Day 1 23/10/2019
Room #1

Registration 08:00 - 17:05

Opening Session 08:30 - 09:00

Keynote 09:00 - 10:00

Break 10:00 - 10:30

Session 1 10:30 - 12:05

Blockchain
10:30 - 10:50
Trustless Framework for Iterative Double Auction based on Blockchain

One of the major problems in current implementations of iterative double auction is that they rely on a trusted third party to handle the auction process This imposes the risk of single point of failures and monopoly In this paper we aim to tackle this problem by proposing a novel decentralized and trustless framework for iterative double auction based on blockchain Our design adopts the smart contract and state channel technologies to enable a double auction process among parties that do not trust each other while minimizing the blockchain transactions We provide a formal development of the framework and highlight the security of our design against adversaries
Authors: My Thai (University of Florida), Truc Nguyen (University of Florida),
Hide Authors & Abstract

Show Authors & Abstract
10:55 - 11:15
Towards a Multi-Chain Future of Proof-of-Space

ProofofSpace provides an intriguing alternative for consensus protocol of permissionless blockchains due to its recyclable nature and the potential to support multiple chains simultaneously However a direct shared proof of the same storage which was adopted in the existing multichain schemes based on ProofofSpace could give rise to newborn attack on new chain launching To fix this gap we propose an innovative framework of singlechain ProofofSpace and further present a novel multichain scheme which can resist newborn attack effectively by elaborately combining shared proof and chainspecific proof of storage Moreover we analyze the security of the multichain scheme and prove that it is incentivecompatible This means that participants in such multichain system can achieve their greatest utility with our proposed strategy of storage resource partition
Authors: Shuyang Tang (Shanghai Jiao Tong University), Jilai Zheng (Shanghai Jiao Tong University), Yao Deng (Shanghai Jiao Tong University), Ziyu Wang (Beihang University), Zhiqiang Liu (Shanghai Jiao Tong University), Dawu Gu (Shanghai Jiao Tong University), Zhen Liu (Shanghai Jiao Tong University), Yu Long (Shanghai Jiao Tong University),
Hide Authors & Abstract

Show Authors & Abstract
11:20 - 11:40
Secure Consistency Verification for Untrusted Cloud Storage by Public Blockchains

This work presents ContractChecker a Blockchainbased security protocol for verifying the storage consistency between mutually distrusting cloud provider and clients Unlike existing protocols the ContractChecker uniquely delegates log auditing to the Blockchain and has the advantages in reducing client cost and lowering requirements on client availability lending itself to modern scenarios with mobile and web clientsThe ContractChecker collects the logs from both clients and cloud server and verifies the consistency by crosschecking the logs By this means it does not only detect the attacks from malicious clients and server forging their logs but also is able to mitigate those attacks and recover the system from themIn addition we design new attacks against ContractChecker exploiting various limits in real Blockchain systems eg write unavailability Blockchain forks contract race conditions We analyze and harden the security of ContractChecker protocols under these proposed new attacksWe implement a functional prototype on EthereumSolidity By experiments on Ethereum testnets we extensively evaluate the cost of the ContractChecker in comparison with that of existing clientbased log auditing works The result shows the ContractChecker can scale to hundreds of clients and save client costs by more than one order of magnitude The evaluation result verifies our design motivation of delegating log auditing to the Blockchain in ContractChecker
Authors: Kai Li (Syracuse University), Yu-zhe (Richard) Tang (Syracuse University), Jianliang Xu (Hong Kong Baptist University), Beom Heyn (Ben) Kim (University of Toronto),
Hide Authors & Abstract

Show Authors & Abstract
11:45 - 12:05
An Enhanced Verifiable Inter-domain Routing Protocol based on Blockchain

Promiseviolating attack to interdomain routing protocol is becomingcommon in recent years which always causes serious consequences suchas malicious attraction traffic broken network To deal with this kind of attackrouting verification is introduced by current research However it can onlydetect attacks against a specific routing policy triggered by one malicious nodeand no research has yet been conducted to solve the problem caused by multiplecollusion nodes In this work we present BRVM a blockchainbased routingVerification Model to address the issue of violating shortest AS Path policyThe main idea of BRVM is to record the route proofs to verify whether a routeviolates the policy by using blockchain technology The premise of avoiding acollusion attack is that the proportion of the malicious verification nodes islower than the fault tolerance rate of the consensus algorithm used in the blockchainWe theoretically prove the correctness of BRVM and implement a prototypebased on Quagga and Fabric Our experiments show that BRVM cansolve this kind of promiseviolating problem caused by multiple collusionnodes and about 39 faster than SPIDeR in performance
Authors: Yaping Liu (Guangzhou University, Guangzhou, China), Shuo Zhang (Guangzhou University, Guangzhou, China), Haojin Zhu (Shanghai Jiao Tong University, Shanghai, China), Peng-Jun Wan (Illinois Institute of Technology, Chicago, USA), Lixin Gao (University of Massachusetts at Amherst, Amherst, USA), Yaoxue Zhang (Tsinghua University, Beijing, China),
Hide Authors & Abstract

Show Authors & Abstract

Lunch 12:05 - 13:30

Session 3 13:30 - 15:05

Catching Malware
13:30 - 13:50
DeepCG: Classifying Metamorphic Malware through Deep Learning of Call Graphs

As the stateoftheart malware obfuscation technique metamorphism has received wide attention Metamorphic malware can mutate themselves into countless variants during propagation by obfuscating part of their executable code automatically thus posing serious challenges to all existing detection methods To address this problem a fundamental task is to understand the stable features that are relatively invariant across all variants of a certain type of metamorphic malware while distinguishable from other types In this paper we systematically study the obfuscation methods of metamorphic malware and reveal that compared to frequently used fragmented features such as byte ngrams and opcode sequences call graphs are more stable against metamorphism and can be leveraged to classify metamorphic malware effectively Based on call graphs we design a metamorphic malware classification method dubbed deepCG which enables automatic feature learning of metamorphic malware via deep learning Specifically we encapsulate the information of each call graph into an image that is then fed into deep convolutional neural networks for classifying the malware family Particularly due to its builtin training data enhancement approach deepCG can achieve promising classification accuracy even with smallscale training samples We evaluate deepCG using a PE malware dataset and the Microsoft BIG2015 dataset and achieve a test accuracy of above 96
Authors: Shuang Zhao (Institute of Information Engineering, Chinese Academy of Sciences), Xiaobo Ma (Faculty of Electronic and Information Engineering, Xi’an Jiaotong University), Wei Zou (Institute of Information Engineering, Chinese Academy of Sciences), Bo Bai (Institute of Information Engineering, Chinese Academy of Sciences),
Hide Authors & Abstract

Show Authors & Abstract
13:55 - 14:15
ChaffyScript: Vulnerability-Agnostic Defense of JavaScript Exploits via Memory Perturbation

JavaScript has been used to exploit binary vulnerabilities of host software that are otherwise difficult to exploit they impose a severe threat to computer security Although software vendors have deployed techniques like ASLRsandbox etc to mitigate JavaScript exploits hacking contests egPwn2Own GeekPwn have demonstrated that the latest software eg Chrome IE Edge Safarican still be exploited An ideal JavaScript exploit mitigation solution should be flexible and allow for deployment without requiring code changes To this end we propose ChaffyScript a vulnerabilityagnostic mitigation system that thwarts JavaScript exploits via undermining the memory preparation stage of exploitsWe implement a prototype of ChaffyScript and our evaluation shows that it defeats the 11 latest JavaScript exploits with minimal runtime and memory overhead Itincurs at most 588 runtime overhead for chrome and 1296 for FireFox Themaximal memory overhead JS heap usage observed using the Octane benchmarkwas 82 To demonstrate the deployment flexibility of ChaffyScript we have integrated it into a web proxy
Authors: Heng Yin (UC Riverside), Xunchao Hu (Deepbits Technology), Brian Testa (Syracuse University),
Hide Authors & Abstract

Show Authors & Abstract
14:20 - 14:40
Obfusi er: Obfuscation-Resistant Android Malware Detection System

The structurechanging obfuscation has become an effectivemeans for malware authors to create malicious apps that can evade themachine learningbased detection systems Generally a highly effectivedetection system for detecting unobfuscated malware samples can loseits effectiveness when encountering the same samples that have beenobfuscated In this paper we introduce Obfusifier a highly effectivemachinelearning based malware detection system that can sustain its effectiveness even when malware samples are obfuscated using complex andcomposite techniques The training of our system is based on obfuscationresistant features extracted from unobfuscated apps while the classierretains high effectiveness for detecting obfuscated malware Our experimental evaluation shows that Obfusifier can achieve the precisionrecall and Fmeasure that exceed 95 for detecting obfuscated Androidmalware well surpassing any of the previous approaches
Authors: Qiben Yan (University of Nebraska-Lincoln), Zhiqiang Li (University of Nebraska-Lincoln), Jun Sun (University of Nebraska-Lincoln), Witawas Srisa-An (University of Nebraska-Lincoln), Yutaka Tsutano (University of Nebraska-Lincoln),
Hide Authors & Abstract

