Learning Software Behavior for Automated Diagnosis

Ori Bar-Ilan, Roni Stern and Meir Kalech

The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017

Learning Software Behavior for Automated Diagnosis

Ori Bar-Ilan, Roni Stern and Meir Kalech

The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017

Software diagnosis algorithms aim to identify the faulty
software components that caused a failure. A key challenges
of existing software diagnosis algorithms is how to prioritize
the outputted diagnoses. To do so, previous work proposed
a method for estimating the likelihood that each diagnosis
is correct. Computing these diagnosis likelihoods is nontrivial.
We propose to do this by learning a behavior model
of the software components and use it to identify abnormally
behaving components. In this work we show the potential
of such an approach by performing an empirical evaluation
on a synthetic behavior model of the components. The results
show that even an imperfect behavior model is useful
in improving diagnosis accuracy and minimizing wasted
troubleshooting efforts.

Download
PDF
In collaboration with IDC Herzliya + Technion and UCLA

Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation

Elette Boyle, Niv Gilboa and Yuval Ishai

Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017

In collaboration with IDC Herzliya + Technion and UCLA

Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation

Elette Boyle, Niv Gilboa and Yuval Ishai

Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017

A recent work of Boyle et al. (Crypto 2016) suggests that
“group-based” cryptographic protocols, namely ones that only rely on a cryptographically hard (Abelian) group, can be surprisingly powerful. In particular, they present succinct two-party protocols for securely computing
branching programs and NC1 circuits under the DDH assumption,
providing the first alternative to fully homomorphic encryption.
In this work we further explore the power of group-based secure computation
protocols, improving both their asymptotic and concrete effi-
ciency. We obtain the following results.
– Black-box use of group. We modify the succinct protocols of Boyle
et al. so that they only make a black-box use of the underlying group,
eliminating an expensive non-black-box setup phase.
– Round complexity. For any constant number of parties, we obtain
2-round MPC protocols based on a PKI setup under the DDH assumption.
Prior to our work, such protocols were only known using fully
homomorphic encryption or indistinguishability obfuscation.
– Communication complexity. Under DDH, we present a secure 2-
party protocol for any NC1 or log-space computation with n input bits
and m output bits using n + (1 + o(1))m + poly(λ) bits of communication,
where λ is a security parameter. In particular, our protocol
can generate n instances of bit-oblivious-transfer using (4 + o(1)) · n
bits of communication. This gives the first constant-rate OT protocol
under DDH.
– Computation complexity. We present several techniques for
improving the computational cost of the share conversion procedure of
Boyle et al., improving the concrete efficiency of group-based protocols
by several orders of magnitude.

Download
PDF
In collaboration with Technion and UCLA

Ad Hoc PSM Protocols: Secure Computation Without Coordination

Amos Beimel, Yuval Ishai, Eyal Kushilevitz

Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017

In collaboration with Technion and UCLA

Ad Hoc PSM Protocols: Secure Computation Without Coordination

Amos Beimel, Yuval Ishai, Eyal Kushilevitz

Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017

We study the notion of ad hoc secure computation, recently introduced by Beimel et al. (ITCS 2016), in the context of the Private Simultaneous Messages (PSM) model of Feige et al. (STOC 2004). In ad hoc secure computation we have n parties that may potentially participate in a protocol but, at the actual time of execution, only k of them, whose identity is not known in advance, actually participate. This situation is particularly challenging in the PSM setting, where protocols are non-interactive (a single message from each participating party to a special output party) and where the parties rely on pre-distributed, correlated randomness (that in the ad-hoc setting will have to take into account all possible sets of participants).

We present several different constructions of ad hoc PSM protocols from standard PSM protocols. These constructions imply, in particular, that efficient information-theoretic ad hoc PSM protocols exist for NC 11 and different classes of log-space computation, and efficient computationally-secure ad hoc PSM protocols for polynomial-time computable functions can be based on a one-way function. As an application, we obtain an information-theoretic implementation of order-revealing encryption whose security holds for two messages.

We also consider the case where the actual number of participating parties t may be larger than the minimal k for which the protocol is designed to work. In this case, it is unavoidable that the output party learns the output corresponding to each subset of k out of the t participants. Therefore, a “best possible security” notion, requiring that this will be the only information that the output party learns, is needed. We present connections between this notion and the previously studied notion of t-robust PSM (also known as “non-interactive MPC”). We show that constructions in this setting for even simple functions (like AND or threshold) can be translated into non-trivial instances of program obfuscation (such as point function obfuscation and fuzzy point function obfuscation, respectively). We view these results as a negative indication that protocols with “best possible security” are impossible to realize efficiently in the information-theoretic setting or require strong assumptions in the computational setting.

Download
PDF
In collaboration with IBM

Supervised Detection of Infected Machines Using Anti-virus Induced Labels

Tomer Cohen, Danny Hendler and Dennis Potashnik

CSCML 2017, pages 211-220

In collaboration with IBM

Supervised Detection of Infected Machines Using Anti-virus Induced Labels

Tomer Cohen, Danny Hendler and Dennis Potashnik

CSCML 2017, pages 211-220

Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade.

We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.

Download
PDF
In collaboration with IBM

CyberRank: Knowledge Elicitation for Risk Assessment of Database Security

H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach

Proceedings of the 25th ACM International on Conference on Information and Knowledge Management

In collaboration with IBM

CyberRank: Knowledge Elicitation for Risk Assessment of Database Security

H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach

Proceedings of the 25th ACM International on Conference on Information and Knowledge Management

Security systems for databases produce numerous alerts about
anomalous activities and policy rule violations. Prioritizing these
alerts will help security personnel focus their efforts on the most
urgent alerts. Currently, this is done manually by security experts
that rank the alerts or define static risk scoring rules. Existing
solutions are expensive, consume valuable expert time, and do not
dynamically adapt to changes in policy.
Adopting a learning approach for ranking alerts is complex due to
the efforts required by security experts to initially train such a
model. The more features used, the more accurate the model is
likely to be, but this will require the collection of a greater amount
of user feedback and prolong the calibration process. In this paper,
we propose CyberRank, a novel algorithm for automatic preference
elicitation that is effective for situations with limited experts’ time
and outperforms other algorithms for initial training of the system.
We generate synthetic examples and annotate them using a model
produced by Analytic Hierarchical Processing (AHP) to bootstrap
a preference learning algorithm. We evaluate different approaches
with a new dataset of expert ranked pairs of database transactions,
in terms of their risk to the organization. We evaluated using
manual risk assessments of transaction pairs, CyberRank outperforms all other methods for cold start scenario with error reduction of 20%.

Download
PDF

Anomaly detection for smartphone data streams

Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach

Pervasive and Mobile Computing 35, 83-107, 2017

Anomaly detection for smartphone data streams

Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach

Pervasive and Mobile Computing 35, 83-107, 2017

Smartphones centralize a great deal of users’ private information and are thus a primary target for cyber-attack. The main goal of the attacker is to try to access and exfiltrate the private information stored in the smartphone without detection. In situations where explicit information is lacking, these attackers can still be detected in an automated way by analyzing data streams (continuously sampled information such as an application’s CPU consumption, accelerometer readings, etc.). When clustered, anomaly detection techniques may be applied to the data stream in order to detect attacks in progress. In this paper we utilize an algorithm called pcStream that is well suited for detecting clusters in real world data streams and propose extensions to the pcStream algorithm designed to detect point, contextual, and collective anomalies. We provide a comprehensive evaluation that addresses mobile security issues on a unique dataset collected from 30 volunteers over eight months. Our evaluations show that the pcStream extensions can be used to effectively detect data leakage (point anomalies) and malicious activities (contextual anomalies) associated with malicious applications. Moreover, the algorithm can be used to detect when a device is being used by an unauthorized user (collective anomaly) within approximately 30 s with 1 false positive every two days.

