Skip to Content

    Research Proposal

    Add your abstract and contact information and we will be in touch

    Thanks We will be in touch soon

    Contact us

    Leave a massage and we’ll get back to you

      You can also reach us at:

      Cyber Security Research Center @ Ben-Gurion University of the Negev
      P.O.B. 653
      Beer Sheva, 84105,
      Israel

      +972 8 6428005
      +972 8 6428121
      cyber-labs bgu.ac.il

      The Creation and Detection of Deepfakes: A Survey

      Yisroel Mirsky, Wenke Lee

      Ben-Gurion University and Georgia Institute of Technology, May 2020

      The Creation and Detection of Deepfakes: A Survey

      Yisroel Mirsky, Wenke Lee

      Ben-Gurion University and Georgia Institute of Technology, May 2020

      A deepfake is content generated by artificial intelligence which seems authentic in the eyes of a human being. The word deepfake is a combination of the words ‘deep learning’ and ‘fake’ and primarily relates to content generated by an artificial neural network, a branch of machine learning.

      The most common form of deepfakes involves the generation and manipulation of human imagery. This technology has creative and productive applications. For example, realistic video dubbing of foreign films, education through the reanimation of historical figures, and virtually trying on clothes while shopping. There are also numerous online communities devoted to creating deepfake memes for entertainment, such as music videos portraying the face of actor Nicolas Cage.

      However, despite the positive applications of deepfakes, the technology is infamous for its unethical and malicious capabilities. At the end of 2017, a Reddit user by the name of ‘deepfakes’ used deep learning to swap faces of celebrities into pornographic videos and posted them online.

      Link

      Deployment Optimization of IoT Devices through Attack Graph Analysis

      Noga Agmon, Asaf Shabtai, Rami Puzis

      Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, 11 Apr 2019

      Deployment Optimization of IoT Devices through Attack Graph Analysis

      Noga Agmon, Asaf Shabtai, Rami Puzis

      Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, 11 Apr 2019

      The Internet of things (IoT) has become an integral part of our life
      at both work and home. However, these IoT devices are prone to vulnerability exploits due to their low cost, low resources, the diversity
      of vendors, and proprietary firmware. Moreover, short range communication protocols (e.g., Bluetooth or ZigBee) open additional
      opportunities for the lateral movement of an attacker within an organization. Thus, the type and location of IoT devices may significantly
      change the level of network security of the organizational network.
      In this paper, we quantify the level of network security based on
      an augmented attack graph analysis that accounts for the physical
      location of IoT devices and their communication capabilities. We
      use the depth-first branch and bound (DFBnB) heuristic search algorithm to solve two optimization problems: Full Deployment with
      Minimal Risk (FDMR) and Maximal Utility without Risk Deterioration (MURD). An admissible heuristic is proposed to accelerate the
      search. The proposed method is evaluated using a real network with
      simulated deployment of IoT devices. The results demonstrate (1)
      the contribution of the augmented attack graphs to quantifying the
      impact of IoT devices deployed within the organization on security,
      and (2) the effectiveness of the optimized IoT deployment.

      Link

      CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

      Yisroel Mirsky, Tom Mahler, Ilan Shelef, Yuval Elovici

      Department of Information Systems Engineering, Ben-Gurion University, Israel Soroka University Medical Center. 3 Apr 2019

      CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

      Yisroel Mirsky, Tom Mahler, Ilan Shelef, Yuval Elovici

      Department of Information Systems Engineering, Ben-Gurion University, Israel Soroka University Medical Center. 3 Apr 2019

      In 2018, clinics and hospitals were hit with numerous attacks
      leading to significant data breaches and interruptions in
      medical services. An attacker with access to medical records
      can do much more than hold the data for ransom or sell it on
      the black market.
      In this paper, we show how an attacker can use deeplearning to add or remove evidence of medical conditions
      from volumetric (3D) medical scans. An attacker may perform
      this act in order to stop a political candidate, sabotage research,
      commit insurance fraud, perform an act of terrorism, or
      even commit murder. We implement the attack using a 3D
      conditional GAN and show how the framework (CT-GAN)
      can be automated. Although the body is complex and 3D
      medical scans are very large, CT-GAN achieves realistic
      results which can be executed in milliseconds.
      To evaluate the attack, we focused on injecting and
      removing lung cancer from CT scans. We show how three
      expert radiologists and a state-of-the-art deep learning AI are
      highly susceptible to the attack. We also explore the attack
      surface of a modern radiology network and demonstrate one
      attack vector: we intercepted and manipulated CT scans in an
      active hospital network with a covert penetration test.

      Link

      Analysis of Location Data Leakage in the Internet Traffic of Android-based Mobile Devices

      Nir Sivan, Ron Bitton, Asaf Shabtai

      Department of Software and Information Systems Engineering Ben-Gurion University of the Negev. 12 Dec 2018

      Analysis of Location Data Leakage in the Internet Traffic of Android-based Mobile Devices

      Nir Sivan, Ron Bitton, Asaf Shabtai

      Department of Software and Information Systems Engineering Ben-Gurion University of the Negev. 12 Dec 2018

      In recent years we have witnessed a shift towards personalized, context-based applications and services for mobile device users. A key component of many of these services is the ability to infer the current location and predict the future location of users based on location sensors embedded in the devices. Such knowledge enables service providers to present relevant and timely offers to their users and better manage traffic congestion control, thus increasing customer satisfaction and engagement. However, such services suffer from location data leakage which has become one of today’s most concerning privacy issues for smartphone users.

      BGU researchers focused specifically on location data that is exposed by Android applications via Internet network traffic in plaintext (i.e., without encryption) without the user’s awareness. An empirical evaluation, involving the network traffic of real mobile device users, aimed at: (1) measuring the extent of location data leakage in the Internet traffic of Android-based smartphone devices; and (2) understanding the value of this data by inferring users’ points of interests (POIs).

      The key findings of this research center on the extent of this phenomenon in terms of both ubiquity and severity.

      Link

      Incentivized Delivery Network of IoT Software Updates Based on Trustless Proof-of-Distribution

      Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, Asaf Shabtai

      IEEE SECURITY & PRIVACY ON THE BLOCKCHAIN (IEEE S&B) AN IEEE EUROPEAN SYMPOSIUM ON SECURITY & PRIVACY AFFILIATED WORKSHOP 23 April 2018, University College London (UCL), London, UK

      Incentivized Delivery Network of IoT Software Updates Based on Trustless Proof-of-Distribution

      Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, Asaf Shabtai

      IEEE SECURITY & PRIVACY ON THE BLOCKCHAIN (IEEE S&B) AN IEEE EUROPEAN SYMPOSIUM ON SECURITY & PRIVACY AFFILIATED WORKSHOP 23 April 2018, University College London (UCL), London, UK

      The Internet of Things (IoT) network of connected devices currently contains more than 11 billion devices and is estimated to double in size within the next four years. The prevalence of these devices makes them an ideal target for attackers. To reduce the risk of attacks vendors routinely deliver security updates (patches) for their devices. The delivery of security updates becomes challenging due to the issue of scalability as the number of devices may grow much quicker than vendors’ distribution systems. Previous studies have suggested a permissionless and decentralized blockchainbased network in which nodes can host and deliver security updates, thus the addition of new nodes scales out the network. However, these studies do not provide an incentive for nodes to join the network, making it unlikely for nodes to freely contribute their hosting space, bandwidth, and computation resources.
      In this paper, we propose a novel decentralized IoT software update delivery network in which participating nodes (referred to as distributors) are compensated by vendors with digital currency for delivering updates to devices. Upon the release of a new security update, a vendor will make a commitment to provide digital currency to distributors that deliver the update; the commitment will be made with the use of smart contracts, and hence will be public, binding, and irreversible. The smart contract promises compensation to any distributor that provides proof-of-distribution, which is unforgeable proof that a single update was delivered to a single device. A distributor acquires the proof-of-distribution by exchanging a security update for a device signature using the Zero-Knowledge Contingent Payment (ZKCP) trustless data exchange protocol. Eliminating the need for trust between the security update distributor and the security consumer (IoT device) by providing fair compensation, can significantly increase the number of distributors, thus facilitating rapid scale out.

      Link

      EEG-triggered dynamic difficulty adjustment for multiplayer games

      Adi Stein, Yair Yotam, Rami Puzis, Guy Shani, Meirav Taieb-Maimon

      Entertainment Computing Volume 25, March 2018, Pages 14-25

      EEG-triggered dynamic difficulty adjustment for multiplayer games

      Adi Stein, Yair Yotam, Rami Puzis, Guy Shani, Meirav Taieb-Maimon

      Entertainment Computing Volume 25, March 2018, Pages 14-25

      In online games, gamers may become frustrated when playing against stronger players or get bored when playing against weaker players, thus losing interest in the game. Dynamic Difficulty Adjustment (DDA) has been suggested as an intelligent handicapping mechanism, by reducing the difficulty for the weaker player, or increasing the difficulty for the stronger player. A key question when using DDA, is when to activate the difficulty adjustment.

      In this paper we suggest using the Emotiv EPOC EEG headset to monitor the personal excitement level of a player and use this information to trigger DDA when the player’s excitement decreases in order to ensure that the player is engaged and enjoying the game. We experiment with an open-source third-person shooter game, in a multiplayer adversarial setting. We conduct experiments, showing that the detected excitement patterns correlate to game events. Experiments designed to evaluate the DDA triggering mechanism confirm that DDA triggered based on EEG increases the players excitement and improves the gaming experience compared to the heuristic triggered DDA and the experience of playing a game without DDA.

      Link

      Taxonomy of mobile users’ security awareness‏

      R Bitton, A Finkelshtein, L Sidi, R Puzis, L Rokach, A Shabtai

      Computers & Security Volume 73, March 2018, Pages 266-293

      Taxonomy of mobile users’ security awareness‏

      R Bitton, A Finkelshtein, L Sidi, R Puzis, L Rokach, A Shabtai

      Computers & Security Volume 73, March 2018, Pages 266-293

      The popularity of smartphones, coupled with the amount of valuable and private information they hold, make them attractive to attackers interested in exploiting the devices to harvest sensitive information. Exploiting human vulnerabilities (i.e., social engineering) is an approach widely used to achieve this goal. Improving the security awareness of users is an effective method for mitigating social engineering attacks. However, while in the domain of personal computers (PCs) the security awareness of users is relatively high, previous studies have shown that for the mobile platform, the security awareness level is significantly lower. The skills required from a mobile user to interact safely with his/her smartphone are different from those that are required for safe and responsible PC use. Therefore, the awareness of mobile users to security risks is an important aspect of information security. An essential and challenging requirement of assessing security awareness is the definition of measureable criteria for a security aware user. In this paper, we present a hierarchical taxonomy for security awareness, specifically designed for mobile device users. The taxonomy defines a set of measurable criteria that are categorized according to different technological focus areas (e.g., applications and browsing) and within the context of psychological dimensions (e.g., knowledge, attitude, and behavior). We demonstrate the applicability of the proposed taxonomy by introducing an expert-based procedure for deriving mobile security awareness models for different attack classes (each class is an aggregation of social engineering attacks that exploit a similar set of human vulnerabilities). Each model reflects the contribution (weight) of each criterion to the mitigation of the corresponding attack class. Application of the proposed procedure, based on the input of 17 security experts, to derive mobile security awareness models of four different attack classes, confirms that the skills required from a smartphone user to mitigate an attack are different for different attack classes.

      Link

      Foundations of Homomorphic Secret Sharing

      E. Boyle, N. Gilboa, Y. Ishai, R. Lin and S. Tessaro

      9th Innovations in Theoretical Computer Science Conference (ITCS 2018)

      Foundations of Homomorphic Secret Sharing

      E. Boyle, N. Gilboa, Y. Ishai, R. Lin and S. Tessaro

      9th Innovations in Theoretical Computer Science Conference (ITCS 2018)

      Homomorphic secret sharing (HSS) is the secret sharing analogue of homomorphic encryption. An HSS scheme supports a local evaluation of functions on shares of one or more secret inputs, such that the resulting shares of the output are short. Some applications require the stronger notion of additive HSS, where the shares of the output add up to the output over some finite Abelian group. While some strong positive results for HSS are known under specific cryptographic assumptions, many natural questions remain open. We initiate a systematic study of HSS, making the following contributions. – A definitional framework. We present a general framework for defining HSS schemes that unifies and extends several previous notions from the literature, and cast known results within this framework. – Limitations. We establish limitations on information-theoretic multi-input HSS with short output shares via a relation with communication complexity. We also show that additive HSS for non-trivial functions, even the AND of two input bits, implies non-interactive key exchange, and is therefore unlikely to be implied by public-key encryption or even oblivious transfer. – Applications. We present two types of applications of HSS. First, we construct 2-round protocols for secure multiparty computation from a simple constant-size instance of HSS. As a corollary, we obtain 2-round protocols with attractive asymptotic efficiency features under the Decision Diffie Hellman (DDH) assumption. Second, we use HSS to obtain nearly optimal worst-case to average-case reductions in P. This in turn has applications to fine-grained average-case hardness and verifiable computation.

      Link

      The Ergodic Capacity of the Multiple Access Channel Under Distributed Scheduling – Order Optimality of Linear Receivers

      S. Kampeas, A. Cohen and O. Gurewitz

      IEEE Transactions on Information Theory ( Volume: PP, Issue: 99 ) Page(s): 1 - 1

      The Ergodic Capacity of the Multiple Access Channel Under Distributed Scheduling – Order Optimality of Linear Receivers

      S. Kampeas, A. Cohen and O. Gurewitz

      IEEE Transactions on Information Theory ( Volume: PP, Issue: 99 ) Page(s): 1 - 1

      Consider the problem of a Multiple-Input Multiple-Output (MIMO) Multiple-Access Channel (MAC) at the limit of large number of users. Clearly, in practical scenarios, only a small subset of the users can be scheduled to utilize the channel simultaneously. Thus, a problem of user selection arises. However, since solutions which collect Channel State Information (CSI) from all users and decide on the best subset to transmit in each slot do not scale when the number of users is large, distributed algorithms for user selection are advantageous. In this paper, we analyse a distributed user selection algorithm, which selects a group of users to transmit without coordinating between users and without all users sending CSI to the base station. This threshold-based algorithm is analysed for both Zero-Forcing (ZF) and Minimum Mean Square Error (MMSE) receivers, and its expected sum-rate in the limit of large number of users is investigated. It is shown that for large number of users it achieves the same scaling laws as the optimal centralized scheme.

      Link

      Early detection of spamming accounts in large-Scale service provider networks

      Yehonatan Cohen, Daniel Gordon, Danny Hendler

      Knowledge-Based Systems Volume 142, 15 February 2018, Pages 241-255

      Early detection of spamming accounts in large-Scale service provider networks

      Yehonatan Cohen, Daniel Gordon, Danny Hendler

      Knowledge-Based Systems Volume 142, 15 February 2018, Pages 241-255

      We present ErDOS — an algorithm for the Early Detection Of Spamming accounts. The detection approach implemented by ErDOS combines content-based labelling and features based on inter-account communication patterns. We define new account features, based on the ratio between the numbers of sent and received emails, the distribution of emails received from different accounts, and the topological features of the network induced by inter-account communication. We also present ErDOS-LVS — a variant of ErDOS that targets the detection of low-volume spammers. The empirical evaluation of both detectors is based on a real-life data set collected by an email service provider, much larger than data sets previously used for outgoing spam detection research. It establishes that both are able to provide effective early detection of the spammers population, that is, they identify these accounts as spammers before they are detected as such by a content-based detector. Moreover, both detectors require only a single day of training data for providing a high-quality list of suspect accounts.