Show Authors & Abstract
14:40 - 15:05
Closing the Gap with APTs through Semantic Clusters and Automated Cybergames

Defenders spend significant time interpreting lowlevel events while attackers especially Advanced Persistent Threats APTs think and plan their activities at a higher strategic level In this paper we close this semantic gap by making the attackers strategy an explicit machinereadable component of intrusion detection We introduce the concept of semantic clusters which combine highlevel technique and tactic annotations with a set of events providing evidence for those annotations We then use a fully automated cybergaming environment in which a red team is programmed to emulate APT behavior to assess and improve defensive posture Semantic clusters both provide the basis of scoring these cybergames and highlight promising defensive improvements In a set of experiments we demonstrate effective defensive adjustments which can be made using this higherlevel information about adversarial strategy
Authors: Steven Gianvecchio (The MITRE Corporation), Christopher Burkhalter (The MITRE Corporation), Hongying Lan (The MITRE Corporation), Andrew Sillers (The MITRE Corporation), Ken Smith (The MITRE Corporation),
Hide Authors & Abstract

Show Authors & Abstract

Break 15:05 - 15:30

Session 5 15:30 - 17:05

Everything Traffic Security
15:30 - 15:50
Towards Forward Secure Internet Traffic

Forward Secrecy FS is a security property in keyexchange algorithms which guarantees that a compromise in the secrecy of a longterm privatekey does not compromise the secrecy of past session keys With a growing awareness of longterm mass surveillance programs by governments and others FS has become widely regarded as a highly desirable property This is particularly true in the TLS protocol which is used to secure Internet communication In this paper we investigate FS in preTLS 13 protocols which do not mandate FS but still widely used today We conduct an empirical analysis of over 10 million TLS servers from three different datasets using a novel heuristic approach Using a modern TLS client handshake algorithms our results show 537 of top domains 751 of random domains and 2616 of random IPs do not select FS keyexchange algorithms Surprisingly 3920 of the top domains 2440 of the random domains and 1446 of the random IPs that do not select FS do support FS In light of this analysis we discuss possible paths toward forward secure Internet traffic As an improvement of the current state we propose a new clientside mechanism that we call Best Effort Forward Secrecy BEFS and an extension of it that we call Best Effort Forward Secrecy and Authenticated Encryption BESAFE which aims to guide force misconfigured servers to FS using a best effort approach
Authors: Eman Alashwali (University of Oxford), Pawel Szalachowski (Singapore University of Technology and Design (SUTD)), Andrew Martin (University of Oxford),
Hide Authors & Abstract

Show Authors & Abstract
15:55 - 16:15
Trafficbased Automatic Detection of Browser Fingerprinting

Fingerprinting has been widely adopted by first and thirdparty websites for the purpose of online tracking It collects properties of operating systems browsers and even the hardware for generating unique identifiers for visitors on websites However fingerprinting has raised both privacy and security concerns In this paper we present a trafficbased fingerprinting detection framework FPExcavator By analyzing the difference on values carried in outgoing requests from different browsers and machines FPExcavator detects possible identifiers as the generated fingerprints in request header and payload We implemented FPExcavator with OpenStack Java and some command scripts and evaluated it on 100 websites in a lab setting and 100 websites selected from realworld FPExcavator achieved 100 detection accuracy rate on 100 testing websites and 99 detection accuracy rate on 100 realworld websites Meanwhile it identified 12 new online tracking domains that have not been reported by previous research work The evaluation results demonstrate that FPExcavator is useful and effective
Authors: Rui Zhao (University of Nebraska Omaha), Edward Chow (University of Colorado Colorado Springs), Chunchun Li (University of Colorado Colorado Springs),
Hide Authors & Abstract

Show Authors & Abstract
16:20 - 16:40
Measuring Tor Relay Popularity

Tor is one of the most popular anonymity networks It has been reported that over 2 million unique users utilize the Tor network daily The Tor network is run by over 6000 volunteer relays Each Tor client telescopically builds a circuit by choosing three Tor relays and then uses that circuit to connect to a server The Tor relay selection algorithm makes sure that no two relays with the same 16 IP address are chosen Our objective is to determine the popularity of Tor relays when building circuits With over 44 vantage points machines running Tor clients and over 145000 circuits built we found that some Tor relays are chosen more often than others Although a completely balanced selection algorithm is not possible analysis of our dataset shows that some Tor relays are over 3 times more likely to be chosen than others An adversary could potentially eavesdrop or correlate more Tor traffic
Authors: Tao Chen (Oklahoma State University), Weiqi Cui (Oklahoma State University), Eric Chan-Tin (Loyola University Chicago),
Hide Authors & Abstract

Show Authors & Abstract
16:45 - 17:05
SoK ATTCK Techniques and Trends in Windows Malware

In an everchanging landscape of adversary tactics techniques and procedures TTPs malware remains the tool of choice for attackers to gain a foothold on target systems The Mitre ATTCK framework is a taxonomy of adversary TTPs It is meant to advance cyber threat intelligence CTI by establishing a generic vocabulary to describe postcompromise adversary behavior This paper discusses the results of automated analysis of a sample of 951 Windows malware families which have been plotted on the ATTCK framework Based on the frameworks tactics and techniques we provide an overview of established techniques within Windows malware and techniques which have seen increased adoption over recent years Within our dataset we have observed an increase in techniques applied for leless execution of malware discovery of security software and DLL sideloading for defense evasion We also show how a sophisticated technique command and control CC over IPC named pipes is getting adopted by less sophisticated actor groups Through these observations we have identied how malware authors are innovating techniques in order to bypass established defenses
Authors: Kris Oosthoek (Delft University of Technology), Christian Doerr (Delft University of Technology),
Hide Authors & Abstract

Show Authors & Abstract
Room #2

Session 2 10:30 - 12:05

Internet of Things
10:30 - 10:50
Edge-Assisted CNN Inference over Encrypted Data for Internet of Things

Supporting the inference tasks of convolutional neural network CNN on resourceconstrained Internet of Things IoT devices in a timely manner has been an outstanding challenge for emerging smart systems To mitigate the burden on IoT devices one prevalent solution is to offload the CNN inference tasks to the public cloud However this offloadingtocloud solution may cause privacy breach since the offloaded data can contain sensitive information For privacy protection the research community has resorted to advanced cryptographic primitives to support CNN inference over encrypted data Nevertheless these attempts are limited by the realtime performance due to the heavy IoT computational overhead brought by cryptographic primitivesIn this paper we propose an edgecomputingassisted scheme to boost the efficiency of CNN inference tasks on IoT devices which also protects the privacy of IoT data to be offloaded In our scheme the most timeconsuming convolutional and fullyconnected layers are offloaded to edge computing devices and the IoT device only performs efficient encryption and decryption on the fly As a result our scheme enables IoT devices to securely offload over 99 CNN operations and edge devices to execute CNN inference over encrypted data as efficiently as on plaintext Experiments on AlexNet show that our scheme can speed up CNN inference for more than 35X with a 9556 energy saving for IoT devices
Authors: Yifan Tian (Embry-Riddle Aeronautical University), Jiawei Yuan (Embry-Riddle Aeronautical University), Shucheng Yu (Stevens Institute of Technology), Yantian Hou (Boise State University), Houbing Song (Embry-Riddle Aeronautical University),
Hide Authors & Abstract

Show Authors & Abstract
10:55 - 11:15
POKs Based Secure and Energy-Efficient Access Control for Implantable Medical Devices

Implantable medical devices IMDs such as pacemakers implanted cardiac defibrillators and neurostimulators are medical devices implanted into patients bodies for monitoring physiological signals and performing medical treatments Many IMDs have builtin wireless communication modules to facilitate data collecting and device reprogramming by external programmers The wireless communication brings significant conveniences for advanced applications such as realtime and remote monitoring but also introduces the risk of unauthorized wireless access The absence of effective access control mechanisms exposes patients life to cyber attacks In this paper we present a lightweight and universally applicable access control system for IMDs By leveraging Physically Obfuscated Keys POKs as the hardware root of trust provable security is achieved based on standard cryptographic primitives while attaining high energy efficiency In addition barrierfree IMD access under emergent situations is realized by utilizing the patients biometrical information We evaluate our proposed scheme through extensive security analysis and a prototype implementation which demonstrate our works superiority on security and energy efficiency
Authors: Chenglong Fu (Temple University), Xiaojiang Du (Temple University), Longfei Wu (Fayetteville State University), Qiang Zeng (University of South Carolina), Amr Mohamed (Qatar University), Mohsen Guizani (Qatar University),
Hide Authors & Abstract

Show Authors & Abstract
11:20 - 11:40
USB-Watch: A Dynamic Hardware-Assisted USB Threat Detection Framework