Download
PDF

The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case

Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai

SEMS (2017)

The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case

Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai

SEMS (2017)

Security-conscious users are very careful with software
they allow their phone to run. They are much less
careful with the choices they make regarding accessories such
as headphones or chargers and only few, if any, care about
cyber security threats coming from the phone’s protective
case. We show how a malicious smartphone protective case
can be used to detect and monitor the victim’s interaction
with the phone’s touchscreen, opening the door to keyloggerlike
attacks, threatening the user’s security and privacy. This
feat is achieved by implementing a hidden capacitive sensing
mechanism inside the case. Our attack is both sensitive enough
to track the user’s finger location across the screen, and
simple and cheap enough to be mass-produced and deployed en
masse. We discuss the theoretical principles behind this attack,
present a preliminary proof-of-concept, and discuss potential
countermeasures and mitigations.

Download
PDF

Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks

Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai

IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)

Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks

Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai

IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)

Reconnaissance is the initial and essential phase
of a successful advanced persistent threat (APT). In many
cases, attackers collect information from social media, such as
professional social networks. This information is used to select
members that can be exploited to penetrate the organization.
Detecting such reconnaissance activity is extremely hard because
it is performed outside the organization premises. In this paper,
we propose a framework for management of social network
honeypots to aid in detection of APTs at the reconnaissance
phase. We discuss the challenges that such a framework faces,
describe its main components, and present a case study based
on the results of a field trial conducted with the cooperation of
a large European organization. In the case study, we analyze the
deployment process of the social network honeypots and their
maintenance in real social networks. The honeypot profiles were
successfully assimilated into the organizational social network
and received suspicious friend requests and mail messages that
revealed basic indications of a potential forthcoming attack.
In addition, we explore the behavior of employees in professional
social networks, and their resilience and vulnerability toward
social network infiltration.

Download
PDF

Scalable Attack Path Finding for Increased Security

Tom Gonda, Rami Puzis, and Bracha Shapira

International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249

Scalable Attack Path Finding for Increased Security

Tom Gonda, Rami Puzis, and Bracha Shapira

International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249

Software vulnerabilities can be leveraged by attackers to gain control of a host. Attackers can then use the controlled hosts as stepping stones for compromising other hosts until they create a path to the critical assets. Consequently, network administrators must examine the protected network as a whole rather than each vulnerable host independently. To this end, various methods were suggested in order to analyze the multitude of attack paths in a given organizational network, for example, to identify the optimal attack paths. The down side of many of those methods is that they do not scale well to medium-large networks with hundreds or thousands of hosts. We suggest using graph reduction techniques in order to simplify the task of searching and eliminating optimal attacker paths. Results on an attack graph extracted from a network of a real organization with more than 300 hosts and 2400 vulnerabilities show that using the proposed graph reductions can improve the search time by a factor of 4 while maintaining the quality of the results.

Download
PDF
In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University

CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains

Reuth Mirsky, Ya'akov Gal, Stuart Shieber

ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45

In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University

CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains

Reuth Mirsky, Ya'akov Gal, Stuart Shieber

ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45

In exploratory domains, agents’ behaviors include switching between activities, extraneous actions, and mistakes.
Such settings are prevalent in real world applications such as interaction with open-ended software,
collaborative office assistants, and integrated development environments. Despite the prevalence of such
settings in the real world, there is scarce work in formalizing the connection between high-level goals and
low-level behavior and inferring the former from the latter in these settings. We present a formal grammar
for describing users’ activities in such domains. We describe a new top-down plan recognition algorithm
called CRADLE (Cumulative Recognition of Activities and Decreasing Load of Explanations) that uses this
grammar to recognize agents’ interactions in exploratory domains. We compare the performance of CRADLE
with state-of-the-art plan recognition algorithms in several experimental settings consisting of real and
simulated data. Our results show that CRADLE was able to output plans exponentially more quickly than
the state-of-the-art without compromising its correctness, as determined by domain experts. Our approach
can form the basis of future systems that use plan recognition to provide real-time support to users in a
growing class of interesting and challenging domains

Download
PDF
In collaboration with The Jerusalem College of Technology

Shortest path for K-Goals

Roni Stern, Meir Goldenberg, Ariel Felner

SoCS-2017 short paper

In collaboration with The Jerusalem College of Technology

Shortest path for K-Goals

Roni Stern, Meir Goldenberg, Ariel Felner

SoCS-2017 short paper

The k-goal problem is a generalization of the Shortest
Path Problem (SPP) in which the task is to solve k SPP problems,
such that all the problems share the same start vertex.
kGP was introduced to the heuristic search community for
building an Incremental Roadmap Spanner technique (Dobson
and Bekris 2014), which is a useful construct in motion
plannin for robotics. But kGP has many other applications,
e.g., when path planning for multiple drones flying from a
central dispatcher location to k target locations.

Download
PDF
In collaboration with PayPal

Session Analysis using Plan Recognition

Reuth Mirsky, Kobi Gal and David Tolpin

Interfaces and Scheduling and Planning (UISP)  ICAPS (2017)

In collaboration with PayPal

Session Analysis using Plan Recognition

Reuth Mirsky, Kobi Gal and David Tolpin

Interfaces and Scheduling and Planning (UISP)  ICAPS (2017)

This paper presents preliminary results of our work
with a major financial company, where we try to use
methods of plan recognition in order to investigate the
interactions of a costumer with the company’s online
interface. In this paper, we present the first steps of
integrating a plan recognition algorithm in a real-world
application for detecting and analyzing the interactions
of a costumer. It uses a novel approach for plan recognition
from bare-bone UI data, which reasons about
the plan library at the lowest recognition level in order
to define the relevancy of actions in our domain, and
then uses it to perform plan recognition.
We present preliminary results of inference on three different
use-cases modeled by domain experts from the
company, and show that this approach manages to decrease
the overload of information required from an analyst
to evaluate a costumer’s session — whether this
is a malicious or benign session, whether the intended
tasks were completed, and if not — what actions are
expected next.

