### Research Proposal

Add your abstract and contact information and we will be in touch

Thanks We will be in touch soon

Leave a massage and we’ll get back to you

You can also reach us at:

Cyber Security Research Center @ Ben-Gurion University of the Negev
P.O.B. 653
Beer Sheva, 84105,
Israel

+972 8 6428005
+972 8 6428121
cyber-labs bgu.ac.il

### Incentivized Delivery Network of IoT Software Updates Based on Trustless Proof-of-Distribution

Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, Asaf Shabtai

IEEE SECURITY & PRIVACY ON THE BLOCKCHAIN (IEEE S&B) AN IEEE EUROPEAN SYMPOSIUM ON SECURITY & PRIVACY AFFILIATED WORKSHOP 23 April 2018, University College London (UCL), London, UK

### Incentivized Delivery Network of IoT Software Updates Based on Trustless Proof-of-Distribution

Oded Leiba, Yechiav Yitzchak, Ron Bitton, Asaf Nadler, Asaf Shabtai

IEEE SECURITY & PRIVACY ON THE BLOCKCHAIN (IEEE S&B) AN IEEE EUROPEAN SYMPOSIUM ON SECURITY & PRIVACY AFFILIATED WORKSHOP 23 April 2018, University College London (UCL), London, UK

The Internet of Things (IoT) network of connected devices currently contains more than 11 billion devices and is estimated to double in size within the next four years. The prevalence of these devices makes them an ideal target for attackers. To reduce the risk of attacks vendors routinely deliver security updates (patches) for their devices. The delivery of security updates becomes challenging due to the issue of scalability as the number of devices may grow much quicker than vendors’ distribution systems. Previous studies have suggested a permissionless and decentralized blockchainbased network in which nodes can host and deliver security updates, thus the addition of new nodes scales out the network. However, these studies do not provide an incentive for nodes to join the network, making it unlikely for nodes to freely contribute their hosting space, bandwidth, and computation resources.
In this paper, we propose a novel decentralized IoT software update delivery network in which participating nodes (referred to as distributors) are compensated by vendors with digital currency for delivering updates to devices. Upon the release of a new security update, a vendor will make a commitment to provide digital currency to distributors that deliver the update; the commitment will be made with the use of smart contracts, and hence will be public, binding, and irreversible. The smart contract promises compensation to any distributor that provides proof-of-distribution, which is unforgeable proof that a single update was delivered to a single device. A distributor acquires the proof-of-distribution by exchanging a security update for a device signature using the Zero-Knowledge Contingent Payment (ZKCP) trustless data exchange protocol. Eliminating the need for trust between the security update distributor and the security consumer (IoT device) by providing fair compensation, can significantly increase the number of distributors, thus facilitating rapid scale out.

### EEG-triggered dynamic difficulty adjustment for multiplayer games

Adi Stein, Yair Yotam, Rami Puzis, Guy Shani, Meirav Taieb-Maimon

Entertainment Computing Volume 25, March 2018, Pages 14-25

### EEG-triggered dynamic difficulty adjustment for multiplayer games

Adi Stein, Yair Yotam, Rami Puzis, Guy Shani, Meirav Taieb-Maimon

Entertainment Computing Volume 25, March 2018, Pages 14-25

### Taxonomy of mobile users’ security awareness‏

R Bitton, A Finkelshtein, L Sidi, R Puzis, L Rokach, A Shabtai

Computers & Security Volume 73, March 2018, Pages 266-293

### Taxonomy of mobile users’ security awareness‏

R Bitton, A Finkelshtein, L Sidi, R Puzis, L Rokach, A Shabtai

Computers & Security Volume 73, March 2018, Pages 266-293

### Foundations of Homomorphic Secret Sharing

E. Boyle, N. Gilboa, Y. Ishai, R. Lin and S. Tessaro

9th Innovations in Theoretical Computer Science Conference (ITCS 2018)

### Foundations of Homomorphic Secret Sharing

E. Boyle, N. Gilboa, Y. Ishai, R. Lin and S. Tessaro

9th Innovations in Theoretical Computer Science Conference (ITCS 2018)

Homomorphic secret sharing (HSS) is the secret sharing analogue of homomorphic encryption. An HSS scheme supports a local evaluation of functions on shares of one or more secret inputs, such that the resulting shares of the output are short. Some applications require the stronger notion of additive HSS, where the shares of the output add up to the output over some finite Abelian group. While some strong positive results for HSS are known under specific cryptographic assumptions, many natural questions remain open. We initiate a systematic study of HSS, making the following contributions. – A definitional framework. We present a general framework for defining HSS schemes that unifies and extends several previous notions from the literature, and cast known results within this framework. – Limitations. We establish limitations on information-theoretic multi-input HSS with short output shares via a relation with communication complexity. We also show that additive HSS for non-trivial functions, even the AND of two input bits, implies non-interactive key exchange, and is therefore unlikely to be implied by public-key encryption or even oblivious transfer. – Applications. We present two types of applications of HSS. First, we construct 2-round protocols for secure multiparty computation from a simple constant-size instance of HSS. As a corollary, we obtain 2-round protocols with attractive asymptotic efficiency features under the Decision Diffie Hellman (DDH) assumption. Second, we use HSS to obtain nearly optimal worst-case to average-case reductions in P. This in turn has applications to fine-grained average-case hardness and verifiable computation.

### The Ergodic Capacity of the Multiple Access Channel Under Distributed Scheduling – Order Optimality of Linear Receivers

S. Kampeas, A. Cohen and O. Gurewitz

IEEE Transactions on Information Theory ( Volume: PP, Issue: 99 ) Page(s): 1 - 1

### The Ergodic Capacity of the Multiple Access Channel Under Distributed Scheduling – Order Optimality of Linear Receivers

S. Kampeas, A. Cohen and O. Gurewitz

IEEE Transactions on Information Theory ( Volume: PP, Issue: 99 ) Page(s): 1 - 1

Consider the problem of a Multiple-Input Multiple-Output (MIMO) Multiple-Access Channel (MAC) at the limit of large number of users. Clearly, in practical scenarios, only a small subset of the users can be scheduled to utilize the channel simultaneously. Thus, a problem of user selection arises. However, since solutions which collect Channel State Information (CSI) from all users and decide on the best subset to transmit in each slot do not scale when the number of users is large, distributed algorithms for user selection are advantageous. In this paper, we analyse a distributed user selection algorithm, which selects a group of users to transmit without coordinating between users and without all users sending CSI to the base station. This threshold-based algorithm is analysed for both Zero-Forcing (ZF) and Minimum Mean Square Error (MMSE) receivers, and its expected sum-rate in the limit of large number of users is investigated. It is shown that for large number of users it achieves the same scaling laws as the optimal centralized scheme.

### Early detection of spamming accounts in large-Scale service provider networks

Yehonatan Cohen, Daniel Gordon, Danny Hendler

Knowledge-Based Systems Volume 142, 15 February 2018, Pages 241-255

### Early detection of spamming accounts in large-Scale service provider networks

Yehonatan Cohen, Daniel Gordon, Danny Hendler

Knowledge-Based Systems Volume 142, 15 February 2018, Pages 241-255

### Quantifying the resilience of machine learning classifiers used for cyber security

Z Katzir, Y Elovici

Expert Systems with Applications 92, 419-429, 2018

### Quantifying the resilience of machine learning classifiers used for cyber security

Z Katzir, Y Elovici

Expert Systems with Applications 92, 419-429, 2018

The use of machine learning algorithms for cyber security purposes gives rise to questions of adversarial resilience, namely: Can we quantify the effort required of an adversary to manipulate a system that is based on machine learning techniques? Can the adversarial resilience of such systems be formally modeled and evaluated? Can we quantify this resilience such that different systems can be compared using empiric metrics?

Past works have demonstrated how an adversary can manipulate a system based on machine learning techniques by changing some of its inputs. However, comparatively little work has emphasized the creation of a formal method for measuring and comparing the adversarial resilience of different machine learning models to these changes.

In this work we study the adversarial resilience of detection systems based on supervised machine learning models. We provide a formal definition for adversarial resilience while focusing on multisensory fusion systems. We define the model robustness (MRB) score, a metric for evaluating the relative resilience of different models, and suggest two novel feature selection algorithms for constructing adversary aware classifiers. The first algorithm selects only features that cannot realistically be modified by the adversary, while the second algorithm allows control over the resilience versus accuracy tradeoff. Finally, we evaluate our approach with a real-life use case of dynamic malware classification using an extensive, up-to-date corpus of benign and malware executables. We demonstrate the potential of using adversary aware feature selection for building more resilient classifiers and provide empirical evidence supporting the inherent resilience of ensemble algorithms compared to single model algorithms.

### Detection of malicious webmail attachments based on propagation patterns

Yehonatan Cohen, Danny Hendler, Amir Rubin

Knowledge-Based Systems Volume 141, 1 February 2018, Pages 67-79

### Detection of malicious webmail attachments based on propagation patterns

Yehonatan Cohen, Danny Hendler, Amir Rubin

Knowledge-Based Systems Volume 141, 1 February 2018, Pages 67-79

### Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

Yisroel Mirsky, Tomer Doitshman, Yuval Elovici and Asaf Shabtai

Network and Distributed Systems Security Symposium (NDSS), 2018

### Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection

Yisroel Mirsky, Tomer Doitshman, Yuval Elovici and Asaf Shabtai

Network and Distributed Systems Security Symposium (NDSS), 2018

Neural networks have become an increasingly popular solution for network intrusion detection systems (NIDS). Their capability of learning complex patterns and behaviors make them a suitable solution for differentiating between normal traffic and network attacks. However, a drawback of neural networks is the amount of resources needed to train them. Many network gateways and routers devices, which could potentially host an NIDS, simply do not have the memory or processing power to train and sometimes even execute such models. More importantly, the existing neural network solutions are trained in a supervised manner. Meaning that an expert must label the network traffic and update the model manually from time to time.

In this paper, we present Kitsune: a plug and play NIDS which can learn to detect attacks on the local network, without supervision, and in an efficient online manner. Kitsune’s core algorithm (KitNET) uses an ensemble of neural networks called autoencoders to collectively differentiate between normal and abnormal traffic patterns. KitNET is supported by a feature extraction framework which efficiently tracks the patterns of every network channel. Our evaluations show that  Kitsune can detect various attacks with a performance comparable to offline anomaly detectors, even on a Raspberry PI. This demonstrates that Kitsune can be a practical and economic NIDS.