The USB protocol is among the most widely adopted protocols today However this same adoptability leaves unwitting computing devices prone to attacks Malicious USB devices can mimic benign devices to insert malicious commands on end devices These malicious USB devices can behave as an actual device and appear benign to the operating system Typically advanced softwarebased detection schemes are used to identify the malicious nature of such devices However a powerful adversary can still subvert those softwarebased detection schemes To address these concerns in this work we introduce a novel hardwareassisted dynamic USBthreat detection framework called USBWatch Specifically USBWatch utilizes hardware placed between a USB device and the host machine to hook into the USB communication collect USB data and provide the capability to view unaltered USB protocol communications This unfettered data is then fed into a machine learningbased classifier which dynamically determines the true nature of the USB device We perform a thorough analysis of typing dynamic features to effectively classify malicious USB devices from benign typing behaviors We show that USBWatch provides a lightweight OSindependent framework which effectively distinguishes differences between normal and malicious USB behaviors with a ROC curve of 089 To the best of our knowledge this is the first hardwarebased detection mechanism to dynamically detect threats coming from USB devices
Authors: Kyle Denney (Florida International University), Enes Erdin (Florida International University), Leonardo Babun (Florida International University), Michael Vai (MIT Lincoln Laboratory), A. Selcuk Uluagac (Florida International University),
Hide Authors & Abstract

Show Authors & Abstract
11:45 - 12:05
Automated IoT Device Fingerprinting Through Encrypted Stream Classification

The explosive growth of the Internet of Things IoT has enabled a wide range of new applications and services Meanwhile the massive scale and enormous heterogeneity eg in device vendors and types of IoT raise challenges in efficient networkdevice management application QoSaware provisioning and security and privacy Automated and accurate IoT device fingerprinting is a prerequisite step for realizing secure reliable and highquality IoT applications In this paper we propose a novel datadriven approach for passive fingerprinting of IoT device types through automatic classification of encrypted IoT network flows Based on an indepth empirical study on the traffic of realworld IoT devices we identify a variety of valuable data features for accurately characterizing IoT device communications By leveraging these features we develop a deep learning based classification model for IoT device fingerprinting Experimental results using a realworld IoT dataset demonstrate that our method can achieve 99 accuracy in IoT devicetype identification
Authors: Jianhua Sun (College of William and Mary), Sun Kun (George Mason University), Chris Shenefie (Cisco Systems, Inc.),
Hide Authors & Abstract

Show Authors & Abstract

Session 4 13:30 - 15:05

Machine Learning
13:30 - 13:50
Stochastic ADMM Based Distributed Machine Learning with Differential Privacy

While embracing various machine learning techniques to make effective decisions in the big data era preserving the privacy of sensitive data poses significant challenges In this paper we develop a privacypreserving distributed machine learning algorithm to address this issue Given the assumption that each data provider owns a dataset with different sample size our goal is to learn a common classifier over the union of all the local datasets in a distributed way without leaking any sensitive information of the data samples Such an algorithm needs to jointly consider efficient distributed learning and effective privacy preservation In the proposed algorithm we extend stochastic alternating direction method of multipliers ADMM in a distributed setting to do distributed learning For preserving privacy during the iterative process we combine differential privacy and stochastic ADMM together In particular we propose a novel stochastic ADMM based privacypreserving distributed machine learning PSADMM algorithm by perturbing the updating gradients that provide differential privacy guarantee and have a low computational cost We theoretically demonstrate the convergence rate and utility bound of our proposed PSADMM under strongly convex objective Through our experiments performed on realworld datasets we show that PSADMM outperforms other differentially private ADMM algorithms under the same differential privacy guarantee
Authors: Jiahao Ding (University of Houston), Sai Mounika Errapotu (University of Houston), Haijun Zhang (University of Science and Technology Beijing), Yanmin Gong (University of Texas at San Antonio), Miao Pan (University of Houston), Zhu Han (University of Houston),
Hide Authors & Abstract

Show Authors & Abstract
13:55 - 14:15
Topology-Aware Hashing for Effective Control Flow Graph Similarity Analysis

Control Flow Graph CFG similarity analysis is an essential technique for a variety of security analysis tasks including malwaredetection and malware clustering Even though various algorithms havebeen developed existing CFG similarity analysis methods still suffer fromlimited efficiency accuracy and usability In this paper we propose anovel fuzzy hashing scheme called topologyaware hashing TAH for effective and efficient CFG similarity analysis Given the CFGs constructedfrom program binaries we extract blended ngram graphical features ofthe CFGs encode the graphical features into numeric vectors calledgraph signatures and then measure the graph similarity by comparingthe graph signatures We further employ a fuzzy hashing technique toconvert the numeric graph signatures into smaller xedsize fuzzy hashsignatures for efficient similarity calculation Our comprehensive evaluation demonstrates that TAH is more effective and efficient compared toexisting CFG comparison techniques To demonstrate the applicabilityof TAH to realworld security analysis tasks we develop a binary similarity analysis tool based on TAH and show that it outperforms existingsimilarity analysis tools while conducting malware clustering
Authors: Yuping Li (Pinterest), Jiyong Jang (IBM Research), Xinming Ou (University of South Florida),
Hide Authors & Abstract

Show Authors & Abstract
14:20 - 14:40
Trojan Attack on Deep Generative Models in Autonomous Driving

Deep generative models DGMs have empowered unprecedented innovations in many application domains However their security has not been thoroughly assessed when deploying such models in practice especially in those missioncritical tasks like autonomous driving In this work we draw attention to a new attack surface of DGMs which is the data used in the training phase We demonstrate that the training data poisoning the injection of speciallycrafted data are able to teach Trojan behaviors to a DGM without influencing the original training goal Such Trojan attack will be activated after model deployment only if certain rare triggers are present in an input For example a rainremoval DGM after poisoning can while removing raindrops in input images change a traffic light from red to green if this traffic light has a specific appearance ie a trigger Clearly severe consequences can occur if such poisoned model is deployed on vehicle Our study shows that launching our Trojan attack is feasible on different DGM categories designed for the autonomous driving scenario and existing defense methods cannot effectively defeat it We also introduce a concealing technique to make our data poisoning more inconspicuous during the training In the end we propose some potential defense strategies inspiring future explorations
Authors: Shaohua Ding (State Key Laboratory for Novel Software Technology, Nanjing University, China), Yulong Tian (State Key Laboratory for Novel Software Technology, Nanjing University, China), Fengyuan Xu (State Key Laboratory for Novel Software Technology, Nanjing University, China), Qun Li (College of William and Mary, USA), Sheng Zhong (State Key Laboratory for Novel Software Technology, Nanjing University, China),
Hide Authors & Abstract

Show Authors & Abstract
14:45 - 15:05
FuncNet: A Euclidean Embedding Approach for Lightweight Cross-platform Binary Recognition

Reverse analysis is a necessary but manually dependent technique to comprehend the working principle of new malware The crossplatform binary recognition facilitates the work of reverse engineers by identifying those duplicated or known parts compiled from various platforms However existing approaches mainly rely on raw function bytes or cosine embedding representation which have either low binary recognition accuracy or high binary search overheads on realworld binary recognition tasks In this paper we propose a lightweight neural networkbased approach to generate the Euclidean embedding ie a numeric vector based on the control flow graph and callees interface information of each binary function and classify the embedding vectors with an Euclidean distance sensitive artificial neural network We implement a prototype called FuncNet and evaluate it on realworld projects with 1980 binaries about 2 million function pairs The experiment result shows that its accuracy outperforms stateoftheart solutions by over 13 percent on average and the binary search on big datasets can be done with constant time complexity
Authors: mengxia luo (Institute of Information Engineering, Chinese Academy of Sciences), can yang (Institute of Information Engineering, Chinese Academy of Sciences), xiaorui gong (Institute of Information Engineering, Chinese Academy of Sciences), lei yu (Institute of Information Engineering, Chinese Academy of Sciences),
Hide Authors & Abstract

Show Authors & Abstract

Break 15:05 - 15:30

Session 6 15:30 - 17:05

Communicating Covertly
15:30 - 15:50
Covert Channels in SDN: Leaking Out Information from Controllers to End Hosts

SoftwareDefined Networking SDN enables diversified network functionalities with plentiful applications deployed on a logicallycentralized controller In order to work properly applications are naturally provided with much information on SDN However this paper shows that malicious applications can exploit basic SDN mechanisms to build covert channels to stealthily leak out valuable information to end hosts which can bypass network security policies and break physical network isolation We design two types of covert channels with basic SDN mechanisms The first type is a highrate covert channel that exploits SDN proxy mechanisms to transmit covert messages to colluding hosts inside SDN The second type is a lowrate covert channel that exploits SDN rule expiry mechanisms to transmit covert messages from SDN applications to any host on the Internet We develop the prototypes of both covert channels in a real SDN testbed consisting of commercial hardware switches and an open source controller Evaluations show that the covert channels successfully leak out a TLS private key from the controller to a host inside SDN at a rate of 200 bps with 0 bit error rate or to a remote host on the Internet at a rate of 05 bps with less than 3 bit error rate In addition we discuss possible countermeasures to mitigate the covert channel attacks
Authors: Jiahao Cao (Tsinghua University), Kun Sun (George Mason University), Qi Li (Tsinghua University), Mingwei Xu (Tsinghua University), Zijie Yang (Tsinghua University), Kyung Joon Kwak (Intelligent Automation Inc.), Jason Li (Intelligent Automation Inc.),
Hide Authors & Abstract

