
Showing papers by "Jelena Mirkovic published in 2014"


Journal Article
TL;DR: Class Capture-the-Flag exercises (CCTFs) are proposed to revitalize cybersecurity education, and the paper describes how to design these exercises to be easy for teachers to conduct and grade, easy for students to prepare for, and a lot of fun for everyone involved.
Abstract: The field of cybersecurity is adversarial – the real challenge lies in outsmarting motivated and knowledgeable human attackers. Sadly, this aspect is missing from current cybersecurity classes, which are often taught through lectures and occasionally through “get your feet wet” practical exercises. We propose Class Capture-the-Flag exercises (CCTFs) to revitalize cybersecurity education. These are small-scoped competitions that pit teams of students against each other in realistic attack-defense scenarios. We describe how to design these exercises to be easy for teachers to conduct and grade, easy for students to prepare for and a lot of fun for everyone involved. We also provide descriptions of CCTFs we have developed and recount our experiences of using them in class.

44 citations


Proceedings Article
20 Aug 2014
TL;DR: Cardinal Pill Testing is proposed, a modification of Red Pill Testing that aims to enumerate the differences between a given VM and a physical machine through carefully designed tests; the paper also sketches a method to hide pills from malware by systematically correcting their outputs in the virtual machine.
Abstract: Malware analysis relies heavily on the use of virtual machines for functionality and safety. There are subtle differences in operation between virtual machines and physical machines. Contemporary malware checks for these differences to detect that it is being run in a virtual machine, and modifies its behavior to thwart being analyzed by the defenders. Existing approaches to uncover these differences use randomized testing, or malware analysis, and cannot guarantee completeness. In this paper we propose Cardinal Pill Testing--a modification of Red Pill Testing [21] that aims to enumerate the differences between a given VM and a physical machine, through carefully designed tests. Cardinal Pill Testing finds five times more pills by running fifteen times fewer tests than Red Pill Testing. We further examine the causes of pills and find that, while the majority of them stem from the failure of virtual machines to follow CPU design specifications, a significant number stem from under-specification of the effects of certain instructions by the Intel manual. This leads to divergent implementations in different CPU and virtual machine architectures. Cardinal Pill Testing successfully enumerates differences that stem from the first cause, but only exhaustive testing or an understanding of implementation semantics can enumerate those that stem from the second cause. Finally, we sketch a method to hide pills from malware by systematically correcting their outputs in the virtual machine.
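The enumeration the abstract describes, reduced to a runnable sketch (an added example, not the paper's tool or its test set): each case drives one x86-64 instruction with a chosen operand, presets the flags, and records the destination register and the arithmetic flags. Running the same harness on bare metal and inside the VM and diffing the two records lists the pills. The `check_defined_semantics` step separates the two causes the paper names: a mismatch there means the VM departs from behaviour the Intel manual defines, while a difference that shows up only in `find_pills` between two spec-compliant machines is one of the under-specified cases (BSF's flags and its zero-source destination, OF after a multi-bit shift, IMUL's SF/ZF/AF/PF). The four cases, the flag preset and the function names are this example's choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFLAGS bits an arithmetic or bit-scan instruction may touch. */
#define CF 0x001u
#define PF 0x004u
#define AF 0x010u
#define ZF 0x040u
#define SF 0x080u
#define OF 0x800u
#define ARITH_FLAGS (CF | PF | AF | ZF | SF | OF)

enum { NTESTS = 4 };

typedef struct {
    const char *name;  /* instruction and operand case */
    uint64_t result;   /* RAX after the instruction */
    uint64_t flags;    /* RFLAGS & ARITH_FLAGS after the instruction */
} pill_result;

#if defined(__x86_64__) && defined(__GNUC__)
/* Run one instruction on RAX = in with the flags preset by TEST, then capture RAX and
   RFLAGS. The LEA pair steps over the SysV red zone so PUSHFQ cannot clobber locals;
   LEA (unlike SUB/ADD) leaves the flags being captured untouched. */
#define RUN_CASE(insn, in, res, fl)                                                        \
    __asm__ volatile("test %%rax, %%rax\n\t" insn "\n\t"                                   \
                     "lea -128(%%rsp), %%rsp\n\tpushfq\n\tpop %1\n\tlea 128(%%rsp), %%rsp" \
                     : "=a"(res), "=r"(fl) : "0"(in) : "cc", "memory")
#define HAVE_PILL_TESTS 1
#else
#define HAVE_PILL_TESTS 0
#endif

/* Fill out[] with the observed outcome of each case; returns the number of cases run
   (0 where the x86-64 GCC/Clang inline assembly is unavailable). */
static int run_pill_tests(pill_result out[NTESTS]) {
    memset(out, 0, sizeof(pill_result) * NTESTS);
#if HAVE_PILL_TESTS
    uint64_t r, f;
    RUN_CASE("bsf %%rax, %%rax", 0x100ULL, r, f);
    out[0] = (pill_result){"bsf, source 0x100 (CF/OF/SF/AF/PF undefined)", r, f & ARITH_FLAGS};
    RUN_CASE("bsf %%rax, %%rax", 0x0ULL, r, f);
    out[1] = (pill_result){"bsf, source 0 (destination undefined)", r, f & ARITH_FLAGS};
    RUN_CASE("shl $3, %%rax", 0x8000000000000001ULL, r, f);
    out[2] = (pill_result){"shl by 3 (OF undefined for count > 1)", r, f & ARITH_FLAGS};
    RUN_CASE("imul %%rax, %%rax", 0x10000ULL, r, f);
    out[3] = (pill_result){"imul (SF/ZF/AF/PF undefined)", r, f & ARITH_FLAGS};
    return NTESTS;
#else
    return 0;
#endif
}

/* Cause 1: outcomes the Intel SDM fully defines for these cases. A mismatch here means
   the machine (or VM) is not following the spec. Returns the number of violations. */
static int check_defined_semantics(const pill_result *r, int n) {
    int bad = 0;
    if (n < NTESTS) return 0;
    if (r[0].result != 8 || (r[0].flags & ZF)) bad++;   /* lowest set bit of 0x100 is 8, ZF clear */
    if (!(r[1].flags & ZF)) bad++;                      /* zero source sets ZF */
    if (r[2].result != 8 || (r[2].flags & CF)) bad++;   /* last bit shifted out (bit 61) is 0 */
    if (r[3].result != 0x100000000ULL || (r[3].flags & (CF | OF))) bad++; /* product fits: CF=OF=0 */
    return bad;
}

/* Diff two records (VM vs. bare metal); every index returned is a pill. On two
   spec-compliant machines the remaining differences are the under-specified cases. */
static int find_pills(const pill_result *vm, const pill_result *bare, int n, int *idx) {
    int k = 0;
    for (int i = 0; i < n; i++)
        if (vm[i].result != bare[i].result || vm[i].flags != bare[i].flags) idx[k++] = i;
    return k;
}

int main(void) {
    pill_result rec[NTESTS];
    int n = run_pill_tests(rec);
    for (int i = 0; i < n; i++)
        printf("%-48s result=%#llx flags=%#llx\n", rec[i].name,
               (unsigned long long)rec[i].result, (unsigned long long)rec[i].flags);
    printf("spec violations on this machine: %d\n", check_defined_semantics(rec, n));
    return 0;
}
```

Save the printed record from a physical machine, run the same binary inside the VM under test, and feed both records to `find_pills`; a VM that passes `check_defined_semantics` but still differs is exhibiting exactly the under-specification the paper says only exhaustive testing or knowledge of the implementation can enumerate.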

29 citations


Journal ArticleDOI
TL;DR: This paper proposes a resource allocation algorithm that minimizes the overall cloud operation cost, while satisfying required service-level agreements (SLAs) and demonstrates that multi-cloud allocation outperforms single-cloud allocations in a variety of realistic scenarios.

24 citations


18 Aug 2014
TL;DR: New advancements for high-fidelity transparent emulation and fine-grain automatic containment that make live malware experimentation safe and useful to researchers are introduced, and a complete, extensible live-malware experimentation framework is proposed.
Abstract: In this paper, we advocate for publicly accessible live malware experimentation testbeds. We introduce new advancements for high-fidelity transparent emulation and fine-grain automatic containment that make such experimentation safe and useful to researchers, and we propose a complete, extensible live-malware experimentation framework. Our framework, aided by our new technologies, facilitates a qualitative leap from current experimentation practices. It enables specific, detailed and quantitative understanding of risk, and safe, fully automated experimentation by novice users, with maximum utility to the researcher. We present preliminary results that demonstrate effectiveness of our technologies and map the path forward for public live-malware experimentation.

14 citations


Proceedings ArticleDOI
17 Aug 2014
TL;DR: Extensive evaluations on realistic traffic traces and Internet topology show that SENSS can be used to quickly, safely and effectively mitigate a variety of large-scale attacks that are largely unhandled today.
Abstract: We propose a new software-defined security service -- SENSS -- that enables a victim network to request services from remote ISPs for traffic that carries source IPs or destination IPs from this network's address space. These services range from statistics gathering, to filtering or quality of service guarantees, to route reports or modifications. The SENSS service has very simple, yet powerful, interfaces. This enables it to handle a variety of data plane and control plane attacks, while being easily implementable in today's ISP. Through extensive evaluations on realistic traffic traces and Internet topology, we show how SENSS can be used to quickly, safely and effectively mitigate a variety of large-scale attacks that are largely unhandled today.
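As an added example of the interface the abstract describes, not the paper's own implementation or message format: a minimal SENSS-style endpoint at an ISP that answers statistics and filter requests scoped by a prefix and a direction (traffic to or from that prefix), with an optional remote prefix for the other end of the flow. The authorization check is the security-relevant part: the ISP honours a request only if the prefix lies within the address space it has registered for the requester, so a third party cannot use the service to blackhole or profile someone else's traffic. The owner table, the flows and the AS numbers are constructed sample data, and the requester is assumed to have been authenticated before the request reaches this code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t addr; int len; } prefix_t;            /* IPv4 CIDR, host byte order */
typedef enum { DIR_DST, DIR_SRC } dir_t;                         /* traffic toward / from the prefix */
typedef struct { const char *src, *dst; uint64_t nbytes; } flow_t;
typedef struct { const char *asn, *prefix; } owner_t;
typedef struct {
    const char *requester;   /* network asking for the service (assumed authenticated upstream) */
    const char *prefix;      /* CIDR the request is scoped to; must lie in requester's space */
    dir_t dir;
    int filter;              /* 0 = statistics only, 1 = also install a drop rule */
    const char *remote;      /* optional CIDR for the other end of the flow, or NULL */
} request_t;
typedef struct { int ok; int flows; uint64_t nbytes; } reply_t;
typedef struct { dir_t dir; prefix_t own, remote; int has_remote; } filter_t;

/* Constructed sample data (not from the paper): the address space registered to each
   customer/peer, which is the ISP's authorization source, and a few observed flows. */
static const owner_t OWNERS[] = { {"AS64500", "203.0.113.0/24"}, {"AS64501", "198.51.100.0/24"} };
static const flow_t FLOWS[] = {
    {"198.51.100.7", "203.0.113.10",  900000},  /* flood toward the victim */
    {"198.51.100.9", "203.0.113.10",  800000},
    {"192.0.2.5",    "203.0.113.10",    4000},  /* legitimate client */
    {"203.0.113.10", "192.0.2.5",       2000},  /* victim's reply traffic */
    {"192.0.2.8",    "198.51.100.20",   3000},  /* unrelated, another network */
};
#define NFLOWS (sizeof FLOWS / sizeof *FLOWS)
#define MAXFILTERS 8
static filter_t FILTERS[MAXFILTERS];
static int nfilters;

/* Parse "a.b.c.d" or "a.b.c.d/len"; returns 0 on success. */
static int parse_prefix(const char *s, prefix_t *p) {
    unsigned a, b, c, d; int len = 32, n = 0;
    if (sscanf(s, "%u.%u.%u.%u%n", &a, &b, &c, &d, &n) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255) return -1;
    if (s[n] == '/') { if (sscanf(s + n + 1, "%d", &len) != 1 || len < 0 || len > 32) return -1; }
    else if (s[n] != '\0') return -1;
    p->addr = (a << 24) | (b << 16) | (c << 8) | d; p->len = len;
    return 0;
}
static uint32_t ip(const char *s) { prefix_t p; return parse_prefix(s, &p) == 0 ? p.addr : 0; }
static int prefix_contains(prefix_t p, uint32_t a) {
    uint32_t mask = p.len == 0 ? 0 : 0xFFFFFFFFu << (32 - p.len);
    return (a & mask) == (p.addr & mask);
}
static int subnet_of(prefix_t a, prefix_t b) { return a.len >= b.len && prefix_contains(b, a.addr); }

/* Does this flow fall under (dir, own[, remote])? */
static int matches(const flow_t *f, const filter_t *fl) {
    uint32_t own_ip = fl->dir == DIR_DST ? ip(f->dst) : ip(f->src);
    uint32_t other  = fl->dir == DIR_DST ? ip(f->src) : ip(f->dst);
    return prefix_contains(fl->own, own_ip) && (!fl->has_remote || prefix_contains(fl->remote, other));
}

/* The check that makes a remotely offered service safe: a network may only act on
   traffic to or from prefixes registered to it. */
static int authorized(const char *requester, prefix_t own) {
    for (size_t i = 0; i < sizeof OWNERS / sizeof *OWNERS; i++) {
        prefix_t o;
        if (strcmp(OWNERS[i].asn, requester) == 0 && parse_prefix(OWNERS[i].prefix, &o) == 0 &&
            subnet_of(own, o)) return 1;
    }
    return 0;
}

/* ok=0 on malformed or unauthorized requests; for a filter request, flows/nbytes report
   what the installed rule drops. */
static reply_t senss_handle(const request_t *r) {
    reply_t rep = {0, 0, 0};
    filter_t fl = {r->dir, {0, 0}, {0, 0}, 0};
    if (parse_prefix(r->prefix, &fl.own) != 0 || !authorized(r->requester, fl.own)) return rep;
    if (r->remote) {
        if (parse_prefix(r->remote, &fl.remote) != 0) return rep;
        fl.has_remote = 1;
    }
    if (r->filter) {
        if (nfilters >= MAXFILTERS) return rep;
        FILTERS[nfilters++] = fl;
    }
    for (size_t i = 0; i < NFLOWS; i++)
        if (matches(&FLOWS[i], &fl)) { rep.flows++; rep.nbytes += FLOWS[i].nbytes; }
    rep.ok = 1;
    return rep;
}

/* Number of flows the ISP still forwards after the installed filters. */
static int senss_forward(void) {
    int kept = 0;
    for (size_t i = 0; i < NFLOWS; i++) {
        int dropped = 0;
        for (int j = 0; j < nfilters; j++) if (matches(&FLOWS[i], &FILTERS[j])) dropped = 1;
        kept += !dropped;
    }
    return kept;
}

int main(void) {
    request_t stats  = {"AS64500", "203.0.113.0/24", DIR_DST, 0, NULL};
    request_t hijack = {"AS64501", "203.0.113.0/24", DIR_DST, 1, NULL};   /* not the owner */
    request_t drop   = {"AS64500", "203.0.113.0/24", DIR_DST, 1, "198.51.100.0/24"};
    reply_t a = senss_handle(&stats), b = senss_handle(&hijack), c = senss_handle(&drop);
    printf("stats: ok=%d flows=%d bytes=%llu\n", a.ok, a.flows, (unsigned long long)a.nbytes);
    printf("filter by non-owner: ok=%d\n", b.ok);
    printf("filter by owner: ok=%d drops %d flows; forwarding %d of %d\n",
           c.ok, c.flows, senss_forward(), (int)NFLOWS);
    return 0;
}
```

The statistics reply is what lets the victim find the attack sources before asking for the narrower filter (victim prefix plus remote prefix), which is the workflow that keeps the ISP-side rule from also dropping the legitimate client; the request from AS64501 for AS64500's prefix fails the ownership check and installs nothing.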

12 citations



01 Jan 2014
TL;DR: Today's Internet lacks a wide-scale, general service for automated inter-ISP collaboration on security problem diagnosis and mitigation; earlier proposals for collaborative DDoS, worm and routing defenses remain undeployed because each targets one attack type, requires data plane changes or new router functionality, or gives ISPs no incentive to cooperate.
Abstract: Network attacks have long been an important problem, and have attracted a lot of research in the academic and commercial sectors. With a rapidly growing number of critical as well as business applications deployed on the Internet today, network attacks have become both more lucrative for the attackers and more damaging to the victims. The implications of network attacks for the victim can be huge. For example, a distributed denial-of-service (DDoS) attack can overwhelm the victim and make it unable to handle its regular business. A large-volume DDoS attack can further cause collateral damage to traffic that shares links with the victim’s traffic, leading to large traffic drops, BGP session interruptions and routing interruptions [4]. Besides the data plane attacks, control plane misconfigurations and attacks on the interdomain routing protocol BGP [3] can have dire implications for victim networks. For example, the prefix-hijacking attack injects and propagates false routes to the Internet, causing the victim’s traffic to be redirected to the attacker’s networks for sniffing, modification or dropping [1]. Traffic sniffing and modification are very difficult to detect and mitigate, and create huge security and privacy issues for the victim, while blackholing severely affects online businesses and critical infrastructures. Many solutions have been proposed to detect and mitigate individual attacks. For example, in the DDoS realm many victim-deployed or ISP-deployed DDoS defenses, overlay-based DDoS defenses [2] and content replication to sustain high-volume attacks have been proposed and deployed. In the routing realm, detection approaches that monitor live BGP data feeds and conduct data plane probing have been proposed to diagnose prefix-hijacking attacks. But ultimately, traffic flows, attacks, and their routes are the results of actions of multiple networks, each following its individual interests and priorities.
Thus, while many attack instances can be handled by the victim and its local ISP, there will always exist attacks that cannot be diagnosed or mitigated without help from remote networks, which are involved in sourcing or carrying traffic to the victim. Today’s Internet lacks a wide-scale, general service for automated inter-ISP collaboration on security problem diagnosis and mitigation. There have been numerous research works on inter-ISP collaboration for attack diagnosis and mitigation, such as collaborative DDoS defenses, collaborative worm defenses, and collaborative routing defenses. However, most proposals are still not deployed today because: (1) most of the proposals focus only on detection or mitigation of one attack type or variant; (2) some solutions require complex changes to the data plane or new router functionality, which are difficult to achieve; (3) some solutions do not create proper incentives for ISPs to collaborate with each other.

10 citations


Proceedings ArticleDOI
03 Nov 2014
TL;DR: Critter connects end-users willing to share data with researchers and strikes a balance between privacy risks for a data contributor and utility for a researcher.
Abstract: Access to current application and network data is vital to cybersecurity and networking research. Intrusion detection, steganography, traffic camouflaging, traffic classification and modeling all benefit from real-world data. Such data provides training, testing, and evaluation as well as furthers efforts to reach ground truth. Currently available network data--especially data with application-level information--is often outdated and is either private or customized to specific, narrow research needs. The biggest hurdle to obtaining such content-rich data is addressing the huge privacy risks associated with sharing such complex and open-ended data. In this paper we present a data sharing system called Critter-at-Home which addresses these challenges. Critter connects end-users willing to share data with researchers and strikes a balance between privacy risks for a data contributor and utility for a researcher.

5 citations