### EVALUATION OF ADDITIVE AND SUBTRACTIVE MANUFACTURING FROM THE SECURITY PERSPECTIVE

Mark Yampolskiy , Wayne King, Gregory Pope, Sofia Belikovetsky, Yuval Elovici

ICCIP 2017: Critical Infrastructure Protection XI pp 23-44

### EVALUATION OF ADDITIVE AND SUBTRACTIVE MANUFACTURING FROM THE SECURITY PERSPECTIVE

Mark Yampolskiy , Wayne King, Gregory Pope, Sofia Belikovetsky, Yuval Elovici

ICCIP 2017: Critical Infrastructure Protection XI pp 23-44

Additive manufacturing involves a new class of cyber-physical systems that manufacture 3D objects incrementally by depositing and fusing together thin layers of source material. In 2015, the global additive manufacturing industry had $5.165 billion in revenue, with 32.5% of all manufactured objects used as functional parts. Because of their reliance on computerization, additive manufacturing devices (or 3D printers) are susceptible to a broad range of attacks. The rapid adoption of additive manufacturing in aerospace, automotive and other industries makes it an attractive attack target and a critical asset to be protected. This chapter compares emerging additive manufacturing and traditional subtractive manufacturing from the security perspective. While the discussion compares the two manufacturing technologies, the emphasis is on additive manufacturing due to its expected dominance as the manufacturing technology of the future. The chapter outlines the additive and subtractive manufacturing workflows, proposes a framework for analyzing attacks on or using additive manufacturing systems and presents the major threat categories. In order to compare the two manufacturing paradigms from the security perspective, the differences between the two workflows are identified and the attack analysis framework is applied to demonstrate how the differences translate into threats. The analysis reveals that, while there is significant overlap with regard to security, fundamental differences in the two manufacturing paradigms require a separate investigation of additive manufacturing security. Link Cooperation with IBM ### Rational deployment of multiple heuristics in optimal state-space search‏ E Karpas, O Betzalel, SE Shimony, D Tolpin, A Felner Cooperation with IBM ### Rational deployment of multiple heuristics in optimal state-space search‏ E Karpas, O Betzalel, SE Shimony, D Tolpin, A Felner Link ### Homomorphic Secret Sharing: Optimizations and Applications E. Boyle, G. Couteau, N. Gilboa and Y. Ishai and M. Orru CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pages 2105-2122 ### Homomorphic Secret Sharing: Optimizations and Applications E. Boyle, G. Couteau, N. Gilboa and Y. Ishai and M. Orru CCS '17 Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security Pages 2105-2122 We continue the study of Homomorphic Secret Sharing (HSS), recently introduced by Boyle et al. (Crypto 2016, Eurocrypt 2017). A (2-party) HSS scheme splits an input x into shares (x0,x1) such that (1) each share computationally hides x, and (2) there exists an efficient homomorphic evaluation algorithm$\Eval$such that for any function (or “program”) from a given class it holds that Eval(x0,P)+Eval(x1,P)=P(x). Boyle et al. show how to construct an HSS scheme for branching programs, with an inverse polynomial error, using discrete-log type assumptions such as DDH. We make two types of contributions. Optimizations. We introduce new optimizations that speed up the previous optimized implementation of Boyle et al. by more than a factor of 30, significantly reduce the share size, and reduce the rate of leakage induced by selective failure. Applications. Our optimizations are motivated by the observation that there are natural application scenarios in which HSS is useful even when applied to simple computations on short inputs. We demonstrate the practical feasibility of our HSS implementation in the context of such applications. Link ### Learning Software Behavior for Automated Diagnosis Ori Bar-Ilan, Roni Stern and Meir Kalech The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017 ### Learning Software Behavior for Automated Diagnosis Ori Bar-Ilan, Roni Stern and Meir Kalech The Twenty Seventh International Workshop on Principles of Diagnosis (DX-17), 2017 Software diagnosis algorithms aim to identify the faulty software components that caused a failure. A key challenges of existing software diagnosis algorithms is how to prioritize the outputted diagnoses. To do so, previous work proposed a method for estimating the likelihood that each diagnosis is correct. Computing these diagnosis likelihoods is nontrivial. We propose to do this by learning a behavior model of the software components and use it to identify abnormally behaving components. In this work we show the potential of such an approach by performing an empirical evaluation on a synthetic behavior model of the components. The results show that even an imperfect behavior model is useful in improving diagnosis accuracy and minimizing wasted troubleshooting efforts. Link In collaboration with IDC Herzliya + Technion and UCLA ### Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation Elette Boyle, Niv Gilboa and Yuval Ishai Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017 In collaboration with IDC Herzliya + Technion and UCLA ### Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation Elette Boyle, Niv Gilboa and Yuval Ishai Advances in Cryptology - EUROCRYPT 2017, pages 163-193, 2017 A recent work of Boyle et al. (Crypto 2016) suggests that “group-based” cryptographic protocols, namely ones that only rely on a cryptographically hard (Abelian) group, can be surprisingly powerful. In particular, they present succinct two-party protocols for securely computing branching programs and NC1 circuits under the DDH assumption, providing the first alternative to fully homomorphic encryption. In this work we further explore the power of group-based secure computation protocols, improving both their asymptotic and concrete effi- ciency. We obtain the following results. – Black-box use of group. We modify the succinct protocols of Boyle et al. so that they only make a black-box use of the underlying group, eliminating an expensive non-black-box setup phase. – Round complexity. For any constant number of parties, we obtain 2-round MPC protocols based on a PKI setup under the DDH assumption. Prior to our work, such protocols were only known using fully homomorphic encryption or indistinguishability obfuscation. – Communication complexity. Under DDH, we present a secure 2- party protocol for any NC1 or log-space computation with n input bits and m output bits using n + (1 + o(1))m + poly(λ) bits of communication, where λ is a security parameter. In particular, our protocol can generate n instances of bit-oblivious-transfer using (4 + o(1)) · n bits of communication. This gives the first constant-rate OT protocol under DDH. – Computation complexity. We present several techniques for improving the computational cost of the share conversion procedure of Boyle et al., improving the concrete efficiency of group-based protocols by several orders of magnitude. Link In collaboration with Technion and UCLA ### Ad Hoc PSM Protocols: Secure Computation Without Coordination Amos Beimel, Yuval Ishai, Eyal Kushilevitz Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017 In collaboration with Technion and UCLA ### Ad Hoc PSM Protocols: Secure Computation Without Coordination Amos Beimel, Yuval Ishai, Eyal Kushilevitz Advances in Cryptology - EUROCRYPT 2017, pages 580-608, 2017 We study the notion of ad hoc secure computation, recently introduced by Beimel et al. (ITCS 2016), in the context of the Private Simultaneous Messages (PSM) model of Feige et al. (STOC 2004). In ad hoc secure computation we have n parties that may potentially participate in a protocol but, at the actual time of execution, only k of them, whose identity is not known in advance, actually participate. This situation is particularly challenging in the PSM setting, where protocols are non-interactive (a single message from each participating party to a special output party) and where the parties rely on pre-distributed, correlated randomness (that in the ad-hoc setting will have to take into account all possible sets of participants). We present several different constructions of ad hoc PSM protocols from standard PSM protocols. These constructions imply, in particular, that efficient information-theoretic ad hoc PSM protocols exist for NC 11 and different classes of log-space computation, and efficient computationally-secure ad hoc PSM protocols for polynomial-time computable functions can be based on a one-way function. As an application, we obtain an information-theoretic implementation of order-revealing encryption whose security holds for two messages. We also consider the case where the actual number of participating parties t may be larger than the minimal k for which the protocol is designed to work. In this case, it is unavoidable that the output party learns the output corresponding to each subset of k out of the t participants. Therefore, a “best possible security” notion, requiring that this will be the only information that the output party learns, is needed. We present connections between this notion and the previously studied notion of t-robust PSM (also known as “non-interactive MPC”). We show that constructions in this setting for even simple functions (like AND or threshold) can be translated into non-trivial instances of program obfuscation (such as point function obfuscation and fuzzy point function obfuscation, respectively). We view these results as a negative indication that protocols with “best possible security” are impossible to realize efficiently in the information-theoretic setting or require strong assumptions in the computational setting. Link In collaboration with IBM ### Supervised Detection of Infected Machines Using Anti-virus Induced Labels Tomer Cohen, Danny Hendler and Dennis Potashnik CSCML 2017, pages 211-220 In collaboration with IBM ### Supervised Detection of Infected Machines Using Anti-virus Induced Labels Tomer Cohen, Danny Hendler and Dennis Potashnik CSCML 2017, pages 211-220 Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade. We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent. Link In collaboration with IBM ### CyberRank: Knowledge Elicitation for Risk Assessment of Database Security H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach Proceedings of the 25th ACM International on Conference on Information and Knowledge Management In collaboration with IBM ### CyberRank: Knowledge Elicitation for Risk Assessment of Database Security H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach Proceedings of the 25th ACM International on Conference on Information and Knowledge Management Security systems for databases produce numerous alerts about anomalous activities and policy rule violations. Prioritizing these alerts will help security personnel focus their efforts on the most urgent alerts. Currently, this is done manually by security experts that rank the alerts or define static risk scoring rules. Existing solutions are expensive, consume valuable expert time, and do not dynamically adapt to changes in policy. Adopting a learning approach for ranking alerts is complex due to the efforts required by security experts to initially train such a model. The more features used, the more accurate the model is likely to be, but this will require the collection of a greater amount of user feedback and prolong the calibration process. In this paper, we propose CyberRank, a novel algorithm for automatic preference elicitation that is effective for situations with limited experts’ time and outperforms other algorithms for initial training of the system. We generate synthetic examples and annotate them using a model produced by Analytic Hierarchical Processing (AHP) to bootstrap a preference learning algorithm. We evaluate different approaches with a new dataset of expert ranked pairs of database transactions, in terms of their risk to the organization. We evaluated using manual risk assessments of transaction pairs, CyberRank outperforms all other methods for cold start scenario with error reduction of 20%. Link ### Anomaly detection for smartphone data streams Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach Pervasive and Mobile Computing 35, 83-107, 2017 ### Anomaly detection for smartphone data streams Y Mirsky, A Shabtai, B Shapira, Y Elovici, L Rokach Pervasive and Mobile Computing 35, 83-107, 2017 Smartphones centralize a great deal of users’ private information and are thus a primary target for cyber-attack. The main goal of the attacker is to try to access and exfiltrate the private information stored in the smartphone without detection. In situations where explicit information is lacking, these attackers can still be detected in an automated way by analyzing data streams (continuously sampled information such as an application’s CPU consumption, accelerometer readings, etc.). When clustered, anomaly detection techniques may be applied to the data stream in order to detect attacks in progress. In this paper we utilize an algorithm called pcStream that is well suited for detecting clusters in real world data streams and propose extensions to the pcStream algorithm designed to detect point, contextual, and collective anomalies. We provide a comprehensive evaluation that addresses mobile security issues on a unique dataset collected from 30 volunteers over eight months. Our evaluations show that the pcStream extensions can be used to effectively detect data leakage (point anomalies) and malicious activities (contextual anomalies) associated with malicious applications. Moreover, the algorithm can be used to detect when a device is being used by an unauthorized user (collective anomaly) within approximately 30 s with 1 false positive every two days. Link ### The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai SEMS (2017) ### The Curious Case of the Curious Case: Detecting touchscreen events using a smartphone case Tomer Glick, Yossi Oren, Rami Puzis, Asaf Shabtai SEMS (2017) Security-conscious users are very careful with software they allow their phone to run. They are much less careful with the choices they make regarding accessories such as headphones or chargers and only few, if any, care about cyber security threats coming from the phone’s protective case. We show how a malicious smartphone protective case can be used to detect and monitor the victim’s interaction with the phone’s touchscreen, opening the door to keyloggerlike attacks, threatening the user’s security and privacy. This feat is achieved by implementing a hidden capacitive sensing mechanism inside the case. Our attack is both sensitive enough to track the user’s finger location across the screen, and simple and cheap enough to be mass-produced and deployed en masse. We discuss the theoretical principles behind this attack, present a preliminary proof-of-concept, and discuss potential countermeasures and mitigations. Link ### Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017) ### Creation and Management of Social Network Honeypots for Detecting Targeted Cyber Attacks Abigail Paradise, Rami Puzis, Aviad Elyashar, Yuval Elovici, Asaf Shabtai IEEE Transactions on Computational Social Systems (IEEE T-CSS), accepted (2017) Reconnaissance is the initial and essential phase of a successful advanced persistent threat (APT). In many cases, attackers collect information from social media, such as professional social networks. This information is used to select members that can be exploited to penetrate the organization. Detecting such reconnaissance activity is extremely hard because it is performed outside the organization premises. In this paper, we propose a framework for management of social network honeypots to aid in detection of APTs at the reconnaissance phase. We discuss the challenges that such a framework faces, describe its main components, and present a case study based on the results of a field trial conducted with the cooperation of a large European organization. In the case study, we analyze the deployment process of the social network honeypots and their maintenance in real social networks. The honeypot profiles were successfully assimilated into the organizational social network and received suspicious friend requests and mail messages that revealed basic indications of a potential forthcoming attack. In addition, we explore the behavior of employees in professional social networks, and their resilience and vulnerability toward social network infiltration. Link ### Scalable Attack Path Finding for Increased Security Tom Gonda, Rami Puzis, and Bracha Shapira International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249 ### Scalable Attack Path Finding for Increased Security Tom Gonda, Rami Puzis, and Bracha Shapira International Conference on Cyber Security Cryptography and Machine Learning (CSCML), 2017, 234-249 Software vulnerabilities can be leveraged by attackers to gain control of a host. Attackers can then use the controlled hosts as stepping stones for compromising other hosts until they create a path to the critical assets. Consequently, network administrators must examine the protected network as a whole rather than each vulnerable host independently. To this end, various methods were suggested in order to analyze the multitude of attack paths in a given organizational network, for example, to identify the optimal attack paths. The down side of many of those methods is that they do not scale well to medium-large networks with hundreds or thousands of hosts. We suggest using graph reduction techniques in order to simplify the task of searching and eliminating optimal attacker paths. Results on an attack graph extracted from a network of a real organization with more than 300 hosts and 2400 vulnerabilities show that using the proposed graph reductions can improve the search time by a factor of 4 while maintaining the quality of the results. Link In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University ### CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains Reuth Mirsky, Ya'akov Gal, Stuart Shieber ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45 In collaboration with Paulson School of Engineering and Applied Sciences, Harvard University ### CRADLE: An Online Plan Recognition Algorithm for Exploratory Domains Reuth Mirsky, Ya'akov Gal, Stuart Shieber ACM Transactions on Intelligent Systems and Technology 8 (3), 2017, 45 In exploratory domains, agents’ behaviors include switching between activities, extraneous actions, and mistakes. Such settings are prevalent in real world applications such as interaction with open-ended software, collaborative office assistants, and integrated development environments. Despite the prevalence of such settings in the real world, there is scarce work in formalizing the connection between high-level goals and low-level behavior and inferring the former from the latter in these settings. We present a formal grammar for describing users’ activities in such domains. We describe a new top-down plan recognition algorithm called CRADLE (Cumulative Recognition of Activities and Decreasing Load of Explanations) that uses this grammar to recognize agents’ interactions in exploratory domains. We compare the performance of CRADLE with state-of-the-art plan recognition algorithms in several experimental settings consisting of real and simulated data. Our results show that CRADLE was able to output plans exponentially more quickly than the state-of-the-art without compromising its correctness, as determined by domain experts. Our approach can form the basis of future systems that use plan recognition to provide real-time support to users in a growing class of interesting and challenging domains Link In collaboration with The Jerusalem College of Technology ### Shortest path for K-Goals Roni Stern, Meir Goldenberg, Ariel Felner SoCS-2017 short paper In collaboration with The Jerusalem College of Technology ### Shortest path for K-Goals Roni Stern, Meir Goldenberg, Ariel Felner SoCS-2017 short paper The k-goal problem is a generalization of the Shortest Path Problem (SPP) in which the task is to solve k SPP problems, such that all the problems share the same start vertex. kGP was introduced to the heuristic search community for building an Incremental Roadmap Spanner technique (Dobson and Bekris 2014), which is a useful construct in motion plannin for robotics. But kGP has many other applications, e.g., when path planning for multiple drones flying from a central dispatcher location to k target locations. Link In collaboration with PayPal ### Session Analysis using Plan Recognition Reuth Mirsky, Kobi Gal and David Tolpin Interfaces and Scheduling and Planning (UISP) ICAPS (2017) In collaboration with PayPal ### Session Analysis using Plan Recognition Reuth Mirsky, Kobi Gal and David Tolpin Interfaces and Scheduling and Planning (UISP) ICAPS (2017) This paper presents preliminary results of our work with a major financial company, where we try to use methods of plan recognition in order to investigate the interactions of a costumer with the company’s online interface. In this paper, we present the first steps of integrating a plan recognition algorithm in a real-world application for detecting and analyzing the interactions of a costumer. It uses a novel approach for plan recognition from bare-bone UI data, which reasons about the plan library at the lowest recognition level in order to define the relevancy of actions in our domain, and then uses it to perform plan recognition. We present preliminary results of inference on three different use-cases modeled by domain experts from the company, and show that this approach manages to decrease the overload of information required from an analyst to evaluate a costumer’s session — whether this is a malicious or benign session, whether the intended tasks were completed, and if not — what actions are expected next. Link In collaboration with Sapir Academic College, Ashkelon, Israel ### Advanced Flow Models for Computing the Reputation of Internet Domains Hussien Othman, Ehud Gudes, Nurit Gal-Oz IFIPTM 2017: 119-134 In collaboration with Sapir Academic College, Ashkelon, Israel ### Advanced Flow Models for Computing the Reputation of Internet Domains Hussien Othman, Ehud Gudes, Nurit Gal-Oz IFIPTM 2017: 119-134 The Domain Name System (DNS) is an essential component of the Internet infrastructure that translates domain names into IP addresses. Recent incidents verify the enormous damage of malicious activities utilizing DNS such as bots that use DNS to locate their command & control servers. We believe that a domain that is related to malicious domains is more likely to be malicious as well and therefore detecting malicious domains using the DNS network topology is a key challenge. In this work we improve the flow model presented by Mishsky etal. [12] for computing the reputation of domains. This flow model is applied on a graph of domains and IPs and propagates their reputation scores through the edges that connect them to express the impact of malicious domains on related domains. We propose the use of clustering to guide the flow of reputation in the graph and examine two different clustering methods to identify groups of domains and IPs that are strongly related. The flow algorithms use these groups to emphasize the influence of nodes within the same cluster on each other. We evaluate the algorithms using a large database received from a commercial company. The experimental evaluation of our work have shown the expected improvement over previous work [12] in detecting malicious domains 12. Mishsky, I., Gal-Oz, N., Gudes, E.: A topology based flow model for computing domain reputation. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 277– 292. Springer, Cham (2015). doi:10.1007/978-3-319-20810-7 20 Link ### Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases Yossif Shalabi, Ehud Gudes DBSec 2017: 3-19 ### Cryptographically Enforced Role-Based Access Control for NoSQL Distributed Databases Yossif Shalabi, Ehud Gudes DBSec 2017: 3-19 The support for Role-Based Access Control (RBAC) using cryptography for NOSQL distributed databases is investigated. Cassandra is a NoSQL DBMS that efficiently supports very large databases, but provides rather simple security measures (an agent having physical access to a Cassandra cluster is usually assumed to have access to all data therein). Support for RBAC had been added almost as an afterthought, with the Node Coordinator having to mediate all requests to read and write data, in order to ensure that only the requests allowed by the Access Control Policy (ACP) are allowed through. In this paper, we propose a model and protocols for cryptographic enforcement of an ACP in a cassandra like system, which would ease the load on the Node Coordinator, thereby taking the bottleneck out of the existing security implementation. We allow any client to read the data from any storage node(s) – provided that only the clients whom the ACP grants access to a datum, would hold the encryption keys that enable these clients to decrypt the data. Link In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel ### Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party Nir Maoz, Ehud Gudes CSCML 2017: 193-195 In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel ### Brief Announcement: Privacy Preserving Mining of Distributed Data Using a Trusted and Partitioned Third Party Nir Maoz, Ehud Gudes CSCML 2017: 193-195 We like to discuss the usability of new architecture of partitioned third party, offered in [1] for conducting a new protocols for data mining algorithms over shared data base between multiple data holders. Current solution for data mining over partitioned data base are: Data anonimization [4], homomorphic encryption [5], trusted third party [2] or secure multiparty computation algorithms [3]. Current solutions suffer from different problems such as expensive algorithms in terms of computation overhead and required communication rounds, revealing private information to third party. The new architecture offered by Sherman et al. allow the data holders to use simple masking techniques that are not expensive in computation nor assume trust in the third party, yet allow to perform simple and complex data mining algorithms between multiple data owners while private data is not revealed. That come with the assumption of no collude between the two parts of the PTTP. 1: Q sends the query to DBi, 1 ≤ i ≤ M, and the query type (either intersection or union) to R. 2: Q sends R which private column participate in the query (e.g. the age column). 