
Publication


Featured research published by Paul Giura.


2012 International Conference on Cyber Security | 2012

A Context-Based Detection Framework for Advanced Persistent Threats

Paul Giura; Wei Wang

Besides a large set of malware categories such as worms and Trojan horses, Advanced Persistent Threat (APT) is another more sophisticated attack entity emerging in the cyber threats environment. In this paper we propose a model of the APT detection problem as well as a methodology to implement it on a generic organization network. From our knowledge, the proposed method is the first to address the problem of modeling an APT and to provide a possible detection framework.


Computer and Communications Security | 2007

Highly efficient techniques for network forensics

Miroslav Ponec; Paul Giura; Hervé Brönnimann; Joel Wein

Given a history of packet transmissions and an excerpt of a possible packet payload, the payload attribution problem requires the identification of sources, destinations and the times of appearance on a network of all the packets that contained such payload. A module to solve this problem has recently been proposed as the core component in a network forensics system. Network forensics provides useful tools for investigating cybercrimes on the Internet, by, for example, tracing the spread of worms and viruses, identifying who has received a phishing email in an enterprise, or discovering which insider allowed an unauthorized disclosure of sensitive information. In general it is infeasible to store and query the actual packets, therefore we focus on extremely compressed digests of the packet activity. We propose several new methods for payload attribution which utilize Rabin fingerprinting, shingling, and winnowing. Our best methods allow data reduction ratios greater than 100:1 while supporting queries with very low false positive rates, and provide efficient querying capabilities given reasonably small excerpts of a payload. Our results outperform current state-of-the-art methods both in terms of false positive rates and data reduction ratio. Finally, these approaches directly allow the collected data to be stored and queried by an untrusted party without disclosing any payload information nor the contents of queries.


ACM Transactions on Information and System Security | 2010

New payload attribution methods for network forensic investigations

Miroslav Ponec; Paul Giura; Joel Wein; Hervé Brönnimann

Payload attribution can be an important element in network forensics. Given a history of packet transmissions and an excerpt of a possible packet payload, a payload attribution system (PAS) makes it feasible to identify the sources, destinations, and the times of appearance on a network of all the packets that contained the specified payload excerpt. A PAS, as one of the core components in a network forensics system, enables investigating cybercrimes on the Internet by, for example, tracing the spread of worms and viruses, identifying who has received a phishing e-mail in an enterprise, or discovering which insider allowed an unauthorized disclosure of sensitive information. Due to the increasing volume of network traffic in today's networks, it is infeasible to effectively store and query all the actual packets for extended periods of time in order to allow analysis of network events for investigative purposes; therefore, we focus on extremely compressed digests of the packet activity. We propose several new methods for payload attribution, which utilize Rabin fingerprinting, shingling, and winnowing. Our best methods allow building practical payload attribution systems, which provide data reduction ratios greater than 100:1 while supporting efficient queries with very low false positive rates. We demonstrate the properties of the proposed methods and specifically analyze their performance and practicality when used as modules of a network forensics system ForNet. Our experimental results outperform current state-of-the-art methods both in terms of false positives and data reduction ratio. Finally, these approaches directly allow the collected data to be stored and queried by an untrusted party without disclosing any payload information nor the contents of queries.


International Conference on Communications | 2012

Mitigating SMS spam by online detection of repetitive near-duplicate messages

Baris Coskun; Paul Giura

Short Message Service (SMS) spam is increasingly becoming a problem for many telecommunication service providers. Not only do SMS spam messages use mobile network resources abusively, but also in many cases they represent malware propagation vectors for mobile devices. In this work, we propose a network-based online detection method for SMS spam messages. The proposed scheme uses robust text signatures to identify similar messages that are sent excessively in the SMS platform and is robust against slight modifications in SMS spam messages. Additionally, the method uses a fast online algorithm which can be deployed in large carrier networks to detect spam activities before too many spam messages are delivered. It does not store SMS message contents, therefore it does not compromise the privacy of mobile subscribers.


Recent Advances in Intrusion Detection | 2010

NetStore: an efficient storage infrastructure for network forensics and monitoring

Paul Giura; Nasir D. Memon

With the increasing sophistication of attacks, there is a need for network security monitoring systems that store and examine very large amounts of historical network flow data. An efficient storage infrastructure should provide both high insertion rates and fast data access. Traditional row-oriented Relational Database Management Systems (RDBMS) provide satisfactory query performance for network flow data collected only over a period of several hours. In many cases, such as the detection of sophisticated coordinated attacks, it is crucial to query days', weeks' or even months' worth of disk-resident historical data rapidly. For such monitoring and forensics queries, row-oriented databases become I/O bound due to long disk access times. Furthermore, their data insertion rate is proportional to the number of indexes used, and query processing time is increased when it is necessary to load unused attributes along with the used ones. To overcome these problems we propose a new column-oriented storage infrastructure for network flow records, called NetStore. NetStore is aware of network data semantics and access patterns, and benefits from the simple column-oriented layout without the need to meet general purpose RDBMS requirements. The prototype implementation of NetStore can potentially achieve more than ten times query speedup and ninety times less storage size compared to traditional row-stores, while it performs better than existing open source column-stores for network flow data.