Show Authors & Abstract
15:55 - 16:15
Victim-Aware Adaptive Covert Channels

We investigate the problem of detecting advanced covert channel techniques namely victimaware adaptive covert channels An adaptive covert channel is considered victimaware when the attacker mimics the content of its victims legitimate communication such as applicationlayer metadata in order to evade detection from a security monitor In this paper we show that victimaware adaptive covert channels break the underlying assumptions of existing covert channel detection solutions thereby exposing a lack of detection mechanisms against this threat We propose a toolchain CHAMELEON to create synthetic datasets containing victimaware adaptive covert channel traffic Armed with CHAMELEON we evaluate stateoftheart detection solutions and we show that they fail to effectively detect stealthy attacks The design of detection techniques against these stealthy attacks is challenging because their network characteristics are similar to those of benign traffic We explore a deceptionbased detection technique that we call HONEYTRAFFIC which generates network messages containing honey tokens while mimicking the victims communication Our approach detects victimaware adaptive covert channels by observing inconsistencies in such tokens which are induced by the attacker while mimicking the victims traffic Although HONEYTRAFFIC has detection limitations it can be combined with existing detection methods to make evasion harder for an attacker
Authors: Riccardo Bortolameotti (University of Twente), Thijs van Ede (University of Twente), Andrea Continella (University of California, Santa Barbara), Maarten H. Everts (University of Twente), Willem Jonker (University of Twente), Pieter Hartel (Delft University of Technology), Andreas Peter (University of Twente),
Hide Authors & Abstract

Show Authors & Abstract
16:20 - 16:40
Random Allocation Seed-DSSS Broadcast Communication against Jamming Attacks

Spread spectrum techniques including Direct Sequence Spread Spectrum DSSS and Frequency Hopping Spread Spectrum FHSS are used widely as a countermeasure against jamming attacks In recent years the DSSS based system has been used to achieve the antijamming systems without a preshared secret key Delayed SeedDisclosure DSSS DSDDSSS is one of these systems that uses a random seed to generate multiple spreading codes to spread an original message However it discloses the information of a random seed in a way that it is vulnerable to the attacker In this paper we propose a new system that mainly focuses on concealing a random seed from the attacker by inserting it at a random position of a spreading message We develop a new technique to identify the location of a random seed at a receiver by aligning between multiple received messages Our evaluation and simulation results show that a receiver can obtain the position of a random seed and then he can recover both a random seed then regenerating the spreading codes used to spread an original message
Authors: Ahmad Alagil (Department of Computer Science and Engineering, University of South Florida),
Hide Authors & Abstract

Show Authors & Abstract
16:45 - 17:05
A Loss-tolerant Mechanism of Message Segmentation and Reconstruction in Multi-path Communication of Anti-tracking Network

Multipath communication applied in the anonymous communication netowrk improves the difficulty of online theft of the netizens privacy But in the current multipath communication mechanisms when some message blocks are lost the frequent request for the lost message blocks greatly reduces the communication efficiency and the trackingresistance To address this problem we propose a losstolerant mechanism of message segmentation and reconstruction in multipath communicationFMC The losstolerance of FMC is subject to the property of orthogonal matrix that the inner product of any two rowscolumns is 0FMC works as follows 1 firstly the message is encoded into an orthogonal matrix and divided into triangular blocks as more as possible 2 secondly the message blocks are sent to different communication paths and each communication path guarantees the security of the transmitted message 3 thirdly the receiver recovers the original message even when some message blocks are lost Without the frequent request for the lost message blocks FMC greatly improves the communication efficiency and trackingresistance Experimental results show that FMC has a strong losstolerant performance and the receiver can certainly recover the original message with 15 lost message blocks at most For a nn matrix n2 is a proper size of message blocks to balance losstolerance trackingresistance and communication efficiency
Authors: Changbo Tian (School of Cyber Security, University of Chinese Academy of Sciences), YongZheng Zhang (Institute of Information Engineering, Chinese Academy of Sciences), Tao Yin (Institute of Information Engineering, Chinese Academy of Sciences), Yupeng Tuo (Institute of Information Engineering, Chinese Academy of Sciences), Ruihai Ge (Institute of Information Engineering, Chinese Academy of Sciences),
Hide Authors & Abstract

Show Authors & Abstract

ATCS Workshop 17:10 - 18:20

Day 2 24/10/2019
Room #1

Session 7 15:06 - 12:35

Let's Talk Privacy
11:00 - 11:20
Ticket Transparency: Accountable Single Sign-On with Privacy-Preserving Public Logs

Single signon SSO is becoming more and more popular in the Internet An SSO ticket issued by the identity provider IdP allows an entity to sign onto a relying party RP on behalf of the account enclosed in the ticket To ensure its authenticity an SSO ticket is digi tally signed by the IdP and verified by the RP However recent security incidents indicate that a signing system eg certification authority might be compromised to sign fraudulent messages even when it is well protected in accredited commercial systems Compared with certification authorities the online signing components of IdPs are even more exposed to adversaries and thus more vulnerable to such threats in practice This paper proposes ticket transparency to provide accountable SSO services with privacypreserving public logs against potentially fraudulent tickets issued by a compromised IdP With this scheme an IdPsigned ticket is accepted by the RP only if it is recorded in the public logs It en ables a user to check all his tickets in the public logs and detect any fraudulent ticket issued without his participation or authorization We integrate blind signatures identitybased encryption and Bloom filters in the design to balance transparency privacy and efficiency in these securityenhanced SSO services To the best of our knowledge this is the first attempt to solve the security problems caused by potentially intruded or compromised IdPs in the SSO services
Authors: Dawei Chu (Institute of Information Engineering, Chinese Academy of Sciences), Jingqiang Lin (State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences), Fengjun Li (The University of Kansas), Xiaokun Zhang (Academy of Opto-Electronics, Chinese Academy of Sciences), Qiongxiao Wang (Institute of Information Engineering, Chinese Academy of Sciences), Guangqi Liu (Institute of Information Engineering, Chinese Academy of Sciences),
Hide Authors & Abstract

Show Authors & Abstract
11:25 - 11:45
Decentralized Privacy-Preserving Reputation Management for Mobile Crowdsensing

In mobile crowdsensing mobile devices can be fully utilizedto complete various sensing tasks without deploying thousands of staticsensors This property makes that mobile crowdsensing has been adopted by a wide range of practical applications Since most crowdsensingplatforms are open for registration it is very possible that some participants might be motivated by financial interest or compromised by hackersto provide falsified sensing data Further the urgent privacypreservingneed in this scenario has brought more difficulty to deal with these malicious participants Even though there have existed some approachesto tackle to problem of falsified sensing data while preserving the partipants privacy these approaches rely on a centralized entity which iseasy to be the bottleneck of the security of the whole system Hence inthis paper we propose a decentralized privacypreserving management scheme to address the problem above At first the system model ispresent based on the consortium blockchain Then a novel metric to evaluate the reliability degree of the sensing data efficiently and privatelyis designed by leveraging the Paillier crytosystem Based on this metrichow to update reputation values is given Extensive experiments verifythe effectiveness and efficiency of the proposed scheme
Authors: Qingqi Pei (Xidian University), Lichuan Ma (ISN), Youyang Qu (Deakin University), Kefeng Fan (China Electronics Standardization Institute), Xin Lai (Xunlei Network Technologies Limited),
Hide Authors & Abstract

Show Authors & Abstract
11:50 - 12:10
Location Privacy Issues in the OpenSky Network Crowdsourcing Platform

OpenSky Network leverages the freely accessible data generated by the aircraft through the Automatic Dependent Surveillance Broadcast ADSB technology to create a global openaccess network where individuals industries and academia can contribute and obtain data Avionic data are acquired through onground general purpose antennas installed and operated in adequate locations and later delivered to OpenSky NetworkTo maintain operators privacy while still keeping data value OpenSky Network promises not to reveal the antenna location if the data contributor wishes so Thus open data provided to the participating entities contain neither the location of the operating receiver nor other location identification dataIn this work we practically demonstrate that maintaining full location privacy in this scenario is almost unfeasible We apply a timebased location estimation technique that leveraging i the disclosed location of legitimate receivers that did not opt in for location privacy and ii data provided by commercial and military aircraft reveals with reasonable accuracy the location of the receivers that did optin for location privacy Results achieved by simulations and an experimental campaign over real data provided by the OpenSky Network support our claim further confirming that maintaining location privacy while still contributing to the community cannot be fully achieved in the actual setting hence calling for further research
Authors: Savio Sciancalepore (Hamad Bin Khalifa University (HBKU) - College of Science and Engineering (CSE)), Saeif Alhazbi (Hamad Bin Khalifa University (HBKU) - College of Science and Engineering (CSE)), Roberto Di Pietro (Hamad Bin Khalifa University (HBKU) - College of Science and Engineering (CSE)),
Hide Authors & Abstract