      Link

      Quantifying the resilience of machine learning classifiers used for cyber security

      Z Katzir, Y Elovici

      Expert Systems with Applications 92, 419-429, 2018

      Quantifying the resilience of machine learning classifiers used for cyber security

      Z Katzir, Y Elovici

      Expert Systems with Applications 92, 419-429, 2018

      The use of machine learning algorithms for cyber security purposes gives rise to questions of adversarial resilience, namely: Can we quantify the effort required of an adversary to manipulate a system that is based on machine learning techniques? Can the adversarial resilience of such systems be formally modeled and evaluated? Can we quantify this resilience such that different systems can be compared using empiric metrics?

      Past works have demonstrated how an adversary can manipulate a system based on machine learning techniques by changing some of its inputs. However, comparatively little work has emphasized the creation of a formal method for measuring and comparing the adversarial resilience of different machine learning models to these changes.

      In this work we study the adversarial resilience of detection systems based on supervised machine learning models. We provide a formal definition for adversarial resilience while focusing on multisensory fusion systems. We define the model robustness (MRB) score, a metric for evaluating the relative resilience of different models, and suggest two novel feature selection algorithms for constructing adversary aware classifiers. The first algorithm selects only features that cannot realistically be modified by the adversary, while the second algorithm allows control over the resilience versus accuracy tradeoff. Finally, we evaluate our approach with a real-life use case of dynamic malware classification using an extensive, up-to-date corpus of benign and malware executables. We demonstrate the potential of using adversary aware feature selection for building more resilient classifiers and provide empirical evidence supporting the inherent resilience of ensemble algorithms compared to single model algorithms.

      Link

      Detection of malicious webmail attachments based on propagation patterns

      Yehonatan Cohen, Danny Hendler, Amir Rubin

      Knowledge-Based Systems Volume 141, 1 February 2018, Pages 67-79

      Detection of malicious webmail attachments based on propagation patterns

      Yehonatan Cohen, Danny Hendler, Amir Rubin

      Knowledge-Based Systems Volume 141, 1 February 2018, Pages 67-79

      Email remains one of the key media used by cybercriminals for distributing malware. Based on a large data set consisting of antivirus telemetry reports, we conduct the first comprehensive study of the properties of malicious webmail attachments. We show that they are distinct among the general web-borne malware population in terms of the malware reach (the number of machines to which the malware is downloaded), malware type and family. Furthermore, we show that malicious webmail attachments are unique in the manner in which they propagate through the network.

      We leverage these findings for defining novel features of malware propagation patterns. These features are derived from a time-series representation of malware download rates and from the community structure of graphs that model the network paths through which malware propagates. Based on these features, we implement a detector that provides high-quality detection of malicious webmail attachments.

      Link

      Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

      Yisroel Mirsky, Tomer Doitshman, Yuval Elovici and Asaf Shabtai

      Network and Distributed Systems Security Symposium (NDSS), 2018

      Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

      Yisroel Mirsky, Tomer Doitshman, Yuval Elovici and Asaf Shabtai

      Network and Distributed Systems Security Symposium (NDSS), 2018

      Neural networks have become an increasingly popular solution for network intrusion detection systems (NIDS). Their capability of learning complex patterns and behaviors make them a suitable solution for differentiating between normal traffic and network attacks. However, a drawback of neural networks is the amount of resources needed to train them. Many network gateways and routers devices, which could potentially host an NIDS, simply do not have the memory or processing power to train and sometimes even execute such models. More importantly, the existing neural network solutions are trained in a supervised manner. Meaning that an expert must label the network traffic and update the model manually from time to time.

      In this paper, we present Kitsune: a plug and play NIDS which can learn to detect attacks on the local network, without supervision, and in an efficient online manner. Kitsune’s core algorithm (KitNET) uses an ensemble of neural networks called autoencoders to collectively differentiate between normal and abnormal traffic patterns. KitNET is supported by a feature extraction framework which efficiently tracks the patterns of every network channel. Our evaluations show that  Kitsune can detect various attacks with a performance comparable to offline anomaly detectors, even on a Raspberry PI. This demonstrates that Kitsune can be a practical and economic NIDS.

      Link

      EVALUATION OF ADDITIVE AND SUBTRACTIVE MANUFACTURING FROM THE SECURITY PERSPECTIVE

      Mark Yampolskiy , Wayne King, Gregory Pope, Sofia Belikovetsky, Yuval Elovici

      ICCIP 2017: Critical Infrastructure Protection XI pp 23-44

      EVALUATION OF ADDITIVE AND SUBTRACTIVE MANUFACTURING FROM THE SECURITY PERSPECTIVE

      Mark Yampolskiy , Wayne King, Gregory Pope, Sofia Belikovetsky, Yuval Elovici

      ICCIP 2017: Critical Infrastructure Protection XI pp 23-44

      Additive manufacturing involves a new class of cyber-physical systems that manufacture 3D objects incrementally by depositing and fusing together thin layers of source material. In 2015, the global additive manufacturing industry had $5.165 billion in revenue, with 32.5% of all manufactured objects used as functional parts. Because of their reliance on computerization, additive manufacturing devices (or 3D printers) are susceptible to a broad range of attacks. The rapid adoption of additive manufacturing in aerospace, automotive and other industries makes it an attractive attack target and a critical asset to be protected.

      This chapter compares emerging additive manufacturing and traditional subtractive manufacturing from the security perspective. While the discussion compares the two manufacturing technologies, the emphasis is on additive manufacturing due to its expected dominance as the manufacturing technology of the future. The chapter outlines the additive and subtractive manufacturing workflows, proposes a framework for analyzing attacks on or using additive manufacturing systems and presents the major threat categories. In order to compare the two manufacturing paradigms from the security perspective, the differences between the two workflows are identified and the attack analysis framework is applied to demonstrate how the differences translate into threats. The analysis reveals that, while there is significant overlap with regard to security, fundamental differences in the two manufacturing paradigms require a separate investigation of additive manufacturing security.

      Link
      Cooperation with IBM

      Rational deployment of multiple heuristics in optimal state-space search‏

      E Karpas, O Betzalel, SE Shimony, D Tolpin, A Felner

      Cooperation with IBM

      Rational deployment of multiple heuristics in optimal state-space search‏

      E Karpas, O Betzalel, SE Shimony, D Tolpin, A Felner

      The obvious way to use several admissible heuristics in searching for an optimal solution is to take their maximum. In this paper, we aim to reduce the time spent on computing heuristics within the context of A⁎ and IDA⁎ . We discuss Lazy A⁎ and Lazy IDA⁎ , variants of A⁎ and IDA⁎ , respectively, where heuristics are evaluated lazily: only when they are essential to a decision to be made in the search process. While these lazy algorithms outperform naive maximization, we can do even better by intelligently deciding when to compute the more expensive heuristic. We present a new rational metareasoning based scheme which decides whether to compute the more expensive heuristics at all, based on a myopic regret estimate. This scheme is used to create rational lazy A⁎ and rational lazy IDA⁎ . We also present different methods for estimating the parameters necessary for making such decisions. An empirical evaluation in several domains supports the theoretical results, and shows that the rational variants, rational lazy A⁎ and rational lazy IDA⁎ , are better than their non-rational counterparts.

      Link

      Homomorphic Secret Sharing: Optimizations and Applications

      E. Boyle, G. Couteau, N. Gilboa and Y. Ishai and M. Orru

      CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pages 2105-2122

      Homomorphic Secret Sharing: Optimizations and Applications

      E. Boyle, G. Couteau, N. Gilboa and Y. Ishai and M. Orru

      CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pages 2105-2122

      We continue the study of Homomorphic Secret Sharing (HSS), recently introduced by Boyle et al. (Crypto 2016, Eurocrypt 2017). A (2-party) HSS scheme splits an input x into shares (x0,x1) such that (1) each share computationally hides x, and (2) there exists an efficient homomorphic evaluation algorithm $\Eval$ such that for any function (or “program”) from a given class it holds that Eval(x0,P)+Eval(x1,P)=P(x). Boyle et al. show how to construct an HSS scheme for branching programs, with an inverse polynomial error, using discrete-log type assumptions such as DDH.

      We make two types of contributions.

      Optimizations. We introduce new optimizations that speed up the previous optimized implementation of Boyle et al. by more than a factor of 30, significantly reduce the share size, and reduce the rate of leakage induced by selective failure.

      Applications. Our optimizations are motivated by the observation that there are natural application scenarios in which HSS is useful even when applied to simple computations on short inputs. We demonstrate the practical feasibility of our HSS implementation in the context of such applications.

      Link

      Learning Software Behavior for Automated Diagnosis

      Ori Bar-Ilan, Roni Stern and Meir Kalech

      The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017

      Learning Software Behavior for Automated Diagnosis

      Ori Bar-Ilan, Roni Stern and Meir Kalech

      The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017

      Software diagnosis algorithms aim to identify the faulty
      software components that caused a failure. A key challenges
      of existing software diagnosis algorithms is how to prioritize
      the outputted diagnoses. To do so, previous work proposed
      a method for estimating the likelihood that each diagnosis
      is correct. Computing these diagnosis likelihoods is nontrivial.
      We propose to do this by learning a behavior model
      of the software components and use it to identify abnormally
      behaving components. In this work we show the potential
      of such an approach by performing an empirical evaluation
      on a synthetic behavior model of the components. The results
      show that even an imperfect behavior model is useful
      in improving diagnosis accuracy and minimizing wasted
      troubleshooting efforts.

      Link
      In collaboration with IDC Herzliya + Technion and UCLA

      Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation

      Elette Boyle, Niv Gilboa and Yuval Ishai

      Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017

      In collaboration with IDC Herzliya + Technion and UCLA

      Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation

      Elette Boyle, Niv Gilboa and Yuval Ishai

      Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017

      A recent work of Boyle et al. (Crypto 2016) suggests that
      “group-based” cryptographic protocols, namely ones that only rely on a cryptographically hard (Abelian) group, can be surprisingly powerful. In particular, they present succinct two-party protocols for securely computing
      branching programs and NC1 circuits under the DDH assumption,
      providing the first alternative to fully homomorphic encryption.
      In this work we further explore the power of group-based secure computation
      protocols, improving both their asymptotic and concrete effi-
      ciency. We obtain the following results.
      – Black-box use of group. We modify the succinct protocols of Boyle
      et al. so that they only make a black-box use of the underlying group,
      eliminating an expensive non-black-box setup phase.
      – Round complexity. For any constant number of parties, we obtain
      2-round MPC protocols based on a PKI setup under the DDH assumption.
      Prior to our work, such protocols were only known using fully
      homomorphic encryption or indistinguishability obfuscation.
      – Communication complexity. Under DDH, we present a secure 2-
      party protocol for any NC1 or log-space computation with n input bits
      and m output bits using n + (1 + o(1))m + poly(λ) bits of communication,
      where λ is a security parameter. In particular, our protocol
      can generate n instances of bit-oblivious-transfer using (4 + o(1)) · n
      bits of communication. This gives the first constant-rate OT protocol
      under DDH.
      – Computation complexity. We present several techniques for
      improving the computational cost of the share conversion procedure of
      Boyle et al., improving the concrete efficiency of group-based protocols
      by several orders of magnitude.

      Link
      In collaboration with Technion and UCLA

      Ad Hoc PSM Protocols: Secure Computation Without Coordination

      Amos Beimel, Yuval Ishai, Eyal Kushilevitz

      Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017

      In collaboration with Technion and UCLA

      Ad Hoc PSM Protocols: Secure Computation Without Coordination

      Amos Beimel, Yuval Ishai, Eyal Kushilevitz

      Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017

      We study the notion of ad hoc secure computation, recently introduced by Beimel et al. (ITCS 2016), in the context of the Private Simultaneous Messages (PSM) model of Feige et al. (STOC 2004). In ad hoc secure computation we have n parties that may potentially participate in a protocol but, at the actual time of execution, only k of them, whose identity is not known in advance, actually participate. This situation is particularly challenging in the PSM setting, where protocols are non-interactive (a single message from each participating party to a special output party) and where the parties rely on pre-distributed, correlated randomness (that in the ad-hoc setting will have to take into account all possible sets of participants).

      We present several different constructions of ad hoc PSM protocols from standard PSM protocols. These constructions imply, in particular, that efficient information-theoretic ad hoc PSM protocols exist for NC 11 and different classes of log-space computation, and efficient computationally-secure ad hoc PSM protocols for polynomial-time computable functions can be based on a one-way function. As an application, we obtain an information-theoretic implementation of order-revealing encryption whose security holds for two messages.

      We also consider the case where the actual number of participating parties t may be larger than the minimal k for which the protocol is designed to work. In this case, it is unavoidable that the output party learns the output corresponding to each subset of k out of the t participants. Therefore, a “best possible security” notion, requiring that this will be the only information that the output party learns, is needed. We present connections between this notion and the previously studied notion of t-robust PSM (also known as “non-interactive MPC”). We show that constructions in this setting for even simple functions (like AND or threshold) can be translated into non-trivial instances of program obfuscation (such as point function obfuscation and fuzzy point function obfuscation, respectively). We view these results as a negative indication that protocols with “best possible security” are impossible to realize efficiently in the information-theoretic setting or require strong assumptions in the computational setting.

      Link
      In collaboration with IBM

      Supervised Detection of Infected Machines Using Anti-virus Induced Labels

      Tomer Cohen, Danny Hendler and Dennis Potashnik

      CSCML 2017, pages 211-220

      In collaboration with IBM

      Supervised Detection of Infected Machines Using Anti-virus Induced Labels

      Tomer Cohen, Danny Hendler and Dennis Potashnik

      CSCML 2017, pages 211-220

      Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade.

      We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.

      Link
      In collaboration with IBM

      CyberRank: Knowledge Elicitation for Risk Assessment of Database Security

      H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach

      Proceedings of the 25th ACM International on Conference on Information and Knowledge Management

      In collaboration with IBM

      CyberRank: Knowledge Elicitation for Risk Assessment of Database Security

      H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach

      Proceedings of the 25th ACM International on Conference on Information and Knowledge Management

      Security systems for databases produce numerous alerts about
      anomalous activities and policy rule violations. Prioritizing these
      alerts will help security personnel focus their efforts on the most
      urgent alerts. Currently, this is done manually by security experts
      that rank the alerts or define static risk scoring rules. Existing
      solutions are expensive, consume valuable expert time, and do not
      dynamically adapt to changes in policy.
      Adopting a learning approach for ranking alerts is complex due to
      the efforts required by security experts to initially train such a
      model. The more features used, the more accurate the model is
      likely to be, but this will require the collection of a greater amount
      of user feedback and prolong the calibration process. In this paper,
      we propose CyberRank, a novel algorithm for automatic preference
      elicitation that is effective for situations with limited experts’ time
      and outperforms other algorithms for initial training of the system.
      We generate synthetic examples and annotate them using a model
      produced by Analytic Hierarchical Processing (AHP) to bootstrap
      a preference learning algorithm. We evaluate different approaches
      with a new dataset of expert ranked pairs of database transactions,
      in terms of their risk to the organization. We evaluated using
      manual risk assessments of transaction pairs, CyberRank outperforms all other methods for cold start scenario with error reduction of 20%.