3: R generates a random permutation σ on the set of integers {1,…, 2|Ω|} and sends it to DBi, 1 ≤ i ≤ M. 4: for all 1 ≤ i ≤ M do 5: DBi sets a Boolean vector Vi={vi,1,. . . ,vi,|Ω|} where vi,j = 1 ifDBi hold private value j 0 otherwise Link In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel ### Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud Grisha Weintraub, Ehud Gudes CCGrid 2017: 498-503 In collaboration with Dept. of Mathematics and Computer Science, The Open University, Raanana, Israel ### Crowdsourced Data Integrity Verification for Key-Value Stores in the Cloud Grisha Weintraub, Ehud Gudes CCGrid 2017: 498-503 Abstract—Thanks to their high availability, scalability, and usability, cloud databases have become one of the dominant cloud services. However, since cloud users do not physically possess their data, data integrity may be at risk. In this paper, we present a novel protocol that utilizes crowdsourcing paradigm to provide practical data integrity assurance in keyvalue cloud databases. The main advantage of our protocol over previous work is its high applicability – as opposed to existing approaches, our scheme does not require any system changes on the cloud side and thus can be applied directly to any existing system. We demonstrate the feasibility of our scheme by a prototype implementation and its evaluation. Link ### From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y. Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017) ### From Smashed Screens to Smashed Stacks: Attacking Mobile Phones using Malicious Aftermarket Parts Shwartz, O., Shitrit, G., Shabtai, A., Oren, Y. Workshop on Security for Embedded and Mobile Systems (SEMS'17), Paris, France (April 30, 2017) In this preliminary study we present the first practical attack on a modern smartphone which is mounted through a malicious aftermarket replacement part (specifically, a replacement touchscreen). Our attack exploits the lax security checks on the packets traveling between the touchscreen’s embedded controller and the phone’s main CPU, and is able to achieve kernel-level code execution privileges on modern Android phones protected by SELinux. This attack is memory independent and survives data wipes and factory resets. We evaluate two phones from major vendors and present a proof-of-concept attack in actual hardware on one phone and an emulation level attack on the other. Through a semiautomated source code review of 26 recent Android phones from 8 different vendors, we believe that our attack vector can be applied to many other phones, and that it is very difficult to protect against. Similar attacks should also be possible on other smart devices such as printers, cameras and cars, which similarly contain user-replaceable sub-units. Link In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev ### POSTER: Towards Exposing Internet of Things: A Roadmap Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016) In collaboration with SUTD+ CSRC, Ben-Gurion University of the Negev ### POSTER: Towards Exposing Internet of Things: A Roadmap Sachidananda, V., Toh, J., Siboni, S., Shabtai, A. and Elovici In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1820-1822) (2016) Considering the exponential increase of Internet of Things (IoT) devices there is also unforeseen vulnerabilities associated with these IoT devices. One of the major problems in the IoT is the security testing and analysis due to the heterogeneous nature of deployments. Currently, there is no mechanism that performs security testing for IoT devices in different contexts. In addition, there is a missing framework to be able to adapt and tune accordingly with various security testing perspectives. In this paper, we propose an innovative security testbed targeted at IoT devices and also briefly introduce Adaptable and Tunable Framework (ATF) for testing IoT devices. Link In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev ### Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017) In collaboration with SUTD + CSRC, Ben-Gurion University of the Negev ### Let the Cat Out of the Bag: A Holistic Approach Towards Security Analysis of the Internet of Things Sachidananda, V., Siboni, S., Shabtai, A., Toh, J., Bhairav, S. and Elovici, Y. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (pp. 3-10) (2017) The exponential increase of Internet of Things (IoT) devices have resulted in a range of new and unanticipated vulnerabilities associated with their use. IoT devices from smart homes to smart enterprises can easily be compromised. One of the major problems associated with the IoT is maintaining security; the vulnerable nature of IoT devices poses a challenge to many aspects of security, including security testing and analysis. It is trivial to perform the security analysis for IoT devices to understand the loop holes and very nature of the devices itself. Given these issues, there has been less emphasis on security testing and analysis of the IoT. In this paper, we show our preliminary efforts in the area of security analysis for IoT devices and introduce a security IoT testbed for performing security analysis. We also discuss the necessary design, requirements and the architecture to support our security analysis conducted via the proposed testbed. Link In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST) ### Advanced security testbed framework for wearable IoT devices Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y. ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016) In collaboration with Singapore University of Technology and Design, Singapore (SUTD) + Daegu Gyeongbuk Institute of Science and Technology, Daegu, South Korea (DGIST) ### Advanced security testbed framework for wearable IoT devices Siboni, S., Shabtai, A., Tippenhauer, N.O., Lee, J. and Elovici, Y. ACM Transactions on Internet Technology (TOIT), 16(4), p.26 (2016) Analyzing the security of Wearable Internet-of-Things (WIoT) devices is considered a complex task due to their heterogeneous nature. In addition, there is currently no mechanism that performs security testing for WIoT devices in different contexts. In this article, we propose an innovative security testbed framework targeted at wearable devices, where a set of security tests are conducted, and a dynamic analysis is performed by realistically simulating environmental conditions in which WIoT devices operate. The architectural design of the proposed testbed and a proof-of-concept, demonstrating a preliminary analysis and the detection of context-based attacks executed by smartwatch devices, are presented. Link ### Ranking Vulnerability Fixes Using Planning Graph Analysis Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani International Workshop on Artificial Intelligence and Security (2017) ### Ranking Vulnerability Fixes Using Planning Graph Analysis Tom Gonda, Rami Puzis, Bracha Shapira, Guy Shani International Workshop on Artificial Intelligence and Security (2017) During the past years logical attack graphs were used to find the most critical vulnerabilities and devise efficient hardening strategies for organizational networks. Most techniques for ranking vulnerabilities either do not scale well, e.g. brute-force attack plan enumeration, or are not well suited for the analysis of logical attack graphs, e.g. centrality measures. In this paper we suggest an analysis of the planning graph (from classical planning) derived from the logical attack graph to improve the accuracy of centrality-based vulnerability ranking metrics. The planning graph also allows efficient enumeration of the set of possible attack plans that use a given vulnerability on a specific machine. We suggest a set of centrality based heuristics for reducing the number of attack plans and compare with previously suggested vulnerability ranking metrics. Results show that metrics computed over the planning graph are superior to metrics computed over the logical attack graph or the network connectivity graph. Link ### Partially Observable Contingent Planning for Penetration Testing Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani 28th International Workshop on Principles of Diagnosis (DX) (2017) ### Partially Observable Contingent Planning for Penetration Testing Dorin Shmaryahu, Tom Gonda, Joerg Hoffman, Guy Shani 28th International Workshop on Principles of Diagnosis (DX) (2017) Penetration Testing (pentesting), where network administrators automatically attack their own network to identify and fix vulnerabilities, has recently received attention from the AI community. Smart algorithms that can identify robust and efficient attack plans may imitate human hackers better than simple protocols. Classical planning methods for pentesting model poorly the real world, where the attacker has only partial information concerning the network. On the other hand POMDPbased approaches provide a strong model, but fail to scale up to reasonable model sizes. In this paper we offer a middle ground, allowing for partial observability and non-deterministic action effects, by modeling pentesting as a partially observable contingent problem. We experiment with a real network of a large organization, showing our solver to scale to realistic problem sizes. We also experiment with sub-sampled networks, comparing the expected reward of a contingent plan graph to that of a POMDP policy. Link ### A hybrid approach for improving unsupervised fault detection for robotic systems Eliahu Khalastchi , Meir Kalech , Lior Rokach Expert Systems with Applications Volume 81, 15 September 2017, Pages 372-383 ### A hybrid approach for improving unsupervised fault detection for robotic systems Eliahu Khalastchi , Meir Kalech , Lior Rokach Expert Systems with Applications Volume 81, 15 September 2017, Pages 372-383 The use of robots in our daily lives is increasing. As we rely more on robots, thus it becomes more important for us that the robots will continue on with their mission successfully. Unfortunately, these sophisticated, and sometimes very expensive, machines are susceptible to different kinds of faults. It becomes important to apply a Fault Detection (FD) mechanism which is suitable for the domain of robots. Two important requirements of such a mechanism are: high accuracy and low computational-load during operation (online). Supervised learning can potentially produce very accurate FD models, and if the learning takes place offline then the online computational-load can be reduced. Yet, the domain of robots is characterized with the absence of labeled data (e.g., “faulty”, “normal”) required by supervised approaches, and consequently, unsupervised approaches are being used. In this paper we propose a hybrid approach – an unsupervised approach can label a data set, with a low degree of inaccuracy, and then the labeled data set is used offline by a supervised approach to produce an online FD model. Now, we are faced with a choice – should we use the unsupervised or the hybrid fault detector? Seemingly, there is no way to validate the choice due to the absence of (a priori) labeled data. In this paper we give an insight to why, and a tool to predict when, the hybrid approach is more accurate. In particular, the main impacts of our work are (1) we theoretically analyze the conditions under which the hybrid approach is expected to be more accurate. (2) Our theoretical findings are backed with empirical analysis. We use data sets of three different robotic domains: a high fidelity flight simulator, a laboratory robot, and a commercial Unmanned Arial Vehicle (UAV). (3) We analyze how different unsupervised FD approaches are improved by the hybrid technique and (4) how well this improvement fits our prediction tool. The significance of the hybrid approach and the prediction tool is the potential benefit to expert and intelligent systems in which labeled data is absent or expensive to create. Link Cooperation with Soroka University Medical Center ### Predicting Refractive Surgery Outcome: Machine Learning Approach With Big Data Asaf Achiron, Zvi Gur, Uri Aviv, Assaf Hilely, Michael Mimouni, Lily Karmona, Lior Rokach, Igor Kaiserman Journal of Refractive Surgery. 2017;33(9):592-597 Cooperation with Soroka University Medical Center ### Predicting Refractive Surgery Outcome: Machine Learning Approach With Big Data Asaf Achiron, Zvi Gur, Uri Aviv, Assaf Hilely, Michael Mimouni, Lily Karmona, Lior Rokach, Igor Kaiserman Journal of Refractive Surgery. 2017;33(9):592-597 PURPOSE:To develop a decision forest for prediction of laser refractive surgery outcome. METHODS:Data from consecutive cases of patients who underwent LASIK or photorefractive surgeries during a 12-year period in a single center were assembled into a single dataset. Training of machine-learning classifiers and testing were performed with a statistical classifier algorithm. The decision forest was created by feature vectors extracted from 17,592 cases and 38 clinical parameters for each patient. A 10-fold cross-validation procedure was applied to estimate the predictive value of the decision forest when applied to new patients. RESULTS:Analysis included patients younger than 40 years who were not treated for monovision. Efficacy of 0.7 or greater and 0.8 or greater was achieved in 16,198 (92.0%) and 14,945 (84.9%) eyes, respectively. Efficacy of less than 0.4 and less than 0.5 was achieved in 322 (1.8%) and 506 (2.9%) eyes, respectively. Patients in the low efficacy group (< 0.4) had statistically significant differences compared with the high efficacy group (≥ 0.8), yet were clinically similar (mean differences between groups of 0.7 years, of 0.43 mm in pupil size, of 0.11 D in cylinder, of 0.22 logMAR in preoperative CDVA, of 0.11 mm in optical zone size, of 1.03 D in actual sphere treatment, and of 0.64 D in actual cylinder treatment). The preoperative subjective CDVA had the highest gain (most important to the model). Correlations analysis revealed significantly decreased efficacy with increased age (r = −0.67, P < .001), central corneal thickness (r = −0.40, P < .001), mean keratometry (r = −0.33, P < .001), and preoperative CDVA (r = −0.47, P < .001). Efficacy increased with pupil size (r = 0.20, P < .001). CONCLUSIONS:This model could support clinical decision making and may lead to better individual risk assessment. Expanding the role of machine learning in analyzing big data from refractive surgeries may be of interest. Link ### Inter-labeler and intra-labeler variability of condition severity classification models using active and passive learning methods N Nissim, Y Shahar, Y Elovici, G Hripcsak, R Moskovitch Artificial Intelligence in Medicine Volume 81, September 2017, Pages 12-32 ### Inter-labeler and intra-labeler variability of condition severity classification models using active and passive learning methods N Nissim, Y Shahar, Y Elovici, G Hripcsak, R Moskovitch Artificial Intelligence in Medicine Volume 81, September 2017, Pages 12-32 Link Cooperation with IBM & Google ### DLRS 2017: Second Workshop on Deep Learning for Recommender Systems Balázs Hidasi, Alexandros Karatzoglou, Oren Sar-Shalom, Sander Dieleman, Bracha Shapira, Domonkos Tikk RecSys '17 Proceedings of the Eleventh ACM Conference on Recommender Systems Pages 370-371 Como, Italy — August 27 - 31, 2017 Cooperation with IBM & Google ### DLRS 2017: Second Workshop on Deep Learning for Recommender Systems Balázs Hidasi, Alexandros Karatzoglou, Oren Sar-Shalom, Sander Dieleman, Bracha Shapira, Domonkos Tikk RecSys '17 Proceedings of the Eleventh ACM Conference on Recommender Systems Pages 370-371 Como, Italy — August 27 - 31, 2017 Deep learning methods became widely popular in the recommender systems community in 2016, in part thanks to the previous event of the DLRS workshop series. Now, deep learning has been embedded in the main conference as well and initial research directions have started forming, so the role of DLRS 2017 is to encourage starting new research directions, incentivize the application of very recent techniques from deep learning, and provide a venue for specialized discussion of this topic. Link ### Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise (‘DiskFiltration’) Mordechai Guri Email author , Yosef Solewicz, Andrey Daidakulov, Yuval Elovici ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115 ### Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise (‘DiskFiltration’) Mordechai Guri Email author , Yosef Solewicz, Andrey Daidakulov, Yuval Elovici ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115 In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, the magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops todays are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h). Link Cooperation with IDF ### DiskFiltration: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici, ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115 Cooperation with IDF ### DiskFiltration: Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise Mordechai Guri, Yosef Solewicz, Andrey Daidakulov, Yuval Elovici, ESORICS 2017: Computer Security – ESORICS 2017 pp 98-115 In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, the magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops todays are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary Information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) between air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h). Link In collaboration with Ariel University ### I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification R. DubinS, A. DvirPI, O. PelePI and O. HadarPI IEEE Transactions on Information Forensics & Security, Vol. 12, No. 12, pp. 3039-3049, July 2017 In collaboration with Ariel University ### I Know What You Saw Last Minute – Encrypted HTTP Adaptive Video Streaming Title Classification R. DubinS, A. DvirPI, O. PelePI and O. HadarPI IEEE Transactions on Information Forensics & Security, Vol. 12, No. 12, pp. 3039-3049, July 2017 Desktops and laptops can be maliciously exploited to violate privacy. There are two main types of attack scenarios: active and passive. In this paper, we consider the passive scenario where the adversary does not interact actively with the device, but he is able to eavesdrop on the network traffic of the device from the network side. Most of the Internet traffic is encrypted and thus passive attacks are challenging. Previous research has shown that information can be extracted from encrypted multimedia streams. This includes video title classification of non HTTP adaptive streams (non-HAS). This paper presents an algorithm for encrypted HTTP adaptive video streaming title classification. We show that an external attacker can identify the video title from video HTTP adaptive streams (HAS) sites such as YouTube. To the best of our knowledge, this is the first work that shows this. We provide a large data set of 10000 YouTube video streams of 100 popular video titles (each title downloaded 100 times) as examples for this task. The dataset was collected under real-world network conditions. We present several machine algorithms for the task and run a through set of experiments, which shows that our classification accuracy is more than 95%. We also show that our algorithms are able to classify video titles that are not in the training set as unknown and some of the algorithms are also able to eliminate false prediction of video titles and instead report unknown. Finally, we evaluate our algorithms robustness to delays and packet losses at test time and show that a solution that uses SVM is the most robust against these changes given enough training data. We provide the dataset and the crawler for future research. Link Cooperation with Tel-Aviv University ### Cyber Security and the Role of Intelligent Systems in Addressing its Challenges Yaniv Harel, Irad Ben Gal and Yuval Elovici ACM Transactions on Intelligent Systems and Technology (TIST) - Special Issue: Cyber Security and Regular Papers archive Volume 8 Issue 4, July 2017 Article No. 49 Cooperation with Tel-Aviv University ### Cyber Security and the Role of Intelligent Systems in Addressing its Challenges Yaniv Harel, Irad Ben Gal and Yuval Elovici ACM Transactions on Intelligent Systems and Technology (TIST) - Special Issue: Cyber Security and Regular Papers archive Volume 8 Issue 4, July 2017 Article No. 49 We are living in a unique period of history, and the current technology revolution will be among the most dramatic societal transformations remembered by humanity. The important changes associated with the invention of the engine, electricity, and the printing press gradually transformed society in the western world over a period of over a hundred years. The changes accompanying the current revolution have significantly altered the lives of average citizens across the globe in less than a generation. This is unprecedented. In the past, revolutions spanned decades, enabling the establishment of processes and systems. For example, a language that supports the new revolution evolves, and leaders emerge, with the fresh perspective required by the revolutionary changes. New disciplines are created and new occupations are developed to support the changes. The present revolution is taking place at such a high speed that such enabling processes and systems have not yet been established, let alone developed or matured, and they will continue to be created well into the future. Over the past three decades, an important new vector of the technology revolution has emerged: the cyber domain. In particular, the technological aspects of cyber— such as computer technologies, access to information and systems, greater connectivity among subsystems, and the combined effect of all these aspects on a growing list of diverse spheres—expose the world to unprecedented risks. Academia and the intellectual infrastructure associated with the cyber domain are struggling to keep up with the domain’s rapid pace. Cryptography is a mature discipline, with strong connections to mathematics and computer science, which have helped the discipline evolve and develop over the years. Traditionally, it has been the cyber area most rooted in the academic world. However, many other technological subjects should also be part of the cyber academic discussion. Each month, as the cyber effect expands, new aspects of this arena become part of the cyber theoretical discipline. For example, the autonomous car came on the scene in recent years [Coppola and Morisio 2016], and it did not take long before a cyber threat associated with the autonomous car was identified. The immaturity of the discipline is reflected by the fact that cyber is currently being discussed on many stages and studied by researchers from diverse disciplines and perspectives. The issue of whether cyber is a pure discipline or a topic that relates to several disciplines will continue to be discussed in the coming years. The following special issue includes a collection of selected papers that cover the diverse cyber domain and how it interfaces with intelligent systems. The topics were presented at the Tel Aviv Academic Conference over two successive years. The scope of this special issue is relatively broad, yet there are many cyber issues that have not been addressed in this edition. Link ### Measurement of online discussion authenticity within online social media‏ A Elyashar, J Bendahan, R Puzis, MA Sanmateu IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. ### Measurement of online discussion authenticity within online social media‏ A Elyashar, J Bendahan, R Puzis, MA Sanmateu IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining. In this paper, we propose an approach for estimating the authenticity of online discussions based on the similarity of online social media (OSM) accounts participating in the online discussion to known abusers and legitimate accounts. Our method uses similarity functions for the analysis and classification of OSM accounts. The proposed methods are demonstrated using Twitter data collected for this study and a previously published Arabic Honeypot dataset. The data collected during this study includes manually labeled accounts and a ground truth collection of abusers from crowdturfing platforms. Demonstration of the discussion topic’s authenticity, derived from account similarity functions, shows that the suggested approach is effective for discriminating between topics that were strongly promoted by abusers and topics that attracted authentic public interest. Measurement of Online Discussion Authenticity within Online Social Media | Request PDF. Available from: https://www.researchgate.net/publication/321064925_Measurement_of_Online_Discussion_Authenticity_within_Online_Social_Media [accessed Mar 05 2018]. Link ### 9-1-1 DDoS: Attacks, Analysis and Mitigation Mordechai Guri, Yisroel Mirsky, Yuval Elovici 2017 IEEE European Symposium on Security and Privacy (EuroS&P). ### 9-1-1 DDoS: Attacks, Analysis and Mitigation Mordechai Guri, Yisroel Mirsky, Yuval Elovici 2017 IEEE European Symposium on Security and Privacy (EuroS&P). The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller’s identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or$100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future.
Cooperation with IBM

