Publications

A Game-Theoretic Approach to Secure Control of Communication-Based Train Control Systems Under Jamming Attacks

April 21, 2017

Zhiheng Xu and Quanyan Zhu

To meet the growing railway-transportation demand, a new train control system, communication-based train control (CBTC) system, aims to maximize the ability of train lines by reducing the headway of each train. However, the wireless communications expose the CBTC system to new security threats. Due to the cyber-physical nature of the CBTC system, a jamming attack can damage the physical part of the train system by disrupting the communications. To address this issue, we develop a secure framework to mitigate the impact of the jamming attack based on a security criterion. At the cyber layer, we apply a multi-channel model to enhance the reliability of the communications and develop a zero-sum stochastic game to capture the interactions between the transmitter and jammer. We present analytical results and apply dynamic programming to find the equilibrium of the stochastic game. Finally, the experimental results are provided to evaluate the performance of the proposed secure mechanism.

Electric power dependent dynamic tariffs for water distribution systems

April 21, 2017

Varghese Kurian, Juntao Chen and Quanyan Zhu

Peak time water demands cause significant burden to the utility providers in terms of pumping loads. Its coincidence with the peak hours of electricity consumption makes the situation worse. In this paper, we bring forth the requirement as well as the viability of implementing time-varying tariffs in the ‘smart water systems’.We present the problem of finding the optimal tariffs as a Stackelberg game between the utility provider and the consumers of water. Further, we propose an algorithm that iterates between the suppliers problem and the consumers problem for finding the optimal tariffs along with a demonstration of its applicability on a small system.

Optimizing Mission Critical Data Dissemination in Massive IoT Networks

April 19, 2017

Muhammad Junaid Farooq , Hesham ElSawy , Quanyan Zhu  and Mohamed-Slim Alouini.

Mission critical data dissemination in massive Internet of things (IoT) networks imposes constraints on the message transfer delay between devices. Due to low power and communication range of IoT devices, data is foreseen to be relayed over multiple device-to-device (D2D) links before reaching the destination.The coexistence of a massive number of IoT devices poses a challenge in maximizing the successful transmission capacity of the overall network alongside reducing the multihop transmission delay in order to support mission critical applications.

Physical Intrusion Games – Optimizing Surveillance by Simulation and Game Theory

April 12, 2017

Stefan Rass , Ali Alshawish , Mohamed Amine Abid , Stefan Schauer , Quanyan Zhu and Hermann de Meer.

The protection of cyber-physical networks is a topic of increasing importance. The evolution of IT (cyber) systems that control and supervise the underlying physical system has grown over decades, whereas security has not become a concern until quite recently. Advanced persistent threats (APTs) have proven to be a difficult but significant challenge for practitioners. This work adopts a game-theoretic modeling of APTs and applies it to the (sub)problem of physical intrusion in an infrastructure. The gap between defining a good theoretical model and practically instantiating it is considered in particular. The model description serves to illustrate what is needed to put it into practice. The main contribution of this article is the demonstration of how simulation, physical understanding of an infrastructure, and theoretical methods can be combined towards a practical solution to the physical intrusion avoidance problem.

MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems

April 6, 2017

Aditi Roy, Nasir Memon and Arun Ross

This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match with the image obtained from the user during authentication. Further, in some cases, the user is allowed to enroll multiple fingers, and the impressions pertaining to multiple partial fingers are associated with the same identity (i.e., one user). A user is said to be successfully authenticated if the partial fingerprint obtained during authentication matches any one of the stored templates. This paper investigates the possibility of generating a “MasterPrint”, a synthetic or real partial fingerprint that serendipitously matches one or more of the stored templates for a significant number of users.

X-Platform Phishing: Abusing Trust for Targeted Attacks

April 6, 2017

Hossein Siadati, Toan Nguyen and Nasir D. Memon

Anti-phishing techniques intended to reduce the delivery rate of phishing emails, and anti-phishing trainings meant to decrease the phishing click-through rates. This paper presents the X-Platform Phishing Attack, a deceptive phishing attack with an alarmingly high delivery and click-through rates, and highlights a subset of the challenges that existing anti-phishing methods have fallen short to address. In this attack, an attacker embeds a malicious link within a legitimate message generated by a service provider. This attack can bypass the existing anti-phishing filters because the attacker uses the email ID of a reputable service provider to generate a seemingly legitimate email. This attack is irresistible for users to click on for a similar reason. For this, the attackers use email-based messaging and notification mechanisms such as friend requests, membership invitations, status updates, and customizable gift cards to embed and deliver phishing links to their targets. We have tested the delivery and click-through rates of this at- tack based on customized phishing emails tunneled through GitHubs pull-request mechanism. We observed that 100% of X-Platform Phishing emails passed the anti-phishing systems and were delivered to the inbox of the target subjects. All of the participants clicked on phishing messages, and in some cases, forwarded the message to other project collaborators and they also clicked on the phishing links in turn.

