
Publication


Featured research published by Mihai Christodorescu.


symposium on usable privacy and security | 2013

What matters to users?: factors that affect users' willingness to share information with online advertisers

Pedro Giovanni Leon; Blase Ur; Yang Wang; Manya Sleeper; Rebecca Balebako; Richard Shay; Lujo Bauer; Mihai Christodorescu; Lorrie Faith Cranor

Much of the debate surrounding online behavioral advertising (OBA) has centered on how to provide users with notice and choice. An important element left unexplored is how advertising companies' privacy practices affect users' attitudes toward data sharing. We present the results of a 2,912-participant online study investigating how facets of privacy practices (data retention, access to collected data, and scope of use) affect users' willingness to allow the collection of behavioral data. We asked participants to visit a health website, explained OBA to them, and outlined policies governing data collection for OBA purposes. These policies varied by condition. We then asked participants about their willingness to permit the collection of 30 types of information. We identified classes of information that most participants would not share, as well as classes that nearly half of participants would share. More restrictive data-retention and scope-of-use policies increased participants' willingness to allow data collection. In contrast, whether the data was collected on a well-known site and whether users could review and modify their data had minimal impact. We discuss public policy implications and improvements to user interfaces to align with users' privacy preferences.


privacy enhancing technologies | 2016

(Do Not) Track Me Sometimes: Users’ Contextual Preferences for Web Tracking

William Melicher; Mahmood Sharif; Joshua Tan; Lujo Bauer; Mihai Christodorescu; Pedro Giovanni Leon

Online trackers compile profiles on users for targeting ads, customizing websites, and selling users’ information. In this paper, we report on the first detailed study of the perceived benefits and risks of tracking, and the reasons behind them, conducted in the context of users’ own browsing histories. Prior work has studied this in the abstract; in contrast, we collected browsing histories from and interviewed 35 people about the perceived benefits and risks of online tracking in the context of their own browsing behavior. We find that many users want more control over tracking and think that controlled tracking has benefits, but are unwilling to put in the effort to control tracking or distrust current tools. We confirm previous findings that users’ general attitudes about tracking are often at odds with their comfort in specific situations. We also identify specific situational factors that contribute to users’ preferences about online tracking and explore how and why. Finally, we examine a sample of popular tools for controlling tracking and show that they only partially address the situational factors driving users’ preferences. We suggest opportunities to improve such tools, and explore the use of a classifier to automatically determine whether a user would be comfortable with tracking on a particular page visit; our results suggest this is a promising direction for future work.


the internet of things | 2017

Learning Execution Contexts from System Call Distribution for Anomaly Detection in Smart Embedded System

Man-Ki Yoon; Sibin Mohan; Jaesik Choi; Mihai Christodorescu; Lui Sha

Existing techniques used for anomaly detection do not fully utilize the intrinsic properties of embedded devices. In this paper, we propose a lightweight method for detecting anomalous executions using a distribution of system call frequencies. We use a cluster analysis to learn the legitimate execution contexts of embedded applications and then monitor them at run-time to capture abnormal executions. Our prototype applied to a real-world open-source embedded application shows that the proposed method can effectively detect anomalous executions without relying on sophisticated analyses or affecting the critical execution paths.


architectural support for programming languages and operating systems | 2016

PIFT: Predictive Information-Flow Tracking

Man-Ki Yoon; Negin Salajegheh; Yin Chen; Mihai Christodorescu

Phones today carry sensitive information and have a great number of ways to communicate that data. As a result, malware that steals money or information, or simply disables functionality, has hit the app stores. Current security solutions for preventing undesirable data leaks are mostly high-overhead and have not been practical enough for smartphones. In this paper, we show that by simply monitoring just some instructions (only memory loads and stores) it is possible to achieve low overhead, highly accurate information flow tracking. Our method achieves 98% accuracy (0% false positive and 2% false negative) over DroidBench and was able to successfully catch seven real-world malware instances that steal phone number, location, and device ID using SMS messages and HTTP connections.