### Supervised Detection of Infected Machines

Tomer Cohen, Danny Hendler and Dennis Potashnik

CSCML 2017: Cyber Security Cryptography and Machine Learning pp 34-49

Cooperation with IBM

### Supervised Detection of Infected Machines

Tomer Cohen, Danny Hendler and Dennis Potashnik

CSCML 2017: Cyber Security Cryptography and Machine Learning pp 34-49

Traditional antivirus software relies on signatures to uniquely identify malicious files. Malware writers, on the other hand, have responded by developing obfuscation techniques with the goal of evading content-based detection. A consequence of this arms race is that numerous new malware instances are generated every day, thus limiting the effectiveness of static detection approaches. For effective and timely malware detection, signature-based mechanisms must be augmented with detection approaches that are harder to evade.

We introduce a novel detector that uses the information gathered by IBM’s QRadar SIEM (Security Information and Event Management) system and leverages anti-virus reports for automatically generating a labelled training set for identifying malware. Using this training set, our detector is able to automatically detect complex and dynamic patterns of suspicious machine behavior and issue high-quality security alerts. We believe that our approach can be used for providing a detection scheme that complements signature-based detection and is harder to circumvent.

### Diagnosing resource usage failures in multi-agent systems

Orel Elimelech, Roni Stern, Meir Kalech, Yedidya Bar-Zeev

Expert Systems with Applications Volume 77, 1 July 2017, Pages 44-56

### Diagnosing resource usage failures in multi-agent systems

Orel Elimelech, Roni Stern, Meir Kalech, Yedidya Bar-Zeev

Expert Systems with Applications Volume 77, 1 July 2017, Pages 44-56

### Ensembles of classifiers based on dimensionality reduction

Alon Schclar, Lior Rokach, Amir Amit

Intelligent Data Analysis, vol. 21, no. 3, pp. 467-489, 2017

### Ensembles of classifiers based on dimensionality reduction

Alon Schclar, Lior Rokach, Amir Amit

Intelligent Data Analysis, vol. 21, no. 3, pp. 467-489, 2017

We present a novel approach for the construction of ensemble classifiers based on dimensionality reduction. The ensemble members are trained based on dimension-reduced versions of the training set. In order to classify a test sample, it is first embedded into the dimension reduced space of each individual classifier by using an out-of-sample extension algorithm. Each classifier is then applied to the embedded sample and the classification is obtained via a voting scheme. We demonstrate the proposed approach using the Random Projections, the Diffusion Maps and the Random Subspaces dimensionality reduction algorithms. We also present a multi-strategy ensemble which combines AdaBoost and Diffusion Maps. A comparison is made with the Bagging, AdaBoost, Rotation Forest ensemble classifiers and also with the base classifier. Our experiments used seventeen benchmark datasets from the UCI repository. The results obtained by the proposed algorithms were superior in many cases to other algorithms.

In collaboration with Princeton University

### Physical Layer Security over Wiretap Channels with Random Parameters

Z. Goldfeld, P. Cuff and H. H. Permuter.

Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

In collaboration with Princeton University

### Physical Layer Security over Wiretap Channels with Random Parameters

Z. Goldfeld, P. Cuff and H. H. Permuter.

Accepted to the 2017 International Symposium on Cyber Security Cryptography and Machine Learning (CSCML-2017), Beer-Sheva, Israel, June 2017

We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated that our region can be strictly larger than those reported in the preceding works.

In collaboration with Princeton University

### The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

Z. Goldfeld, P. Cuff and H. H. Permuter

Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

In collaboration with Princeton University

### The Gelfand-Pinsker wiretap channel: strictly higher secrecy rates via a novel superposition code

Z. Goldfeld, P. Cuff and H. H. Permuter

Accepted to the 2017 IEEE International Symposium on Information Theory (ISIT-2017), Aachen, Germany, June 2017

To be considered for the 2017 IEEE Jack Keil
Wolf ISIT Student Paper Award. We study the state-dependent
(SD) wiretap channel (WTC) with non-causal channel state
information (CSI) at the encoder. This model subsumes all other
instances of CSI availability as special cases, and calls for an
efficient utilization of the state sequence both for reliability and
security purposes. A lower bound on the secrecy-capacity, that
improves upon the previously best known result by Chen and
Han Vinck, is derived based on a novel superposition coding
scheme. The improvement over the Chen and Han Vinck result
is strict for some SD-WTCs. Specializing the lower bound to the
case where CSI is also available to the decoder reveals that it
is at least as good as the achievable formula by Chia and ElGamal,
of the Chen and Han Vinck code to the encoder and decoder
CSI scenario. The results are derived under the strict semanticsecurity
metric that requires negligible information leakage for
all message distributions. The proof of achievability relies on
a stronger version of the soft-covering lemma for superposition
codes.