Tools for Automated Analysis of Cybercriminal Markets

April 6, 2017

Sadia Afroz, Rebecca Sorla Portnoff, Greg Durrett, Jonathan Kummerfeld, Damon McCoy, Kirill Levchenko, and Vern Paxson

Underground forums are widely used by criminals to buy and sell a host of stolen items, datasets, resources, and criminal services. These forums contain important resources for understanding cybercrime. However, the number of forums, their size, and the domain expertise required to understand the markets makes manual exploration of these forums unscalable. In this work, we propose an automated, top-down approach for analyzing underground forums.

Secure 3D Printing: Reconstructing and Validating Solid Geometries using Toolpath Reverse Engineering

April 2, 2017

Nektarios Georgios Tsoutsos, Homer Gamil and Michail Maniatakos

As 3D printing becomes more ubiquitous, traditional centralized process chains are transformed to a distributed manufacturing model, where each step of the process can be outsourced to different parties. Despite the countless benefits of this revolutionary technology, outsourcing parts of the process to potentially untrusted parties raises security concerns, as malicious design modifications can impact the structural integrity of the manufactured 3D geometries. To address this problem, we introduce a novel compiler that allows reverse engineering G-code toolpaths (i.e., machine commands describing how a geometry is printed) to reconstruct a close approximation of the original 3D object. Our framework then uses Finite Element Analysis to simulate the reconstructed object under different stress conditions and validate its structural integrity, without requiring a golden model reference.

Logic Locking for Secure Outsourced Chip Fabrication: A New Attack and Provably Secure Defense Mechanism

March 29, 2017

Mohamed El Massad, Jun Zhang, Siddharth Garg, and Mahesh V. Tripunitara

Chip designers outsource chip fabrication to external foundries, but at the risk of IP theft. Logic locking, a promising solution to mitigate this threat, adds extra logic gates (key gates) and inputs (key bits) to the chip so that it functions correctly only when the correct key, known only to the designer but not the foundry, is applied. In this paper, we identify a new vulnerability in all existing logic locking schemes.

 

Demystifying advanced persistent threats for industrial control systems.

March 23, 2017

Keliris, Anastasis and Maniatakos, Michail.

Cyberattacks are an emerging threat for Industrial Control Systems (ICS) that, given the tight coupling between the cyber and physical components, can have far-reaching implications. It is typical for contemporary ICS components to utilize Commercial-Off-The-Shelf (COTS) hardware and software, rendering them prone to vulnerabilities and exploitation techniques that afflict IT systems (Figure 1). In an effort to demonstrate the ICS cyber threat landscape, we discuss a comprehensive methodology for designing an Advanced Persistent Threat (APT), which is a stealthy and continuous type of cyberattack with a high level of sophistication suitable for the complex environment of ICS.

Secure and Flexible Trace-Based Debugging of Systems-on-Chip

March 15, 2017

Jerry Backer, David Hely and Ramesh Karri

This work tackles the conflict between enforcing security of a system-on-chip (SoC) and providing observability during trace-based debugging. On one hand, security objectives require that assets remain confidential at different stages of the SoC life cycle. On the other hand, the trace-based debug infrastructure exposes values of internal signals that can leak the assets to untrusted third parties.

 

Phishing for Phools in the Internet of Things: Modeling One-to-Many Deception using Poisson Signaling Games

March 15, 2017

Jeffrey Pawlick and Quanyan Zhu

Strategic interactions ranging from politics and pharmaceuticals to e-commerce and social networks support equilibria in which agents with private information manipulate others which are vulnerable to deception. Especially in cyberspace and the Internet of things, deception is difficult to detect and trust is complicated to establish. For this reason, effective policy-making, profitable entrepreneurship, and optimal technological design demand quantitative models of deception. In this paper, we use game theory to model specifically one-to-many deception.