Show Authors & Abstract
12:15 - 12:35
Privacy-Preserving Genomic Data Publishing via Differentially-Private Suffix Tree

Privacypreserving data publishing is a mechanism for sharing data while ensuring that the privacy of individuals is preserved in the published data and utility is maintained for data mining and analysisThere is a huge need for sharing genomic data to advance medical and health researchesHowever since genomic data is highly sensitive and the ultimate identifier it is a big challenge to publish genomic data while protecting the privacy of individuals in the dataIn this paper we address the aforementioned challenge by presenting an approach for privacypreserving genomic data publishing via differentiallyprivate suffix tree The proposed algorithm uses a topdown approach and utilizes the Laplace mechanism to divide the raw genomic data into disjoint partitions and then normalize the partitioning structure to ensure consistency and maintain utilityThe output of our algorithm is a differentiallyprivate suffix tree a data structure most suitable for efficient search on genomic data We experiment on reallife genomic data obtained from the Human Genome Privacy Challenge project and we show that our approach is efficient scalable and achieves high utility with respect to genomic sequence matching count queries
Authors: Tanya Khatri (Boise State University), Gaby Dagher (Boise State University), Yantian Hou (Boise State University),
Hide Authors & Abstract

Show Authors & Abstract

Registration 08:00 - 18:00

Keynote 08:30 - 09:30

Panel 09:30 - 10:30

Break 10:30 - 11:00

Lunch 12:35 - 14:00

Session 9 14:00 - 15:35

Systematic Theory
14:00 - 14:20
On the Security of TRNGs based on Multiple Ring Oscillators

True random number generator TRNG is essential for the implementation of cryptographic applications such as digital signature algorithms and security protocols The quality of generated sequences would directly influence the security of the cryptographic application Furthermore in order to enhance the generation rate of random numbers a TRNG based on multiple ring oscillators ROs ie MROTRNG for short has been proposed by Sunar et al There exist potential risks threatening the security of the MROTRNG like pseudorandomness and phase interlock For MROTRNG experimental observation and statistical test results have been well investigated However these methods cannot distinguish the pseudorandomness The concept of entropy is used to quantify the amount of randomness As far as we know there is no entropy estimation method for MROTRNGs In this regard this paper provides an entropy estimation method to analyze the security of MROTRNG based on the method for oscillatorbased TRNG and calculates a lower bound of entropy The theoretical results are verified through Matlab simulations and FPGA experiments The conclusions can further guide the setting of design parameters ie number of ROs sampling frequency etc to generate outputs with sufficient entropy
Authors: Xinying Wu (School of Cyber Security, University of Chinese Academy of Sciences; Data Assurance and Communications Security Research Center; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Yuan Ma (Data Assurance and Communications Security Research Center; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Jing Yang (School of Cyber Security, University of Chinese Academy of Sciences; Data Assurance and Communications Security Research Center; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Tianyu Chen (Data Assurance and Communications Security Research Center; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China), Jingqiang Lin (School of Cyber Security, University of Chinese Academy of Sciences; Data Assurance and Communications Security Research Center; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China),
Hide Authors & Abstract

Show Authors & Abstract
14:25 - 14:45
Secrecy on a Gaussian Relay-Eavesdropper Channel with a Trusted Relay

Security is a crucial aspect in nowadays wireless communication systems The open nature of wireless makes the communications more vulnerable to eavesdropping which leads to that the physical layer security information theoretic secrecy is becoming attractive due to its relying on the characteristics of the transmission medium In this paper we study the secrecy on a gaussian relayeavesdropper channel with a trusted relay which is assumed to be able to decode and encode wiretap codes We discuss several cooperative strategies to guarantee the information secrecy in some cases and bound the corresponding secrecy rate Also we derive a cutsetlike upper bound on the secrecy capacity for our scenario The relative proofs are also presented in this paper
Authors: Keke Hu (Institute of Information Engineering, Chinese Academy of Sciences P.R. China), Xiaohui Zhang (Institute of Information Engineering, Chinese Academy of Sciences), Yongming Wang (Institute of Information Engineering, Chinese Academy of Sciences),
Hide Authors & Abstract

Show Authors & Abstract
14:50 - 15:10
Target Information Trading - An Economic Perspective of Security

Ample evidence has confirmed the importance of information in security While much research on security game has assumed the attackers limited observation capabilities to obtain target information few work considers the possibility that the information can be acquired from a data broker not to mention exploring the profitseeking behaviors of such an information service in the shrouded underground society This paper studies the role of information in security problem when the target information is sold by a data broker to multiple competitive attackers We formulate a novel multistage game model to characterize both the cooperative and competitive interactions of the data broker and attackers Specifically the attacker competition with correlated purchasing and attacking decisions is modeled as a twostage stochastic model and the bargaining process between the data broker and the attackers is analyzed in a Stackelberg game Both the attackers competitive equilibrium solutions and data brokers optimal pricing strategy are obtained Our results show that the information accuracy is more valuable when the target value is higher Furthermore the competition may weaken the information value to the attackers but benefit the data broker The study contributes to the literature by characterizing the coopetitive behaviors of the attackers with labor specialization and providing quantitative measures of information value from an economic perspective
Authors: Jing Hou (Department of Computer Science and Software Engineering, Auburn University), Li Sun (Department of Computer Science and Software Engineering, Auburn University), Tao Shu (Department of Computer Science and Software Engineering, Auburn University), Husheng Li (Department of Electrical Engineering and Computer Science, The University of Tennessee Knoxville),
Hide Authors & Abstract

Show Authors & Abstract
15:15 - 15:35
Cyber Threat Analysis based on Characterizing Adversarial Behavior for Energy Delivery System

Recently Energy Delivery Systems EDS has been the target of several sophisticated attacks with potentials for catastrophic damages These attacks are diverse in techniques attack progression and impacts System administrators require comprehensive analytics to assess their defense against these diverse adversarial strategies To address this challenge this paper proposes a methodology to assess cyber threats proactively by characterizing adversary behavior First we describe the different level of threat indicators and their effectiveness to understand the adversary activity Next we integrate static network information with dynamic attack strategy by mapping attack graphs into attackers techniques and tactics This contextual integration provides insights into attackers stealthy behavior Following the enumeration of complexity and effort for attack progression we devise a metric to quantify the likelihood of an adversary taking an attack path for compromising an asset in EDS We empirically evaluated our approach within an ICS testbed The results show the significance of our approach for characterizing adversarial behavior and gaining valuable insights on cyber risk management
Authors: Md Sharif Ullah (Old Dominion University), Sachin Shetty (Old Dominion University), Anup Nayak (Accenture Cyber Lab), Amin Hassanzadeh (Accenture Cyber Lab), Kamrul Hasan (Old Dominion University),
Hide Authors & Abstract

Show Authors & Abstract

Break 15:35 - 16:00

Session 11 16:00 - 17:50

Blockchains and IoT
16:00 - 16:20
A Behavior-Aware Profiling of Smart Contracts

The inception of blockchain techniques has been revolutionizing various domains eg Internet of Things supply chain and healthcare Ethereum smart contracts emerge as the promising blockchain application which could enable distrustful parties to participate in the automatic and trustful transactions Given the increasing importance of Ethereum smart contracts understanding them becomes imperativeHowever prior work only studied smart contracts with general highlevel patterns and one critical question has not been answered yet how do smart contracts behave individually In this paper we present a behavioraware profiling of individual smart contract from a multiparty perspective which improves the visibility of the smart contract ecosystem We conduct a detailed study of the behavior of individual smart contract on two realworld datasets and our profiling reveals interesting and surprising observations For example a few contract completion chains have more than 50 contracts and all of them belong to the Finance category We also discuss the implications that lead to recommendations to improve the security and performance of the smart contract ecosystem Overall our work effectively complements previous work towards generating a comprehensive understanding of smart contracts
Authors: Xuetao Wei (University of Cincinnati), Can Lu (University of Cincinnati), Fatma Rana Ozcan (University of Cincinnati), Ting Chen (University of Electronic Science and Technology of China), Boyang Wang (University of Cincinnati), Di Wu (Hunan University), Qiang Tang (New Jersey Institute of Technology),
Hide Authors & Abstract

Show Authors & Abstract
16:25 - 16:45
A Performance-Optimization Method for Reusable Fuzzy Extractor Based on Block Error Distribution of Iris Trait

Fuzzy extractors convert repeated noise readings of a source into same uniformly distributed key To eliminate noise nonsecret helper data is extracted from the initial enrolment in the registration phase and acts as the error correct tool in the verification phase However error correct code based fuzzy extractors have crossmatching problems Reusable fuzzy extractors are proposed to realize multiple registrations of the same biometrics and provide privacyenhancing features such as revocability and protection against crossmatching Nonetheless Canettis reusable fuzzy extractors named samplethenlock suffer from heavy storage and computing resources burdens In this paper after conducting a thorough correlation analysis between performance and error tolerance in Canettis reusable fuzzy extractors we find that decreasing error tolerance threshold can improve storage and computation performance of reusable fuzzy extractors Based on statistical analysis of the block error distribution of iris trait we propose an iriscode preprocessing method which uses Hadamard code to lower error tolerance We conduct an experiment on a public iris dataset and experimental result shows that our method can improve the performance and security of the reusable fuzzy extractor
Authors: Feng Zhu (State Key Laboratory of Information Security, Institute of Information Engineering Chinese Academy of Science), Peisong Shen (State Key Laboratory of Information Security, Institute of Information Engineering Chinese Academy of Science), Chi Chen (State Key Laboratory of Information Security, Institute of Information Engineering Chinese Academy of Science),
Hide Authors & Abstract