### Centralized vs. Decentralized Multi-Agent Guesswork

S. Salamatian, A. Beirami, A. Cohen and M. Medard

2017 IEEE International Symposium on Information Theory (ISIT)

### Centralized vs. Decentralized Multi-Agent Guesswork

S. Salamatian, A. Beirami, A. Cohen and M. Medard

2017 IEEE International Symposium on Information Theory (ISIT)

Abstract:

We study a notion of guesswork, where multiple agents intend to launch a coordinated brute-force attack to find a single binary secret string, and each agent has access to side information generated through either a BEC or a BSC. The average number of trials required to find the secret string grows exponentially with the length of the string, and the rate of the growth is called the guesswork exponent. We compute the guesswork exponent for several multi-agent attacks. We show that a multi-agent attack reduces the guesswork exponent compared to a single agent, even when the agents do not exchange information to coordinate their attack, and try to individually guess the secret string using a predetermined scheme in a decentralized fashion. Further, we show that the guesswork exponent of two agents who do coordinate their attack is strictly smaller than that of any finite number of agents individually performing decentralized guesswork.

### Active hypothesis testing on a tree: Anomaly detection under hierarchical observations

Chao Wang, Qing Zhao, and Kobi Cohen

2017 IEEE International Symposium on Information Theory (ISIT)

### Active hypothesis testing on a tree: Anomaly detection under hierarchical observations

Chao Wang, Qing Zhao, and Kobi Cohen

2017 IEEE International Symposium on Information Theory (ISIT)

The problem of detecting a few anomalous processes among a large number of M processes is considered. At each
time, aggregated observations can be taken from a chosen subset of processes, where the chosen subset conforms to a
given binary tree structure. The random observations are i.i.d. over time with a general distribution that may depend
on the size of the chosen subset and the number of anomalous processes in the subset. The objective is a sequential
search strategy that minimizes the sample complexity (i.e., the expected number of observations which represents
detection delay) subject to a reliability constraint. A sequential test that results in a biased random walk on the tree
is developed and is shown to be asymptotically optimal in terms of detection accuracy. Furthermore, it achieves the
optimal logarithmic-order sample complexity in M provided that the Kullback-Liebler divergence between aggregated
observations in the presence and the absence of anomalous processes are bounded away from zero at all levels of the
tree structure as M approaches infinity. Sufficient conditions on the decaying rate of the aggregated observations to
pure noise under which a sublinear scaling in M is preserved are also identified for the Bernoulli case.

In collaboration with Princeton University

### Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

In collaboration with Princeton University

### Semantically-Secured Message-Key Trade-off over Wiretap Channels with Random Parameters

A. Bunin, Z. Goldfeld, H. H. Permuter, S. Shamai, P. Cuff and P. Piantanida

In Proceedings of the 2nd Workshop on Communication Security affiliated with EUROCRYPT, Paris, France, April 2017

We study the trade-off between secret message (SM) and secret key (SK) rates, simultaneously achievable over
a state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This
model subsumes other instances of CSI availability as special cases, and calls for efficient utilization of the state
sequence for both reliability and security purposes. An inner bound on the semantic-security (SS) SM-SK capacity
region is derived based on a superposition coding scheme inspired by a past work of the authors. The region is
shown to attain capacity for a certain class of SD-WTCs. SS is established by virtue of two versions of the strong
soft-covering lemma. The derived region yields an improvement upon the previously best known SM-SK trade-off
result reported by Prabhakaran et al., and, to the best of our knowledge, upon all other existing lower bounds for
either SM or SK for this setup, even if the semantic security requirement is relaxed to weak secrecy. It is demonstrated
that our region can be strictly larger than those reported in the preceding works.

### A Proxy-Based Solution for Securiting Remote Desktop Connections in Mission-Critical Systems

Ron Bitton ; Clint Feher ; Yuval Elovici ; Asaf Shabtai ; Gaby Shugol ; Raz Tikochinski ; Shachar Kur

2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

### A Proxy-Based Solution for Securiting Remote Desktop Connections in Mission-Critical Systems

Ron Bitton ; Clint Feher ; Yuval Elovici ; Asaf Shabtai ; Gaby Shugol ; Raz Tikochinski ; Shachar Kur

2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

Remote desktop protocols (RDPs) are used for connecting and interacting with computers remotely. In recent years, we have witnessed a number of vulnerabilities identified in two widely used remote desktop implementations, Microsoft Remote Desktop and RealVNC, that may expose the connected systems to a new attack vector. Such vulnerabilities are particularly concerning when it comes to mission-critical systems in which a client device with a low trust level connects to the critical system via a remote desktop server. In this preliminary study we propose a proxy-based solution that applies various modules, each of which mitigates a different type of threat, in order to secure remote desktop connections used in missioncritical systems.
Cooperation with Tel-Aviv University

### Enhanced situation space mining for data streams

Y Mirsky, T Halpern, R Upadhyay, S Toledo, Y Elovici

SAC '17 Proceedings of the Symposium on Applied Computing Pages 842-849 Marrakech, Morocco — April 03 - 07, 2017

Cooperation with Tel-Aviv University

### Enhanced situation space mining for data streams

Y Mirsky, T Halpern, R Upadhyay, S Toledo, Y Elovici

SAC '17 Proceedings of the Symposium on Applied Computing Pages 842-849 Marrakech, Morocco — April 03 - 07, 2017

Data streams can capture the situation which an actor is experiencing. Knowledge of the present situation is highly beneficial for a wide range of applications. An algorithm called pcStream can be used to extract situations from a numerical data stream in an unsupervised manner. Although pcStream outperforms other stream clustering algorithms at this task, pcStream has two major flaws. The first is its complexity due to continuously performing principal component analysis (PCA). The second is its difficulty in detecting emerging situations whose distributions overlap in the same feature space.

In this paper we introduce pcStream2, a variant of pcStream which employs windowing and persistence in order to distinguish between emerging overlapping concepts. We also propose the use of incremental PCA (IPCA) to reduce the overall complexity and memory requirements of the algorithm. Although any IPCA algorithm can be used, we use a novel IPCA algorithm called Just-In-Time PCA which is better suited for processing streams. JIT-PCA makes intelligent ‘short cuts’ in order to reduce computations. We provide experimental results on real-world datasets that demonstrates how the proposed improvements make pcStream2 a more accurate and practical tool for situation space mining.

Cooperation with Singapore University of Technology and Design

### Cyber security patrol: detecting fake and vulnerable wifi-enabled printers

J Toh, M Hatib, O Porzecanski, Y Elovici‏

SAC '17 Proceedings of the Symposium on Applied Computing Pages 535-542 Marrakech, Morocco — April 03 - 07, 2017

Cooperation with Singapore University of Technology and Design

### Cyber security patrol: detecting fake and vulnerable wifi-enabled printers

J Toh, M Hatib, O Porzecanski, Y Elovici‏

SAC '17 Proceedings of the Symposium on Applied Computing Pages 535-542 Marrakech, Morocco — April 03 - 07, 2017

Many printers nowadays support Wi-Fi connectivity. Some organizations opt to disable their printer’s wireless connectivity, others are not aware at all that it is enabled and some enable it in an encrypted form. In this paper we demonstrate how an application called “pFaker” running on a mobile device or smart watch can be used to mimic a printer’s Wi-Fi connectivity and functionalities in order to harm user privacy by unobtrusively stealing print jobs. To mitigate these risks, we developed a mobile application called “Cyber-Security Patrol”. We demonstrate how a mobile phone running Cyber-Security patrol can be placed on a drone or an autonomous vacuum cleaner to search for devices that try to mimic the printer’s Wi-Fi connectivity and for printers that expose unsecured wireless connection in the target organization. Cyber-Security Patrol takes photos of the location where unauthorized Wi-Fi enabled printers were detected and sends them to the organization’s administrator. For cases that the Wi-Fi enabled printer is legitimate but unsecured, Cyber Security Patrol sends a print job to the printer with detailed instructions on how to secure the specific printer model as identified based on its Service Set Identifier (SSID). A demo that demonstrates one of the use cases can be found here: https://www.youtube.com/watch?v=aJ2ZG04BrjM

Cooperation with Singapore University of Technology and Design

### Siphon: Towards scalable high-interaction physical honeypots

Juan David Guarnizo, Amit Tambe, Suman Sankar Bhunia, Martín Ochoa, Nils Ole Tippenhauer, Asaf Shabtai, Yuval Elovici,

CPSS '17 Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security Pages 57-68 Abu Dhabi, United Arab Emirates — April 02 - 02, 2017

Cooperation with Singapore University of Technology and Design

### Siphon: Towards scalable high-interaction physical honeypots

Juan David Guarnizo, Amit Tambe, Suman Sankar Bhunia, Martín Ochoa, Nils Ole Tippenhauer, Asaf Shabtai, Yuval Elovici,

CPSS '17 Proceedings of the 3rd ACM Workshop on Cyber-Physical System Security Pages 57-68 Abu Dhabi, United Arab Emirates — April 02 - 02, 2017

In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. In this work, we propose the SIPHON architecture—a Scalable high-Interaction Honeypot platform for IoT devices. Our architecture leverages IoT devices that are physically at one location and are connected to the Internet through so-called \emph{wormholes} distributed around the world. The resulting architecture allows exposing few physical devices over a large number of geographically distributed IP addresses. We demonstrate the proposed architecture in a large scale experiment with 39 wormhole instances in 16 cities in 9 countries. Based on this setup, five physical IP cameras, one NVR and one IP printer are presented as 85 real IoT devices on the Internet, attracting a daily traffic of 700MB for a period of two months. A preliminary analysis of the collected traffic indicates that devices in some cities attracted significantly more traffic than others (ranging from 600 000 incoming TCP connections for the most popular destination to less than 50 000 for the least popular). We recorded over 400 brute-force login attempts to the web-interface of our devices using a total of 1826 distinct credentials, from which 11 attempts were successful. Moreover, we noted login attempts to Telnet and SSH ports some of which used credentials found in the recently disclosed Mirai malware

### An SMDP approach to optimal PHY configuration in wireless networks

Mark Shifrin ; Daniel S. Menasché ; Asaf Cohen ; Omer Gurewitz ; Dennis Goeckel

2017 13th Annual Conference on Wireless On-demand Network Systems and Services (WONS), Jackson, WY, USA

### An SMDP approach to optimal PHY configuration in wireless networks

Mark Shifrin ; Daniel S. Menasché ; Asaf Cohen ; Omer Gurewitz ; Dennis Goeckel

2017 13th Annual Conference on Wireless On-demand Network Systems and Services (WONS), Jackson, WY, USA

In this work, we study the optimal configuration of the physical layer in wireless networks by means of Semi-Markov Decision Process (SMDP) modeling. In particular, assume the physical layer is characterized by a set of potential operating points, with each point corresponding to a rate and reliability pair; for example, these pairs might be obtained through a now-standard diversity-vs-multiplexing tradeoff characterization. Given the current network state (e.g., buffer occupancies), a Decision Maker (DM) needs to dynamically decide which operating point to use. The SMDP problem formulation allows us to choose from these pairs an optimal selection, which is expressed by a decision rule as a function of the number of awaiting packets in the source’s finite queue, channel state, size of the packet to be transmitted. We derive a general solution which covers various model configurations, including packet size distributions and varying channels. For the specific case of exponential transmission time, we analytically prove the optimal policy has a threshold structure. Numerical results validate this finding, as well as depict muti-threshold policies for time varying channels such as the Gilber-Elliot channel.
In collaboration with SUTD + CSRC

### ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

In collaboration with SUTD + CSRC

### ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis

Meidan Yair, Bohadana Michael, Shabtai Asaf, Guarnizo Juan-David, Ochoa Martin, Tippenhauer Nils-Ole, Elovici Yuval

In Proceedings of The 32nd ACM Symposium On Applied Computing (SAC'17), Marrakesh, Morocco, April 3-7 2017

In this work we apply machine learning algorithms on network
traffic data for accurate identification of IoT devices
connected to a network. To train and evaluate the classi-
fier, we collected and labeled network traffic data from nine
distinct IoT devices, and PCs and smartphones. Using supervised
learning, we trained a multi-stage meta classifier; in
the first stage, the classifier can distinguish between traffic
generated by IoT and non-IoT devices. In the second stage,
each IoT device is associated a specific IoT device class. The
overall IoT classification accuracy of our model is 99.281%.

In collaboration with Princeton University

### Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017, and International Zurich Seminar on Communications

In collaboration with Princeton University

### Strong secrecy for cooperative broadcast channels

Z. Goldfeld, G. Kramer, H. H. Permuter and P. Cuff

IEEE Transactions on Information Theory, vol. 63, no. 1, pp. 469-495, January 2017, and International Zurich Seminar on Communications

A broadcast channel (BC) where the decoders cooperate via a one-sided link is considered. One common and two private messages are transmitted and the private message to the cooperative user should be kept secret from the cooperationaided user. The secrecy level is measured in terms of strong secrecy, i.e., a vanishing information leakage. An inner bound on the capacity region is derived by using a channel-resolvabilitybased code that double-bins the codebook of the secret message, and by using a likelihood encoder to choose the transmitted codeword. The inner bound is shown to be tight for semideterministic
and physically degraded BCs, and the results are compared with those of the corresponding BCs without a secrecy constraint. Blackwell and Gaussian BC examples illustrate the impact of secrecy on the rate regions. Unlike the case without secrecy, where sharing information about both private messages via the cooperative link is optimal, our protocol conveys parts of the common and non-confidential messages only. This restriction reduces the transmission rates more than the usual rate loss due to secrecy requirements. An example that illustrates this loss is provided.

### Individually-Secure Multi-Source Multicast

A. Cohen, A. Cohen, M. Medard and O. Gurewitz

2017 IEEE International Symposium on Information Theory (ISIT)

### Individually-Secure Multi-Source Multicast

A. Cohen, A. Cohen, M. Medard and O. Gurewitz

2017 IEEE International Symposium on Information Theory (ISIT)

The principal mission of Multi-Source Multicast (MSM) is to disseminate all messages from all sources in a network to all destinations. MSM is utilized in numerous applications. In many of them, securing the messages disseminated is critical. A common secure model is to consider a network where there is an eavesdropper which is able to observe a subset of the network links, and seek a code which keeps the eavesdropper ignorant regarding all the messages. While this is solved when all messages are located at a single source, Secure MSM (SMSM) is an open problem, and the rates required are hard to characterize in general. In this paper, we consider Individual Security, which promises that the eavesdropper has zero mutual information with each message individually. We completely characterize the rate region for SMSM under individual security, and show that such a security level is achievable at the full capacity of the network, that is, the cut-set bound is the matching converse, similar to non-secure MSM. Moreover, we show that the field size is similar to non-secure MSM and does not have to be larger due to the security constraint.

### WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction.

Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon, Aviya Veidberg

CT-RSA 2017: Topics in Cryptology – CT-RSA 2017 pp 293-308

### WEM: A New Family of White-Box Block Ciphers Based on the Even-Mansour Construction.

Jihoon Cho, Kyu Young Choi, Itai Dinur, Orr Dunkelman, Nathan Keller, Dukjae Moon, Aviya Veidberg

CT-RSA 2017: Topics in Cryptology – CT-RSA 2017 pp 293-308

White-box cryptosystems aim at providing security against an adversary that has access to the encryption process. As a countermeasure against code lifting (in which the adversary simply distributes the code of the cipher), recent white-box schemes aim for ‘incompressibility’, meaning that any useful representation of the secret key material is memory-consuming.

In this paper we introduce a new family of white-box block ciphers relying on incompressible permutations and the classical Even-Mansour construction. Our ciphers allow achieving tradeoffs between encryption speed and white-box security that were not obtained by previous designs. In particular, we present a cipher with reasonably strong space hardness of 2 15  215 $2^{15}$  bytes, that runs at less than 100 cycles per byte.

### Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016, and in IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016.

### Arbitrarily varying wiretap channels with type constrained states

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE GLOBECOM Workshop on Physical Layer Security, Washington DC, WA, USA, December 2016, and in IEEE Transactions on Information Theory, vol. 62, no. 12, pp. 7216-7244, December 2016.

—The arbitrarily varying wiretap channel (AVWTC) is an open problem largely because of two main challenges. Not only does it capture the difficulty of the compound wiretap channel (another open problem) as a special case, it also requires that secrecy is ensured with respect to exponentially many possible channel state sequences. This work overcomes the second aforementioned difficulty. To that end, we consider an AVWTC with a type constraint on the allowed state sequences, and derive a single-letter characterization of its correlated-random (CR) assisted semantic-security (SS) capacity. The allowed state sequences are the ones in a typical set around a single constraining type. SS is established by showing that the mutual information between the message and the eavesdropper’s observations is negligible even when maximized over all message distributions, choices of state sequences and realizations of the CR-code. Both the achievability and the converse proofs of the type constrained coding theorem rely on stronger claims than actually required. The direct part establishes a novel single-letter lower bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained by any convex and closed set of state probability mass functions. This bound achieves the best known single-letter secrecy rates for a corresponding compound wiretap channel over the same constraint set. In contrast to other singleletter results in the AVWTC literature, the derivation does not assume the existence of a best channel to the eavesdropper. Optimality is a consequence of an max-inf upper bound on the CR-assisted SS-capacity of an AVWTC with state sequences constrained to any collection of type-classes. When adjusted to the aforementioned compound WTC, the upper bound simplifies to a max-min structure, thus strengthening the previously best known single-letter upper bound by Liang et al. that has a minmax form.

### An optical covert-channel to leak data through an air-gap

Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

### An optical covert-channel to leak data through an air-gap

Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

In recent years, various out-of-band covert channels have been proposed that demonstrate the feasibility of leaking data out of computers without the need for network connectivity. The methods proposed have been based on different type of electromagnetic, acoustic, and thermal emissions. However, optical channels have largely been considered less covert: because they are visible to the human eye and hence can be detected, they have received less attention from researchers. In this paper, we introduce VisiSploit, a new type of optical covert channel which, unlike other optical methods, is also stealthy. Our method exploits the limitations of human visual perception in order to unobtrusively leak data through a standard computer LCD display. Our experiments show that very low contrast or fast flickering images which are invisible to human subjects, can be recovered from photos taken by a camera. Consequentially, we show that malicious code on a compromised computer can obtain sensitive data (e.g., images, encryption keys, passwords), and project it onto a computer LCD screen, invisible and unbeknownst to users, allowing an attacker to reconstruct the data using a photo taken by a nearby (possibly hidden) camera. In order to demonstrate the feasibility of this type of attack and evaluate the channel’s stealth, we conducted a battery of tests with 40 human subjects. We also examined the channel’s boundaries under various parameters, with different types of encoded objects, at several distances, and using several kinds of cameras. Our results show that binary data can be leaked via our covert channel. Further research and discussion may widen the scope of this field beyond its current boundaries, yielding novel attack paradigms that exploit the subtle mechanisms of human visual perception.

### An optical covert-channel to leak data through an air-gap

Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

### An optical covert-channel to leak data through an air-gap

Mordechai Guri, Ofer Hasson, Gabi Kedma, Yuval Elovici

Conference: 2016 14th Annual Conference on Privacy, Security and Trust (PST)

In recent years, various out-of-band covert channels have been proposed that demonstrate the feasibility of
leaking data out of computers without the need for network connectivity. The methods proposed have been based on different
type of electromagnetic, acoustic, and thermal emissions. However, optical channels have largely been considered less
covert: because they are visible to the human eye and hence can be detected, they have received less attention from researchers.

In this paper, we introduce VisiSploit, a new type of optical covert channel which, unlike other optical methods, is also
stealthy. Our method exploits the limitations of human visual perception in order to unobtrusively leak data through a standard
computer LCD display. Our experiments show that very low contrast or fast flickering images which are invisible to human
subjects, can be recovered from photos taken by a camera. Consequentially, we show that malicious code on a compromised
computer can obtain sensitive data (e.g., images, encryption keys, passwords), and project it onto a computer LCD screen, invisible
and unbeknownst to users, allowing an attacker to reconstruct the data using a photo taken by a nearby (possibly hidden) camera.
Our research yielding novel attack paradigms that exploit the subtle mechanisms of human visual perception.

### USBee: Air-gap covert-channel via electromagnetic emission from USB

Mordechai Guri, Matan Monitz, Yuval Elovici

2016 14th Annual Conference on Privacy, Security and Trust (PST)

### USBee: Air-gap covert-channel via electromagnetic emission from USB

Mordechai Guri, Matan Monitz, Yuval Elovici

2016 14th Annual Conference on Privacy, Security and Trust (PST)

In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present `USBee,’ a software that can utilize an unmodified USB device connected to a computer as a RF transmitter. We demonstrate how a software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second

### ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology

Nir Nissim ; Aviad Cohen ; Yuval Elovici

IEEE Transactions on Information Forensics and Security ( Volume: 12, Issue: 3, March 2017 ) Page(s): 631 - 646

### ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology

Nir Nissim ; Aviad Cohen ; Yuval Elovici

IEEE Transactions on Information Forensics and Security ( Volume: 12, Issue: 3, March 2017 ) Page(s): 631 - 646

Attackers increasingly take advantage of innocent users who tend to casually open email messages assumed to be benign, carrying malicious documents. Recent targeted attacks aimed at organizations utilize the new Microsoft Word documents (*.docx). Anti-virus software fails to detect new unknown malicious files, including malicious docx files. In this paper, we present ALDOCX, a framework aimed at accurate detection of new unknown malicious docx files that also efficiently enhances the framework’s detection capabilities over time. Detection relies upon our new structural feature extraction methodology (SFEM), which is performed statically using meta-features extracted from docx files. Using machine-learning algorithms with SFEM, we created a detection model that successfully detects new unknown malicious docx files. In addition, because it is crucial to maintain the detection model’s updatability and incorporate new malicious files created daily, ALDOCX integrates our active-learning (AL) methods, which are designed to efficiently assist anti-virus vendors by better focusing their experts’ analytical efforts and enhance detection capability. ALDOCX identifies and acquires new docx files that are most likely malicious, as well as informative benign files. These files are used for enhancing the knowledge stores of both the detection model and the anti-virus software. The evaluation results show that by using ALDOCX and SFEM, we achieved a high detection rate of malicious docx files (94.44% TPR) compared with the anti-virus software (85.9% TPR)-with very low FPR rates (0.19%). ALDOCX’s AL methods used only 14% of the labeled docx files, which led to a reduction of 95.5% in security experts’ labeling efforts compared with the passive learning and the support vector machine (SVM)-Margin (existing active-learning method). Our AL methods also showed a significant improvement of 91% in number of unknown docx malware acquired, compared with the passive learning and the SVM-Margin, thus providing an improved updating solution for the detection model, as well as the anti-virus software widely used within organizations.

### I Know What You Saw Last Minute – The Chrome Browser Case

R. Dubin. A. Dvir, O. Pele, and O. Hadar

in Blackhat Europe 2016, 1st-4th November 2016, London, UK

### I Know What You Saw Last Minute – The Chrome Browser Case

R. Dubin. A. Dvir, O. Pele, and O. Hadar

in Blackhat Europe 2016, 1st-4th November 2016, London, UK

In collaboration with Princeton University

### Wiretap channel with random states non-causally available at the encoder

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

In collaboration with Princeton University

### Wiretap channel with random states non-causally available at the encoder

Z. Goldfeld, P. Cuff, and H. H. Permuter

In Proceedings of the 2016 IEEE International Conference on the Science of Electrical Engineers (ICSEE-2016), Eilat, Israel, November 2016

We study the state-dependent (SD) wiretap channel (WTC) with non-causal channel state information (CSI) at the encoder. This model subsumes all other instances of CSI availability as special cases, and calls for an efficient utilization of the state sequence both for reliability and security purposes. A lower bound on the secrecy-capacity, that improves upon the previously best known result by Chen and Han Vinck, is derived based on a novel superposition coding scheme. The improvement over the Chen and Han Vinck result is strict for some SD-WTCs. Specializing the lower bound to the case where CSI is also available to the decoder reveals that it is at least as good as the achievable formula by Chia and El-Gamal, which is already known to outperform the adaptation of the Chen and Han Vinck code to the encoder and decoder CSI scenario. The results are derived under the strict semantic-security metric that requires negligible information leakage for all message distributions.

Cooperation with IDC

### The role of network setting and gender in online content popularity‏

O Lesser, T Hayat, Y Elovici‏

Information, Communication & Society 20, 2017 (11), 1607-1624‏.

Cooperation with IDC

### The role of network setting and gender in online content popularity‏

O Lesser, T Hayat, Y Elovici‏

Information, Communication & Society 20, 2017 (11), 1607-1624‏.

In this study, we explore the role of specific network structures that enhance social capital and assess the extent to which gender, social ties, and communication interaction relate to content popularity within online social networks (OSNs). Our results are based on an extensive OSN data set, containing over 100,000 members, connected by over 1.7 million links. The findings indicate that content popularity inference is more accurate when considering activity interaction among users and that network structures known as advantageous for amassing social capital in the offline environment are relevant online as well. We conclude by discussing how gender mediates the correlation between some network measures and the growth of users’ content popularity and provide a potential explanation for the emergence of gender differences.

### Data-Augmented Software Diagnosis

Amir Elmishali, Roni Stern, Meir Kalech

AAAI 2016: 4003-4009

### Data-Augmented Software Diagnosis

Amir Elmishali, Roni Stern, Meir Kalech

AAAI 2016: 4003-4009

Software fault prediction algorithms predict which software
components is likely to contain faults using machine learning
techniques. Software diagnosis algorithm identify the faulty
software components that caused a failure using model-based
or spectrum based approaches. We show how software fault
prediction algorithms can be used to improve software diagnosis.
The resulting data-augmented diagnosis algorithm
overcomes key problems in software diagnosis algorithms:
ranking diagnoses and distinguishing between diagnoses with
high probability and low probability. We demonstrate the ef-
ficiency of the proposed approach empirically on three open
sources domains, showing significant increase in accuracy of
diagnosis and efficiency of troubleshooting. These encouraging
results suggests broader use of data-driven methods to
complement and improve existing model-based methods.

In collaboration with IDC Herzliya + Technion and UCLA

### Function Secret Sharing Improvements and Extensions

Elette Boyle, Niv Gilboa and Yuval Ishai

ACM CCS 2016, pages 1292-1303, 2016

In collaboration with IDC Herzliya + Technion and UCLA

### Function Secret Sharing Improvements and Extensions

Elette Boyle, Niv Gilboa and Yuval Ishai

ACM CCS 2016, pages 1292-1303, 2016

Function Secret Sharing (FSS), introduced by Boyle et al.
(Eurocrypt 2015), provides a way for additively secret-sharing
a function from a given function family F. More concretely,
an m-party FSS scheme splits a function f : {0, 1}
n → G, for some abelian group G, into functions f1, . . . , fm, described by keys k1, . . . , km, such that f = f1 + . . . + fm and every
strict subset of the keys hides f. A Distributed Point Function
(DPF) is a special case where F is the family of point
functions, namely functions fα,β that evaluate to β on the
input α and to 0 on all other inputs. FSS schemes are useful for applications that involve privately reading from or writing to distributed databases while
minimizing the amount of communication. These include
different flavors of private information retrieval (PIR), as
well as a recent application of DPF for large-scale anonymous
messaging. We improve and extend previous results in several ways:
• Simplified FSS constructions. We introduce a tensoring
operation for FSS which is used to obtain a conceptually
simpler derivation of previous constructions
and present our new constructions.
• Improved 2-party DPF. We reduce the key size of
the PRG-based DPF scheme of Boyle et al. roughly
by a factor of 4 and optimize its computational cost.
The optimized DPF significantly improves the concrete
costs of 2-server PIR and related primitives.
• FSS for new function families. We present an ef-
ficient PRG-based 2-party FSS scheme for the family
of decision trees, leaking only the topology of the tree
and the internal node labels. We apply this towards
FSS for multi-dimensional intervals. We also present
a general technique for extending FSS schemes by increasing
the number of parties.
• Verifiable FSS. We present efficient protocols for verifying
that keys (k ∗ 1 , . . . , k∗ m), obtained from a potentially
malicious user, are consistent with some f ∈ F.
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
CCS’16, October 24 – 28, 2016, Vienna, Austria

c 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ISBN 978-1-4503-4139-4/16/10. . . \$15.00
DOI: http://dx.doi.org/10.1145/2976749.2978429
Such a verification may be critical for applications that
involve private writing or voting by many users.
Keywords: Function secret sharing, private information
retrieval, secure multiparty computation, homomorphic encryption

In collaboration with IDC Herzliya + Technion and UCLA

### Breaking the Circuit Size Barrier for Secure Computation under DDH

Elette Boyle, Niv Gilboa and Yuval Ishai

Crypto 2016, pages 509-539, 2016

In collaboration with IDC Herzliya + Technion and UCLA

### Breaking the Circuit Size Barrier for Secure Computation under DDH

Elette Boyle, Niv Gilboa and Yuval Ishai

Crypto 2016, pages 509-539, 2016

Under the Decisional Diffie-Hellman (DDH) assumption, we present a 2-out-of-2 secret sharing scheme that supports a compact evaluation of branching programs on the shares. More concretely, there is an evaluation algorithm Eval with a single bit of output, such that if an input w ∈ {0, 1}n is shared into (w0, w1), then for any deterministic branching program P of size S we have that Eval(P, w0) ⊕ Eval(P, w1) = P(w) except with at most δ failure probability. The running time of the sharing algorithm is polynomial in n and the security parameter λ, and that of Eval is polynomial in S, λ, and 1/δ. This applies as a special case to boolean formulas of size S or boolean circuits of depth log S. We also present a public-key variant that enables homomorphic computation on inputs contributed by multiple clients. The above result implies the following DDH-based applications: – A secure 2-party computation protocol for evaluating any branching program or formula of size S, where the communication complexity is linear in the input size and only the running time grows with S. – A secure 2-party computation protocol for evaluating layered boolean circuits of size S with communication complexity O(S/ log S). – A 2-party function secret sharing scheme, as defined by Boyle et al. (Eurocrypt 2015), for general branching programs (with inverse polynomial error probability). – A 1-round 2-server private information retrieval scheme supporting general searches expressed by branching programs. Prior to our work, similar results could only be achieved using fully homomorphic encryption. We hope that our approach will lead to more practical alternatives to known fully homomorphic encryption schemes in the context of low-communication secure computation.