Download
PDF
In collaboration with Sapir Academic College, Ashkelon, Israel

Advanced Flow Models for Computing the Reputation of Internet Domains

Hussien Othman, Ehud Gudes, Nurit Gal-Oz

IFIPTM 2017: 119-134

In collaboration with Sapir Academic College, Ashkelon, Israel

Advanced Flow Models for Computing the Reputation of Internet Domains

Hussien Othman, Ehud Gudes, Nurit Gal-Oz

IFIPTM 2017: 119-134

The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well and therefore detecting malicious domains using the DNS network topology is a key challenge.
In this work we improve the flow model presented by Mishsky etal. [12] for computing the reputation of domains. This flow model is applied on a graph of domains and IPs and propagates their reputation scores through the edges that connect them to express the impact of
malicious domains on related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are
strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company.
The experimental evaluation of our work have shown the expected improvement over previous work [12] in detecting malicious domains

12. Mishsky, I., Gal-Oz, N., Gudes, E.: A topology based flow model for computing
domain reputation. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 277–
292. Springer, Cham (2015). doi:10.1007/978-3-319-20810-7 20

Download
PDF

Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases

Yossif Shalabi, Ehud Gudes

DBSec 2017: 3-19

Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases

Yossif Shalabi, Ehud Gudes

DBSec 2017: 3-19

The support for Role-Based Access Control (RBAC) using cryptography for NOSQL distributed databases is investigated. Cassandra is a NoSQL DBMS that efficiently supports very large databases, but provides rather simple security measures (an agent having physical access to a Cassandra cluster is usually assumed to have access to all data therein). Support for RBAC had been added almost as an afterthought, with the Node Coordinator having to mediate all requests to read and write data, in order to ensure that only the requests allowed by the Access Control Policy (ACP) are allowed through. In this paper, we propose a model and protocols for cryptographic enforcement of an ACP in a cassandra like system, which would ease the load on the Node Coordinator, thereby taking the bottleneck out of the existing security implementation. We allow any client to read the data from any storage node(s) – provided that only the clients whom the ACP grants access to a datum, would hold the encryption keys that enable these clients to decrypt the data.

Download
PDF
In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party

Nir Maoz, Ehud Gudes

CSCML 2017: 193-195

In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party

Nir Maoz, Ehud Gudes

CSCML 2017: 193-195

We like to discuss the usability of new architecture of partitioned third party, offered in [1] for conducting a new protocols for data mining algorithms over shared data base between multiple data holders. Current solution for data mining over partitioned data base are: Data anonimization [4], homomorphic encryption [5], trusted third party [2] or secure multiparty computation algorithms [3]. Current solutions suffer from different problems such as expensive algorithms in terms of computation overhead and required communication rounds, revealing private information to third party. The new architecture offered by Sherman et al. allow the data holders to use simple masking techniques that are not expensive in computation nor assume trust in the third party, yet allow to perform simple and complex data mining algorithms between multiple data owners while private data is not revealed. That come with the assumption of no collude between the two parts of the PTTP.

1: Q sends the query to DBi, 1 ≤ i ≤ M, and the query type (either intersection or
union) to R.
2: Q sends R which private column participate in the query (e.g. the age column).
3: R generates a random permutation σ on the set of integers {1,…, 2|Ω|} and sends
it to DBi, 1 ≤ i ≤ M.
4: for all 1 ≤ i ≤ M do
5: DBi sets a Boolean vector Vi={vi,1,. . . ,vi,|Ω|} where
vi,j =
1 ifDBi hold private value j
0 otherwise

Download
PDF
In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud

Grisha Weintraub, Ehud Gudes

CCGrid 2017: 498-503

In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud

Grisha Weintraub, Ehud Gudes

CCGrid 2017: 498-503

Abstract—Thanks to their high availability, scalability, and
usability, cloud databases have become one of the dominant
cloud services. However, since cloud users do not physically
possess their data, data integrity may be at risk. In this
paper, we present a novel protocol that utilizes crowdsourcing
paradigm to provide practical data integrity assurance in keyvalue
cloud databases. The main advantage of our protocol
over previous work is its high applicability – as opposed to
existing approaches, our scheme does not require any system
changes on the cloud side and thus can be applied directly
to any existing system. We demonstrate the feasibility of our
scheme by a prototype implementation and its evaluation.

Download
PDF

From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts

Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.

Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017)

From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts

Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.

Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017)

In this preliminary study we present the
first practical attack on a modern smartphone which
is mounted through a malicious aftermarket replacement
part (specifically, a replacement touchscreen).
Our attack exploits the lax security checks on the
packets traveling between the touchscreen’s embedded
controller and the phone’s main CPU, and is
able to achieve kernel-level code execution privileges
on modern Android phones protected by SELinux.
This attack is memory independent and survives data
wipes and factory resets. We evaluate two phones
from major vendors and present a proof-of-concept
attack in actual hardware on one phone and an emulation
level attack on the other. Through a semiautomated
source code review of 26 recent Android
phones from 8 different vendors, we believe that our
attack vector can be applied to many other phones,
and that it is very difficult to protect against. Similar
attacks should also be possible on other smart devices
such as printers, cameras and cars, which similarly
contain user-replaceable sub-units.

Download
PDF
In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev

POSTER: Towards Exposing Internet of Things: A Roadmap

Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici

In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016)

In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev

POSTER: Towards Exposing Internet of Things: A Roadmap

Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici

In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016)

Considering the exponential increase of Internet of Things
(IoT) devices there is also unforeseen vulnerabilities associated
with these IoT devices. One of the major problems
in the IoT is the security testing and analysis due to the
heterogeneous nature of deployments. Currently, there is no
mechanism that performs security testing for IoT devices in
different contexts. In addition, there is a missing framework
to be able to adapt and tune accordingly with various security
testing perspectives. In this paper, we propose an
innovative security testbed targeted at IoT devices and also
briefly introduce Adaptable and Tunable Framework (ATF)
for testing IoT devices.

Download
PDF
In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev

Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things

Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y.

In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017)

In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev

Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things

Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y.

In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017)

The exponential increase of Internet of Things (IoT) devices have
resulted in a range of new and unanticipated vulnerabilities
associated with their use. IoT devices from smart homes to smart enterprises can easily be compromised. One of the major problems associated with the IoT is maintaining security; the
vulnerable nature of IoT devices poses a challenge to many
aspects of security, including security testing and analysis. It is
trivial to perform the security analysis for IoT devices to
understand the loop holes and very nature of the devices itself.
Given these issues, there has been less emphasis on security
testing and analysis of the IoT. In this paper, we show our
preliminary efforts in the area of security analysis for IoT devices
and introduce a security IoT testbed for performing security
analysis. We also discuss the necessary design, requirements and the architecture to support our security analysis conducted via the proposed testbed.

Download
PDF
In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST)

Advanced security testbed framework for wearable IoT devices

Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y.

ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016)

In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST)

Advanced security testbed framework for wearable IoT devices

Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y.

ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016)

Analyzing the security of Wearable Internet-of-Things (WIoT) devices is considered a complex task due to
their heterogeneous nature. In addition, there is currently no mechanism that performs security testing
for WIoT devices in different contexts. In this article, we propose an innovative security testbed framework
targeted at wearable devices, where a set of security tests are conducted, and a dynamic analysis is performed
by realistically simulating environmental conditions in which WIoT devices operate. The architectural design
of the proposed testbed and a proof-of-concept, demonstrating a preliminary analysis and the detection of
context-based attacks executed by smartwatch devices, are presented.