      Link

      Anomaly detection for smartphone data streams

      Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach

      Pervasive and Mobile Computing 35, 83-107, 2017

      Anomaly detection for smartphone data streams

      Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach

      Pervasive and Mobile Computing 35, 83-107, 2017

      Smartphones centralize a great deal of users’ private information and are thus a primary target for cyber-attack. The main goal of the attacker is to try to access and exfiltrate the private information stored in the smartphone without detection. In situations where explicit information is lacking, these attackers can still be detected in an automated way by analyzing data streams (continuously sampled information such as an application’s CPU consumption, accelerometer readings, etc.). When clustered, anomaly detection techniques may be applied to the data stream in order to detect attacks in progress. In this paper we utilize an algorithm called pcStream that is well suited for detecting clusters in real world data streams and propose extensions to the pcStream algorithm designed to detect point, contextual, and collective anomalies. We provide a comprehensive evaluation that addresses mobile security issues on a unique dataset collected from 30 volunteers over eight months. Our evaluations show that the pcStream extensions can be used to effectively detect data leakage (point anomalies) and malicious activities (contextual anomalies) associated with malicious applications. Moreover, the algorithm can be used to detect when a device is being used by an unauthorized user (collective anomaly) within approximately 30 s with 1 false positive every two days.

      Link

      The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case

      Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai

      SEMS (2017)

      The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case

      Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai

      SEMS (2017)

      Security-conscious users are very careful with software
      they allow their phone to run. They are much less
      careful with the choices they make regarding accessories such
      as headphones or chargers and only few, if any, care about
      cyber security threats coming from the phone’s protective
      case. We show how a malicious smartphone protective case
      can be used to detect and monitor the victim’s interaction
      with the phone’s touchscreen, opening the door to keyloggerlike
      attacks, threatening the user’s security and privacy. This
      feat is achieved by implementing a hidden capacitive sensing
      mechanism inside the case. Our attack is both sensitive enough
      to track the user’s finger location across the screen, and
      simple and cheap enough to be mass-produced and deployed en
      masse. We discuss the theoretical principles behind this attack,
      present a preliminary proof-of-concept, and discuss potential
      countermeasures and mitigations.

      Link

      Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks

      Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai

      IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)

      Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks

      Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai

      IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017)

      Reconnaissance is the initial and essential phase
      of a successful advanced persistent threat (APT). In many
      cases, attackers collect information from social media, such as
      professional social networks. This information is used to select
      members that can be exploited to penetrate the organization.
      Detecting such reconnaissance activity is extremely hard because
      it is performed outside the organization premises. In this paper,
      we propose a framework for management of social network
      honeypots to aid in detection of APTs at the reconnaissance
      phase. We discuss the challenges that such a framework faces,
      describe its main components, and present a case study based
      on the results of a field trial conducted with the cooperation of
      a large European organization. In the case study, we analyze the
      deployment process of the social network honeypots and their
      maintenance in real social networks. The honeypot profiles were
      successfully assimilated into the organizational social network
      and received suspicious friend requests and mail messages that
      revealed basic indications of a potential forthcoming attack.
      In addition, we explore the behavior of employees in professional
      social networks, and their resilience and vulnerability toward
      social network infiltration.

      Link

      Scalable Attack Path Finding for Increased Security

      Tom Gonda, Rami Puzis, and Bracha Shapira

      International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249

      Scalable Attack Path Finding for Increased Security

      Tom Gonda, Rami Puzis, and Bracha Shapira

      International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249

      Software vulnerabilities can be leveraged by attackers to gain control of a host. Attackers can then use the controlled hosts as stepping stones for compromising other hosts until they create a path to the critical assets. Consequently, network administrators must examine the protected network as a whole rather than each vulnerable host independently. To this end, various methods were suggested in order to analyze the multitude of attack paths in a given organizational network, for example, to identify the optimal attack paths. The down side of many of those methods is that they do not scale well to medium-large networks with hundreds or thousands of hosts. We suggest using graph reduction techniques in order to simplify the task of searching and eliminating optimal attacker paths. Results on an attack graph extracted from a network of a real organization with more than 300 hosts and 2400 vulnerabilities show that using the proposed graph reductions can improve the search time by a factor of 4 while maintaining the quality of the results.

      Link
      In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University

      CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains

      Reuth Mirsky, Ya'akov Gal, Stuart Shieber

      ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45

      In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University

      CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains

      Reuth Mirsky, Ya'akov Gal, Stuart Shieber

      ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45

      In exploratory domains, agents’ behaviors include switching between activities, extraneous actions, and mistakes.
      Such settings are prevalent in real world applications such as interaction with open-ended software,
      collaborative office assistants, and integrated development environments. Despite the prevalence of such
      settings in the real world, there is scarce work in formalizing the connection between high-level goals and
      low-level behavior and inferring the former from the latter in these settings. We present a formal grammar
      for describing users’ activities in such domains. We describe a new top-down plan recognition algorithm
      called CRADLE (Cumulative Recognition of Activities and Decreasing Load of Explanations) that uses this
      grammar to recognize agents’ interactions in exploratory domains. We compare the performance of CRADLE
      with state-of-the-art plan recognition algorithms in several experimental settings consisting of real and
      simulated data. Our results show that CRADLE was able to output plans exponentially more quickly than
      the state-of-the-art without compromising its correctness, as determined by domain experts. Our approach
      can form the basis of future systems that use plan recognition to provide real-time support to users in a
      growing class of interesting and challenging domains

      Link
      In collaboration with The Jerusalem College of Technology

      Shortest path for K-Goals

      Roni Stern, Meir Goldenberg, Ariel Felner

      SoCS-2017 short paper

      In collaboration with The Jerusalem College of Technology

      Shortest path for K-Goals

      Roni Stern, Meir Goldenberg, Ariel Felner

      SoCS-2017 short paper

      The k-goal problem is a generalization of the Shortest
      Path Problem (SPP) in which the task is to solve k SPP problems,
      such that all the problems share the same start vertex.
      kGP was introduced to the heuristic search community for
      building an Incremental Roadmap Spanner technique (Dobson
      and Bekris 2014), which is a useful construct in motion
      plannin for robotics. But kGP has many other applications,
      e.g., when path planning for multiple drones flying from a
      central dispatcher location to k target locations.

      Link
      In collaboration with PayPal

      Session Analysis using Plan Recognition

      Reuth Mirsky, Kobi Gal and David Tolpin

      Interfaces and Scheduling and Planning (UISP)  ICAPS (2017)

      In collaboration with PayPal

      Session Analysis using Plan Recognition

      Reuth Mirsky, Kobi Gal and David Tolpin

      Interfaces and Scheduling and Planning (UISP)  ICAPS (2017)

      This paper presents preliminary results of our work
      with a major financial company, where we try to use
      methods of plan recognition in order to investigate the
      interactions of a costumer with the company’s online
      interface. In this paper, we present the first steps of
      integrating a plan recognition algorithm in a real-world
      application for detecting and analyzing the interactions
      of a costumer. It uses a novel approach for plan recognition
      from bare-bone UI data, which reasons about
      the plan library at the lowest recognition level in order
      to define the relevancy of actions in our domain, and
      then uses it to perform plan recognition.
      We present preliminary results of inference on three different
      use-cases modeled by domain experts from the
      company, and show that this approach manages to decrease
      the overload of information required from an analyst
      to evaluate a costumer’s session — whether this
      is a malicious or benign session, whether the intended
      tasks were completed, and if not — what actions are
      expected next.

      Link
      In collaboration with Sapir Academic College, Ashkelon, Israel

      Advanced Flow Models for Computing the Reputation of Internet Domains

      Hussien Othman, Ehud Gudes, Nurit Gal-Oz

      IFIPTM 2017: 119-134

      In collaboration with Sapir Academic College, Ashkelon, Israel

      Advanced Flow Models for Computing the Reputation of Internet Domains

      Hussien Othman, Ehud Gudes, Nurit Gal-Oz

      IFIPTM 2017: 119-134

      The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well and therefore detecting malicious domains using the DNS network topology is a key challenge.
      In this work we improve the flow model presented by Mishsky etal. [12] for computing the reputation of domains. This flow model is applied on a graph of domains and IPs and propagates their reputation scores through the edges that connect them to express the impact of
      malicious domains on related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are
      strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company.
      The experimental evaluation of our work have shown the expected improvement over previous work [12] in detecting malicious domains

      12. Mishsky, I., Gal-Oz, N., Gudes, E.: A topology based flow model for computing
      domain reputation. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 277–
      292. Springer, Cham (2015). doi:10.1007/978-3-319-20810-7 20

      Link

      Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases

      Yossif Shalabi, Ehud Gudes

      DBSec 2017: 3-19

      Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases

      Yossif Shalabi, Ehud Gudes

      DBSec 2017: 3-19

      The support for Role-Based Access Control (RBAC) using cryptography for NOSQL distributed databases is investigated. Cassandra is a NoSQL DBMS that efficiently supports very large databases, but provides rather simple security measures (an agent having physical access to a Cassandra cluster is usually assumed to have access to all data therein). Support for RBAC had been added almost as an afterthought, with the Node Coordinator having to mediate all requests to read and write data, in order to ensure that only the requests allowed by the Access Control Policy (ACP) are allowed through. In this paper, we propose a model and protocols for cryptographic enforcement of an ACP in a cassandra like system, which would ease the load on the Node Coordinator, thereby taking the bottleneck out of the existing security implementation. We allow any client to read the data from any storage node(s) – provided that only the clients whom the ACP grants access to a datum, would hold the encryption keys that enable these clients to decrypt the data.

      Link
      In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

      Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party

      Nir Maoz, Ehud Gudes

      CSCML 2017: 193-195

      In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

      Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party

      Nir Maoz, Ehud Gudes

      CSCML 2017: 193-195

      We like to discuss the usability of new architecture of partitioned third party, offered in [1] for conducting a new protocols for data mining algorithms over shared data base between multiple data holders. Current solution for data mining over partitioned data base are: Data anonimization [4], homomorphic encryption [5], trusted third party [2] or secure multiparty computation algorithms [3]. Current solutions suffer from different problems such as expensive algorithms in terms of computation overhead and required communication rounds, revealing private information to third party. The new architecture offered by Sherman et al. allow the data holders to use simple masking techniques that are not expensive in computation nor assume trust in the third party, yet allow to perform simple and complex data mining algorithms between multiple data owners while private data is not revealed. That come with the assumption of no collude between the two parts of the PTTP.

      1: Q sends the query to DBi, 1 ≤ i ≤ M, and the query type (either intersection or
      union) to R.
      2: Q sends R which private column participate in the query (e.g. the age column).
      3: R generates a random permutation σ on the set of integers {1,…, 2|Ω|} and sends
      it to DBi, 1 ≤ i ≤ M.
      4: for all 1 ≤ i ≤ M do
      5: DBi sets a Boolean vector Vi={vi,1,. . . ,vi,|Ω|} where
      vi,j =
      1 ifDBi hold private value j
      0 otherwise

      Link
      In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

      Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud

      Grisha Weintraub, Ehud Gudes

      CCGrid 2017: 498-503

      In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel

      Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud

      Grisha Weintraub, Ehud Gudes

      CCGrid 2017: 498-503

      Abstract—Thanks to their high availability, scalability, and
      usability, cloud databases have become one of the dominant
      cloud services. However, since cloud users do not physically
      possess their data, data integrity may be at risk. In this
      paper, we present a novel protocol that utilizes crowdsourcing
      paradigm to provide practical data integrity assurance in keyvalue
      cloud databases. The main advantage of our protocol
      over previous work is its high applicability – as opposed to
      existing approaches, our scheme does not require any system
      changes on the cloud side and thus can be applied directly
      to any existing system. We demonstrate the feasibility of our
      scheme by a prototype implementation and its evaluation.

      Link

      From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts

      Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.

      Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017)

      From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts

      Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y.

      Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017)

      In this preliminary study we present the
      first practical attack on a modern smartphone which
      is mounted through a malicious aftermarket replacement
      part (specifically, a replacement touchscreen).
      Our attack exploits the lax security checks on the
      packets traveling between the touchscreen’s embedded
      controller and the phone’s main CPU, and is
      able to achieve kernel-level code execution privileges
      on modern Android phones protected by SELinux.
      This attack is memory independent and survives data
      wipes and factory resets. We evaluate two phones
      from major vendors and present a proof-of-concept
      attack in actual hardware on one phone and an emulation
      level attack on the other. Through a semiautomated
      source code review of 26 recent Android
      phones from 8 different vendors, we believe that our
      attack vector can be applied to many other phones,
      and that it is very difficult to protect against. Similar
      attacks should also be possible on other smart devices
      such as printers, cameras and cars, which similarly
      contain user-replaceable sub-units.

      Link
      In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev

      POSTER: Towards Exposing Internet of Things: A Roadmap

      Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici

      In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016)

      In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev

      POSTER: Towards Exposing Internet of Things: A Roadmap

      Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici

      In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016)

      Considering the exponential increase of Internet of Things
      (IoT) devices there is also unforeseen vulnerabilities associated
      with these IoT devices. One of the major problems
      in the IoT is the security testing and analysis due to the
      heterogeneous nature of deployments. Currently, there is no
      mechanism that performs security testing for IoT devices in
      different contexts. In addition, there is a missing framework
      to be able to adapt and tune accordingly with various security
      testing perspectives. In this paper, we propose an
      innovative security testbed targeted at IoT devices and also
      briefly introduce Adaptable and Tunable Framework (ATF)
      for testing IoT devices.

      Link
      In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev

      Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things

      Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y.

      In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017)

      In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev

      Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things

      Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y.

      In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017)

      The exponential increase of Internet of Things (IoT) devices have
      resulted in a range of new and unanticipated vulnerabilities
      associated with their use. IoT devices from smart homes to smart enterprises can easily be compromised. One of the major problems associated with the IoT is maintaining security; the
      vulnerable nature of IoT devices poses a challenge to many
      aspects of security, including security testing and analysis. It is
      trivial to perform the security analysis for IoT devices to
      understand the loop holes and very nature of the devices itself.
      Given these issues, there has been less emphasis on security
      testing and analysis of the IoT. In this paper, we show our
      preliminary efforts in the area of security analysis for IoT devices
      and introduce a security IoT testbed for performing security
      analysis. We also discuss the necessary design, requirements and the architecture to support our security analysis conducted via the proposed testbed.

      Link
      In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST)

      Advanced security testbed framework for wearable IoT devices

      Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y.

      ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016)

      In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST)

      Advanced security testbed framework for wearable IoT devices

      Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y.

      ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016)

      Analyzing the security of Wearable Internet-of-Things (WIoT) devices is considered a complex task due to
      their heterogeneous nature. In addition, there is currently no mechanism that performs security testing
      for WIoT devices in different contexts. In this article, we propose an innovative security testbed framework
      targeted at wearable devices, where a set of security tests are conducted, and a dynamic analysis is performed
      by realistically simulating environmental conditions in which WIoT devices operate. The architectural design
      of the proposed testbed and a proof-of-concept, demonstrating a preliminary analysis and the detection of
      context-based attacks executed by smartwatch devices, are presented.

      Link

      Ranking Vulnerability Fixes Using Planning Graph Analysis

      Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani

      International Workshop on Artificial Intelligence and Security (2017)

      Ranking Vulnerability Fixes Using Planning Graph Analysis

      Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani

      International Workshop on Artificial Intelligence and Security (2017)

      During the past years logical attack graphs were
      used to find the most critical vulnerabilities and
      devise efficient hardening strategies for organizational
      networks. Most techniques for ranking vulnerabilities
      either do not scale well, e.g. brute-force
      attack plan enumeration, or are not well suited for
      the analysis of logical attack graphs, e.g. centrality
      measures.
      In this paper we suggest an analysis of the planning
      graph (from classical planning) derived from
      the logical attack graph to improve the accuracy
      of centrality-based vulnerability ranking metrics.
      The planning graph also allows efficient enumeration
      of the set of possible attack plans that use a
      given vulnerability on a specific machine. We suggest
      a set of centrality based heuristics for reducing
      the number of attack plans and compare with
      previously suggested vulnerability ranking metrics.
      Results show that metrics computed over the planning
      graph are superior to metrics computed over
      the logical attack graph or the network connectivity
      graph.