Show Authors & Abstract
16:50 - 17:10
Detecting Root-Level Endpoint Sensor Compromises with Correlated Activity

Endpoint sensors play an important role in an organizations network defense However endpoint sensors may be disabled or sabotaged if an adversary gains rootlevel access to the endpoint running the sensor While traditional sensors cannot reliably defend against such compromises this work explores an approach to detect these compromises in applications where multiple sensors can be correlated We focus on the OpenFlow protocol and show that endpoint sensor data can be corroborated using a remote endpoints sensor data or that of innetwork sensors like an OpenFlow switch The approach allows endtoend round trips of less than 20ms for around 90 of flows which includes all flow elevation and processing overheads In addition the approach can detect flows from compromised nodes if there is a single uncompromised sensor on the network path This approach allows defenders to quickly identify and quarantine nodes with compromised endpoint sensors
Authors: Yunsen Lei (Worcester Polytechnic Institute), Craig Shue (Worcester Polytechnic Institute),
Hide Authors & Abstract

Show Authors & Abstract
17:15 - 17:35
Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

Network Function Virtualization NFV and Software Defined Networking SDN empower Service Function Chaining SFC which integrates an ordered list of Virtualized Network Functions VNFs together for implementing a particular service However the highlevel SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner or the packet flows of the service are forwarded to the VNFs of concern in a predefined order An attacker can manage to bypass or evade the security VNFs eg firewall virus scanner DPI and deviate the packets flows from the prespecified path It is thus a significant need to have an efficient selfchecking mechanism in place ensuring the SFC to be implemented in a secure and correct way We develop such a scheme based on an improved crypto primitive Lite identitybased ordered multisignature which enforces all the VNFs in the same service chain to sequentially sign the packets received Then the last hop of the chain will verify the aggregated signature so as to validate the authenticity of the VNFs as well as their orders in the chain We leverage the IETF Network Service Header NSH to implement our scheme and run the experiments in a realworld environment to evaluate its performance in terms of computational overhead and latency
Authors: Montida Pattaranantakul (IMT Lille Douai), Qipeng Song (IMT Lille Douai), Yanmei Tian (Beijing University of Posts and Telecommunications), Licheng Wang (Beijing University of Posts and Telecommunications), Zonghua Zhang (IMT Lille Douai), Ahmed Meddahi (IMT Lille Douai),
Hide Authors & Abstract

Show Authors & Abstract
Room #2

Session 8 11:00 - 12:35

Deep Analytics
11:00 - 11:20
TL;DR Hazard: A Comprehensive Study of Levelsquatting Scams

In this paper we present a largescale analysis about an emerging newtype of domainname fraud which we call levelsquatting Unlike existing fraudsthat impersonate wellknown brand names like googlecom by using similarsecondlevel domain names adversaries here embed brand name in the subdomainsection deceiving users who do not pay attention to the entire domain namesespecially mobile usersFirst we develop a detection system LDS based on passive DNS data and webpage content Using LDS we successfully detect 817681 levelsquatting domainsSecond we perform detailed characterization on levelsquatting scams Existingblacklists are less effective against levelsquatting domains with only around 4of domains reported by VirusTotal and PhishTank respectively In particular wefind a number of levelsquatting domains impersonate wellknown search enginesSo far Baidu security team has acknowledged our findings and removed thesedomains from its search result Finally we analyze how levelsquatting domainnames are displayed in different browsers We find 2 mobile browsers Firefox andUC and 1 desktop browser Internet Explorer could confuse users when showinglevelsquatting domain names in the address bar In summary our study sheds lightto the emerging levelsquatting fraud and we believe new approaches are needed tomitigate this type of fraud
Authors: Kun Du (Tsinghua University, China), Hao Yang (Tsinghua University), Zhou Li (University of California, Irvine), Haixin Duan (Tsinghua University, Beijing National Research Center for Information Science and Technology, China), Shuang Hao (University of Texas, Dallas), Baojun Liu (Tsinghua University, China), Yuxiao Ye (Tsinghua University, China), Mingxuan Liu (Tsinghua University, China), Xiaodong Su (Baidu Company, China), Guang Liu (Baidu Company, China), Zhifeng Geng (Baidu Company, China), Zaifeng Zhang (Network security Research Lab at Qihoo 360, China), Jinjin Liang (Network security Research Lab at Qihoo 360, China),
Hide Authors & Abstract

Show Authors & Abstract
11:25 - 11:45
Account Lockouts: Characterizing and Preventing Account Denial-of-Service Attacks

To stymie password guessing attacks many systems lock an account after a given number of failed authentication attempts preventing access even if proper credentials are later provided Combined with the proliferation of single signon providers adversaries can use relatively few resources to launch largescale applicationlevel denialofservice attacks against targeted user accounts by deliberately providing incorrect credentials across multiple authentication attemptsIn this paper we measure the extent to which this vulnerability exists in production systems We focus on Microsoft services which are used in many organizations to identify exposed authentication points We measure 2066 organizations and found between 58 and 77 of organizations expose authentication portals that are vulnerable to account lockout attacks Such attacks can be completely successful with only 13 KBytessecond of attack traffic We then propose and evaluate a set of lockout bypass mechanisms for legitimate users Our performance and security evaluation shows these solutions are effective while introducing little overhead to the network and systems
Authors: Yu Liu (Worcester Polytechnic Institute), Matthew Squires (Worcester Polytechnic Institute), Curtis Taylor (Oak Ridge National Laboratory, Worcester Polytechnic Institute), Robert Walls (Worcester Polytechnic Institute), Craig Shue (Worcester Polytechnic Institute),
Hide Authors & Abstract

Show Authors & Abstract
11:50 - 12:10
Application Transiency: Towards a Fair Trade of Personal Information for Application Services

Smartphone users are offered a plethora of applications providing services such as games and entertainment In 2018 94 of applications on Google Play were advertised as free However many of these applications obtain undefined amounts of personal information from unaware users In this paper we introduce transiency a privacyenhancing feature that prevents applications from running unless explicitly opened by the user Transient applications can only collect sensitive user information while they are being used and remain disabled otherwise We show that a transient app would not be able to detect a sensitive user activity such as a daily commute to work unless it was used during the activity We define characteristics of transient applications and find that of the top 100 free apps on Google Play 88 could be made transient By allowing the user to decide when to allow an app to collect their data we move towards a fair trade of personal information for application services
Authors: Raquel Alvarez (Pennsylvania State University), Jake Levenson (Pennsylvania State University), Ryan Sheatsley (Pennsylvania State University), Patrick McDaniel (Pennsylvania State University),
Hide Authors & Abstract

Show Authors & Abstract
12:15 - 12:35
CustomPro: Network Protocol Customization through Cross-host Feature Analysis

The implementations of network protocols are often bloated due to the need to satisfy diverse user requirements and to suit different application environments The continual expansion of program features contribute to not only growing complexity but also increased the attack surface making the maintenance of network protocol security very challenging Existing work either debloat programs at source code level which may not always be available in particular for legacy systems or customize binaries only with respect to a very limited set of inputs In this paper we propose CustomPro a new approach for automated customization of network protocols We harness program execution tracing tainting and guided symbolic execution to identify relevant code from the original program binary and leverage static binary rewriting techniques to create a customized program binary that only contains the desired functionalities We implement a prototype of CustomPro and evaluate its feasibility using OpenSSL a widely used SSL implementation and Mosquitto an IoT messaging protocol implementation The results show that CustomPro is able to create functional program binaries with only desired features and significantly reduce the potential attack surface by targeting and eliminating unwanted protocol features
Authors: Yurong Chen (George Washington University), Tian Lan (George Washington University), Guru Venkataramani (George Washington University),
Hide Authors & Abstract

Show Authors & Abstract

Session 10 14:00 - 15:35

Bulletproof Defenses
14:00 - 14:20
The Disbanding Attack: Exploiting Human-in-the-loop Control in Vehicular Platooning