Download
PDF

Ranking Vulnerability Fixes Using Planning Graph Analysis

Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani

International Workshop on Artificial Intelligence and Security (2017)

Ranking Vulnerability Fixes Using Planning Graph Analysis

Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani

International Workshop on Artificial Intelligence and Security (2017)

During the past years logical attack graphs were
used to find the most critical vulnerabilities and
devise efficient hardening strategies for organizational
networks. Most techniques for ranking vulnerabilities
either do not scale well, e.g. brute-force
attack plan enumeration, or are not well suited for
the analysis of logical attack graphs, e.g. centrality
measures.
In this paper we suggest an analysis of the planning
graph (from classical planning) derived from
the logical attack graph to improve the accuracy
of centrality-based vulnerability ranking metrics.
The planning graph also allows efficient enumeration
of the set of possible attack plans that use a
given vulnerability on a specific machine. We suggest
a set of centrality based heuristics for reducing
the number of attack plans and compare with
previously suggested vulnerability ranking metrics.
Results show that metrics computed over the planning
graph are superior to metrics computed over
the logical attack graph or the network connectivity
graph.

Download
PDF

Partially Observable Contingent Planning for Penetration Testing

Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani

28th International Workshop on Principles of Diagnosis (DX) (2017)

Partially Observable Contingent Planning for Penetration Testing

Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani

28th International Workshop on Principles of Diagnosis (DX) (2017)

Penetration Testing (pentesting), where network administrators
automatically attack their own network to identify
and fix vulnerabilities, has recently received attention
from the AI community. Smart algorithms that can
identify robust and efficient attack plans may imitate
human hackers better than simple protocols. Classical
planning methods for pentesting model poorly the real
world, where the attacker has only partial information
concerning the network. On the other hand POMDPbased
approaches provide a strong model, but fail to
scale up to reasonable model sizes. In this paper we offer
a middle ground, allowing for partial observability
and non-deterministic action effects, by modeling pentesting
as a partially observable contingent problem. We
experiment with a real network of a large organization,
showing our solver to scale to realistic problem sizes.
We also experiment with sub-sampled networks, comparing
the expected reward of a contingent plan graph
to that of a POMDP policy.

Download
PDF
In collaboration with Ariel University

I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification

R. DubinS, A. DvirPI, O. PelePI and O. HadarPI

accepted to IEEE Transactions on Information Forensics & Security, July 2017

In collaboration with Ariel University

I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification

R. DubinS, A. DvirPI, O. PelePI and O. HadarPI

accepted to IEEE Transactions on Information Forensics & Security, July 2017

Desktops and laptops can be maliciously exploited to violate privacy. There are two main types of attack scenarios: active and passive. In this paper, we consider the passive scenario where the adversary does not interact actively with the device, but he is able to eavesdrop on the network traffic of the device from the network side. Most of the Internet traffic is encrypted and thus passive attacks are challenging. Previous research has shown that information can be extracted from encrypted multimedia streams. This includes video title classification of non HTTP adaptive streams (non-HAS). This paper presents an algorithm for encrypted HTTP adaptive video streaming title classification. We show that an external attacker can identify the video title from video HTTP adaptive streams (HAS) sites such as YouTube. To the best of our knowledge, this is the first work that shows this. We provide a large data set of 10000 YouTube video streams of 100 popular video titles (each title downloaded 100 times) as examples for this task. The dataset was collected under real-world network conditions. We present several machine algorithms for the task and run a through set of experiments, which shows that our classification accuracy is more than 95%. We also show that our algorithms are able to classify video titles that are not in the training set as unknown and some of the algorithms are also able to eliminate false prediction of video titles and instead report unknown. Finally, we evaluate our algorithms robustness to delays and packet losses at test time and show that a solution that uses SVM is the most robust against these changes given enough training data. We provide the dataset and the crawler for future research.

Download
PDF
In collaboration with Princeton University

Physical Layer Security over Wiretap Channels with Random Parameters

Z. Goldfeld, P. Cuff and H. H. Permuter.

Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

In collaboration with Princeton University

Physical Layer Security over Wiretap Channels with Random Parameters

Z. Goldfeld, P. Cuff and H. H. Permuter.

Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated that our region can be strictly larger than those reported in the preceding works.

Download
PDF
In collaboration with Princeton University

The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

Z. Goldfeld, P. Cuff and H. H. Permuter

Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

In collaboration with Princeton University

The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

Z. Goldfeld, P. Cuff and H. H. Permuter

Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

To be considered for the 2017 IEEE Jack Keil
Wolf ISIT Student Paper Award. We study the state-dependent
(SD) wiretap channel (WTC) with non-causal channel state
information (CSI) at the encoder. This model subsumes all other
instances of CSI availability as special cases, and calls for an
efficient utilization of the state sequence both for reliability and
security purposes. A lower bound on the secrecy-capacity, that
improves upon the previously best known result by Chen and
Han Vinck, is derived based on a novel superposition coding
scheme. The improvement over the Chen and Han Vinck result
is strict for some SD-WTCs. Specializing the lower bound to the
case where CSI is also available to the decoder reveals that it
is at least as good as the achievable formula by Chia and ElGamal,
which is already known to outperform the adaptation
of the Chen and Han Vinck code to the encoder and decoder
CSI scenario. The results are derived under the strict semanticsecurity
metric that requires negligible information leakage for
all message distributions. The proof of achievability relies on
a stronger version of the soft-covering lemma for superposition
codes.

Download
PDF
In collaboration with Princeton University

Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

In collaboration with Princeton University

Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over
a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This
model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state
sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity
region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is
shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong
soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off
result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for
either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated
that our region can be strictly larger than those reported in the preceding works.

Download
PDF
In collaboration with SUTD + CSRC

ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

In collaboration with SUTD + CSRC

ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

In this work we apply machine learning algorithms on network
traffic data for accurate identification of IoT devices
connected to a network. To train and evaluate the classi-
fier, we collected and labeled network traffic data from nine
distinct IoT devices, and PCs and smartphones. Using supervised
learning, we trained a multi-stage meta classifier; in
the first stage, the classifier can distinguish between traffic
generated by IoT and non-IoT devices. In the second stage,
each IoT device is associated a specific IoT device class. The
overall IoT classification accuracy of our model is 99.281%.

Download
PDF
In collaboration with Princeton University

Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017

In collaboration with Princeton University

Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017

A broadcast channel (BC) where the decoders cooperate via a one-sided link is considered. One common and two private messages are transmitted and the private message to the cooperative user should be kept secret from the cooperationaided user. The secrecy level is measured in terms of strong secrecy, i.e., a vanishing information leakage. An inner bound on the capacity region is derived by using a channel-resolvabilitybased code that double-bins the codebook of the secret message, and by using a likelihood encoder to choose the transmitted codeword. The inner bound is shown to be tight for semideterministic
and physically degraded BCs, and the results are compared with those of the corresponding BCs without a secrecy constraint. Blackwell and Gaussian BC examples illustrate the impact of secrecy on the rate regions. Unlike the case without secrecy, where sharing information about both private messages via the cooperative link is optimal, our protocol conveys parts of the common and non-confidential messages only. This restriction reduces the transmission rates more than the usual rate loss due to secrecy requirements. An example that illustrates this loss is provided.