Learning from Experience: A Dynamic Closed-Loop QoE Optimization for Video Adaptation and Delivery

March 6, 2017

Imen Triki, Quanyan Zhu, Rachid Elazouzi, Majed Haddad, Zhiheng Xu

In general, the quality of experience QoE is subjective and context-dependent, identifying and calculating the factors that affect QoE is a difficult task. Recently, a lot of effort has been devoted to estimating the users QoE in order to enhance video delivery. In the literature, most of the QoE-driven optimization schemes that realize trade-offs among different quality metrics have been addressed under the assumption of homogenous populations, nevertheless, people perceptions on a given video quality may not be the same, which makes the QoE optimization harder. This paper aims at taking a step further to address this limitation to meet all the users profiles. We propose a closed-loop control framework based on the users subjective feedbacks to learn the QoE function and enhance video qualities at the same time. Our simulation results show that our system converges to a steady state where the learned QoE-function noticeably enhances the users feedbacks.

Remote field device fingerprinting using device-specific modbus information

March 6, 2017

Anastasis Keliris and Michail Maniatakos

Device fingerprinting can provide useful information for vulnerability assessment and penetration testing, and can also facilitate the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure devices. In this paper, we propose a method for fingerprinting industrial devices that utilize the Modbus protocol. Our technique is based on the observation that implementations of the Modbus protocol differ between vendors. Although the Modbus protocol specification defines a device identification mechanism, several vendors do not implement this mechanism or use different methods for identifying their devices. We utilize these implementation differences, in conjunction with the lack of authentication in the Modbus protocol, to fingerprint remote field devices.

Remote field device fingerprinting using device-specific modbus information

March 6, 2017

Anastasis Keliris and Michail Maniatakos

Device fingerprinting can provide useful information for vulnerability assessment and penetration testing, and can also facilitate the reconnaissance phase of a malicious campaign. This information becomes critical when the target devices are deployed in industrial environments, given the potential impact of cyber-attacks on critical infrastructure devices. In this paper, we propose a method for fingerprinting industrial devices that utilize the Modbus protocol. Our technique is based on the observation that implementations of the Modbus protocol differ between vendors. Although the Modbus protocol specification defines a device identification mechanism, several vendors do not implement this mechanism or use different methods for identifying their devices. We utilize these implementation differences, in conjunction with the lack of authentication in the Modbus protocol, to fingerprint remote field devices. We evaluate our proposed methodology on Modbus-enabled devices that are directly connected to the internet and indexed by the Shodan search engine. Our analysis focuses on devices from four vendors used across different industry verticals. We have accurately identified make and model information for 308 devices, improving the fingerprinting capabilities of Shodan by 28%.

Secure and Reconfigurable Network Design for Critical Information Dissemination in the Internet of Battlefield Things (IoBT)

March 2, 2017

Muhammad Junaid Farooq and Quanyan Zhu

This work aims to build the theoretical foundations of designing secure and reconfigurable IoBT networks. Leveraging the theories of stochastic geometry and mathematical epidemiology, we develop an integrated framework to study the communication of mission-critical data among different types of network devices and consequently design the network in a cost effective manner.

Security analysis of Anti-SAT

February 20, 2017

Muhammad Yasin, Bodhisatwa Mazumdar, Ozgur Sinanoglu, and Jeyavijayan Rajendran

Logic encryption protects integrated circuits (ICs) against intellectual property (IP) piracy and overbuilding attacks by encrypting the IC with a key. A Boolean satisfiability (SAT) based attack breaks all existing logic encryption technique within few hours. Recently, a defense mechanism known as Anti-SAT was presented that protects against SAT attack, by rendering the SAT-attack effort exponential in terms of the number of key gates.

A Bi-Level Game Approach to Attack-Aware Cyber Insurance of Computer Networks

February 20, 2017

Rui Zhang, Quanyan Zhu and Yezekael Hayel

Network security becomes more challenging than ever as today’s computer networks become increasingly complex. The deployment of defense mechanisms such as firewalls , intrusion detection systems , and moving target defenses can effectively reduce the success rate of cyber attacks but cannot guarantee perfect network security as attacks are becoming more stealthy and sophisticated . Network users can still be hacked, resulting in severe data breaches, disruption of services and financial losses. Cyber insurance provides users a valuable additional layer of protection to mitigate potential vulnerabilities to unknown threats, hacking, and human errors. An incentive compatible cyber insurance policy could help reduce the number of successful cyber attacks by incentivizing the adoption of preventative measures in return for more coverage and the implementation of best practices by basing premiums on an insured level of self-protection