Due to advances in automated vehicle technology and intervehicle communication vehicular platoons have attracted a growing interest by academia and industry alike as they can produce safe driving regularize traffic flow and increase throughput Research has demonstrated however that when platoons are placed in an adversarial environment they are vulnerable to a variety of attacks that could negatively impact traffic flow and produce collisions andor injuries In this work we consider an attack that seeks to exploit humanintheloop control of compromised vehicles that are part of a platoon Specifically we demonstrate that should a human operator need to suddenly take control of a platooned vehicle significant upstream effects which threaten the safety of passengers in other vehicles may be induced To counter this socalled disbanding attack we present an optimal centralized mitigation approach Due to scalability security and privacy concerns such an approach may not be practical in reality Hence we also propose a decentralized mitigation algorithm that reduces excessive speed changes and coordinates interplatoon behaviors to minimize the attack impacts Our algorithm is compared to the aforementioned optimal approach and is shown to produce nearly equivalent results while requiring fewer resources Experimental results on a hardware testbed show that our countermeasure permits graceful speed reductions and can provide safety ie no collisions
Authors: Ali Al-Hashimi (Utah State University), Pratham Oza (Virginia Tech), Ryan Gerdes (Virginia Tech), Thidapat Chantem (Virginia Tech),
Hide Authors & Abstract

Show Authors & Abstract
14:25 - 14:45
Generic Construction of ElGamal-Type Attribute-Based Encryption Schemes with Revocability and Dual-Policy

Cloud is a computing paradigm for allowing data owners to outsource their data to enjoy ondemand services and mitigate the burden of local data storage However secure sharing of data via cloud remains an essential issue since the cloud service provider is untrusted Fortunately asymmetrickey encryption such as identitybased encryption IBE and attributebased encryption ABE provides a promising tool to offer data confidentiality and has been widely applied in cloudbased applications In this paper we summarize the common properties of most of IBE and ABE and introduce a cryptographic primitive called ElGamal type cryptosystem This primitive can be used to derive a variety of ABE schemes To illustrate the feasibility we present generic constructions of revocable attributebased encryption and dualpolicy attributebased encryption with formal definitions and security proofs By applying our proposed generic constructions we also present instantiations of these schemes Furthermore we demonstrate the high performance of the proposed schemes via experiments
Authors: Shengmin Xu (Xi'an University of Posts and Telecommunications), Yinghui Zhang (Xi'an University of Posts and Telecommunications), Yingjiu Li (Singapore Management University), Ximeng Liu (Fuzhou University), Guomin Yang (University of Wollongong),
Hide Authors & Abstract

Show Authors & Abstract
14:50 - 15:10
Online Cyber Deception System using Partially Observable Monte-Carlo Planning Framework

Cyber deception is an approach where the network administrators can deploy a network of decoy assets with the aim to expendadversaries resources and time and gather information about the adversaries strategies tactics capabilities and intent The key challenge in this cyber deception approach is the design and placement of network decoys to ensure maximal information uncertainty for the attackers Stateoftheart approaches to address this design and placement problem assume a static environment and apriori strategies taken by the attacker In this paper we propose the design and placement of network decoys considering scenarios where defenders action influence an attacker to change its strategies and tactics dynamically while maintaining the tradeoff between availability and security The defender maintains a belief consisting of security state and the resultant actions are modeled as Partially Observable Markov Decision Process POMDP Our simulation results illustrate the defenders increasing ability to influence the attackers attack path to comprise of fake nodes and networks
Authors: MD ALI REZA AL AMIN (Old Dominion University), Sachin Shetty (Old Dominion University), Laurent Njilla (Air Force Research Lab), Deepak Tosh (University of Texas at El Paso), Charles Kamhoua (Army Research Lab),
Hide Authors & Abstract

Show Authors & Abstract
15:15 - 15:35
SEVGuard: Protecting User Mode Applications using Secure Encrypted Virtualization

We present SEVGuard a minimal virtual execution environmentthat protects the condentiality of applications based on AMDsSecure Encrypted Virtualization SEV Although SEV was primarilydesigned for the protection of VMs we found a way to overcome thislimitation and exclusively protect user mode applications Therefore wemigrate the application into a hardwareaccelerated VM and encryptboth its memory and register state To avoid the overhead of a typicalhypervisor we built our solution on top of the plain Linux Kernel VirtualMachine KVM API With the help of an advanced trapping mechanismwe fully support system and library calls from within the encrypted guestFurthermore we allow unmodied code to be transparently virtualizedand encrypted by appropriate memory mappings The memory neededfor our minimal VM can be directly allocated within SEVGuards addressspace We evaluated our execution environment regarding correctnessand performance conrming that SEVGuard can be practically used toprotect existing legacy applications
Authors: Ralph Palutke (Friedrich-Alexander-University Erlangen/Nuernberg), Andreas Neubaum (Friedrich-Alexander-University Erlangen/Nuernberg), Johannes Götzfried (Friedrich-Alexander-University Erlangen/Nuernberg),
Hide Authors & Abstract

Show Authors & Abstract

Break 15:35 - 16:00

Session 12 16:00 - 17:50

Security and Analytics
16:00 - 16:20
Hecate: Automated Customization of Program and Communication Features to Reduce Attack Surfaces

Customizing program and communication features is a commonly adopted strategy to counter security threats that arise from rapid inflation of software features In this paper we propose Hecate a novel framework that leverages dynamic execution and trace to create customized selfcontained programs in order to minimize potential attack surface It automatically identifies program features ie independent wellcontained operations utilities or capabilities relating to application binaries and their communication functions tailors and eliminates the features to create customized program binaries in accordance with user needs in a fully unsupervised fashion Hecate makes novel use of deep learning to identify program features and their constituent functions by mapping dynamic instruction trace to functions in the binaries It enables us to modularize program features and efficiently create customized program binaries at large scale We implement a prototype of Hecate using a number of open source tools such as DynInst and TensorFlow Evaluation using realworld executables including OpenSSL and LibreOffice demonstrates that Hecate can create a wide range of customized binaries for diverse feature requirements with the highest accuracy up to 9628 for featurefunction identification and up to 67 reduction of program attack surface
Authors: Hongfa Xue (The George Washington University), Yurong Chen (The George Washington University), Guru Venkataramani (The George Washington University), Tian Lan (The George Washington University),
Hide Authors & Abstract

Show Authors & Abstract
16:25 - 16:45
Phish-Hook: Detecting Phishing Certificates Using Certificate Transparency Logs

Certificate misissuance is a growing issue in the context of phishing attacks as it leads inexperienced users to further trust fraudulent websites if they are equipped with a technically valid certificate Certificate Transparency CT aims at increasing the visibility of such maliciousactions by requiring certificate authorities CAs to log every certificatethey issue in public tamperproof appendonly logs This work introduces PhishHook a novel approach towards detecting phishing websites based on machine learning PhishHook analyses certificates submitted to theCT system based on a conceptually simple wellunderstood classificationmechanism to effectively attest the phishing likelihood of newly issued certificates PhishHook relies solely on CT log data and foregoes intricateanalyses of websites source code and traffic As a consequence we are able to provide classification results in near realtime and in a resourceefficient way Our approach advances the state of the art by classifying websitesaccording to five different incremental certificate risk labels instead of assigning a binary label Evaluation results demonstrate the effectiveness of our approach achieving a success rate of over 90 while requiring fewer less complex input data and delivering results in near realtime
Authors: Edona Fasllija (A-SIT Secure Information Technology Center Austria), Hasan Enişer (Bogazici University), Bernd Prünster (Graz University of Technology),
Hide Authors & Abstract

Show Authors & Abstract
16:50 - 17:10
IIFA: Modular Inter-app Intent Information Flow Analysis of Android Applications

Android apps cooperate through message passing via intents However when apps have disparate sets of privileges interapp communication IAC can accidentally or maliciously be misused eg to leak sensitive information contrary to users expectations Recent research has considered static program analysis to detect dangerous data leaks due to intercomponent communication ICC but suffers from shortcomings for IAC with respect to precision soundness and scalabilityAs a remedy we propose a novel preanalysis for static ICCIAC analysis Our main contribution is the first fully automatic ICCIAC information flow analysis that is scalable for realistic apps due to modularity avoiding combinatorial explosion Our approach determines communicating apps using short summaries rather than inlining intent calls between components and apps which entails simultaneously analyzing all apps installed on a deviceUsing benchmarks we establish that IIFA outperforms stateoftheart analyses in terms of precision and recall But foremost applied to the 90 most popular applications from the Google Playstore IIFA demonstrated its scalability to a large corpus of realworld apps
Authors: Abhishek Tiwari (University of Potsdam), Sascha Groß (University of Potsdam), Christian Hammer (University of Potsdam),
Hide Authors & Abstract

Show Authors & Abstract
17:15 - 17:35
Power Analysis and Protection on SPECK and Its Application in IoT

Emerging applications such as the Internet of Things IoT promotes the development of lightweight cryptography SPECK is a lightweight block cipher specially designed for limited resource devices that was presented by National Security Agency Nevertheless before using SPECK in any practical application protection against sidechannel attacks must be paid attention to In this paper we take two attack positions into account and make effort to implement correlation power analysis on a naive software implementation of SPECK algorithm in the IoT application scenario Our experimental results show that the real key fixed in the register can be successfully recovered when attack the XOR operations while there is always an interference item that confuses the correct key when attack the modulo addition operation Furthermore we proposal a countermeasure against power attacks in the IoT application and the protected SPECK only cost 5301 627 and 31818 of extra code RAM and time respectively
Authors: Jing Ge (Beijing Institute of Technology),
Hide Authors & Abstract