Download
PDF

Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016

Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016

—The arbitrarily varying wiretap channel (AVWTC) is an open problem largely because of two main challenges. Not only does it capture the difficulty of the compound wiretap channel (another open problem) as a special case, it also requires that secrecy is ensured with respect to exponentially many possible channel state sequences. This work overcomes the second aforementioned difficulty. To that end, we consider an AVWTC with a type constraint on the allowed state sequences, and derive a single-letter characterization of its correlated-random (CR) assisted semantic-security (SS) capacity. The allowed state sequences are the ones in a typical set around a single constraining type. SS is established by showing that the mutual information between the message and the eavesdropper’s observations is negligible even when maximized over all message distributions, choices of state sequences and realizations of the CR-code. Both the achievability and the converse proofs of the type constrained coding theorem rely on stronger claims than actually required. The direct part establishes a novel single-letter lower bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained by any convex and closed set of state probability mass functions. This bound achieves the best known single-letter secrecy rates for a corresponding compound wiretap channel over the same constraint set. In contrast to other singleletter results in the AVWTC literature, the derivation does not assume the existence of a best channel to the eavesdropper. Optimality is a consequence of an max-inf upper bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained to any collection of type-classes. When adjusted to the aforementioned compound WTC, the upper bound simplifies to a max-min structure, thus strengthening the previously best known single-letter upper bound by Liang et al. that has a minmax form.

Download
PDF
In collaboration with Princeton University

Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016

In collaboration with Princeton University

Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016

Determining a single-letter secrecy-capacity formula for the arbitrarily varying wiretap channel (AVWTC) is an open problem largely because of two main challenges. Not only does it capture the difficulty of the compound wiretap channel (another open problem), it also requires that secrecy is ensured with respect to exponentially many possible channel state sequences. By extending the strong soft-covering lemma, recently derived by the authors, to the heterogeneous scenario, this paper accounts for the exponential number of secrecy constraints while only imposing single-letter constraints on the communication rate. Through this approach, we derive a single-letter characterization of the correlated-random (CR)-assisted semanticsecurity (SS) capacity of an AVWTC with a type constraint on the allowed state sequences. The allowed state sequences are the ones in a typical set around a single constraining type. The stringent SS requirement is established by showing that the mutual information between the message and the eavesdropper’s observations is negligible even when maximized over all message distributions, choices of state sequences, and realizations of the CR-code. Both the achievability and the converse proofs of the type-constrained coding theorem rely on stronger claims than actually required. The direct part establishes a novel single-letter lower bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained by any convex and closed set of state probability mass functions. This bound achieves the best known single-letter secrecy rates for a corresponding compound wiretap channel over the same constraint set. In contrast to other single-letter results in the AVWTC literature, this paper does not assume the existence of a best channel to the eavesdropper. Instead, SS follows by leveraging the heterogeneous version of the strong soft-covering lemma and a CR-code reduction argument. Optimality is a consequence of a max-inf upper bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained to any collection of type-classes. When adjusted to the aforementioned compound WTC, the upper bound simplifies to a max–min structure, thus strengthening the previously best known single-letter upper bound by Liang et al. that has a Manuscript received January 14, 2016; revised September 25, 2016; accepted October 15, 2016. Date of publication October 20, 2016; date of current version November 18, 2016. Z. Goldfeld and H. H. Permuter were supported in part by the Cyber Security Research Center within Ben-Gurion University of the Negev, in part by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007-2013)/ERC under Grant n°337752, and in part by the Israel Science Foundation. P. Cuff was supported in part by the National Science Foundation under Grant CCF-1350595 and in part by the Air Force Office of Scientific Research under Grant FA9550-15-1-0180. This paper was presented at the 2016 International Conference on the Science of Electrical Engineers. Z. Goldfeld and H. H. Permuter are with the Department of Electrical and Computer Engineering, Ben-Gurion University of the Negev, Beersheba 8410501, Israel (e-mail: gziv@post.bgu.ac.il; haimp@bgu.ac.il). P. Cuff is with the Department of Electrical Engineering, Princeton University, Princeton, NJ 08544 USA (e-mail: cuff@princeton.edu). Communicated by A. Khisti, Associate Editor for Shannon Theory. Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TIT.2016.2619701 min–max form. The proof of the upper bound uses a novel distribution coupling argument. The capacity formula shows that the legitimate users effectively see an averaged main channel, while security must be ensured versus an eavesdropper with perfect channel state information. An example visualizes our single-letter results, and their relation to the past multi-letter secrecy-capacity characterization of the AVWTC is highlighted.

Download
PDF

I Know What You Saw Last Minute – The Chrome Browser Case

R. Dubin. A. Dvir, O. Pele, and O. Hadar

in Blackhat Europe 2016, 1st-4th November 2016, London, UK

I Know What You Saw Last Minute – The Chrome Browser Case

R. Dubin. A. Dvir, O. Pele, and O. Hadar

in Blackhat Europe 2016, 1st-4th November 2016, London, UK

Download
PDF
In collaboration with Princeton University

Wiretap channel with random states non-causally available at the encoder

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

In collaboration with Princeton University

Wiretap channel with random states non-causally available at the encoder

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

We study the state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes all other instances of CSI availability as special cases, and calls for an efficient utilization of the state sequence both for reliability and security purposes. A lower bound on the secrecy-capacity, that improves upon the previously best known result by Chen and Han Vinck, is derived based on a novel superposition coding scheme. The improvement over the Chen and Han Vinck result is strict for some SD-WTCs. Specializing the lower bound to the case where CSI is also available to the decoder reveals that it is at least as good as the achievable formula by Chia and El-Gamal, which is already known to outperform the adaptation of the Chen and Han Vinck code to the encoder and decoder CSI scenario. The results are derived under the strict semantic-security metric that requires negligible information leakage for all message distributions.

Download
PDF

Data-Augmented Software Diagnosis

Amir Elmishali, Roni Stern, Meir Kalech

AAAI 2016: 4003-4009

Data-Augmented Software Diagnosis

Amir Elmishali, Roni Stern, Meir Kalech

AAAI 2016: 4003-4009

Software fault prediction algorithms predict which software
components is likely to contain faults using machine learning
techniques. Software diagnosis algorithm identify the faulty
software components that caused a failure using model-based
or spectrum based approaches. We show how software fault
prediction algorithms can be used to improve software diagnosis.
The resulting data-augmented diagnosis algorithm
overcomes key problems in software diagnosis algorithms:
ranking diagnoses and distinguishing between diagnoses with
high probability and low probability. We demonstrate the ef-
ficiency of the proposed approach empirically on three open
sources domains, showing significant increase in accuracy of
diagnosis and efficiency of troubleshooting. These encouraging
results suggests broader use of data-driven methods to
complement and improve existing model-based methods.