      Link

      Partially Observable Contingent Planning for Penetration Testing

      Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani

      28th International Workshop on Principles of Diagnosis (DX) (2017)

      Partially Observable Contingent Planning for Penetration Testing

      Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani

      28th International Workshop on Principles of Diagnosis (DX) (2017)

      Penetration Testing (pentesting), where network administrators
      automatically attack their own network to identify
      and fix vulnerabilities, has recently received attention
      from the AI community. Smart algorithms that can
      identify robust and efficient attack plans may imitate
      human hackers better than simple protocols. Classical
      planning methods for pentesting model poorly the real
      world, where the attacker has only partial information
      concerning the network. On the other hand POMDPbased
      approaches provide a strong model, but fail to
      scale up to reasonable model sizes. In this paper we offer
      a middle ground, allowing for partial observability
      and non-deterministic action effects, by modeling pentesting
      as a partially observable contingent problem. We
      experiment with a real network of a large organization,
      showing our solver to scale to realistic problem sizes.
      We also experiment with sub-sampled networks, comparing
      the expected reward of a contingent plan graph
      to that of a POMDP policy.

      Link

      A hybrid approach for improving unsupervised fault detection for robotic systems

      Eliahu Khalastchi , Meir Kalech , Lior Rokach

      Expert Systems with Applications Volume 81, 15 September 2017, Pages 372-383

      A hybrid approach for improving unsupervised fault detection for robotic systems

      Eliahu Khalastchi , Meir Kalech , Lior Rokach

      Expert Systems with Applications Volume 81, 15 September 2017, Pages 372-383

      The use of robots in our daily lives is increasing. As we rely more on robots, thus it becomes more important for us that the robots will continue on with their mission successfully. Unfortunately, these sophisticated, and sometimes very expensive, machines are susceptible to different kinds of faults. It becomes important to apply a Fault Detection (FD) mechanism which is suitable for the domain of robots. Two important requirements of such a mechanism are: high accuracy and low computational-load during operation (online). Supervised learning can potentially produce very accurate FD models, and if the learning takes place offline then the online computational-load can be reduced. Yet, the domain of robots is characterized with the absence of labeled data (e.g., “faulty”, “normal”) required by supervised approaches, and consequently, unsupervised approaches are being used. In this paper we propose a hybrid approach – an unsupervised approach can label a data set, with a low degree of inaccuracy, and then the labeled data set is used offline by a supervised approach to produce an online FD model. Now, we are faced with a choice – should we use the unsupervised or the hybrid fault detector? Seemingly, there is no way to validate the choice due to the absence of (a priori) labeled data. In this paper we give an insight to why, and a tool to predict when, the hybrid approach is more accurate. In particular, the main impacts of our work are (1) we theoretically analyze the conditions under which the hybrid approach is expected to be more accurate. (2) Our theoretical findings are backed with empirical analysis. We use data sets of three different robotic domains: a high fidelity flight simulator, a laboratory robot, and a commercial Unmanned Arial Vehicle (UAV). (3) We analyze how different unsupervised FD approaches are improved by the hybrid technique and (4) how well this improvement fits our prediction tool. The significance of the hybrid approach and the prediction tool is the potential benefit to expert and intelligent systems in which labeled data is absent or expensive to create.

      Link
      Cooperation with Soroka University Medical Center

      Predicting Refractive Surgery Outcome: Machine Learning Approach With Big Data

      Asaf Achiron, Zvi Gur, Uri Aviv, Assaf Hilely, Michael Mimouni, Lily Karmona, Lior Rokach, Igor Kaiserman

      Journal of Refractive Surgery. 2017;33(9):592-597

      Cooperation with Soroka University Medical Center

      Predicting Refractive Surgery Outcome: Machine Learning Approach With Big Data

      Asaf Achiron, Zvi Gur, Uri Aviv, Assaf Hilely, Michael Mimouni, Lily Karmona, Lior Rokach, Igor Kaiserman

      Journal of Refractive Surgery. 2017;33(9):592-597

      PURPOSE:To develop a decision forest for prediction of laser refractive surgery outcome.

      METHODS:Data from consecutive cases of patients who underwent LASIK or photorefractive surgeries during a 12-year period in a single center were assembled into a single dataset. Training of machine-learning classifiers and testing were performed with a statistical classifier algorithm. The decision forest was created by feature vectors extracted from 17,592 cases and 38 clinical parameters for each patient. A 10-fold cross-validation procedure was applied to estimate the predictive value of the decision forest when applied to new patients.

      RESULTS:Analysis included patients younger than 40 years who were not treated for monovision. Efficacy of 0.7 or greater and 0.8 or greater was achieved in 16,198 (92.0%) and 14,945 (84.9%) eyes, respectively. Efficacy of less than 0.4 and less than 0.5 was achieved in 322 (1.8%) and 506 (2.9%) eyes, respectively. Patients in the low efficacy group (< 0.4) had statistically significant differences compared with the high efficacy group (≥ 0.8), yet were clinically similar (mean differences between groups of 0.7 years, of 0.43 mm in pupil size, of 0.11 D in cylinder, of 0.22 logMAR in preoperative CDVA, of 0.11 mm in optical zone size, of 1.03 D in actual sphere treatment, and of 0.64 D in actual cylinder treatment). The preoperative subjective CDVA had the highest gain (most important to the model). Correlations analysis revealed significantly decreased efficacy with increased age (r = −0.67, P < .001), central corneal thickness (r = −0.40, P < .001), mean keratometry (r = −0.33, P < .001), and preoperative CDVA (r = −0.47, P < .001). Efficacy increased with pupil size (r = 0.20, P < .001).

      CONCLUSIONS:This model could support clinical decision making and may lead to better individual risk assessment. Expanding the role of machine learning in analyzing big data from refractive surgeries may be of interest.

      Link

      Inter-labeler and intra-labeler variability of condition severity classification models using active and passive learning methods

      N Nissim, Y Shahar, Y Elovici, G Hripcsak, R Moskovitch

      Artificial Intelligence in Medicine Volume 81, September 2017, Pages 12-32

      Inter-labeler and intra-labeler variability of condition severity classification models using active and passive learning methods

      N Nissim, Y Shahar, Y Elovici, G Hripcsak, R Moskovitch

      Artificial Intelligence in Medicine Volume 81, September 2017, Pages 12-32

      Background and objectives

      Labeling instances by domain experts for classification is often time consuming and expensive. To reduce such labeling efforts, we had proposed the application of active learning (AL) methods, introduced our CAESAR-ALE framework for classifying the severity of clinical conditions, and shown its significant reduction of labeling efforts. The use of any of three AL methods (one well known [SVM-Margin], and two that we introduced [Exploitation and Combination_XA]) significantly reduced (by 48% to 64%) condition labeling efforts, compared to standard passive (random instance-selection) SVM learning. Furthermore, our new AL methods achieved maximal accuracy using 12% fewer labeled cases than the SVM-Margin AL method.

      However, because labelers have varying levels of expertise, a major issue associated with learning methods, and AL methods in particular, is how to best to use the labeling provided by a committee of labelers. First, we wanted to know, based on the labelers’ learning curves, whether using AL methods (versus standard passive learning methods) has an effect on the Intra-labeler variability (within the learning curve of each labeler) and inter-labeler variability (among the learning curves of different labelers). Then, we wanted to examine the effect of learning (either passively or actively) from the labels created by the majority consensus of a group of labelers.

      Methods

      We used our CAESAR-ALE framework for classifying the severity of clinical conditions, the three AL methods and the passive learning method, as mentioned above, to induce the classifications models. We used a dataset of 516 clinical conditions and their severity labeling, represented by features aggregated from the medical records of 1.9 million patients treated at Columbia University Medical Center. We analyzed the variance of the classification performance within (intra-labeler), and especially among (inter-labeler) the classification models that were induced by using the labels provided by seven labelers. We also compared the performance of the passive and active learning models when using the consensus label.

      Results

      The AL methods: produced, for the models induced from each labeler, smoother Intra-labeler learning curves during the training phase, compared to the models produced when using the passive learning method. The mean standard deviation of the learning curves of the three AL methods over all labelers (mean: 0.0379; range: [0.0182 to 0.0496]), was significantly lower (p = 0.049) than the Intra-labeler standard deviation when using the passive learning method (mean: 0.0484; range: [0.0275–0.0724).

      Using the AL methods resulted in a lower mean Inter-labeler AUC standard deviation among the AUC values of the labelers’ different models during the training phase, compared to the variance of the induced models’ AUC values when using passive learning. The Inter-labeler AUC standard deviation, using the passive learning method (0.039), was almost twice as high as the Inter-labeler standard deviation using our two new AL methods (0.02 and 0.019, respectively). The SVM-Margin AL method resulted in an Inter-labeler standard deviation (0.029) that was higher by almost 50% than that of our two AL methods The difference in the inter-labeler standard deviation between the passive learning method and the SVM-Margin learning method was significant (p = 0.042). The difference between the SVM-Margin and Exploitation method was insignificant (p = 0.29), as was the difference between the Combination_XA and Exploitation methods (p = 0.67).

      Finally, using the consensus label led to a learning curve that had a higher mean intra-labeler variance, but resulted eventually in an AUC that was at least as high as the AUC achieved using the gold standard label and that was always higher than the expected mean AUC of a randomly selected labeler, regardless of the choice of learning method (including a passive learning method). Using a paired t-test, the difference between the intra-labeler AUC standard deviation when using the consensus label, versus that value when using the other two labeling strategies, was significant only when using the passive learning method (p = 0.014), but not when using any of the three AL methods.

      Conclusions

      The use of AL methods, (a) reduces intra-labeler variability in the performance of the induced models during the training phase, and thus reduces the risk of halting the process at a local minimum that is significantly different in performance from the rest of the learned models; and (b) reduces Inter-labeler performance variance, and thus reduces the dependence on the use of a particular labeler. In addition, the use of a consensus label, agreed upon by a rather uneven group of labelers, might be at least as good as using the gold standard labeler, who might not be available, and certainly better than randomly selecting one of the group’s individual labelers. Finally, using the AL methods: when provided by the consensus label reduced the intra-labeler AUC variance during the learning phase, compared to using passive learning.

      Link
      Cooperation with IBM & Google

      DLRS 2017: Second Workshop on Deep Learning for Recommender Systems

      Balázs Hidasi, Alexandros Karatzoglou, Oren Sar-Shalom, Sander Dieleman, Bracha Shapira, Domonkos Tikk

      RecSys '17 Proceedings of the Eleventh ACM Conference on Recommender Systems Pages 370-371 Como, Italy — August 27 - 31, 2017

      Cooperation with IBM & Google

      DLRS 2017: Second Workshop on Deep Learning for Recommender Systems

      Balázs Hidasi, Alexandros Karatzoglou, Oren Sar-Shalom, Sander Dieleman, Bracha Shapira, Domonkos Tikk

      RecSys '17 Proceedings of the Eleventh ACM Conference on Recommender Systems Pages 370-371 Como, Italy — August 27 - 31, 2017

      Deep learning methods became widely popular in the recommender systems community in 2016, in part thanks to the previous event of the DLRS workshop series. Now, deep learning has been embedded in the main conference as well and initial research directions have started forming, so the role of DLRS 2017 is to encourage starting new research directions, incentivize the application of very recent techniques from deep learning, and provide a venue for specialized discussion of this topic.

      Link

      Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise (‘DiskFiltration’)

      Mordechai Guri Email author , Yosef Solewicz, Andrey Daidakulov, Yuval Elovici

      ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115

      Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise (‘DiskFiltration’)

      Mordechai Guri Email author , Yosef Solewicz, Andrey Daidakulov, Yuval Elovici

      ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115

      In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, the magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops todays are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h).

      Link
      Cooperation with IDF

      DiskFiltration: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise

      Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici,

      ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115

      Cooperation with IDF

      DiskFiltration: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise

      Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici,

      ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115

      In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, the magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops todays are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h).

      Link
      In collaboration with Ariel University

      I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification

      R. DubinS, A. DvirPI, O. PelePI and O. HadarPI

      IEEE Transactions on Information Forensics & Security, Vol. 12, No. 12, pp. 3039-3049, July 2017

      In collaboration with Ariel University

      I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification

      R. DubinS, A. DvirPI, O. PelePI and O. HadarPI

      IEEE Transactions on Information Forensics & Security, Vol. 12, No. 12, pp. 3039-3049, July 2017

      Desktops and laptops can be maliciously exploited to violate privacy. There are two main types of attack scenarios: active and passive. In this paper, we consider the passive scenario where the adversary does not interact actively with the device, but he is able to eavesdrop on the network traffic of the device from the network side. Most of the Internet traffic is encrypted and thus passive attacks are challenging. Previous research has shown that information can be extracted from encrypted multimedia streams. This includes video title classification of non HTTP adaptive streams (non-HAS). This paper presents an algorithm for encrypted HTTP adaptive video streaming title classification. We show that an external attacker can identify the video title from video HTTP adaptive streams (HAS) sites such as YouTube. To the best of our knowledge, this is the first work that shows this. We provide a large data set of 10000 YouTube video streams of 100 popular video titles (each title downloaded 100 times) as examples for this task. The dataset was collected under real-world network conditions. We present several machine algorithms for the task and run a through set of experiments, which shows that our classification accuracy is more than 95%. We also show that our algorithms are able to classify video titles that are not in the training set as unknown and some of the algorithms are also able to eliminate false prediction of video titles and instead report unknown. Finally, we evaluate our algorithms robustness to delays and packet losses at test time and show that a solution that uses SVM is the most robust against these changes given enough training data. We provide the dataset and the crawler for future research.

      Link
      Cooperation with Tel-Aviv University

      Cyber Security and the Role of Intelligent Systems in Addressing its Challenges

      Yaniv Harel, Irad Ben Gal and Yuval Elovici

      ACM Transactions on Intelligent Systems and Technology (TIST) - Special Issue: Cyber Security and Regular Papers archive Volume 8 Issue 4, July 2017 Article No. 49

      Cooperation with Tel-Aviv University

      Cyber Security and the Role of Intelligent Systems in Addressing its Challenges

      Yaniv Harel, Irad Ben Gal and Yuval Elovici

      ACM Transactions on Intelligent Systems and Technology (TIST) - Special Issue: Cyber Security and Regular Papers archive Volume 8 Issue 4, July 2017 Article No. 49

      We are living in a unique period of history, and the current technology revolution will
      be among the most dramatic societal transformations remembered by humanity. The
      important changes associated with the invention of the engine, electricity, and the
      printing press gradually transformed society in the western world over a period of over
      a hundred years. The changes accompanying the current revolution have significantly
      altered the lives of average citizens across the globe in less than a generation. This is
      unprecedented.
      In the past, revolutions spanned decades, enabling the establishment of processes
      and systems. For example, a language that supports the new revolution evolves, and
      leaders emerge, with the fresh perspective required by the revolutionary changes. New
      disciplines are created and new occupations are developed to support the changes. The
      present revolution is taking place at such a high speed that such enabling processes
      and systems have not yet been established, let alone developed or matured, and they
      will continue to be created well into the future.
      Over the past three decades, an important new vector of the technology revolution
      has emerged: the cyber domain. In particular, the technological aspects of cyber—
      such as computer technologies, access to information and systems, greater connectivity
      among subsystems, and the combined effect of all these aspects on a growing list of diverse
      spheres—expose the world to unprecedented risks. Academia and the intellectual infrastructure associated with the cyber domain are struggling to keep up with the domain’s
      rapid pace.
      Cryptography is a mature discipline, with strong connections to mathematics and
      computer science, which have helped the discipline evolve and develop over the years.
      Traditionally, it has been the cyber area most rooted in the academic world. However,
      many other technological subjects should also be part of the cyber academic discussion.
      Each month, as the cyber effect expands, new aspects of this arena become part of the
      cyber theoretical discipline. For example, the autonomous car came on the scene in
      recent years [Coppola and Morisio 2016], and it did not take long before a cyber threat
      associated with the autonomous car was identified. The immaturity of the discipline
      is reflected by the fact that cyber is currently being discussed on many stages and
      studied by researchers from diverse disciplines and perspectives. The issue of whether
      cyber is a pure discipline or a topic that relates to several disciplines will continue
      to be discussed in the coming years. The following special issue includes a collection
      of selected papers that cover the diverse cyber domain and how it interfaces with
      intelligent systems. The topics were presented at the Tel Aviv Academic Conference
      over two successive years. The scope of this special issue is relatively broad, yet there
      are many cyber issues that have not been addressed in this edition.