Conference on Data and Application Security and Privacy | 2014

Is it really you?: user identification via adaptive behavior fingerprinting

Paul Giura; Ilona Murynets; Roger Piqueras Jover; Yevgeniy Vahlis

The increased popularity of mobile devices widens opportunities for a user either to lose the device or to have the device stolen and compromised. At the same time, user interaction with a mobile device generates a unique set of features such as dialed numbers, timestamps of communication activities, contacted base stations, etc. This work proposes several methods to identify the user based on her communications history. Specifically, the proposed methods detect an abnormality based on the behavior fingerprint generated by a set of features from the network for each user session. We present an implementation of such methods that use features from real SMS and voice call records from a major tier 1 cellular operator. This can potentially trigger a rapid reaction upon an unauthorized user gaining control of a lost or stolen terminal, preventing data compromise and device misuse. The proposed solution can also detect background malicious traffic originated by, for example, a malicious application running on the mobile device. Our experiments with anonymized data from 10,000 users, representing over 14 million SMS and voice call detail records, show that the proposed methods are scalable and can continuously identify millions of mobile users while preserving data privacy, and achieving low false positives and high misuse detection rates with low storage and computation overhead.


Computer Software and Applications Conference | 2011

The Security Cost of Content Distribution Network Architectures

Paul Giura; Gustavo De Los Reyes

Content Distribution Network (CDN) architectures face a wide range of security threats. In this paper, we compare the cost of achieving low and high security for different CDN architectures. We reviewed the existing and emerging systems, identified the threats that they face, defined the general security requirements and considered the mechanisms available to meet the requirements. To assess the security cost, we first defined the process for selecting security mechanisms, and then defined the process for ranking the mechanisms for each architecture. The security comparison result clearly shows that the more the cost of providing service is pushed to the end points, the higher the security cost. To the best of our knowledge, this study is the first effort to assess a security cost comparison of different CDN architectures. Our work is orthogonal to other studies that try to find ways of reducing the content distribution service cost, rather than quantifying the cost to provide service security.


The Internet of Things | 2018

Sapphire: using network gateways for IoT security

Paul Giura; Trevor Jim

The increasing popularity of IoT devices in both residences and enterprises has widened the attack surface for network connected devices. Many popular IoT devices have unpatched vulnerabilities or default passwords and lack basic security mechanisms, making them easy prey for malware and botnets. In this paper, we share our experience of designing and using an experimental deployment of network gateways to provide IoT security, to both the IoT devices and the gateways themselves. We propose three approaches for framework design and collecting the network data, each providing different levels of visibility into IoT device behavior. Finally we present our methodology and experimental evaluation of a small-scale deployment of gateways and IoT devices for volumetric anomaly detection and IoT device identification using the data collected by the gateways behind the NAT, or in the cloud, outside the NAT. We believe that securing IoT devices can be more efficient and effective when there is more visibility into device activity and security capabilities are deployed close to the devices, in the gateway. However, a hybrid approach in which data is collected on the gateways and analyzed in the cloud can be more practical; special considerations regarding sensitive data storage and privacy guarantees have to be taken into account.


International Conference on Cyber Security and Cloud Computing | 2015

Safe Internet Browsing Using a Transparent Virtual Browser

Jeffrey Bickford; Paul Giura

With the proliferation of Internet access across the globe, as well as the advancement of many new devices and next generation networks, it is no surprise that malware infection via web browsing is still one of the most significant threats to Internet users today. Over the past several years we have also seen the increase in advanced targeted attacks against corporations which steal intellectual property and sensitive customer information. This problem is amplified as security is bypassed for work productivity and usability, while mobile devices increasingly access sensitive information. Though many organizations are beginning to invest significantly into securing their internal corporate network, users are typically given access to the Internet for web browsing purposes, leaving the enterprise vulnerable to drive-by downloads and data exfiltration attacks. In this work we propose a new method to safely browse the Internet by redirecting web requests to a cloud-based Transparent Virtual Browser. Web browsing requests are automatically redirected to the Transparent Virtual Browser via a transparent network proxy, protecting against user configuration errors or malware running on the device. The virtual browsing session is streamed back to the user securely, while maintaining a seamless user experience. Experiments show that our architecture can isolate web attacks from a user's machine, protecting enterprises from most of the attacks to which they are vulnerable today. Using a small user trial we tested our solution with several popular web browsers on various operating systems and report on their feedback. Our testing also shows that our prototype only incurs a small initial delay when browsing to a webpage while maintaining a seamless browsing experience for the rest of the browsing session.


International Conference on Security and Cryptography | 2014

Efficient Network-Based Enforcement of Data Access Rights

Paul Giura; Vladimir Kolesnikov; Aris Tentes; Yevgeniy Vahlis

Today, databases, especially those serving/connected to the Internet need strong protection against data leakage stemming from misconfiguration, as well as from attacks, such as SQL injection.