Download
PDF
In collaboration with IDC Herzliya + Technion and UCLA

Function Secret Sharing Improvements and Extensions

Elette Boyle, Niv Gilboa and Yuval Ishai

ACM CCS 2016, pages 1292-1303, 2016

In collaboration with IDC Herzliya + Technion and UCLA

Function Secret Sharing Improvements and Extensions

Elette Boyle, Niv Gilboa and Yuval Ishai

ACM CCS 2016, pages 1292-1303, 2016

Function Secret Sharing (FSS), introduced by Boyle et al.
(Eurocrypt 2015), provides a way for additively secret-sharing
a function from a given function family F. More concretely,
an m-party FSS scheme splits a function f : {0, 1}
n → G, for some abelian group G, into functions f1, . . . , fm, described by keys k1, . . . , km, such that f = f1 + . . . + fm and every
strict subset of the keys hides f. A Distributed Point Function
(DPF) is a special case where F is the family of point
functions, namely functions fα,β that evaluate to β on the
input α and to 0 on all other inputs. FSS schemes are useful for applications that involve privately reading from or writing to distributed databases while
minimizing the amount of communication. These include
different flavors of private information retrieval (PIR), as
well as a recent application of DPF for large-scale anonymous
messaging. We improve and extend previous results in several ways:
• Simplified FSS constructions. We introduce a tensoring
operation for FSS which is used to obtain a conceptually
simpler derivation of previous constructions
and present our new constructions.
• Improved 2-party DPF. We reduce the key size of
the PRG-based DPF scheme of Boyle et al. roughly
by a factor of 4 and optimize its computational cost.
The optimized DPF significantly improves the concrete
costs of 2-server PIR and related primitives.
• FSS for new function families. We present an ef-
ficient PRG-based 2-party FSS scheme for the family
of decision trees, leaking only the topology of the tree
and the internal node labels. We apply this towards
FSS for multi-dimensional intervals. We also present
a general technique for extending FSS schemes by increasing
the number of parties.
• Verifiable FSS. We present efficient protocols for verifying
that keys (k ∗ 1 , . . . , k∗ m), obtained from a potentially
malicious user, are consistent with some f ∈ F.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
CCS’16, October 24 – 28, 2016, Vienna, Austria

c 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ISBN 978-1-4503-4139-4/16/10. . . $15.00
DOI: http://dx.doi.org/10.1145/2976749.2978429
Such a verification may be critical for applications that
involve private writing or voting by many users.
Keywords: Function secret sharing, private information
retrieval, secure multiparty computation, homomorphic encryption

Download
PDF
In collaboration with IDC Herzliya + Technion and UCLA

Breaking the Circuit Size Barrier for Secure Computation under DDH

Elette Boyle, Niv Gilboa and Yuval Ishai

Crypto 2016, pages 509-539, 2016

In collaboration with IDC Herzliya + Technion and UCLA

Breaking the Circuit Size Barrier for Secure Computation under DDH

Elette Boyle, Niv Gilboa and Yuval Ishai

Crypto 2016, pages 509-539, 2016

Under the Decisional Diffie-Hellman (DDH) assumption, we present a 2-out-of-2 secret sharing scheme that supports a compact evaluation of branching programs on the shares. More concretely, there is an evaluation algorithm Eval with a single bit of output, such that if an input w ∈ {0, 1}n is shared into (w0, w1), then for any deterministic branching program P of size S we have that Eval(P, w0) ⊕ Eval(P, w1) = P(w) except with at most δ failure probability. The running time of the sharing algorithm is polynomial in n and the security parameter λ, and that of Eval is polynomial in S, λ, and 1/δ. This applies as a special case to boolean formulas of size S or boolean circuits of depth log S. We also present a public-key variant that enables homomorphic computation on inputs contributed by multiple clients. The above result implies the following DDH-based applications: – A secure 2-party computation protocol for evaluating any branching program or formula of size S, where the communication complexity is linear in the input size and only the running time grows with S. – A secure 2-party computation protocol for evaluating layered boolean circuits of size S with communication complexity O(S/ log S). – A 2-party function secret sharing scheme, as defined by Boyle et al. (Eurocrypt 2015), for general branching programs (with inverse polynomial error probability). – A 1-round 2-server private information retrieval scheme supporting general searches expressed by branching programs. Prior to our work, similar results could only be achieved using fully homomorphic encryption. We hope that our approach will lead to more practical alternatives to known fully homomorphic encryption schemes in the context of low-communication secure computation.

Download
PDF

Node-Centric Detection of Overlapping Communities in Social Networks

Yehonatan Cohen, Danny Hendler and Amir Rubin

12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

Node-Centric Detection of Overlapping Communities in Social Networks

Yehonatan Cohen, Danny Hendler and Amir Rubin

12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

We present NECTAR, a community detection algorithm that generalizes Louvain method’s local search heuristic for overlapping community structures. NECTAR chooses dynamically which objective function to optimize based on the network on which it is invoked. Our experimental evaluation on both synthetic benchmark graphs and real-world networks, based on ground-truth communities, shows that NECTAR provides excellent results as compared with state of the art community detection algorithms.

Download
PDF
In collaboration with Telekom Innovation Laboratories

Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

In collaboration with Telekom Innovation Laboratories

Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

Honey pots are computer resources that are used to detect and deflect network attacks on a protected system. The data collected from honey pots can be utilized to better understand cyber-attacks and provide insights for improving security measures, such as intrusion detection systems. In recent years, attackers’ sophistication has increased significantly, thus additional and more advanced analytical models are required. In this paper we suggest several unique methods for detecting attack propagation patterns using Markov Chains modeling and complex networks analysis. These methods can be applied on attack datasets collected from honey pots. The results of these models shed light on different attack profiles and interaction patterns between the deployed sensors in the honey pot system. We evaluate the suggested methods on a massive data set which includes over 167 million observed attacks on a globally distributed honey pot system. Analyzing the results reveals interesting patterns regarding attack correlations between the honey pots. We identify central honey pots which enable the propagation of attacks, and present how attack profiles may vary according to the attacking country. These patterns can be used to better understand existing or evolving attacks, and may aid security experts to better deploy honey pots in their system.

Download
PDF

SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

In this paper we describe and share with the research community,
a significant smartphone dataset obtained from an
ongoing long-term data collection experiment. The dataset
currently contains 10 billion data records from 30 users collected
over a period of 1.6 years and an additional 20 users for
6 months (totaling 50 active users currently participating in
the experiment).
The experiment involves two smartphone agents: SherLock
and Moriarty. SherLock collects a wide variety of software and
sensor data at a high sample rate. Moriarty perpetrates various
attacks on the user and logs its activities, thus providing
labels for the SherLock dataset.
The primary purpose of the dataset is to help security professionals
and academic researchers in developing innovative
methods of implicitly detecting malicious behavior in smartphones.
Specifically, from data obtainable without superuser
(root) privileges. To demonstrate possible uses of the dataset,
we perform a basic malware analysis and evaluate a method
of continuous user authentication.

Download
PDF

Scalable attack propagation model and algorithms for honeypot systems

A Bar, B Shapira, L Rokach, M Unger

Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

Scalable attack propagation model and algorithms for honeypot systems

A Bar, B Shapira, L Rokach, M Unger

Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

Attack propagation models within honeypot systems aim at providing insights about attack strategies that target multiple honeypots, rather than analyzing attacks on each honeypot separately. Traditional attack propagation models focus on building a single probabilistic model. This modeling approach may be misleading, since it does not take into consideration contextual information such as the country from which the attack is initiated. In addition, with the massive increase in the magnitude of attacks on honeypots, a scalable modeling approach is required. In this work we present a novel attack propagation model that can utilize contextual information about the attacks by training multiple Markov Chain models. Moreover, we add additional layers of analysis: first, we present a likelihood estimation procedure that can identify new and evolving attack patterns; and second, we introduce a method for generating simulated attack sequences that can be used for training or sensitivity analysis. Lastly, we present, in details, a MapReduce design for all suggested algorithms in order to address scalability issues. We evaluate our methods on a massive dataset which includes approximately 170 million attacks on an operational honeypot system. Results indicate that contextual modeling is important for explaining attack propagation that may vary by country. In addition, we show the effectiveness of the suggested method for generating simulated sequences by comparing the attack propagation patterns we learned in the generated dataset and the original one. Finally, we demonstrate the scalability of all of the proposed algorithms on real and synthetic datasets that include over a billion records.