### Node-Centric Detection of Overlapping Communities in Social Networks

Yehonatan Cohen, Danny Hendler and Amir Rubin

12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

### Node-Centric Detection of Overlapping Communities in Social Networks

Yehonatan Cohen, Danny Hendler and Amir Rubin

12th International Conference and School on Advances in Network Science (NetSci-X16) pp 2016

We present NECTAR, a community detection algorithm that generalizes Louvain method’s local search heuristic for overlapping community structures. NECTAR chooses dynamically which objective function to optimize based on the network on which it is invoked. Our experimental evaluation on both synthetic benchmark graphs and real-world networks, based on ground-truth communities, shows that NECTAR provides excellent results as compared with state of the art community detection algorithms.

In collaboration with Telekom Innovation Laboratories

### Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

In collaboration with Telekom Innovation Laboratories

### Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis

Bar, Ariel and Shapira, Bracha and Rokach, Lior and Unger, Moshe

Software Science, 2016 IEEE International Conference on Technology and Engineering (SWSTE), 28-36

Honey pots are computer resources that are used to detect and deflect network attacks on a protected system. The data collected from honey pots can be utilized to better understand cyber-attacks and provide insights for improving security measures, such as intrusion detection systems. In recent years, attackers’ sophistication has increased significantly, thus additional and more advanced analytical models are required. In this paper we suggest several unique methods for detecting attack propagation patterns using Markov Chains modeling and complex networks analysis. These methods can be applied on attack datasets collected from honey pots. The results of these models shed light on different attack profiles and interaction patterns between the deployed sensors in the honey pot system. We evaluate the suggested methods on a massive data set which includes over 167 million observed attacks on a globally distributed honey pot system. Analyzing the results reveals interesting patterns regarding attack correlations between the honey pots. We identify central honey pots which enable the propagation of attacks, and present how attack profiles may vary according to the attacking country. These patterns can be used to better understand existing or evolving attacks, and may aid security experts to better deploy honey pots in their system.

### SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

### SherLock vs Moriarty: A Smartphone Dataset for Cybersecurity

Mirsky, A Shabtai, L Rokach, B Shapira, Y Elovici

Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security

In this paper we describe and share with the research community,
a significant smartphone dataset obtained from an
ongoing long-term data collection experiment. The dataset
currently contains 10 billion data records from 30 users collected
over a period of 1.6 years and an additional 20 users for
6 months (totaling 50 active users currently participating in
the experiment).
The experiment involves two smartphone agents: SherLock
and Moriarty. SherLock collects a wide variety of software and
sensor data at a high sample rate. Moriarty perpetrates various
attacks on the user and logs its activities, thus providing
labels for the SherLock dataset.
The primary purpose of the dataset is to help security professionals
and academic researchers in developing innovative
methods of implicitly detecting malicious behavior in smartphones.
Specifically, from data obtainable without superuser
(root) privileges. To demonstrate possible uses of the dataset,
we perform a basic malware analysis and evaluate a method
of continuous user authentication.

### Scalable attack propagation model and algorithms for honeypot systems

A Bar, B Shapira, L Rokach, M Unger

Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

### Scalable attack propagation model and algorithms for honeypot systems

A Bar, B Shapira, L Rokach, M Unger

Big Data (Big Data), 2016 IEEE International Conference on, 1130-1135

Attack propagation models within honeypot systems aim at providing insights about attack strategies that target multiple honeypots, rather than analyzing attacks on each honeypot separately. Traditional attack propagation models focus on building a single probabilistic model. This modeling approach may be misleading, since it does not take into consideration contextual information such as the country from which the attack is initiated. In addition, with the massive increase in the magnitude of attacks on honeypots, a scalable modeling approach is required. In this work we present a novel attack propagation model that can utilize contextual information about the attacks by training multiple Markov Chain models. Moreover, we add additional layers of analysis: first, we present a likelihood estimation procedure that can identify new and evolving attack patterns; and second, we introduce a method for generating simulated attack sequences that can be used for training or sensitivity analysis. Lastly, we present, in details, a MapReduce design for all suggested algorithms in order to address scalability issues. We evaluate our methods on a massive dataset which includes approximately 170 million attacks on an operational honeypot system. Results indicate that contextual modeling is important for explaining attack propagation that may vary by country. In addition, we show the effectiveness of the suggested method for generating simulated sequences by comparing the attack propagation patterns we learned in the generated dataset and the original one. Finally, we demonstrate the scalability of all of the proposed algorithms on real and synthetic datasets that include over a billion records.

### Spot the Hotspot: Wi-Fi Hotspot Classiﬁcation from Internet Trafﬁc

Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

SBP-BRiMS (2016)

### Spot the Hotspot: Wi-Fi Hotspot Classiﬁcation from Internet Trafﬁc

Andrey Finkelshtein, Rami Puzis, Asaf Shabtai, Bronislav Sidik

SBP-BRiMS (2016)

The meteoric progress of Internet technologies and PDA (personal digital assistant) devices has made public Wi-Fi hotspots very popular. Nowadays, hotspots can be found almost anywhere: organizations, home networks, public transport systems, restaurants, etc. The Internet usage patterns (e.g. browsing) differ with the hotspot venue. This insight introduces new traffic profiling opportunities. Using machine learning techniques we show that it is possible to infer types of venues that provide Wi-Fi access (e.g., organizations and hangout places) by analyzing the Internet traffic of connected mobile phones. We show that it is possible to infer the user’s current venue type disclosing his/her current context. This information can be used for improving personalized and context aware services such as web search engines or online shops, without the presence on user’s device. In this paper we evaluate venue type inference based on mobile phone traffic collected from 115 college students and analyze their Internet behavior across the different venues types.

### MIMO Gaussian broadcast channels with common, private and confidential messages

Z. Goldfeld

In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

### MIMO Gaussian broadcast channels with common, private and confidential messages

Z. Goldfeld

In Proceedings of the 2016 IEEE Information Theory Workshop (ITW-2016), Cambridge, UK, September 2016

The two-user multiple-input multiple-output
(MIMO) Gaussian broadcast channel (BC) with common,
private and confidential messages is considered. The transmitter
sends a common message to both users, a confidential message
to User 1 and a private (non-confidential) message to User
2. The secrecy-capacity region is characterized by showing
that certain inner and outer bounds coincide and that the
boundary points are achieved by Gaussian inputs. The proof
relies on factorization of upper concave envelopes and a variant
of dirty-paper coding (DPC). The entire region is exhausted
by using DPC to cancel out the signal of the non-confidential
message at Receiver 1, making DPC against the signal of the
confidential message unnecessary. The secrecy-capacity results
are visualized using a numerical example.

Cooperation with Singapore University of Technology and Design

### Network Flow Watermarking: A Survey‏

A Iacovazzi, Y Elovici‏

IEEE Communications Surveys & Tutorials ( Volume: 19, Issue: 1, Firstquarter 2017 ) Page(s): 512 - 530

Cooperation with Singapore University of Technology and Design

### Network Flow Watermarking: A Survey‏

A Iacovazzi, Y Elovici‏

IEEE Communications Surveys & Tutorials ( Volume: 19, Issue: 1, Firstquarter 2017 ) Page(s): 512 - 530

Traffic analysis (TA) is a useful tool aimed at understanding network traffic behavior. Basic network administration often takes advantage of TA for purposes such as security, intrusion detection, traffic shaping and policing, diagnostic monitoring, provisioning, and resource management. Network flow watermarking is a type of TA in which packet features of selected flows are manipulated in order to add a specific pattern easily identifiable when the watermarked flows cross an observation point. While passive TA has been extensively studied with hundreds of papers found in the literature, active TA, and more specifically network flow watermarking, has only recently attracted attention. Enforced robustness against traffic perturbations due to either natural network noise or attacks against passive TA have enhanced the appeal of this technique. The contribution of this paper is a thorough review of the main watermarking algorithms implemented for traffic analysis purposes. We present an overview of the motivations and the objectives that have led to the use of network flow watermarking. We also describe the general architecture of a watermarking system. In addition, we impose clarity and order in this branch of TA by providing a taxonomy of the algorithms proposed in the literature over the years, and categorize and present them based on carrier, visibility, and robustness.
In collaboration with Technische Universit¨at M¨unchen

### Broadcast channels with privacy leakage constraints

Z. Goldfeld, G. Kramer and H. H. Permuter

Accepted to the IEEE Transactions on Information Theory, August 2016

In collaboration with Technische Universit¨at M¨unchen

### Broadcast channels with privacy leakage constraints

Z. Goldfeld, G. Kramer and H. H. Permuter

Accepted to the IEEE Transactions on Information Theory, August 2016

The broadcast channel (BC) with one common and two private messages with leakage constraints is studied, where leakage refers to the normalized mutual information between a message and a channel symbol string. Each private message is destined for a different user and the leakage to the other receiver must satisfy a constraint. This model captures several scenarios concerning secrecy, i.e., when both, either or neither of the private messages are secret. Inner and outer bounds on the leakage-capacity region are derived. Without leakage constraints the inner bound recovers Marton’s region and the outer bound reduces to the UVW-outer bound. The bounds match for semi-deterministic (SD) and physically degraded (PD) BCs, as well as for BCs with a degraded message set. The leakage-capacity regions of the SD-BC and the BC with a degraded message set recover past results for different secrecy scenarios. A Blackwell BC example illustrates the results and shows how its leakage-capacity region changes from the capacity region without secrecy to the secrecy-capacity regions for different secrecy scenarios.

In collaboration with Princeton University

### Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

In collaboration with Princeton University

### Semantic-security capacity for wiretap channels of type II

Z. Goldfeld, P. Cuff and H. H. Permuter

IEEE Transactions on Information Theory, vol. 62, no. 7, pp. 3863-3879, July 2016

The secrecy capacity of the type II wiretap channel (WTC II) with a noisy main channel is currently an open problem. Herein its secrecy-capacity is derived and shown to be equal to its semantic-security (SS) capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. The SS criterion demands negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, a random codebook is shown to achieve the soft-covering phenomenon with high probability. The probability of failure is doubly exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security.

In collaboration with Princeton University

### Semantic-Security Capacity for the Physical Layer via Information Theory

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

In collaboration with Princeton University

### Semantic-Security Capacity for the Physical Layer via Information Theory

Z. Goldfeld, P. Cuff and H. H. Permuter

In Proceedings of the IEEE CS International Conference on Software Science, Technology, and Engineering (SwSTE-2016), Beer-Sheva, Israel, June 2016

Physical layer security can ensure secure communication over noisy channels in the presence of an eavesdropper with unlimited computational power. We adopt an information theoretic variant of semantic-security (SS) (a cryptographic gold standard), as our secrecy metric and study the open problem of the type II wiretap channel (WTC II) with a noisy main channel is, whose secrecy-capacity is unknown even under looser metrics than SS. Herein the secrecy-capacity is derived and shown to be equal to its SS capacity. In this setting, the legitimate users communicate via a discrete-memoryless (DM) channel in the presence of an eavesdropper that has perfect access to a subset of its choosing of the transmitted symbols, constrained to a fixed fraction of the blocklength. The secrecy criterion is achieved simultaneously for all possible eavesdropper subset choices. On top of that, SS requires negligible mutual information between the message and the eavesdropper’s observations even when maximized over all message distributions. A key tool for the achievability proof is a novel and stronger version of Wyner’s soft covering lemma. Specifically, the lemma shows that a random codebook achieves the soft-covering phenomenon with high probability. The probability of failure is doubly-exponentially small in the blocklength. Since the combined number of messages and subsets grows only exponentially with the blocklength, SS for the WTC II is established by using the union bound and invoking the stronger soft-covering lemma. The direct proof shows that rates up to the weak-secrecy capacity of the classic WTC with a DM erasure channel (EC) to the eavesdropper are achievable. The converse follows by establishing the capacity of this DM wiretap EC as an upper bound for the WTC II. From a broader perspective, the stronger soft-covering lemma constitutes a tool for showing the existence of codebooks that satisfy exponentially many constraints, a beneficial ability for many other applications in information theoretic security. Index Terms—Erasure wiretap channel, information theoretic security, physical-layer security, semantic-security, soft-covering lemma, wiretap channel of type II, wiretap codes.

In collaboration with Ministry of Science and Technology of Israel

### Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

Eighth Annual Symposium on Combinatorial Search, 2015

In collaboration with Ministry of Science and Technology of Israel

### Search problems in the domain of multiplication: Case study on anomaly detection using markov chains

Y Mirsky, A Cohen, R Stern, A Felner, L Rokack, Y Elovici, B Shapira

Eighth Annual Symposium on Combinatorial Search, 2015

Most work in heuristic search focused on path finding problems
in which the cost of a path in the state space is the sum
of its edges’ weights. This paper addresses a different class
of path finding problems in which the cost of a path is the
product of its weights. We present reductions from different
classes of multiplicative path finding problems to suitable
classes of additive path finding problems. As a case study,
we consider the problem of finding least and most probable
paths in a Markov Chain, where path cost corresponds to the
probability of traversing it. The importance of this problem
is demonstrated in an anomaly detection application for cyberspace
security. Three novel anomaly detection metrics for
Markov Chains are presented, where computing these metrics
require finding least and most probable paths. The underlying
Markov Chain is dynamically changing, and so fast methods
for computing least and most probable paths are needed. We
propose such methods based on the proposed reductions and
using heuristic search algorithms.