information reuse and integration | 2014

Stream computing for large-scale, multi-channel cyber threat analytics

Douglas Lee Schales; Mihai Christodorescu; Xin Hu; Jiyong Jang; Josyula R. Rao; Reiner Sailer; Marc Ph. Stoecklin; Wietse Z. Venema; Ting Wang

The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.


acm international conference on systems and storage | 2016

The DragonBeam Framework: Hardware-Protected Security Modules for In-Place Intrusion Detection

Man-Ki Yoon; Mihai Christodorescu; Lui Sha; Sibin Mohan

The sophistication of malicious adversaries is increasing every day and most defenses are often easily overcome by such attackers. Many existing defensive mechanisms often make differing assumptions about the underlying systems and use varied architectures to implement their solutions. This often leads to fragmentation among solutions and could even open up additional vulnerabilities in the system. We present the DragonBeam Framework that enables system designers to implement their own monitoring methods and analyses engines to detect intrusions in modern operating systems. It is built upon a novel hardware/software mechanism. Depending on the type of monitoring that is implemented using this framework, the impact on the monitored system is very low. This is demonstrated by the use cases presented in this paper that also showcase how the DragonBeam framework can be used to detect different types of attack.


IBM Journal of Research and Development | 2016

Passive security intelligence to analyze the security risks of mobile/BYOD activities

Marc Ph. Stoecklin; Kapil Singh; Larry Koved; Xin Hu; Suresh Chari; Josyula R. Rao; Pau-Chen Cheng; Mihai Christodorescu; Reiner Sailer; Douglas Lee Schales

As enterprises embrace mobile technologies and enable their employees to bring their own devices, traditional security mechanisms are challenged by the co-location of personal and business activities on employee-owned mobile devices on the enterprise network. This presents a new risk to enterprises as employee-owned devices can now be used as stepping stones for bypassing traditional enterprise perimeter security. Current Bring Your Own Device (BYOD) programs usually either do not manage employee-owned devices or are limited by self-enrollment and device heterogeneity challenges. In this paper, we introduce a novel, nonintrusive big data analytics methodology to obtain visibility into mobile device usage. At the heart of the methodology is an inference algorithm that uses a dynamic decision tree in near real-time to fingerprint mobile devices and their usage by analyzing passively collected network data. Information, such as device type, device model, and operating systems/versions, as well as applications and their patch level, can be inferred—all without an agent installed on the devices. We correlate such information with supplemental security intelligence (e.g., vulnerability information) to discover previously unknown mobile devices on an organization's network and to establish their security posture and risk. Our evaluation on a major corporate network indicates that mobile devices can be reliably identified while mitigating their potential threats, thus demonstrating that our methodology provides valuable insights to enterprise security administrators.


annual computer security applications conference | 2014

TroGuard: context-aware protection against web-based socially engineered trojans

Rui Han; Alejandro Mesa; Mihai Christodorescu; Saman A. Zonouz

Despite the increasing number of social engineering attacks through web browser applications, detection of socially engineered trojan downloads by enticed victim users remains a challenging endeavor. In this paper, we present TroGuard, a semi-automated web-based trojan detection solution, that notifies the user if the application she downloaded behaves differently than what she expected at download time. TroGuard builds on the hypothesis that in spite of millions of currently downloadable executables on the Internet, almost all of them provide functionalities from a limited set. Additionally, because each functionality, e.g., text editor, requires particular system resources, it exhibits a unique system-level activity pattern. During an offline process, TroGuard creates a profile dictionary of various functionalities. This profile dictionary is then used to warn the user if she downloads an executable whose observed activity does not match its advertised functionality (extracted through automated analysis of the download website). Our experimental results prove the above mentioned premise empirically and show that TroGuard can identify real-world socially engineered trojan download attacks effectively.


Archive | 2013

Inter-Module Authentication for Securing Application Execution Integrity Within A Computing Device

Mihai Christodorescu; Rajarshi Gupta


Archive | 2014

Adaptive Observation of Driver and Hardware Level Behavioral Features on a Mobile Device

Rajarshi Gupta; Mihai Christodorescu