Download
PDF

Spot the Hotspot: Wi-Fi Hotspot Classification from Internet Traffic

Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

SBP-BRiMS (2016)

Spot the Hotspot: Wi-Fi Hotspot Classification from Internet Traffic

Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

SBP-BRiMS (2016)

The meteoric progress of Internet technologies and PDA (personal digital assistant) devices has made public Wi-Fi hotspots very popular. Nowadays, hotspots can be found almost anywhere: organizations, home networks, public transport systems, restaurants, etc. The Internet usage patterns (e.g. browsing) differ with the hotspot venue. This insight introduces new traffic profiling opportunities. Using machine learning techniques we show that it is possible to infer types of venues that provide Wi-Fi access (e.g., organizations and hangout places) by analyzing the Internet traffic of connected mobile phones. We show that it is possible to infer the user’s current venue type disclosing his/her current context. This information can be used for improving personalized and context aware services such as web search engines or online shops, without the presence on user’s device. In this paper we evaluate venue type inference based on mobile phone traffic collected from 115 college students and analyze their Internet behavior across the different venues types.

Download
PDF

MIMO Gaussian broadcast channels with common, private and confidential messages

Z. Goldfeld

In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

MIMO Gaussian broadcast channels with common, private and confidential messages

Z. Goldfeld

In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

The two-user multiple-input multiple-output
(MIMO) Gaussian broadcast channel (BC) with common,
private and confidential messages is considered. The transmitter
sends a common message to both users, a confidential message
to User 1 and a private (non-confidential) message to User
2. The secrecy-capacity region is characterized by showing
that certain inner and outer bounds coincide and that the
boundary points are achieved by Gaussian inputs. The proof
relies on factorization of upper concave envelopes and a variant
of dirty-paper coding (DPC). The entire region is exhausted
by using DPC to cancel out the signal of the non-confidential
message at Receiver 1, making DPC against the signal of the
confidential message unnecessary. The secrecy-capacity results
are visualized using a numerical example.

Download
PDF
In collaboration with Technische Universit¨at M¨unchen

Broadcast channels with privacy leakage constraints

Z. Goldfeld, G. Kramer and H. H. Permuter

Accepted to the IEEE Transactions on Information Theory, August 2016

In collaboration with Technische Universit¨at M¨unchen

Broadcast channels with privacy leakage constraints

Z. Goldfeld, G. Kramer and H. H. Permuter

Accepted to the IEEE Transactions on Information Theory, August 2016

The broadcast channel (BC) with one common and two private messages with leakage constraints is studied, where leakage refers to the normalized mutual information between a message and a channel symbol string. Each private message is destined for a different user and the leakage to the other receiver must satisfy a constraint. This model captures several scenarios concerning secrecy, i.e., when both, either or neither of the private messages are secret. Inner and outer bounds on the leakage-capacity region are derived. Without leakage constraints the inner bound recovers Marton’s region and the outer bound reduces to the UVW-outer bound. The bounds match for semi-deterministic (SD) and physically degraded (PD) BCs, as well as for BCs with a degraded message set. The leakage-capacity regions of the SD-BC and the BC with a degraded message set recover past results for different secrecy scenarios. A Blackwell BC example illustrates the results and shows how its leakage-capacity region changes from the capacity region without secrecy to the secrecy-capacity regions for different secrecy scenarios.

Download
PDF
In collaboration with Princeton University

Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the 2016 IEEE International Symposium on Information Theory (ISIT-2016), Barcelona, July 2016

In collaboration with Princeton University

Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the 2016 IEEE International Symposium on Information Theory (ISIT-2016), Barcelona, July 2016

The secrecy capacity of the type II wiretap channel (WTC II) with a noisy main channel is currently an open problem. Herein its secrecy-capacity is derived and shown to be equal to its semantic-security (SS) capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. On top of that, SS requires negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, the lemma shows that a random codebook achieves the soft-covering phenomenon with high probability. The probability of failure is doubly-exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II.

Download
PDF
In collaboration with Princeton University

Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

In collaboration with Princeton University

Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

The secrecy capacity of the type II wiretap channel (WTC II) with a noisy main channel is currently an open problem. Herein its secrecy-capacity is derived and shown to be equal to its semantic-security (SS) capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. The SS criterion demands negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, a random codebook is shown to achieve the soft-covering phenomenon with high probability. The probability of failure is doubly exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security.

Download
PDF
In collaboration with Princeton University

Semantic-Security Capacity for the Physical Layer via Information Theory

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

In collaboration with Princeton University

Semantic-Security Capacity for the Physical Layer via Information Theory

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

Physical layer security can ensure secure communication over noisy channels in the presence of an eavesdropper with unlimited computational power. We adopt an information theoretic variant of semantic-security (SS) (a cryptographic gold standard), as our secrecy metric and study the open problem of the type II wiretap channel (WTC II) with a noisy main channel is, whose secrecy-capacity is unknown even under looser metrics than SS. Herein the secrecy-capacity is derived and shown to be equal to its SS capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. On top of that, SS requires negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, the lemma shows that a random codebook achieves the soft-covering phenomenon with high probability. The probability of failure is doubly-exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security. Index Terms—Erasure wiretap channel, information theoretic security, physical-layer security, semantic-security, soft-covering lemma, wiretap channel of type II, wiretap codes.

Download
PDF
In collaboration with Technische Universit¨at M¨unchen + Princeton University

Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, P. Cuff and H. H. Permuter

In Proceedings of the 2016 International Zurich Seminar on Communications (IZS-2016), Zurich, Switzerland, March 2016

In collaboration with Technische Universit¨at M¨unchen + Princeton University

Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, P. Cuff and H. H. Permuter

In Proceedings of the 2016 International Zurich Seminar on Communications (IZS-2016), Zurich, Switzerland, March 2016

The broadcast channel (BC) with one confidential message and where the decoders cooperate via a one-sided link is considered. A messages triple with one common and two private messages is transmitted. The private message to the cooperative user is kept secret from the cooperation-aided user. An inner bound on the strong-secrecy-capacity region of the BC is derived. The inner bound is achieved by a channel-resolvability-based Marton code construction that double-bins the codebook of the secret message. Both the resolvability and the BC codes use
the likelihood encoder to choose the transmitted codeword. The protocol uses the cooperation link to convey information on a portion of the non-confidential message and the common message. The inner bound is shown to be tight for the semi-deterministic and physically degraded cases

Download
PDF
In collaboration with Ministry of Science and Technology of Israel

Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

Eighth Annual Symposium on Combinatorial Search, 2015

In collaboration with Ministry of Science and Technology of Israel

Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

Eighth Annual Symposium on Combinatorial Search, 2015

Most work in heuristic search focused on path finding problems
in which the cost of a path in the state space is the sum
of its edges’ weights. This paper addresses a different class
of path finding problems in which the cost of a path is the
product of its weights. We present reductions from different
classes of multiplicative path finding problems to suitable
classes of additive path finding problems. As a case study,
we consider the problem of finding least and most probable
paths in a Markov Chain, where path cost corresponds to the
probability of traversing it. The importance of this problem
is demonstrated in an anomaly detection application for cyberspace
security. Three novel anomaly detection metrics for
Markov Chains are presented, where computing these metrics
require finding least and most probable paths. The underlying
Markov Chain is dynamically changing, and so fast methods
for computing least and most probable paths are needed. We
propose such methods based on the proposed reductions and
using heuristic search algorithms.