In collaboration with Ministry of Science and Technology

### pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

Y Mirsky, B Shapira, L Rokach, Y Elovici

Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

In collaboration with Ministry of Science and Technology

### pcstream: A stream clustering algorithm for dynamically detecting and managing temporal contexts

Y Mirsky, B Shapira, L Rokach, Y Elovici

Pacific-Asia Conference on Knowledge Discovery and Data Mining, 119-133, 2015

The clustering of unbounded data-streams is a difficult problem since the observed instances cannot be stored for future clustering decisions. Moreover, the probability distribution of streams tends to change over time, making it challenging to differentiate between a concept-drift and an anomaly. Although many excellent data-stream clustering algorithms have been proposed in the past, they are not suitable for capturing the temporal contexts of an entity.

In this paper, we propose pcStream; a novel data-stream clustering algorithm for dynamically detecting and managing sequential temporal contexts. pcStream takes into account the properties of sensor-fused data-streams in order to accurately infer the present concept, and dynamically detect new contexts as they occur. Moreover, the algorithm is capable of detecting point anomalies and can operate with high velocity data-streams. Lastly, we show in our evaluation that pcStream outperforms state-of-the-art stream clustering algorithms in detecting real world contexts from sensor-fused datasets. We also show how pcStream can be used as an analysis tool for contextual sensor streams.

In collaboration with

### JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

M Guri, Y Poliak, B Shapira, Y Elovici

Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

In collaboration with

### JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface

M Guri, Y Poliak, B Shapira, Y Elovici

Trustcom/BigDataSE/ISPA, 2015 IEEE 1, 65-73

Smartphones and tablets have become prime
targets for malware, due to the valuable private and corporate
information they hold. While Anti-Virus (AV) program may
successfully detect malicious applications (apps), they remain
ineffective against low-level rootkits that evade detection
mechanisms by masking their own presence. Furthermore, any
detection mechanism run on the same physical device as the
monitored OS can be compromised via application, kernel or
boot-loader vulnerabilities. Consequentially, trusted detection of
kernel rootkits in mobile devices is a challenging task in practice.
In this paper we present ‘JoKER’ – a system which aims at
detecting rootkits in the Android kernel by utilizing the
hardware’s Joint Test Action Group (JTAG) interface for
trusted memory forensics. Our framework consists of
components that extract areas of a kernel’s memory and
reconstruct it for further analysis. We present the overall
architecture along with its implementation, and demonstrate that
the system can successfully detect the presence of stealthy
rootkits in the kernel. The results show that although JTAG’s
main purpose is system testing, it can also be used for malware

In collaboration with Ministry of Economy under the Magnet Program

### Unknown malware detection using network traffic classification

D Bekerman, B Shapira, L Rokach, A Bar

Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

In collaboration with Ministry of Economy under the Magnet Program

### Unknown malware detection using network traffic classification

D Bekerman, B Shapira, L Rokach, A Bar

Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142

We present an end-to-end supervised based system
for detecting malware by analyzing network traffic. The
proposed method extracts 972 behavioral features across
different protocols and network layers, and refers to different
observation resolutions (transaction, session, flow and
conversation windows). A feature selection method is then used
to identify the most meaningful features and to reduce the data
dimensionality to a tractable size. Finally, various supervised
methods are evaluated to indicate whether traffic in the network
is malicious, to attribute it to known malware “families” and to
discover new threats. A comparative experimental study using
real network traffic from various environments indicates that the
proposed system outperforms existing state-of-the-art rule-based
systems, such as Snort and Suricata. In particular, our
chronological evaluation shows that many unknown malware
incidents could have been detected at least a month before their
static rules were introduced to either the Snort or Suricata
systems.

In collaboration with Technische Universit¨at M¨unchen

### Cooperative broadcast channels with a secret message

Z. Goldfeld, G. Kramer and H. H. Permuter

In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

In collaboration with Technische Universit¨at M¨unchen

### Cooperative broadcast channels with a secret message

Z. Goldfeld, G. Kramer and H. H. Permuter

In Proceedings of the 2015 IEEE International Symposium on Information Theory (ISIT-2015), Hong-Kong, June 2015

The broadcast channel (BC) with one confidential message and where the decoders cooperate via a one-sided link is considered. A pair of messages is transmitted, one message for
each user. The message to the cooperative user is confidential and is kept secret from the cooperation-aided user. The secrecy level is measured by the equivocation rate. An inner bound on the secrecy-capacity region of the BC is derived. The inner bound is achieved by double-binning the codebook of the secret message. The inner bound is tight for the semi-deterministic (SD) and physically degraded (PD) cases. The secrecy results are compared to those of the corresponding BCs without a secrecy constraint. A cooperative Blackwell channel example illustrates the impact of secrecy on the rate regions.

### CAESAR-ALE: An Active Learning Enhancement for Conditions Severity Classification

Nir Nissim, Mary Regina Boland, Robert Moskovitch, Nicholas Tatonetti, Yuval Elovici, Yuval Shahar, George Hripcsak

Conference on Artificial Intelligence in Medicine in Europe AIME 2015: Artificial Intelligence in Medicine pp 13-24

### CAESAR-ALE: An Active Learning Enhancement for Conditions Severity Classification

Nir Nissim, Mary Regina Boland, Robert Moskovitch, Nicholas Tatonetti, Yuval Elovici, Yuval Shahar, George Hripcsak

Conference on Artificial Intelligence in Medicine in Europe AIME 2015: Artificial Intelligence in Medicine pp 13-24

Understanding condition severity, as extracted from Electronic Health Records (EHRs), is important for many public health purposes. Methods requiring physicians to annotate condition severity are time-consuming and costly. Previously, a passive learning algorithm called CAESAR was developed to capture severity in EHRs. This approach required physicians to label conditions manually, an exhaustive process. We developed a framework that uses two Active Learning (AL) methods (Exploitation and Combination_XA) to decrease manual labeling efforts by selecting only the most informative conditions for training. We call our approach CAESAR-Active Learning Enhancement (CAESAR-ALE). As compared to passive methods,CAESAR-ALE’s first AL method, Exploitation, reduced labeling efforts by 64% and achieved an equivalent true positive rate, while CAESAR-ALE’s second AL method, Combination_XA, reduced labeling efforts by 48% and achieved equivalent accuracy. In addition, both these AL methods outperformed the traditional AL method (SVM-Margin). These results demonstrate the potential of AL methods for decreasing the labeling efforts of medical experts, while achieving greater accuracy and lower costs.

In collaboration with Telekom Innovation Laboratories

### Mobile malware detection through analysis of deviations in application network behavior

A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

Computers & Security 43, 2014, 1-18

In collaboration with Telekom Innovation Laboratories

### Mobile malware detection through analysis of deviations in application network behavior

A Shabtai, L Tenenboim-Chekina, D Mimran, L Rokach, B Shapira

Computers & Security 43, 2014, 1-18

In this paper we present a new behavior-based anomaly detection system for detecting meaningful deviations in a mobile application’s network behavior. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications by: (1) identification of malicious attacks or masquerading applications installed on a mobile device, and (2) identification of republished popular applications injected with a malicious code (i.e., repackaging). More specifically, we attempt to detect a new type of mobile malware with self-updating capabilities that were recently found on the official Google Android marketplace. Malware of this type cannot be detected using the standard signatures approach or by applying regular static or dynamic analysis methods. The detection is performed based on the application’s network traffic patterns only. For each application, a model representing its specific traffic pattern is learned locally (i.e., on the device). Semi-supervised machine-learning methods are used for learning the normal behavioral patterns and for detecting deviations from the application’s expected behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguished by their network patterns; (2) different levels of deviation from normal behavior can be detected accurately; (3) in the case of self-updating malware, original (benign) and infected versions of an application have different and distinguishable network traffic patterns that in most cases, can be detected within a few minutes after the malware is executed while presenting very low false alarms rate; and (4) local learning is feasible and has a low performance overhead on mobile devices.

### Poster: Misuseablity Analysis for IT Infrastructure

Shabtai, A., Elovici, Y.

Conference on Computer and Communications Security 2014

### Poster: Misuseablity Analysis for IT Infrastructure

Shabtai, A., Elovici, Y.

Conference on Computer and Communications Security 2014

Today, organizations have limited resources available to allocate to the detection of complex cyber-attacks. In order to optimize their resource allocation, organizations must conduct a thorough risk analysis process so as to focus their efforts and resources on the protection of the organization’s important assets. In this study we propose a framework that automatically and dynamically derives a misuseability score for every IT component (e.g., PC, laptop, server, router, smartphone, and user). The misuseability score encapsulates the potential damage that can be caused to the organization when its assets are compromised and misused.
Misuseablity analysis for IT infrastructure | Request PDF. Available from: https://www.researchgate.net/publication/293099407_Misuseablity_analysis_for_IT_infrastructure [accessed Feb 13 2018].

### OSPF vulnerability to persistent poisoning attacks: a systematic analysis

Nakibly, G., Sosnovich, A., Menahem, E., Waizel, A., Elovici, Y.

ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference Pages 336-345

### OSPF vulnerability to persistent poisoning attacks: a systematic analysis

Nakibly, G., Sosnovich, A., Menahem, E., Waizel, A., Elovici, Y.

ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference Pages 336-345

Open Shortest Path First (OSPF) is one of the most widely deployed interior gateway routing protocols on the Internet. The most common attack vector against OSPF is spoofing of routing advertisements on behalf of a remote router. OSPF employs a self-defense “fight-back” mechanism that quickly reverts the effects of such attacks. Nonetheless, some attacks that evade the fight-back mechanism have been discovered, making it possible to persistently falsify routing advertisements. This type of attacks are the most serious threat to a routing protocol since they allow an attacker to gain persistent control over how traffic is routed throughout the network. This shows that despite its maturity, the OSPF specification is not without security flaws and may have still-unknown vulnerabilities. In this work we systematically analyze — manually and by formal verification — the OSPF specification for additional vulnerabilities in the fight-back mechanism. Our analysis uncovered a fundamental security flaw in OSPF that allows a simple means for an attacker to evade the fight-back mechanism. Most major router vendors acknowledged the existence of this vulnerability in their products. Fortunately, our analysis strongly indicates that no other vulnerabilities in the fight-back mechanism are likely to exist.

### Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2014: Advances in Cryptology – ASIACRYPT 2014 pp 439-457

### Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

Itai Dinur, Orr Dunkelman, Nathan Keller, Adi Shamir

International Conference on the Theory and Application of Cryptology and Information Security ASIACRYPT 2014: Advances in Cryptology – ASIACRYPT 2014 pp 439-457

The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. In this paper, we methodically analyze the security of all the possible iterated Even-Mansour schemes with two n-bit keys and up to four rounds, and show that none of them provides more than n-bit security. Our attacks are based on a new cryptanalytic technique called multibridgewhich splits the cipher to different parts in a novel way, such that they can be analyzed independently, exploiting its self-similarity properties. After the analysis of the parts, the key suggestions are efficiently joined using a meet-in-the-middle procedure.

As a demonstration of the multibridge technique, we devise a new attack on 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 296 to 264. Furthermore, we show that our technique can be used as a generic key-recovery tool, when combined with some statistical distinguishers (like those recently constructed in reflection cryptanalysis of GOST and PRINCE).

### Anomaly detection over independent processes: switching with memor

Kobi Cohen and Qing Zhao

2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton)

### Anomaly detection over independent processes: switching with memor

Kobi Cohen and Qing Zhao

2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton)

The problem of sequential detection of anomalous processes among K independent processes is considered. At each time, only a subset of the processes can be observed, and the observations from each chosen process follow two different distributions, depending on whether the process is normal or abnormal. Each anomalous process incurs a cost per unit time until its anomaly is identified and fixed. Different anomalous processes may incur different costs depending on their criticality to the system. Switching between processes and state declarations are allowed at all times, while decisions are based on all past observations and actions. The objective is a sequential search strategy that minimizes the total expected cost, incurred by all the processes during the detection process, under reliability constraints. We develop a simple closed-loop policy (i.e., decisions depend on past observations and actions) for the anomaly detection problem. Asymptotic optimality of the proposed policy is shown when a single process is observed at a time and strong performance are demonstrated by simulation examples under multi-processes probing.

Z. Goldfeld, P. Cuff and H. H. Permuter

SACMAT '14 Proceedings of the 19th ACM symposium on Access control models and technologies Pages 129-140

Z. Goldfeld, P. Cuff and H. H. Permuter

SACMAT '14 Proceedings of the 19th ACM symposium on Access control models and technologies Pages 129-140

Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization’s boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization’s boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents.

In collaboration with Telekom Innovation Laboratories

### CoBAn: A context based model for data leakage prevention

G Katz, Y Elovici, B Shapira

Information sciences 262, 137-158, 2014

In collaboration with Telekom Innovation Laboratories

### CoBAn: A context based model for data leakage prevention

G Katz, Y Elovici, B Shapira

Information sciences 262, 137-158, 2014

A new context-based model (CoBAn) for accidental and intentional data leakage prevention (DLP) is proposed. Existing methods attempt to prevent data leakage by either looking for specific keywords and phrases or by using various statistical methods. Keyword-based methods are not sufficiently accurate since they ignore the context of the keyword, while statistical methods ignore the content of the analyzed text. The context-based approach we propose leverages the advantages of both these approaches. The new model consists of two phases: training and detection. During the training phase, clusters of documents are generated and a graph representation of the confidential content of each cluster is created. This representation consists of key terms and the context in which they need to appear in order to be considered confidential. During the detection phase, each tested document is assigned to several clusters and its contents are then matched to each cluster’s respective graph in an attempt to determine the confidentiality of the document. Extensive experiments have shown that the model is superior to other methods in detecting leakage attempts, where the confidential information is rephrased or is different from the original examples provided in the learning set.