August 10, 2016
Kurt Thomas, Juan A. Elices Crespo, Ryan Rasti, Jean-Michel Picod, Cait Phillips, Marc-André Decoste, Chris Sharp, Fabio Tirelo, Ali Tofigh, Marc-Antoine Courteau, Lucas Ballard, Robert Shield, Nav Jagpal, Moheeb Abu Rajab, Panayiotis Mavrommatis, Niels Provos, and Elie Bursztein, and Damon McCoy
In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices.
August 10, 2016
Jeffrey Pawlick and Quanyan Zhu
Internet tracking technologies and wearable electronics provide a vast amount of data to machine learning algorithms. This stock of data stands to increase with the developments of the internet of things and cyber-physical systems. Clearly, these technologies promise benefits. But they also raise the risk of sensitive information disclosure. To mitigate this risk, machine learning algorithms can add noise to outputs according to the formulations provided by differential privacy. At the same time, users can fight for privacy by injecting noise into the data that they report.
On Omitting Commits and Committing Omissions: Preventing Git Metadata Tampering That (Re)introduces Software Vulnerabilities
August 10, 2016
Santiago Torres-Arias, Anil Kumar Ammula, Reza Curtmola, and Justin Cappos
Metadata manipulation attacks represent a new threat class directed against Version Control Systems, such as the popular Git. This type of attack provides inconsistent views of a repository state to different developers, and deceives them into performing unintended operations with often negative consequences.
August 10, 2016
Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson
Security researchers can send vulnerability notifications to take proactive measures in securing systems at scale. However, the factors affecting a notification’s efficacy have not been deeply explored. In this paper, we report on an extensive study of notifying thousands of parties of security issues present within their networks, with an aim of illuminating which fundamental aspects of notifications have the greatest impact on efficacy.
Self-Efficacy in Cybersecurity Tasks and Its Relationship with Cybersecurity Competition and Work-Related Outcomes
August 9, 2016
Jian Ming Colin Wee, Masooda Bashir, and Nasir Memon
Research on cybersecurity competitions is still in its nascent state, and many questions remain unanswered, including how effective these competitions actually are at influencing career decisions and attracting a diverse participant base. The present research aims to address these questions through surveying a sample of ex-cybersecurity competition participants from New York University’s Cyber-Security Awareness Week (CSAW).
Non-Deterministic Timers for Hardware Trojan Activation (Or How a Little Randomness Can Go the Wrong Way)
August 8, 2016
Frank Imeson, Saeed Nejati, Siddharth Garg, and Mahesh V. Tripunitara
The security of digital Integrated Circuits (ICs) is essential to the security of a computer system that comprises them. A particularly pernicious attack is the insertion of a hardware backdoor, that is triggered in the field using a timer that is also inserted in the hardware. Prior work has addressed deterministic timer-based triggers—those that are designed to trigger at a specific time with probability.
August 7, 2016
Jay Koven, Enrico Bertini, Luke Dubois, and Nasir Memon
Large email data sets are often the focus of criminal and civil investigations. This has created a daunting task for investigators due to the extraordinary size of many of these collections. Our work offers an interactive visual analytic alternative to the current, manually intensive methodology used in the search for evidence in large email data sets. These sets usually contain many emails which are irrelevant to an investigation, forcing investigators to manually comb through information in order to find relevant emails, a process which is costly in terms of both time and money.
July 27, 2016
Farshad Khorrami, Prashanth Krishnamurthy, and Ramesh Karri
The authors argue that it is vital to develop effective real-time attack monitoring and threat mitigation mechanisms.
July 14, 2016
Minhui Xue, Gabriel Magno, Evandro Cunha, Virgilio Almeida, and Keith W. Ross
Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks.
July 6, 2016
Zhiheng Xu, Quanyan Zhu
The authors explore the vulnerabilities of 3D-printing systems, and design a cross-layer approach for the system.
July 5, 2016
Zachary K. Goldman and Damon McCoy
In “Deterring Financially Motivated Cybercrime,” Zachary K. Goldman and Damon McCoy present three strategies for deterring attacks that use malicious cyber capabilities to generate a profit.
June 22, 2016
Colin Wee, Masooda Bashir, and Nasir Memon
How do workers within the field of cybersecurity perceive cybersecurity competitions? This study aims to address this question and investigate if competitions left a positive mark on the information security workers who participated in them.
Student research highlight: Secure and resilient distributed machine learning under adversarial environments
June 17, 2016
Rui Zhang and Quanyan Zhu
Machine learning algorithms, such as support vector machines (SVMs), neutral networks, and decision trees (DTs) have been widely used in data processing for estimation and detection. They can be used to classify samples based on a model built from training data. However, under the assumption that training and testing samples come from the same natural distribution, an attacker who can generate or modify training data will lead to misclassification or misestimation.
June 2, 2016
This talk will cover various forms of threats that the electronic chip supply chain is up against, as well as defenses against these threats. The talk will elucidate the development of CAD algorithms/tools for this newly emerging field by mostly leveraging principles from other more mature research domains.
June 1, 2016
Srikanth Sundaresan, Damon McCoy, Sadia Afroz, and Vern Paxson
Online underground forums serve a key role in facilitating information exchange and commerce between gray market or even cybercriminal actors. In order to streamline
bilateral communication to complete sales, merchants often publicly post their IM contact details, such as their Skype handle. Merchants that publicly post their Skype handle
potentially leak information, since Skype has a known protocol flaw that reveals the IP address(es) of a user when they are online.
May 25, 2016
Fei Miao, Quanyan Zhu, Miroslav Pajic, and George J. Pappas
This paper considers a method of coding the sensor outputs in order to detect stealthy false data injection attacks.
May 11, 2016
Steven Eric Zeltmann, Nikhil Gupta, Nektarios Georgios Tsoutsos, Michail Maniatakos, Jeyavijayan Rajendran, and Ramesh Karri
As the manufacturing time, quality, and cost associated with additive manufacturing (AM) continue to improve, more and more businesses and consumers are adopting this technology. Some of the key benefits of AM include customizing products, localizing production and reducing logistics. Due to these and numerous other benefits, AM is enabling a globally distributed manufacturing process and supply chain spanning multiple parties, and hence raises concerns about the reliability of the manufactured product. In this work, we first present a brief overview of the potential risks that exist in the cyber-physical environment of additive manufacturing.
May 3, 2016
Arun Kanuparthi, Jeyavijayan Rajendran, Ramesh Karri
In this paper, the authors propose Dynamic Sequence Checker (DSC), a framework to verify the validity of control flow between basic blocks in the program