Download
PDF
In collaboration with Ministry of Science and Technology

pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

Y Mirsky, B Shapira, L Rokach, Y Elovici

Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

In collaboration with Ministry of Science and Technology

pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

Y Mirsky, B Shapira, L Rokach, Y Elovici

Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

The clustering of unbounded data-streams is a difficult problem since the observed instances cannot be stored for future clustering decisions. Moreover, the probability distribution of streams tends to change over time, making it challenging to differentiate between a concept-drift and an anomaly. Although many excellent data-stream clustering algorithms have been proposed in the past, they are not suitable for capturing the temporal contexts of an entity.

In this paper, we propose pcStream; a novel data-stream clustering algorithm for dynamically detecting and managing sequential temporal contexts. pcStream takes into account the properties of sensor-fused data-streams in order to accurately infer the present concept, and dynamically detect new contexts as they occur. Moreover, the algorithm is capable of detecting point anomalies and can operate with high velocity data-streams. Lastly, we show in our evaluation that pcStream outperforms state-of-the-art stream clustering algorithms in detecting real world contexts from sensor-fused datasets. We also show how pcStream can be used as an analysis tool for contextual sensor streams.

Download
PDF
In collaboration with

JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

M Guri, Y Poliak, B Shapira, Y Elovici

Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

In collaboration with

JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

M Guri, Y Poliak, B Shapira, Y Elovici

Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

Smartphones and tablets have become prime
targets for malware, due to the valuable private and corporate
information they hold. While Anti-Virus (AV) program may
successfully detect malicious applications (apps), they remain
ineffective against low-level rootkits that evade detection
mechanisms by masking their own presence. Furthermore, any
detection mechanism run on the same physical device as the
monitored OS can be compromised via application, kernel or
boot-loader vulnerabilities. Consequentially, trusted detection of
kernel rootkits in mobile devices is a challenging task in practice.
In this paper we present ‘JoKER’ – a system which aims at
detecting rootkits in the Android kernel by utilizing the
hardware’s Joint Test Action Group (JTAG) interface for
trusted memory forensics. Our framework consists of
components that extract areas of a kernel’s memory and
reconstruct it for further analysis. We present the overall
architecture along with its implementation, and demonstrate that
the system can successfully detect the presence of stealthy
rootkits in the kernel. The results show that although JTAG’s
main purpose is system testing, it can also be used for malware
detection where traditional methods fail.

Download
PDF
In collaboration with Ministry of Economy under the Magnet Program

Unknown malware detection using network traffic classification

D Bekerman, B Shapira, L Rokach, A Bar

Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

In collaboration with Ministry of Economy under the Magnet Program

Unknown malware detection using network traffic classification

D Bekerman, B Shapira, L Rokach, A Bar

Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

We present an end-to-end supervised based system
for detecting malware by analyzing network traffic. The
proposed method extracts 972 behavioral features across
different protocols and network layers, and refers to different
observation resolutions (transaction, session, flow and
conversation windows). A feature selection method is then used
to identify the most meaningful features and to reduce the data
dimensionality to a tractable size. Finally, various supervised
methods are evaluated to indicate whether traffic in the network
is malicious, to attribute it to known malware “families” and to
discover new threats. A comparative experimental study using
real network traffic from various environments indicates that the
proposed system outperforms existing state-of-the-art rule-based
systems, such as Snort and Suricata. In particular, our
chronological evaluation shows that many unknown malware
incidents could have been detected at least a month before their
static rules were introduced to either the Snort or Suricata
systems.

Download
PDF
In collaboration with Technische Universit¨at M¨unchen

Cooperative broadcast channels with a secret message

Z. Goldfeld, G. Kramer and H. H. Permuter

In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

In collaboration with Technische Universit¨at M¨unchen

Cooperative broadcast channels with a secret message

Z. Goldfeld, G. Kramer and H. H. Permuter

In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

The broadcast channel (BC) with one confidential message and where the decoders cooperate via a one-sided link is considered. A pair of messages is transmitted, one message for
each user. The message to the cooperative user is confidential and is kept secret from the cooperation-aided user. The secrecy level is measured by the equivocation rate. An inner bound on the secrecy-capacity region of the BC is derived. The inner bound is achieved by double-binning the codebook of the secret message. The inner bound is tight for the semi-deterministic (SD) and physically degraded (PD) cases. The secrecy results are compared to those of the corresponding BCs without a secrecy constraint. A cooperative Blackwell channel example illustrates the impact of secrecy on the rate regions.

Download
PDF
In collaboration with Telekom Innovation Laboratories

Mobile malware detection through analysis of deviations in application network behavior

A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

Computers & Security 43, 2014, 1-18

In collaboration with Telekom Innovation Laboratories

Mobile malware detection through analysis of deviations in application network behavior

A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

Computers & Security 43, 2014, 1-18

In this paper we present a new behavior-based anomaly detection system for detecting meaningful deviations in a mobile application’s network behavior. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications by: (1) identification of malicious attacks or masquerading applications installed on a mobile device, and (2) identification of republished popular applications injected with a malicious code (i.e., repackaging). More specifically, we attempt to detect a new type of mobile malware with self-updating capabilities that were recently found on the official Google Android marketplace. Malware of this type cannot be detected using the standard signatures approach or by applying regular static or dynamic analysis methods. The detection is performed based on the application’s network traffic patterns only. For each application, a model representing its specific traffic pattern is learned locally (i.e., on the device). Semi-supervised machine-learning methods are used for learning the normal behavioral patterns and for detecting deviations from the application’s expected behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguished by their network patterns; (2) different levels of deviation from normal behavior can be detected accurately; (3) in the case of self-updating malware, original (benign) and infected versions of an application have different and distinguishable network traffic patterns that in most cases, can be detected within a few minutes after the malware is executed while presenting very low false alarms rate; and (4) local learning is feasible and has a low performance overhead on mobile devices.

Download
PDF
In collaboration with Telekom Innovation Laboratories

CoBAn: A context based model for data leakage prevention

G Katz, Y Elovici, B Shapira

Information sciences 262, 137-158, 2014

In collaboration with Telekom Innovation Laboratories

CoBAn: A context based model for data leakage prevention

G Katz, Y Elovici, B Shapira

Information sciences 262, 137-158, 2014

A new context-based model (CoBAn) for accidental and intentional data leakage prevention (DLP) is proposed. Existing methods attempt to prevent data leakage by either looking for specific keywords and phrases or by using various statistical methods. Keyword-based methods are not sufficiently accurate since they ignore the context of the keyword, while statistical methods ignore the content of the analyzed text. The context-based approach we propose leverages the advantages of both these approaches. The new model consists of two phases: training and detection. During the training phase, clusters of documents are generated and a graph representation of the confidential content of each cluster is created. This representation consists of key terms and the context in which they need to appear in order to be considered confidential. During the detection phase, each tested document is assigned to several clusters and its contents are then matched to each cluster’s respective graph in an attempt to determine the confidentiality of the document. Extensive experiments have shown that the model is superior to other methods in detecting leakage attempts, where the confidential information is rephrased or is different from the original examples provided in the learning set.

Download
PDF