      Link

      Measurement of online discussion authenticity within online social media‏

      A Elyashar, J Bendahan, R Puzis, MA Sanmateu

      IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining.

      Measurement of online discussion authenticity within online social media‏

      A Elyashar, J Bendahan, R Puzis, MA Sanmateu

      IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining.

      In this paper, we propose an approach for estimating the authenticity of online discussions based on the similarity of online social media (OSM) accounts participating in the online discussion to known abusers and legitimate accounts. Our method uses similarity functions for the analysis and classification of OSM accounts. The proposed methods are demonstrated using Twitter data collected for this study and a previously published Arabic Honeypot dataset. The data collected during this study includes manually labeled accounts and a ground truth collection of abusers from crowdturfing platforms. Demonstration of the discussion topic’s authenticity, derived from account similarity functions, shows that the suggested approach is effective for discriminating between topics that were strongly promoted by abusers and topics that attracted authentic public interest.

      Measurement of Online Discussion Authenticity within Online Social Media | Request PDF. Available from: https://www.researchgate.net/publication/321064925_Measurement_of_Online_Discussion_Authenticity_within_Online_Social_Media [accessed Mar 05 2018].

      Link

      9-1-1 DDoS: Attacks, Analysis and Mitigation

      Mordechai Guri, Yisroel Mirsky, Yuval Elovici

      2017 IEEE European Symposium on Security and Privacy (EuroS&P).

      9-1-1 DDoS: Attacks, Analysis and Mitigation

      Mordechai Guri, Yisroel Mirsky, Yuval Elovici

      2017 IEEE European Symposium on Security and Privacy (EuroS&P).

      The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller’s identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future.
      Link
      Cooperation with IBM

      Supervised Detection of Infected Machines

      Tomer Cohen, Danny Hendler and Dennis Potashnik

      CSCML 2017: Cyber Security Cryptography and Machine Learning pp 34-49

      Cooperation with IBM

      Supervised Detection of Infected Machines

      Tomer Cohen, Danny Hendler and Dennis Potashnik

      CSCML 2017: Cyber Security Cryptography and Machine Learning pp 34-49

      Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade.

      We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.

      Link

      Diagnosing resource usage failures in multi-agent systems

      Orel Elimelech, Roni Stern, Meir Kalech, Yedidya Bar-Zeev

      Expert Systems with Applications Volume 77, 1 July 2017, Pages 44-56

      Diagnosing resource usage failures in multi-agent systems

      Orel Elimelech, Roni Stern, Meir Kalech, Yedidya Bar-Zeev

      Expert Systems with Applications Volume 77, 1 July 2017, Pages 44-56

      In the not-so-far future, autonomous vehicles will be ubiquitous and, consequently, need to be coordinated to avoid traffic jams and car accidents. A failure in one or more autonomous vehicles may break this coordination, resulting in reduced efficiency (due to traffic load) or even bodily harm (due to accidents). The challenge we address in this paper is to identify the root cause of such failures. Identifying the faulty vehicles in such cases is crucial in order to know which vehicles to repair to avoid future failures as well as for determining accountability (e.g., for legal purposes). More generally, this paper discusses multi-agent systems (MAS) in which the agents use a shared pool of resources and they coordinate to avoid resource contention by agreeing on a temporal resource allocation. The problem we address, called the Temporal Multi-Agent Resource Allocation (TMARA) diagnosis problem (TMARA-Diag), is to find the root cause of failures in such MAS that are caused by malfunctioning agents that use resources not allocated to them. As in the autonomous vehicles example, such failures may cause the MAS to perform suboptimally or even fail, potentially causing a chain reaction of failures, and we aim to identify the root cause of such failures, i.e., which agents did not follow the planned resource allocation. We show how to formalize TMARA-Diag as a model-based diagnosis problem and how to compile it to a set of logical constraints that can be compiled to Boolean satisfiability (SAT) and solved efficiently with modern SAT solvers. Importantly, the proposed solution does not require the agents to share their actual plans, only the agreed upon temporal resource allocation and the resources used at the time of failure. Such solutions are key in the development and success of intelligent, large, and security-aware MAS.

      Link

      Ensembles of classifiers based on dimensionality reduction

      Alon Schclar, Lior Rokach, Amir Amit

      Intelligent Data Analysis, vol. 21, no. 3, pp. 467-489, 2017

      Ensembles of classifiers based on dimensionality reduction

      Alon Schclar, Lior Rokach, Amir Amit

      Intelligent Data Analysis, vol. 21, no. 3, pp. 467-489, 2017

      We present a novel approach for the construction of ensemble classifiers based on dimensionality reduction. The ensemble members are trained based on dimension-reduced versions of the training set. In order to classify a test sample, it is first embedded into the dimension reduced space of each individual classifier by using an out-of-sample extension algorithm. Each classifier is then applied to the embedded sample and the classification is obtained via a voting scheme. We demonstrate the proposed approach using the Random Projections, the Diffusion Maps and the Random Subspaces dimensionality reduction algorithms. We also present a multi-strategy ensemble which combines AdaBoost and Diffusion Maps. A comparison is made with the Bagging, AdaBoost, Rotation Forest ensemble classifiers and also with the base classifier. Our experiments used seventeen benchmark datasets from the UCI repository. The results obtained by the proposed algorithms were superior in many cases to other algorithms.

      Link
      In collaboration with Princeton University

      Physical Layer Security over Wiretap Channels with Random Parameters

      Z. Goldfeld, P. Cuff and H. H. Permuter.

      Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

      In collaboration with Princeton University

      Physical Layer Security over Wiretap Channels with Random Parameters

      Z. Goldfeld, P. Cuff and H. H. Permuter.

      Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

      We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated that our region can be strictly larger than those reported in the preceding works.

      Link
      In collaboration with Princeton University

      The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

      Z. Goldfeld, P. Cuff and H. H. Permuter

      Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

      In collaboration with Princeton University

      The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

      Z. Goldfeld, P. Cuff and H. H. Permuter

      Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

      To be considered for the 2017 IEEE Jack Keil
      Wolf ISIT Student Paper Award. We study the state-dependent
      (SD) wiretap channel (WTC) with non-causal channel state
      information (CSI) at the encoder. This model subsumes all other
      instances of CSI availability as special cases, and calls for an
      efficient utilization of the state sequence both for reliability and
      security purposes. A lower bound on the secrecy-capacity, that
      improves upon the previously best known result by Chen and
      Han Vinck, is derived based on a novel superposition coding
      scheme. The improvement over the Chen and Han Vinck result
      is strict for some SD-WTCs. Specializing the lower bound to the
      case where CSI is also available to the decoder reveals that it
      is at least as good as the achievable formula by Chia and ElGamal,
      which is already known to outperform the adaptation
      of the Chen and Han Vinck code to the encoder and decoder
      CSI scenario. The results are derived under the strict semanticsecurity
      metric that requires negligible information leakage for
      all message distributions. The proof of achievability relies on
      a stronger version of the soft-covering lemma for superposition
      codes.

      Link

      Centralized vs. Decentralized Multi-Agent Guesswork

      S. Salamatian, A. Beirami, A. Cohen and M. Medard

      2017 IEEE International Symposium on Information Theory (ISIT)

      Centralized vs. Decentralized Multi-Agent Guesswork

      S. Salamatian, A. Beirami, A. Cohen and M. Medard

      2017 IEEE International Symposium on Information Theory (ISIT)

      Abstract:

      We study a notion of guesswork, where multiple agents intend to launch a coordinated brute-force attack to find a single binary secret string, and each agent has access to side information generated through either a BEC or a BSC. The average number of trials required to find the secret string grows exponentially with the length of the string, and the rate of the growth is called the guesswork exponent. We compute the guesswork exponent for several multi-agent attacks. We show that a multi-agent attack reduces the guesswork exponent compared to a single agent, even when the agents do not exchange information to coordinate their attack, and try to individually guess the secret string using a predetermined scheme in a decentralized fashion. Further, we show that the guesswork exponent of two agents who do coordinate their attack is strictly smaller than that of any finite number of agents individually performing decentralized guesswork.
      Link

      Active hypothesis testing on a tree: Anomaly detection under hierarchical observations

      Chao Wang, Qing Zhao, and Kobi Cohen

      2017 IEEE International Symposium on Information Theory (ISIT)

      Active hypothesis testing on a tree: Anomaly detection under hierarchical observations

      Chao Wang, Qing Zhao, and Kobi Cohen

      2017 IEEE International Symposium on Information Theory (ISIT)

      The problem of detecting a few anomalous processes among a large number of M processes is considered. At each
      time, aggregated observations can be taken from a chosen subset of processes, where the chosen subset conforms to a
      given binary tree structure. The random observations are i.i.d. over time with a general distribution that may depend
      on the size of the chosen subset and the number of anomalous processes in the subset. The objective is a sequential
      search strategy that minimizes the sample complexity (i.e., the expected number of observations which represents
      detection delay) subject to a reliability constraint. A sequential test that results in a biased random walk on the tree
      is developed and is shown to be asymptotically optimal in terms of detection accuracy. Furthermore, it achieves the
      optimal logarithmic-order sample complexity in M provided that the Kullback-Liebler divergence between aggregated
      observations in the presence and the absence of anomalous processes are bounded away from zero at all levels of the
      tree structure as M approaches infinity. Sufficient conditions on the decaying rate of the aggregated observations to
      pure noise under which a sublinear scaling in M is preserved are also identified for the Bernoulli case.

      Link
      In collaboration with Princeton University

      Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

      A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

      In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

      In collaboration with Princeton University

      Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

      A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

      In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

      We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over
      a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This
      model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state
      sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity
      region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is
      shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong
      soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off
      result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for
      either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated
      that our region can be strictly larger than those reported in the preceding works.

      Link

      A Proxy-Based Solution for Securiting Remote Desktop Connections in Mission-Critical Systems

      Ron Bitton ; Clint Feher ; Yuval Elovici ; Asaf Shabtai ; Gaby Shugol ; Raz Tikochinski ; Shachar Kur

      2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

      A Proxy-Based Solution for Securiting Remote Desktop Connections in Mission-Critical Systems

      Ron Bitton ; Clint Feher ; Yuval Elovici ; Asaf Shabtai ; Gaby Shugol ; Raz Tikochinski ; Shachar Kur

      2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

      Remote desktop protocols (RDPs) are used for connecting and interacting with computers remotely. In recent years, we have witnessed a number of vulnerabilities identified in two widely used remote desktop implementations, Microsoft Remote Desktop and RealVNC, that may expose the connected systems to a new attack vector. Such vulnerabilities are particularly concerning when it comes to mission-critical systems in which a client device with a low trust level connects to the critical system via a remote desktop server. In this preliminary study we propose a proxy-based solution that applies various modules, each of which mitigates a different type of threat, in order to secure remote desktop connections used in missioncritical systems.
      Link
      Cooperation with Tel-Aviv University

      Enhanced situation space mining for data streams

      Y Mirsky, T Halpern, R Upadhyay, S Toledo, Y Elovici

      SAC '17 Proceedings of the Symposium on Applied Computing Pages 842-849 Marrakech, Morocco — April 03 - 07, 2017

      Cooperation with Tel-Aviv University

      Enhanced situation space mining for data streams

      Y Mirsky, T Halpern, R Upadhyay, S Toledo, Y Elovici

      SAC '17 Proceedings of the Symposium on Applied Computing Pages 842-849 Marrakech, Morocco — April 03 - 07, 2017

      Data streams can capture the situation which an actor is experiencing. Knowledge of the present situation is highly beneficial for a wide range of applications. An algorithm called pcStream can be used to extract situations from a numerical data stream in an unsupervised manner. Although pcStream outperforms other stream clustering algorithms at this task, pcStream has two major flaws. The first is its complexity due to continuously performing principal component analysis (PCA). The second is its difficulty in detecting emerging situations whose distributions overlap in the same feature space.

      In this paper we introduce pcStream2, a variant of pcStream which employs windowing and persistence in order to distinguish between emerging overlapping concepts. We also propose the use of incremental PCA (IPCA) to reduce the overall complexity and memory requirements of the algorithm. Although any IPCA algorithm can be used, we use a novel IPCA algorithm called Just-In-Time PCA which is better suited for processing streams. JIT-PCA makes intelligent ‘short cuts’ in order to reduce computations. We provide experimental results on real-world datasets that demonstrates how the proposed improvements make pcStream2 a more accurate and practical tool for situation space mining.

      Link
      Cooperation with Singapore University of Technology and Design

      Cyber security patrol: detecting fake and vulnerable wifi-enabled printers

      J Toh, M Hatib, O Porzecanski, Y Elovici‏

      SAC '17 Proceedings of the Symposium on Applied Computing Pages 535-542 Marrakech, Morocco — April 03 - 07, 2017

      Cooperation with Singapore University of Technology and Design

      Cyber security patrol: detecting fake and vulnerable wifi-enabled printers

      J Toh, M Hatib, O Porzecanski, Y Elovici‏

      SAC '17 Proceedings of the Symposium on Applied Computing Pages 535-542 Marrakech, Morocco — April 03 - 07, 2017

      Many printers nowadays support Wi-Fi connectivity. Some organizations opt to disable their printer’s wireless connectivity, others are not aware at all that it is enabled and some enable it in an encrypted form. In this paper we demonstrate how an application called “pFaker” running on a mobile device or smart watch can be used to mimic a printer’s Wi-Fi connectivity and functionalities in order to harm user privacy by unobtrusively stealing print jobs. To mitigate these risks, we developed a mobile application called “Cyber-Security Patrol”. We demonstrate how a mobile phone running Cyber-Security patrol can be placed on a drone or an autonomous vacuum cleaner to search for devices that try to mimic the printer’s Wi-Fi connectivity and for printers that expose unsecured wireless connection in the target organization. Cyber-Security Patrol takes photos of the location where unauthorized Wi-Fi enabled printers were detected and sends them to the organization’s administrator. For cases that the Wi-Fi enabled printer is legitimate but unsecured, Cyber Security Patrol sends a print job to the printer with detailed instructions on how to secure the specific printer model as identified based on its Service Set Identifier (SSID). A demo that demonstrates one of the use cases can be found here: https://www.youtube.com/watch?v=aJ2ZG04BrjM

      Link
      Cooperation with Singapore University of Technology and Design

      Siphon: Towards scalable high-interaction physical honeypots

      Juan David Guarnizo, Amit Tambe, Suman Sankar Bhunia, Martín Ochoa, Nils Ole Tippenhauer, Asaf Shabtai, Yuval Elovici,

      CPSS '17 Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security Pages 57-68 Abu Dhabi, United Arab Emirates — April 02 - 02, 2017

      Cooperation with Singapore University of Technology and Design

      Siphon: Towards scalable high-interaction physical honeypots

      Juan David Guarnizo, Amit Tambe, Suman Sankar Bhunia, Martín Ochoa, Nils Ole Tippenhauer, Asaf Shabtai, Yuval Elovici,

