reputation management to create a novel method for policy evaluation. Trust management, while effective in managing access with delegated credentials (as in PolicyMaker and KeyNote), needs greater flexibility in handling situations of partial trust. Reputation management provides a means to quantify trust, but lacks delegation and policy enforcement. This paper reports on QuanTMs design decisions and novel policy evaluation procedure. A representation of quantified trust relationships, the trust dependency graph, and a sample QuanTM application specific to the KeyNote trust management language, are also proposed.

A trust model for vehicular network-based incident reports

Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) networks are ephemeral, short-duration wireless networks designed for improving the overall driving experience through the exchange of multitude information among vehicles and the infrastructure. Real-time incident report is an important application domain that can leverage the advantage of vehicular networks to greatly improve driving safety. However, given the presence of malicious entities, blindly trusting such incident report (even the one received through a cryptographically secure channel) can lead to undesirable consequences. In this paper, we propose an approach to determine the likelihood of the accuracy of V2V incident reports based on the trustworthiness of the report originator and those vehicles that forward it. The proposed approach takes advantage of existing V2I communication facilities deployed and managed by central traffic authorities, which can be used to collect vehicle behavior information in a crowd-sourcing fashion for constructing a more comprehensive view of vehicle trustworthiness. For validating our scheme, we implemented a V2V/V2I trust simulator by extending an existing V2V simulator with trust management capabilities. Preliminary analysis of the model shows promising results. By combining our trust modeling technique with a threshold-based decision strategy, we observed on average 85% accuracy.

Reputation-based networked control with data-corrupting channels

We examine the problem of reliable networked control when the communication channel between the controller and the actuator periodically drops packets and is faulty (i.e., corrupts/alters data). We first examine the use of a standard triple modular redundancy scheme (where the control input is sent via three independent channels) with majority voting to achieve mean square stability. While such a scheme is able to tolerate a single faulty channel when there are no packet drops, we show that the presence of lossy channels prevents a simple majority-voting approach from stabilizing the system. Moreover, the number of redundant channels that are required in order to maintain stability under majority voting increases with the probability of packet drops. We then propose the use of a reputation management scheme to overcome this problem, where each channel is assigned a reputation score that predicts its potential accuracy based on its past behavior. The reputation system builds on the majority voting scheme and improves the overall probability of applying correct (stabilizing) inputs to the system. Finally, we provide analytical conditions on the probabilities of packet drops and corrupted control inputs under which mean square stability can be maintained, generalizing existing results on stabilization under packet drops.

AS-TRUST: a trust quantification scheme for autonomous systems in BGP

The Border Gateway Protocol (BGP) works by frequently exchanging updates that disseminate reachability information about IP prefixes (i.e., IP address blocks) between Autonomous Systems (ASes) on the Internet. The ideal operation of BGP relies on three major behavioral assumptions (BAs): (1) information contained in the update is legal and correct, (2) a route to a prefix is stable, and (3) the route adheres to the valley free routing policy. The current operation of BGP implicitly trusts all ASes to adhere to these assumptions. However, several documented violation of these assumptions attest to the fact that such an assumption of trust is perilous. This paper presents AS-TRUST, a scheme that comprehensively characterizes the trustworthiness of ASes with respect to their adherence of the behavioral assumptions. AS-TRUST quantifies trust using the notion of AS reputation. To compute reputation, AS-TRUST analyzes updates received in the past. It then classifies the resulting observations into multiple types of feedback. The feedback is used by a reputation function that uses Bayesian statistics to compute a probabilistic view of AS trustworthiness. This information can then be used for improving quotidian BGP operation by enabling improved route preference and dampening decision making at the ASes. Our implementation of AS-TRUST scheme using publicly available BGP traces demonstrates: (1) the number of ASes involved in violating the BGP behavioral assumptions is significant, and (2) the proposed reputation mechanism provides multi-fold improvement in the ability of ASes to operate in the presence of BA violations.

Link spamming Wikipedia for profit

Collaborative functionality is an increasingly prevalent web technology. To encourage participation, these systems usually have low barriers-to-entry and permissive privileges. Unsurprisingly, ill-intentioned users try to leverage these characteristics for nefarious purposes. In this work, a particular abuse is examined -- link spamming -- the addition of promotional or otherwise inappropriate hyperlinks. Our analysis focuses on the wiki model and the collaborative encyclopedia, Wikipedia, in particular. A principal goal of spammers is to maximize exposure, the quantity of people who view a link. Creating and analyzing the first Wikipedia link spam corpus, we find that existing spam strategies perform quite poorly in this regard. The status quo spamming model relies on link persistence to accumulate exposures, a strategy that fails given the diligence of the Wikipedia community. Instead, we propose a model that exploits the latency inherent in human anti-spam enforcement. Statistical estimation suggests our novel model would produce significantly more link exposures than status quo techniques. More critically, the strategy could prove economically viable for perpetrators, incentivizing its exploitation. To this end, we address mitigation strategies.

TrustForge: Flexible access control for collaborative crowd-sourced environment

Observing the success of the open source software movement, the Adaptive Vehicle Make (AVM) is a program run by the Defense Advanced Project Agency (DARPA) with the goal of applying crowd-sourced and component-based engineering to the design of military vehicles. In this paper, we present a credentialing system called TrustForge, which enables effective and flexible access control for the AVMcrowd-sourced repository. Credentialing systems are essential in crowdsourcing to ensure quality, since it is potentially open to contributions made by anyone. The open source software community has developed elaborate manual approaches of managing its contributor community, which are often very labor-intensive and inefficient. Our aim with TrustForge is to improve the automation of the credentialing and access control process in the context of component-based systems, where users contribute components at various levels of abstraction. TrustForge takes a hybrid approach that combines trust policy and reputation to address this problem. In TrustForge, a policy language is used to specify the access control rules for users in the system to contribute components. In addition, reputation values computed for users based on the quality of their past component contributions are used to tune the static policies to enable flexibility and adaptiveness. The contributions of this work are as follows: (1) the design of TrustForge - an effective and flexible access control mechanism that combines policy and reputation approaches; (2) the identification of heuristics for component quality measurement and a novel reputation computation algorithm for evaluating user trustworthiness; (3) a data model based on provenance graphs that allows efficient repository information storage and retrieve. We have implemented TrustForge system and integrate it with the VehicleForge repository system to support the operation of the AVM challenge program. The evaluation results based on realworld deployment and systematic simulation demonstrate that TrustForge can effectively discern the trustworthiness of users within the crowd-sourced system.

HMM-based characterization of channel behavior for networked control systems

We study the problem of characterizing the behavior of lossy and data corrupting communication channels in a networked control setting, where the channels behavior exhibits temporal correlation. We propose a behavior characterization mechanism based on a hidden Markov model (HMM). The use of a HMM in this regard presents multiple challenges including dealing with incomplete observation sequences (due to data losses and corruptions) and the lack of a priori information about the model complexity (number of states in the model). We address the first challenges by using the plant state information and history of received/applied control inputs to fill in the gaps in the observation sequences, and by enhancing the HMM learning algorithm to deal with missing observations. Further, we adopt two model quality criteria for determining behavior model complexity. The contributions of this paper include: (1) an enhanced learning algorithm for refining the HMM model parameters to handle missing observations, and (2) simultaneous use of two well-defined model quality criteria to determine the model complexity. Simulation results demonstrate over 90% accuracy in predicting the output of a channel at a given time step, when compared to a traditional HMM based model that requires complete knowledge of the model complexity and observation sequence.