Show Authors & Abstract
Day 3 25/10/2019
Room #1

Registration 08:00 - 12:00

Session 13 08:30 - 10:05

Machine Learning, Privately
08:30 - 08:50
Adversarial False Data Injection Attack against Nonlinear AC State Estimation with ANN in Smart Grid

Artificial neural network ANN provides superior accuracy for nonlinear alternating current AC state estimation SE in smart grid over traditional methods However research has discovered that ANN could be easily fooled by adversarial examples In this paper we initiate a new study of adversarial false data injection FDI attack against AC SE with ANN by injecting a deliberate attack vector into measurements the attacker can degrade the accuracy of ANN SE while remaining undetected We propose a populationbased algorithm and a gradientbased algorithm to generate attack vectors The performance of these algorithms are evaluated through simulations on IEEE 9bus 14bus and 30bus systems under various attack scenarios Simulation results show that DE is more effective than SLSQP on all simulation cases The attack examples generated by DE algorithm successfully degrade the ANN SE accuracy with high probability
Authors: Tian Liu (Auburn University), Tao Shu (Auburn University),
Hide Authors & Abstract

Show Authors & Abstract
08:55 - 09:15
Effectiveness of Adversarial Examples and Defenses for Malware Classification

Artificial neural networks have been successfully used formany different classification tasks including malware detection and distinguishing between malicious and nonmalicious programs Althoughartificial neural networks perform very well on these tasks they are alsovulnerable to adversarial examples An adversarial example is a sample that has minor modifications made to it so that the neural networkmisclassifies it Many techniques have been proposed both for craftingadversarial examples and for hardening neural networks against themMost previous work was done in the image domain Some of the attackshave been adopted to work in the malware domain which typically dealswith binary feature vectors In order to better understand the space ofadversarial examples in malware classification we study different approaches of crafting adversarial examples and defense techniques in themalware domain and compare their effectiveness on multiple data sets
Authors: Robert Podschwadt (University of North Texas), Hassan Takabi (University of North Texas),
Hide Authors & Abstract

Show Authors & Abstract
09:20 - 09:40
PrivC - A Framework for Efficient Secure Two-Party Computation

Secure Multiparty Computation SMC allows mutually distrusted parties to jointly evaluate a function on their private inputs without revealing anything but the output of the function SMC has been extensively studied for decades by the research community and significant progresses have been made both in the directions of computing capability and performance improvement In this work we design and implement PrivC an efficient framework for secure twoparty computing Our design was based on arithmetic sharing oblivious transfer and garbled circuits We demonstrate the efficiency of our design and implementation using benchmark datasets and real world applications at our organization Evaluations have shown that PrivC outperforms several other competitive twoparty frameworks
Authors: Kai He (Baidu Inc.), Liu Yang (Baidu Inc.), Jue Hong (Baidu Inc.), Jinghua Jiang (Baidu Inc.), Jieming Wu (Baidu Inc.), Xu Dong (Baidu Inc.), Zhuxun Liang (Baidu Inc.),
Hide Authors & Abstract

Show Authors & Abstract
09:45 - 10:05
CoRide: A Privacy-preserving Collaborative-Ride Hailing Service using Blockchain-assisted Vehicular Fog Computing

Ridehailing services have experienced remarkable development throughout the world serving millions of users per day However service providers such as Uber and Didi operate independently If they are willing to share user data and establish collaborativerides crides more ride services and commercial interests will be produced Meanwhile these collaborations raise significant security and privacy concerns for both users and service providers because users sensitive information and service providers business secrets could be leaked during crides Moreover data auditability and fairness must be guaranteed In this paper we propose CoRide a privacypreserving CollaborativeRide hailing service using blockchainassisted vehicular fog computing First we anonymously authenticate users and disclose a targeted user only if all collaborative service providers are present while requiring no trusted authority Then we construct a consortium blockchain to record crides and create smart contracts to pair riders with drivers Private proximity test and query processing are utilized to support location authentication driver screening and destination matching Last we modify Zerocash to achieve anonymous payment and defend double spending attacks Finally we analyze the security of CoRide and demonstrate its efficiency through extensive experiments based on an Ethereum network
Authors: Meng Li (Hefei University of Technology), Liehuang Zhu (Beijing Institute of Technology), Xiaodong Lin (University of Guelph),
Hide Authors & Abstract

Show Authors & Abstract

Break 10:05 - 10:30

Session 14 10:30 - 12:05

Better Clouds
10:30 - 10:50
Non-Interactive MPC with Trusted Hardware Secure Against Residual Function Attacks

Secure multiparty computation MPC has been repeatedly optimized and protocols with two communication rounds and strong security guarantees have been achieved While progress has been made constructing noninteractive protocols with just oneround of online communication ie noninteractive MPC or NIMPC since correct evaluation must be guaranteed with only one round these protocols are by their nature vulnerable to the residual function attack in the standard model This is because a party that receives a garbled circuit may repeatedly evaluate the circuit locally while varying their own inputs and fixing the inputs of others to learn the values entered by other participants We present the first MPC protocol with a oneround online phase that is secure against the residual function attack We also present rigorous proofs of correctness and security in the covert adversary model a reductionof the malicious model that is stronger than the semihonest model and better suited for modeling the behaviour of parties in the real world for our protocol Furthermore we rigorously analyze the communication and computational complexity of current state of the art protocols which require two rounds of communication or one round during the onlinephase with a reduced security requirement and demonstrate that our protocolis comparable to or outperforms their complexity
Authors: Ryan Karl (University of Notre Dame), Timothy Burchfield (University of Notre Dame), Jonathan Takeshita (University of Notre Dame), Taeho Jung (University of Notre Dame),
Hide Authors & Abstract

Show Authors & Abstract
10:55 - 11:15
A Study of the Multiple Sign-in Feature in Web Applications

Nowadays more and more web applications start to oer themultiple signin feature allowing users to sign into multiple accounts simultaneouslyfrom the same browser This feature significantly improvesuser experience Unfortunately if such a feature is not designed and implementedproperly it could lead to security privacy or usability issuesIn this paper we perform the first comprehensive study of the multiplesignin feature among various web applications including Google DropboxOur results show that the problem is quite worrisome All analyzedproducts that provide the multiple signin feature either suffer from potentialsecurityprivacy threats or are sacrificing usability to some extentWe present all issues found in these applications and analyze the rootcause by identifying four different implementation models Finally basedon our analysis results we design a clientside proofofconcept solutioncalled GRemember to mitigate these issues Our experiments show thatGRemember can successfully provide adequate context information forweb servers to recognize users intended accounts and thus effectivelyaddress the presented multiple signin threat
Authors: Marwan Albahar (Boise State University), Xing Gao (University of Memphis), Gaby Dagher (Boise State University), Daiping Liu (Palo Alto Networks), Fengwei Zhang (SUSTech and Wayne State University), Jidong Xiao (Boise State University),
Hide Authors & Abstract

Show Authors & Abstract
11:20 - 11:40
Authenticated LSM Trees with Minimal Trust

In the age of usergenerated contents the workloads imposed on informationsecurity infrastructures become increasingly write intensive However existing security protocols specifically authenticated data structures ADSs are historically designed based on updateinplace data structures and incur overhead when serving writeintensive workloadsIn this work we present LPAD Logstructured Persistent Authenticated Directory a new ADS protocol designed uniquely based on the logstructure merge trees LSM trees which recently gain popularity in the design of modern storage systems On the write path LPAD supports streaming noninteractive updates with constant proof from trusted data owners On the read path LPAD supports point queries over the dynamic dataset with a polynomial proof The key to enable this efficiency is a verifiable reorganization operation called verifiable merge in LPAD Verifiable merge is secured by the execution in an enclave of trusted ex execution environments TEE To minimize the trusted computing base TCB LPAD places the code related to verifiable merge in enclave and nothing else Our implementation of LPAD on Google LevelDB codebase and on Intel SGX shows that the TCB is reduced by 20 times The enclave size of LPAD is one thousand code lines out of more than twenty thousands code lines of a vanilla LevelDB Under the YCSB workloads LPAD improves the performance by an order of magnitude comparing with existing ADSs
Authors: Yuzhe Tang (Syracuse University), Ju Chen (Syracuse University), Kai Li (Syracuse University),
Hide Authors & Abstract

Show Authors & Abstract
11:45 - 12:05
Modern Family: A Revocable Hybrid Encryption Scheme Based on Attribute-Based Encryption, Symmetric Searchable Encryption and SGX

Secure cloud storage is considered as one of the most important issues that both businesses and endusers take into account before moving their private data to the cloud Lately we have seen some interesting approaches that are based either on the promising concept of Symmetric Searchable Encryption SSE or on the wellstudied field of AttributeBased Encryption ABE In this paper we propose a hybrid encryption scheme that combines both SSE and ABE by utilizing the advantages of both these techniques In contrast to many approaches we design a revocation mechanism that is completely separated from the ABE scheme and solely based on the functionality offered by SGX
Authors: Alexandros Bakas (Tampere University), Atnonis Michalas (Tampere University),
Hide Authors & Abstract

Show Authors & Abstract