      CPSS '17 Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security Pages 57-68 Abu Dhabi, United Arab Emirates — April 02 - 02, 2017

      In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. In this work, we propose the SIPHON architecture—a Scalable high-Interaction Honeypot platform for IoT devices. Our architecture leverages IoT devices that are physically at one location and are connected to the Internet through so-called \emph{wormholes} distributed around the world. The resulting architecture allows exposing few physical devices over a large number of geographically distributed IP addresses. We demonstrate the proposed architecture in a large scale experiment with 39 wormhole instances in 16 cities in 9 countries. Based on this setup, five physical IP cameras, one NVR and one IP printer are presented as 85 real IoT devices on the Internet, attracting a daily traffic of 700MB for a period of two months. A preliminary analysis of the collected traffic indicates that devices in some cities attracted significantly more traffic than others (ranging from 600 000 incoming TCP connections for the most popular destination to less than 50 000 for the least popular). We recorded over 400 brute-force login attempts to the web-interface of our devices using a total of 1826 distinct credentials, from which 11 attempts were successful. Moreover, we noted login attempts to Telnet and SSH ports some of which used credentials found in the recently disclosed Mirai malware

      Link

      An SMDP approach to optimal PHY configuration in wireless networks

      Mark Shifrin ; Daniel S. Menasché ; Asaf Cohen ; Omer Gurewitz ; Dennis Goeckel

      2017 13th Annual Conference on Wireless On-demand Network Systems and Services (WONS), Jackson, WY, USA

      An SMDP approach to optimal PHY configuration in wireless networks

      Mark Shifrin ; Daniel S. Menasché ; Asaf Cohen ; Omer Gurewitz ; Dennis Goeckel

      2017 13th Annual Conference on Wireless On-demand Network Systems and Services (WONS), Jackson, WY, USA

      In this work, we study the optimal configuration of the physical layer in wireless networks by means of Semi-Markov Decision Process (SMDP) modeling. In particular, assume the physical layer is characterized by a set of potential operating points, with each point corresponding to a rate and reliability pair; for example, these pairs might be obtained through a now-standard diversity-vs-multiplexing tradeoff characterization. Given the current network state (e.g., buffer occupancies), a Decision Maker (DM) needs to dynamically decide which operating point to use. The SMDP problem formulation allows us to choose from these pairs an optimal selection, which is expressed by a decision rule as a function of the number of awaiting packets in the source’s finite queue, channel state, size of the packet to be transmitted. We derive a general solution which covers various model configurations, including packet size distributions and varying channels. For the specific case of exponential transmission time, we analytically prove the optimal policy has a threshold structure. Numerical results validate this finding, as well as depict muti-threshold policies for time varying channels such as the Gilber-Elliot channel.
      Link
      In collaboration with SUTD + CSRC

      ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

      Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

      In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

      In collaboration with SUTD + CSRC

      ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

      Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

      In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

      In this work we apply machine learning algorithms on network
      traffic data for accurate identification of IoT devices
      connected to a network. To train and evaluate the classi-
      fier, we collected and labeled network traffic data from nine
      distinct IoT devices, and PCs and smartphones. Using supervised
      learning, we trained a multi-stage meta classifier; in
      the first stage, the classifier can distinguish between traffic
      generated by IoT and non-IoT devices. In the second stage,
      each IoT device is associated a specific IoT device class. The
      overall IoT classification accuracy of our model is 99.281%.

      Link
      In collaboration with Princeton University

      Strong secrecy for cooperative broadcast channels

      Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

      IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017, and International Zurich Seminar on Communications

      In collaboration with Princeton University

      Strong secrecy for cooperative broadcast channels

      Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

      IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017, and International Zurich Seminar on Communications

      A broadcast channel (BC) where the decoders cooperate via a one-sided link is considered. One common and two private messages are transmitted and the private message to the cooperative user should be kept secret from the cooperationaided user. The secrecy level is measured in terms of strong secrecy, i.e., a vanishing information leakage. An inner bound on the capacity region is derived by using a channel-resolvabilitybased code that double-bins the codebook of the secret message, and by using a likelihood encoder to choose the transmitted codeword. The inner bound is shown to be tight for semideterministic
      and physically degraded BCs, and the results are compared with those of the corresponding BCs without a secrecy constraint. Blackwell and Gaussian BC examples illustrate the impact of secrecy on the rate regions. Unlike the case without secrecy, where sharing information about both private messages via the cooperative link is optimal, our protocol conveys parts of the common and non-confidential messages only. This restriction reduces the transmission rates more than the usual rate loss due to secrecy requirements. An example that illustrates this loss is provided.

      Link

      Individually-Secure Multi-Source Multicast

      A. Cohen, A. Cohen, M. Medard and O. Gurewitz

      2017 IEEE International Symposium on Information Theory (ISIT)

      Individually-Secure Multi-Source Multicast

      A. Cohen, A. Cohen, M. Medard and O. Gurewitz

      2017 IEEE International Symposium on Information Theory (ISIT)

      The principal mission of Multi-Source Multicast (MSM) is to disseminate all messages from all sources in a network to all destinations. MSM is utilized in numerous applications. In many of them, securing the messages disseminated is critical. A common secure model is to consider a network where there is an eavesdropper which is able to observe a subset of the network links, and seek a code which keeps the eavesdropper ignorant regarding all the messages. While this is solved when all messages are located at a single source, Secure MSM (SMSM) is an open problem, and the rates required are hard to characterize in general. In this paper, we consider Individual Security, which promises that the eavesdropper has zero mutual information with each message individually. We completely characterize the rate region for SMSM under individual security, and show that such a security level is achievable at the full capacity of the network, that is, the cut-set bound is the matching converse, similar to non-secure MSM. Moreover, we show that the field size is similar to non-secure MSM and does not have to be larger due to the security constraint.
      Link

      WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction.

      Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon, Aviya Veidberg

      CT-RSA 2017: Topics in Cryptology – CT-RSA 2017 pp 293-308

      WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction.

      Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon, Aviya Veidberg

      CT-RSA 2017: Topics in Cryptology – CT-RSA 2017 pp 293-308

      White-box cryptosystems aim at providing security against an adversary that has access to the encryption process. As a countermeasure against code lifting (in which the adversary simply distributes the code of the cipher), recent white-box schemes aim for ‘incompressibility’, meaning that any useful representation of the secret key material is memory-consuming.

      In this paper we introduce a new family of white-box block ciphers relying on incompressible permutations and the classical Even-Mansour construction. Our ciphers allow achieving tradeoffs between encryption speed and white-box security that were not obtained by previous designs. In particular, we present a cipher with reasonably strong space hardness of 2 15  215  bytes, that runs at less than 100 cycles per byte.

      Link

      Arbitrarily varying wiretap channels with type constrained states

      Z. Goldfeld, P. Cuff, and H. H. Permuter

      In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016, and in IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016.

      Arbitrarily varying wiretap channels with type constrained states

      Z. Goldfeld, P. Cuff, and H. H. Permuter

      In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016, and in IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016.

      —The arbitrarily varying wiretap channel (AVWTC) is an open problem largely because of two main challenges. Not only does it capture the difficulty of the compound wiretap channel (another open problem) as a special case, it also requires that secrecy is ensured with respect to exponentially many possible channel state sequences. This work overcomes the second aforementioned difficulty. To that end, we consider an AVWTC with a type constraint on the allowed state sequences, and derive a single-letter characterization of its correlated-random (CR) assisted semantic-security (SS) capacity. The allowed state sequences are the ones in a typical set around a single constraining type. SS is established by showing that the mutual information between the message and the eavesdropper’s observations is negligible even when maximized over all message distributions, choices of state sequences and realizations of the CR-code. Both the achievability and the converse proofs of the type constrained coding theorem rely on stronger claims than actually required. The direct part establishes a novel single-letter lower bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained by any convex and closed set of state probability mass functions. This bound achieves the best known single-letter secrecy rates for a corresponding compound wiretap channel over the same constraint set. In contrast to other singleletter results in the AVWTC literature, the derivation does not assume the existence of a best channel to the eavesdropper. Optimality is a consequence of an max-inf upper bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained to any collection of type-classes. When adjusted to the aforementioned compound WTC, the upper bound simplifies to a max-min structure, thus strengthening the previously best known single-letter upper bound by Liang et al. that has a minmax form.

      Link

      An optical covert-channel to leak data through an air-gap

      Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

      Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

      An optical covert-channel to leak data through an air-gap

      Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

      Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

      In recent years, various out-of-band covert channels have been proposed that demonstrate the feasibility of leaking data out of computers without the need for network connectivity. The methods proposed have been based on different type of electromagnetic, acoustic, and thermal emissions. However, optical channels have largely been considered less covert: because they are visible to the human eye and hence can be detected, they have received less attention from researchers. In this paper, we introduce VisiSploit, a new type of optical covert channel which, unlike other optical methods, is also stealthy. Our method exploits the limitations of human visual perception in order to unobtrusively leak data through a standard computer LCD display. Our experiments show that very low contrast or fast flickering images which are invisible to human subjects, can be recovered from photos taken by a camera. Consequentially, we show that malicious code on a compromised computer can obtain sensitive data (e.g., images, encryption keys, passwords), and project it onto a computer LCD screen, invisible and unbeknownst to users, allowing an attacker to reconstruct the data using a photo taken by a nearby (possibly hidden) camera. In order to demonstrate the feasibility of this type of attack and evaluate the channel’s stealth, we conducted a battery of tests with 40 human subjects. We also examined the channel’s boundaries under various parameters, with different types of encoded objects, at several distances, and using several kinds of cameras. Our results show that binary data can be leaked via our covert channel. Further research and discussion may widen the scope of this field beyond its current boundaries, yielding novel attack paradigms that exploit the subtle mechanisms of human visual perception.

      Link

      An optical covert-channel to leak data through an air-gap

      Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

      Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

      An optical covert-channel to leak data through an air-gap

      Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

      Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

      In recent years, various out-of-band covert channels have been proposed that demonstrate the feasibility of
      leaking data out of computers without the need for network connectivity. The methods proposed have been based on different
      type of electromagnetic, acoustic, and thermal emissions. However, optical channels have largely been considered less
      covert: because they are visible to the human eye and hence can be detected, they have received less attention from researchers.

      In this paper, we introduce VisiSploit, a new type of optical covert channel which, unlike other optical methods, is also
      stealthy. Our method exploits the limitations of human visual perception in order to unobtrusively leak data through a standard
      computer LCD display. Our experiments show that very low contrast or fast flickering images which are invisible to human
      subjects, can be recovered from photos taken by a camera. Consequentially, we show that malicious code on a compromised
      computer can obtain sensitive data (e.g., images, encryption keys, passwords), and project it onto a computer LCD screen, invisible
      and unbeknownst to users, allowing an attacker to reconstruct the data using a photo taken by a nearby (possibly hidden) camera.
      Our research yielding novel attack paradigms that exploit the subtle mechanisms of human visual perception.

      Link

      USBee: Air-gap covert-channel via electromagnetic emission from USB

      Mordechai Guri, Matan Monitz, Yuval Elovici

      2016 14th Annual Conference on Privacy, Security and Trust (PST)

      USBee: Air-gap covert-channel via electromagnetic emission from USB

      Mordechai Guri, Matan Monitz, Yuval Elovici

      2016 14th Annual Conference on Privacy, Security and Trust (PST)

      In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present `USBee,’ a software that can utilize an unmodified USB device connected to a computer as a RF transmitter. We demonstrate how a software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second
      Link

      ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology

      Nir Nissim ; Aviad Cohen ; Yuval Elovici

      IEEE Transactions on Information Forensics and Security ( Volume: 12, Issue: 3, March 2017 ) Page(s): 631 - 646

      ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology

      Nir Nissim ; Aviad Cohen ; Yuval Elovici

      IEEE Transactions on Information Forensics and Security ( Volume: 12, Issue: 3, March 2017 ) Page(s): 631 - 646

      Attackers increasingly take advantage of innocent users who tend to casually open email messages assumed to be benign, carrying malicious documents. Recent targeted attacks aimed at organizations utilize the new Microsoft Word documents (*.docx). Anti-virus software fails to detect new unknown malicious files, including malicious docx files. In this paper, we present ALDOCX, a framework aimed at accurate detection of new unknown malicious docx files that also efficiently enhances the framework’s detection capabilities over time. Detection relies upon our new structural feature extraction methodology (SFEM), which is performed statically using meta-features extracted from docx files. Using machine-learning algorithms with SFEM, we created a detection model that successfully detects new unknown malicious docx files. In addition, because it is crucial to maintain the detection model’s updatability and incorporate new malicious files created daily, ALDOCX integrates our active-learning (AL) methods, which are designed to efficiently assist anti-virus vendors by better focusing their experts’ analytical efforts and enhance detection capability. ALDOCX identifies and acquires new docx files that are most likely malicious, as well as informative benign files. These files are used for enhancing the knowledge stores of both the detection model and the anti-virus software. The evaluation results show that by using ALDOCX and SFEM, we achieved a high detection rate of malicious docx files (94.44% TPR) compared with the anti-virus software (85.9% TPR)-with very low FPR rates (0.19%). ALDOCX’s AL methods used only 14% of the labeled docx files, which led to a reduction of 95.5% in security experts’ labeling efforts compared with the passive learning and the support vector machine (SVM)-Margin (existing active-learning method). Our AL methods also showed a significant improvement of 91% in number of unknown docx malware acquired, compared with the passive learning and the SVM-Margin, thus providing an improved updating solution for the detection model, as well as the anti-virus software widely used within organizations.
      Link

      I Know What You Saw Last Minute – The Chrome Browser Case

      R. Dubin. A. Dvir, O. Pele, and O. Hadar

      in Blackhat Europe 2016, 1st-4th November 2016, London, UK

      I Know What You Saw Last Minute – The Chrome Browser Case

      R. Dubin. A. Dvir, O. Pele, and O. Hadar

      in Blackhat Europe 2016, 1st-4th November 2016, London, UK

      Link
      In collaboration with Princeton University

      Wiretap channel with random states non-causally available at the encoder

      Z. Goldfeld, P. Cuff, and H. H. Permuter

      In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

      In collaboration with Princeton University

      Wiretap channel with random states non-causally available at the encoder

      Z. Goldfeld, P. Cuff, and H. H. Permuter

      In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

      We study the state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes all other instances of CSI availability as special cases, and calls for an efficient utilization of the state sequence both for reliability and security purposes. A lower bound on the secrecy-capacity, that improves upon the previously best known result by Chen and Han Vinck, is derived based on a novel superposition coding scheme. The improvement over the Chen and Han Vinck result is strict for some SD-WTCs. Specializing the lower bound to the case where CSI is also available to the decoder reveals that it is at least as good as the achievable formula by Chia and El-Gamal, which is already known to outperform the adaptation of the Chen and Han Vinck code to the encoder and decoder CSI scenario. The results are derived under the strict semantic-security metric that requires negligible information leakage for all message distributions.

      Link
      Cooperation with IDC

      The role of network setting and gender in online content popularity‏

      O Lesser, T Hayat, Y Elovici‏

      Information, Communication & Society 20, 2017 (11), 1607-1624‏.

      Cooperation with IDC

      The role of network setting and gender in online content popularity‏

      O Lesser, T Hayat, Y Elovici‏

      Information, Communication & Society 20, 2017 (11), 1607-1624‏.

      In this study, we explore the role of specific network structures that enhance social capital and assess the extent to which gender, social ties, and communication interaction relate to content popularity within online social networks (OSNs). Our results are based on an extensive OSN data set, containing over 100,000 members, connected by over 1.7 million links. The findings indicate that content popularity inference is more accurate when considering activity interaction among users and that network structures known as advantageous for amassing social capital in the offline environment are relevant online as well. We conclude by discussing how gender mediates the correlation between some network measures and the growth of users’ content popularity and provide a potential explanation for the emergence of gender differences.

      Link

      Data-Augmented Software Diagnosis

      Amir Elmishali, Roni Stern, Meir Kalech

      AAAI 2016: 4003-4009

      Data-Augmented Software Diagnosis

      Amir Elmishali, Roni Stern, Meir Kalech

      AAAI 2016: 4003-4009

      Software fault prediction algorithms predict which software
      components is likely to contain faults using machine learning
      techniques. Software diagnosis algorithm identify the faulty
      software components that caused a failure using model-based
      or spectrum based approaches. We show how software fault
      prediction algorithms can be used to improve software diagnosis.
      The resulting data-augmented diagnosis algorithm
      overcomes key problems in software diagnosis algorithms:
      ranking diagnoses and distinguishing between diagnoses with
      high probability and low probability. We demonstrate the ef-
      ficiency of the proposed approach empirically on three open
      sources domains, showing significant increase in accuracy of
      diagnosis and efficiency of troubleshooting. These encouraging
      results suggests broader use of data-driven methods to
      complement and improve existing model-based methods.

      Link
      In collaboration with IDC Herzliya + Technion and UCLA

      Function Secret Sharing Improvements and Extensions

      Elette Boyle, Niv Gilboa and Yuval Ishai

      ACM CCS 2016, pages 1292-1303, 2016

      In collaboration with IDC Herzliya + Technion and UCLA

      Function Secret Sharing Improvements and Extensions

      Elette Boyle, Niv Gilboa and Yuval Ishai

      ACM CCS 2016, pages 1292-1303, 2016

      Function Secret Sharing (FSS), introduced by Boyle et al.
      (Eurocrypt 2015), provides a way for additively secret-sharing
      a function from a given function family F. More concretely,
      an m-party FSS scheme splits a function f : {0, 1}
      n → G, for some abelian group G, into functions f1, . . . , fm, described by keys k1, . . . , km, such that f = f1 + . . . + fm and every
      strict subset of the keys hides f. A Distributed Point Function
      (DPF) is a special case where F is the family of point
      functions, namely functions fα,β that evaluate to β on the
      input α and to 0 on all other inputs. FSS schemes are useful for applications that involve privately reading from or writing to distributed databases while
      minimizing the amount of communication. These include
      different flavors of private information retrieval (PIR), as
      well as a recent application of DPF for large-scale anonymous
      messaging. We improve and extend previous results in several ways:
      • Simplified FSS constructions. We introduce a tensoring
      operation for FSS which is used to obtain a conceptually
      simpler derivation of previous constructions
      and present our new constructions.
      • Improved 2-party DPF. We reduce the key size of
      the PRG-based DPF scheme of Boyle et al. roughly
      by a factor of 4 and optimize its computational cost.
      The optimized DPF significantly improves the concrete
      costs of 2-server PIR and related primitives.
      • FSS for new function families. We present an ef-
      ficient PRG-based 2-party FSS scheme for the family
      of decision trees, leaking only the topology of the tree
      and the internal node labels. We apply this towards
      FSS for multi-dimensional intervals. We also present
      a general technique for extending FSS schemes by increasing
      the number of parties.
      • Verifiable FSS. We present efficient protocols for verifying
      that keys (k ∗ 1 , . . . , k∗ m), obtained from a potentially
      malicious user, are consistent with some f ∈ F.
      Permission to make digital or hard copies of all or part of this work for personal or
      classroom use is granted without fee provided that copies are not made or distributed
      for profit or commercial advantage and that copies bear this notice and the full citation
      on the first page. Copyrights for components of this work owned by others than the
      author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
      republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
      CCS’16, October 24 – 28, 2016, Vienna, Austria

      c 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
      ISBN 978-1-4503-4139-4/16/10. . . $15.00
      DOI: http://dx.doi.org/10.1145/2976749.2978429
      Such a verification may be critical for applications that
      involve private writing or voting by many users.
      Keywords: Function secret sharing, private information
      retrieval, secure multiparty computation, homomorphic encryption

      Link
      In collaboration with IDC Herzliya + Technion and UCLA

      Breaking the Circuit Size Barrier for Secure Computation under DDH

      Elette Boyle, Niv Gilboa and Yuval Ishai

      Crypto 2016, pages 509-539, 2016

      In collaboration with IDC Herzliya + Technion and UCLA

      Breaking the Circuit Size Barrier for Secure Computation under DDH

      Elette Boyle, Niv Gilboa and Yuval Ishai

      Crypto 2016, pages 509-539, 2016

      Under the Decisional Diffie-Hellman (DDH) assumption, we present a 2-out-of-2 secret sharing scheme that supports a compact evaluation of branching programs on the shares. More concretely, there is an evaluation algorithm Eval with a single bit of output, such that if an input w ∈ {0, 1}n is shared into (w0, w1), then for any deterministic branching program P of size S we have that Eval(P, w0) ⊕ Eval(P, w1) = P(w) except with at most δ failure probability. The running time of the sharing algorithm is polynomial in n and the security parameter λ, and that of Eval is polynomial in S, λ, and 1/δ. This applies as a special case to boolean formulas of size S or boolean circuits of depth log S. We also present a public-key variant that enables homomorphic computation on inputs contributed by multiple clients. The above result implies the following DDH-based applications: – A secure 2-party computation protocol for evaluating any branching program or formula of size S, where the communication complexity is linear in the input size and only the running time grows with S. – A secure 2-party computation protocol for evaluating layered boolean circuits of size S with communication complexity O(S/ log S). – A 2-party function secret sharing scheme, as defined by Boyle et al. (Eurocrypt 2015), for general branching programs (with inverse polynomial error probability). – A 1-round 2-server private information retrieval scheme supporting general searches expressed by branching programs. Prior to our work, similar results could only be achieved using fully homomorphic encryption. We hope that our approach will lead to more practical alternatives to known fully homomorphic encryption schemes in the context of low-communication secure computation.

      Link

      Node-Centric Detection of Overlapping Communities in Social Networks

      Yehonatan Cohen, Danny Hendler and Amir Rubin

      12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

      Node-Centric Detection of Overlapping Communities in Social Networks

      Yehonatan Cohen, Danny Hendler and Amir Rubin

      12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

      We present NECTAR, a community detection algorithm that generalizes Louvain method’s local search heuristic for overlapping community structures. NECTAR chooses dynamically which objective function to optimize based on the network on which it is invoked. Our experimental evaluation on both synthetic benchmark graphs and real-world networks, based on ground-truth communities, shows that NECTAR provides excellent results as compared with state of the art community detection algorithms.

      Link
      In collaboration with Telekom Innovation Laboratories

      Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

      Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

      Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

      In collaboration with Telekom Innovation Laboratories

      Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

      Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

      Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

      Honey pots are computer resources that are used to detect and deflect network attacks on a protected system. The data collected from honey pots can be utilized to better understand cyber-attacks and provide insights for improving security measures, such as intrusion detection systems. In recent years, attackers’ sophistication has increased significantly, thus additional and more advanced analytical models are required. In this paper we suggest several unique methods for detecting attack propagation patterns using Markov Chains modeling and complex networks analysis. These methods can be applied on attack datasets collected from honey pots. The results of these models shed light on different attack profiles and interaction patterns between the deployed sensors in the honey pot system. We evaluate the suggested methods on a massive data set which includes over 167 million observed attacks on a globally distributed honey pot system. Analyzing the results reveals interesting patterns regarding attack correlations between the honey pots. We identify central honey pots which enable the propagation of attacks, and present how attack profiles may vary according to the attacking country. These patterns can be used to better understand existing or evolving attacks, and may aid security experts to better deploy honey pots in their system.

      Link

      SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

      Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

      Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

      SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

      Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

      Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

      In this paper we describe and share with the research community,
      a significant smartphone dataset obtained from an
      ongoing long-term data collection experiment. The dataset
      currently contains 10 billion data records from 30 users collected
      over a period of 1.6 years and an additional 20 users for
      6 months (totaling 50 active users currently participating in
      the experiment).
      The experiment involves two smartphone agents: SherLock
      and Moriarty. SherLock collects a wide variety of software and
      sensor data at a high sample rate. Moriarty perpetrates various
      attacks on the user and logs its activities, thus providing
      labels for the SherLock dataset.
      The primary purpose of the dataset is to help security professionals
      and academic researchers in developing innovative
      methods of implicitly detecting malicious behavior in smartphones.
      Specifically, from data obtainable without superuser
      (root) privileges. To demonstrate possible uses of the dataset,
      we perform a basic malware analysis and evaluate a method
      of continuous user authentication.

      Link

      Scalable attack propagation model and algorithms for honeypot systems

      A Bar, B Shapira, L Rokach, M Unger

      Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

      Scalable attack propagation model and algorithms for honeypot systems

      A Bar, B Shapira, L Rokach, M Unger

      Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

      Attack propagation models within honeypot systems aim at providing insights about attack strategies that target multiple honeypots, rather than analyzing attacks on each honeypot separately. Traditional attack propagation models focus on building a single probabilistic model. This modeling approach may be misleading, since it does not take into consideration contextual information such as the country from which the attack is initiated. In addition, with the massive increase in the magnitude of attacks on honeypots, a scalable modeling approach is required. In this work we present a novel attack propagation model that can utilize contextual information about the attacks by training multiple Markov Chain models. Moreover, we add additional layers of analysis: first, we present a likelihood estimation procedure that can identify new and evolving attack patterns; and second, we introduce a method for generating simulated attack sequences that can be used for training or sensitivity analysis. Lastly, we present, in details, a MapReduce design for all suggested algorithms in order to address scalability issues. We evaluate our methods on a massive dataset which includes approximately 170 million attacks on an operational honeypot system. Results indicate that contextual modeling is important for explaining attack propagation that may vary by country. In addition, we show the effectiveness of the suggested method for generating simulated sequences by comparing the attack propagation patterns we learned in the generated dataset and the original one. Finally, we demonstrate the scalability of all of the proposed algorithms on real and synthetic datasets that include over a billion records.

      Link

      Spot the Hotspot: Wi-Fi Hotspot Classification from Internet Traffic

      Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

      SBP-BRiMS (2016)

      Spot the Hotspot: Wi-Fi Hotspot Classification from Internet Traffic

      Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

      SBP-BRiMS (2016)

      The meteoric progress of Internet technologies and PDA (personal digital assistant) devices has made public Wi-Fi hotspots very popular. Nowadays, hotspots can be found almost anywhere: organizations, home networks, public transport systems, restaurants, etc. The Internet usage patterns (e.g. browsing) differ with the hotspot venue. This insight introduces new traffic profiling opportunities. Using machine learning techniques we show that it is possible to infer types of venues that provide Wi-Fi access (e.g., organizations and hangout places) by analyzing the Internet traffic of connected mobile phones. We show that it is possible to infer the user’s current venue type disclosing his/her current context. This information can be used for improving personalized and context aware services such as web search engines or online shops, without the presence on user’s device. In this paper we evaluate venue type inference based on mobile phone traffic collected from 115 college students and analyze their Internet behavior across the different venues types.

      Link

      MIMO Gaussian broadcast channels with common, private and confidential messages

      Z. Goldfeld

      In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

      MIMO Gaussian broadcast channels with common, private and confidential messages

      Z. Goldfeld

      In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

      The two-user multiple-input multiple-output
      (MIMO) Gaussian broadcast channel (BC) with common,
      private and confidential messages is considered. The transmitter
      sends a common message to both users, a confidential message
      to User 1 and a private (non-confidential) message to User
      2. The secrecy-capacity region is characterized by showing
      that certain inner and outer bounds coincide and that the
      boundary points are achieved by Gaussian inputs. The proof
      relies on factorization of upper concave envelopes and a variant
      of dirty-paper coding (DPC). The entire region is exhausted
      by using DPC to cancel out the signal of the non-confidential
      message at Receiver 1, making DPC against the signal of the
      confidential message unnecessary. The secrecy-capacity results
      are visualized using a numerical example.

      Link
      Cooperation with Singapore University of Technology and Design

      Network Flow Watermarking: A Survey‏

      A Iacovazzi, Y Elovici‏

      IEEE Communications Surveys & Tutorials ( Volume: 19, Issue: 1, Firstquarter 2017 ) Page(s): 512 - 530

      Cooperation with Singapore University of Technology and Design

      Network Flow Watermarking: A Survey‏

      A Iacovazzi, Y Elovici‏

      IEEE Communications Surveys & Tutorials ( Volume: 19, Issue: 1, Firstquarter 2017 ) Page(s): 512 - 530

      Traffic analysis (TA) is a useful tool aimed at understanding network traffic behavior. Basic network administration often takes advantage of TA for purposes such as security, intrusion detection, traffic shaping and policing, diagnostic monitoring, provisioning, and resource management. Network flow watermarking is a type of TA in which packet features of selected flows are manipulated in order to add a specific pattern easily identifiable when the watermarked flows cross an observation point. While passive TA has been extensively studied with hundreds of papers found in the literature, active TA, and more specifically network flow watermarking, has only recently attracted attention. Enforced robustness against traffic perturbations due to either natural network noise or attacks against passive TA have enhanced the appeal of this technique. The contribution of this paper is a thorough review of the main watermarking algorithms implemented for traffic analysis purposes. We present an overview of the motivations and the objectives that have led to the use of network flow watermarking. We also describe the general architecture of a watermarking system. In addition, we impose clarity and order in this branch of TA by providing a taxonomy of the algorithms proposed in the literature over the years, and categorize and present them based on carrier, visibility, and robustness.
      Link
      In collaboration with Technische Universit¨at M¨unchen

      Broadcast channels with privacy leakage constraints

      Z. Goldfeld, G. Kramer and H. H. Permuter

      Accepted to the IEEE Transactions on Information Theory, August 2016

      In collaboration with Technische Universit¨at M¨unchen

      Broadcast channels with privacy leakage constraints

      Z. Goldfeld, G. Kramer and H. H. Permuter

      Accepted to the IEEE Transactions on Information Theory, August 2016

      The broadcast channel (BC) with one common and two private messages with leakage constraints is studied, where leakage refers to the normalized mutual information between a message and a channel symbol string. Each private message is destined for a different user and the leakage to the other receiver must satisfy a constraint. This model captures several scenarios concerning secrecy, i.e., when both, either or neither of the private messages are secret. Inner and outer bounds on the leakage-capacity region are derived. Without leakage constraints the inner bound recovers Marton’s region and the outer bound reduces to the UVW-outer bound. The bounds match for semi-deterministic (SD) and physically degraded (PD) BCs, as well as for BCs with a degraded message set. The leakage-capacity regions of the SD-BC and the BC with a degraded message set recover past results for different secrecy scenarios. A Blackwell BC example illustrates the results and shows how its leakage-capacity region changes from the capacity region without secrecy to the secrecy-capacity regions for different secrecy scenarios.

      Link
      In collaboration with Princeton University

      Semantic-security capacity for wiretap channels of type II

      Z. Goldfeld, P. Cuff and H. H. Permuter

      IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

      In collaboration with Princeton University

      Semantic-security capacity for wiretap channels of type II

      Z. Goldfeld, P. Cuff and H. H. Permuter

      IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

      The secrecy capacity of the type II wiretap channel (WTC II) with a noisy main channel is currently an open problem. Herein its secrecy-capacity is derived and shown to be equal to its semantic-security (SS) capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. The SS criterion demands negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, a random codebook is shown to achieve the soft-covering phenomenon with high probability. The probability of failure is doubly exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security.

      Link
      In collaboration with Princeton University

      Semantic-Security Capacity for the Physical Layer via Information Theory

      Z. Goldfeld, P. Cuff and H. H. Permuter

      In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

      In collaboration with Princeton University

      Semantic-Security Capacity for the Physical Layer via Information Theory

      Z. Goldfeld, P. Cuff and H. H. Permuter

      In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

      Physical layer security can ensure secure communication over noisy channels in the presence of an eavesdropper with unlimited computational power. We adopt an information theoretic variant of semantic-security (SS) (a cryptographic gold standard), as our secrecy metric and study the open problem of the type II wiretap channel (WTC II) with a noisy main channel is, whose secrecy-capacity is unknown even under looser metrics than SS. Herein the secrecy-capacity is derived and shown to be equal to its SS capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. On top of that, SS requires negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, the lemma shows that a random codebook achieves the soft-covering phenomenon with high probability. The probability of failure is doubly-exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security. Index Terms—Erasure wiretap channel, information theoretic security, physical-layer security, semantic-security, soft-covering lemma, wiretap channel of type II, wiretap codes.

      Link
      In collaboration with Ministry of Science and Technology of Israel

      Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

      Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

      Eighth Annual Symposium on Combinatorial Search, 2015

      In collaboration with Ministry of Science and Technology of Israel

      Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

      Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

      Eighth Annual Symposium on Combinatorial Search, 2015

      Most work in heuristic search focused on path finding problems
      in which the cost of a path in the state space is the sum
      of its edges’ weights. This paper addresses a different class
      of path finding problems in which the cost of a path is the
      product of its weights. We present reductions from different
      classes of multiplicative path finding problems to suitable
      classes of additive path finding problems. As a case study,
      we consider the problem of finding least and most probable
      paths in a Markov Chain, where path cost corresponds to the
      probability of traversing it. The importance of this problem
      is demonstrated in an anomaly detection application for cyberspace
      security. Three novel anomaly detection metrics for
      Markov Chains are presented, where computing these metrics
      require finding least and most probable paths. The underlying
      Markov Chain is dynamically changing, and so fast methods
      for computing least and most probable paths are needed. We
      propose such methods based on the proposed reductions and
      using heuristic search algorithms.

      Link
      In collaboration with Ministry of Science and Technology

      pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

      Y Mirsky, B Shapira, L Rokach, Y Elovici

      Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

      In collaboration with Ministry of Science and Technology

      pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

      Y Mirsky, B Shapira, L Rokach, Y Elovici

      Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

      The clustering of unbounded data-streams is a difficult problem since the observed instances cannot be stored for future clustering decisions. Moreover, the probability distribution of streams tends to change over time, making it challenging to differentiate between a concept-drift and an anomaly. Although many excellent data-stream clustering algorithms have been proposed in the past, they are not suitable for capturing the temporal contexts of an entity.

      In this paper, we propose pcStream; a novel data-stream clustering algorithm for dynamically detecting and managing sequential temporal contexts. pcStream takes into account the properties of sensor-fused data-streams in order to accurately infer the present concept, and dynamically detect new contexts as they occur. Moreover, the algorithm is capable of detecting point anomalies and can operate with high velocity data-streams. Lastly, we show in our evaluation that pcStream outperforms state-of-the-art stream clustering algorithms in detecting real world contexts from sensor-fused datasets. We also show how pcStream can be used as an analysis tool for contextual sensor streams.

      Link
      In collaboration with

      JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

      M Guri, Y Poliak, B Shapira, Y Elovici

      Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

      In collaboration with

      JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

      M Guri, Y Poliak, B Shapira, Y Elovici

      Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

      Smartphones and tablets have become prime
      targets for malware, due to the valuable private and corporate
      information they hold. While Anti-Virus (AV) program may
      successfully detect malicious applications (apps), they remain
      ineffective against low-level rootkits that evade detection
      mechanisms by masking their own presence. Furthermore, any
      detection mechanism run on the same physical device as the
      monitored OS can be compromised via application, kernel or
      boot-loader vulnerabilities. Consequentially, trusted detection of
      kernel rootkits in mobile devices is a challenging task in practice.
      In this paper we present ‘JoKER’ – a system which aims at
      detecting rootkits in the Android kernel by utilizing the
      hardware’s Joint Test Action Group (JTAG) interface for
      trusted memory forensics. Our framework consists of
      components that extract areas of a kernel’s memory and
      reconstruct it for further analysis. We present the overall
      architecture along with its implementation, and demonstrate that
      the system can successfully detect the presence of stealthy
      rootkits in the kernel. The results show that although JTAG’s
      main purpose is system testing, it can also be used for malware
      detection where traditional methods fail.

      Link
      In collaboration with Ministry of Economy under the Magnet Program

      Unknown malware detection using network traffic classification

      D Bekerman, B Shapira, L Rokach, A Bar

      Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

      In collaboration with Ministry of Economy under the Magnet Program

      Unknown malware detection using network traffic classification

      D Bekerman, B Shapira, L Rokach, A Bar

      Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

      We present an end-to-end supervised based system
      for detecting malware by analyzing network traffic. The
      proposed method extracts 972 behavioral features across
      different protocols and network layers, and refers to different
      observation resolutions (transaction, session, flow and
      conversation windows). A feature selection method is then used
      to identify the most meaningful features and to reduce the data
      dimensionality to a tractable size. Finally, various supervised
      methods are evaluated to indicate whether traffic in the network
      is malicious, to attribute it to known malware “families” and to
      discover new threats. A comparative experimental study using
      real network traffic from various environments indicates that the
      proposed system outperforms existing state-of-the-art rule-based
      systems, such as Snort and Suricata. In particular, our
      chronological evaluation shows that many unknown malware
      incidents could have been detected at least a month before their
      static rules were introduced to either the Snort or Suricata
      systems.

      Link
      In collaboration with Technische Universit¨at M¨unchen

      Cooperative broadcast channels with a secret message

      Z. Goldfeld, G. Kramer and H. H. Permuter

      In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

      In collaboration with Technische Universit¨at M¨unchen

      Cooperative broadcast channels with a secret message

      Z. Goldfeld, G. Kramer and H. H. Permuter

      In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

      The broadcast channel (BC) with one confidential message and where the decoders cooperate via a one-sided link is considered. A pair of messages is transmitted, one message for
      each user. The message to the cooperative user is confidential and is kept secret from the cooperation-aided user. The secrecy level is measured by the equivocation rate. An inner bound on the secrecy-capacity region of the BC is derived. The inner bound is achieved by double-binning the codebook of the secret message. The inner bound is tight for the semi-deterministic (SD) and physically degraded (PD) cases. The secrecy results are compared to those of the corresponding BCs without a secrecy constraint. A cooperative Blackwell channel example illustrates the impact of secrecy on the rate regions.

      Link

      CAESAR-ALE: An Active Learning Enhancement for Conditions Severity Classification

      Nir Nissim, Mary Regina Boland, Robert Moskovitch, Nicholas Tatonetti, Yuval Elovici, Yuval Shahar, George Hripcsak

      Conference on Artificial Intelligence in Medicine in Europe AIME 2015: Artificial Intelligence in Medicine pp 13-24

      CAESAR-ALE: An Active Learning Enhancement for Conditions Severity Classification

      Nir Nissim, Mary Regina Boland, Robert Moskovitch, Nicholas Tatonetti, Yuval Elovici, Yuval Shahar, George Hripcsak

      Conference on Artificial Intelligence in Medicine in Europe AIME 2015: Artificial Intelligence in Medicine pp 13-24

      Understanding condition severity, as extracted from Electronic Health Records (EHRs), is important for many public health purposes. Methods requiring physicians to annotate condition severity are time-consuming and costly. Previously, a passive learning algorithm called CAESAR was developed to capture severity in EHRs. This approach required physicians to label conditions manually, an exhaustive process. We developed a framework that uses two Active Learning (AL) methods (Exploitation and Combination_XA) to decrease manual labeling efforts by selecting only the most informative conditions for training. We call our approach CAESAR-Active Learning Enhancement (CAESAR-ALE). As compared to passive methods,CAESAR-ALE’s first AL method, Exploitation, reduced labeling efforts by 64% and achieved an equivalent true positive rate, while CAESAR-ALE’s second AL method, Combination_XA, reduced labeling efforts by 48% and achieved equivalent accuracy. In addition, both these AL methods outperformed the traditional AL method (SVM-Margin). These results demonstrate the potential of AL methods for decreasing the labeling efforts of medical experts, while achieving greater accuracy and lower costs.

      Link
      In collaboration with Telekom Innovation Laboratories

      Mobile malware detection through analysis of deviations in application network behavior

      A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

      Computers & Security 43, 2014, 1-18

      In collaboration with Telekom Innovation Laboratories

      Mobile malware detection through analysis of deviations in application network behavior

      A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

      Computers & Security 43, 2014, 1-18

      In this paper we present a new behavior-based anomaly detection system for detecting meaningful deviations in a mobile application’s network behavior. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications by: (1) identification of malicious attacks or masquerading applications installed on a mobile device, and (2) identification of republished popular applications injected with a malicious code (i.e., repackaging). More specifically, we attempt to detect a new type of mobile malware with self-updating capabilities that were recently found on the official Google Android marketplace. Malware of this type cannot be detected using the standard signatures approach or by applying regular static or dynamic analysis methods. The detection is performed based on the application’s network traffic patterns only. For each application, a model representing its specific traffic pattern is learned locally (i.e., on the device). Semi-supervised machine-learning methods are used for learning the normal behavioral patterns and for detecting deviations from the application’s expected behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguished by their network patterns; (2) different levels of deviation from normal behavior can be detected accurately; (3) in the case of self-updating malware, original (benign) and infected versions of an application have different and distinguishable network traffic patterns that in most cases, can be detected within a few minutes after the malware is executed while presenting very low false alarms rate; and (4) local learning is feasible and has a low performance overhead on mobile devices.

      Link

      Poster: Misuseablity Analysis for IT Infrastructure

      Shabtai, A., Elovici, Y.

      Conference on Computer and Communications Security 2014

      Poster: Misuseablity Analysis for IT Infrastructure

      Shabtai, A., Elovici, Y.

      Conference on Computer and Communications Security 2014

      Today, organizations have limited resources available to allocate to the detection of complex cyber-attacks. In order to optimize their resource allocation, organizations must conduct a thorough risk analysis process so as to focus their efforts and resources on the protection of the organization’s important assets. In this study we propose a framework that automatically and dynamically derives a misuseability score for every IT component (e.g., PC, laptop, server, router, smartphone, and user). The misuseability score encapsulates the potential damage that can be caused to the organization when its assets are compromised and misused.
      Misuseablity analysis for IT infrastructure | Request PDF. Available from: https://www.researchgate.net/publication/293099407_Misuseablity_analysis_for_IT_infrastructure [accessed Feb 13 2018].

      Link

      OSPF vulnerability to persistent poisoning attacks: a systematic analysis

      Nakibly, G., Sosnovich, A., Menahem, E., Waizel, A., Elovici, Y.

      ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference Pages 336-345

      OSPF vulnerability to persistent poisoning attacks: a systematic analysis

      Nakibly, G., Sosnovich, A., Menahem, E., Waizel, A., Elovici, Y.

      ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference Pages 336-345

      Open Shortest Path First (OSPF) is one of the most widely deployed interior gateway routing protocols on the Internet. The most common attack vector against OSPF is spoofing of routing advertisements on behalf of a remote router. OSPF employs a self-defense “fight-back” mechanism that quickly reverts the effects of such attacks. Nonetheless, some attacks that evade the fight-back mechanism have been discovered, making it possible to persistently falsify routing advertisements. This type of attacks are the most serious threat to a routing protocol since they allow an attacker to gain persistent control over how traffic is routed throughout the network. This shows that despite its maturity, the OSPF specification is not without security flaws and may have still-unknown vulnerabilities. In this work we systematically analyze — manually and by formal verification — the OSPF specification for additional vulnerabilities in the fight-back mechanism. Our analysis uncovered a fundamental security flaw in OSPF that allows a simple means for an attacker to evade the fight-back mechanism. Most major router vendors acknowledged the existence of this vulnerability in their products. Fortunately, our analysis strongly indicates that no other vulnerabilities in the fight-back mechanism are likely to exist.

      Link

      Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

      Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

      International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2014: Advances in Cryptology – ASIACRYPT 2014 pp 439-457

      Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

      Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

      International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2014: Advances in Cryptology – ASIACRYPT 2014 pp 439-457

      The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. In this paper, we methodically analyze the security of all the possible iterated Even-Mansour schemes with two n-bit keys and up to four rounds, and show that none of them provides more than n-bit security. Our attacks are based on a new cryptanalytic technique called multibridgewhich splits the cipher to different parts in a novel way, such that they can be analyzed independently, exploiting its self-similarity properties. After the analysis of the parts, the key suggestions are efficiently joined using a meet-in-the-middle procedure.

      As a demonstration of the multibridge technique, we devise a new attack on 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 296 to 264. Furthermore, we show that our technique can be used as a generic key-recovery tool, when combined with some statistical distinguishers (like those recently constructed in reflection cryptanalysis of GOST and PRINCE).

      Link

      Anomaly detection over independent processes: switching with memor

      Kobi Cohen and Qing Zhao

      2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton)

      Anomaly detection over independent processes: switching with memor

      Kobi Cohen and Qing Zhao

      2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton)

      The problem of sequential detection of anomalous processes among K independent processes is considered. At each time, only a subset of the processes can be observed, and the observations from each chosen process follow two different distributions, depending on whether the process is normal or abnormal. Each anomalous process incurs a cost per unit time until its anomaly is identified and fixed. Different anomalous processes may incur different costs depending on their criticality to the system. Switching between processes and state declarations are allowed at all times, while decisions are based on all past observations and actions. The objective is a sequential search strategy that minimizes the total expected cost, incurred by all the processes during the detection process, under reliability constraints. We develop a simple closed-loop policy (i.e., decisions depend on past observations and actions) for the anomaly detection problem. Asymptotic optimality of the proposed policy is shown when a single process is observed at a time and strong performance are demonstrated by simulation examples under multi-processes probing.

      Link

      Limiting access to unintentionally leaked sensitive documents using malware signatures

      Z. Goldfeld, P. Cuff and H. H. Permuter

      SACMAT '14 Proceedings of the 19th ACM symposium on Access control models and technologies Pages 129-140

      Limiting access to unintentionally leaked sensitive documents using malware signatures

      Z. Goldfeld, P. Cuff and H. H. Permuter

      SACMAT '14 Proceedings of the 19th ACM symposium on Access control models and technologies Pages 129-140

      Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization’s boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization’s boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.

      Link
      In collaboration with Telekom Innovation Laboratories

      CoBAn: A context based model for data leakage prevention

      G Katz, Y Elovici, B Shapira

      Information sciences 262, 137-158, 2014

      In collaboration with Telekom Innovation Laboratories

      CoBAn: A context based model for data leakage prevention

      G Katz, Y Elovici, B Shapira

      Information sciences 262, 137-158, 2014

      A new context-based model (CoBAn) for accidental and intentional data leakage prevention (DLP) is proposed. Existing methods attempt to prevent data leakage by either looking for specific keywords and phrases or by using various statistical methods. Keyword-based methods are not sufficiently accurate since they ignore the context of the keyword, while statistical methods ignore the content of the analyzed text. The context-based approach we propose leverages the advantages of both these approaches. The new model consists of two phases: training and detection. During the training phase, clusters of documents are generated and a graph representation of the confidential content of each cluster is created. This representation consists of key terms and the context in which they need to appear in order to be considered confidential. During the detection phase, each tested document is assigned to several clusters and its contents are then matched to each cluster’s respective graph in an attempt to determine the confidentiality of the document. Extensive experiments have shown that the model is superior to other methods in detecting leakage attempts, where the confidential information is rephrased or is different from the original examples provided in the learning set.

      Link
      Back to top