Showing papers on "Pre-play attack published in 2017"

AppSAT: Approximately deobfuscating integrated circuits

Abstract: In today's diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning. Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.

Tactics of Adversarial Attack on Deep Reinforcement Learning Agents

Abstract: We introduce two tactics to attack agents trained by deep reinforcement learning algorithms using adversarial examples, namely the strategically-timed attack and the enchanting attack. In the strategically-timed attack, the adversary aims at minimizing the agent's reward by only attacking the agent at a small subset of time steps in an episode. Limiting the attack activity to this subset helps prevent detection of the attack by the agent. We propose a novel method to determine when an adversarial example should be crafted and applied. In the enchanting attack, the adversary aims at luring the agent to a designated target state. This is achieved by combining a generative model and a planning algorithm: while the generative model predicts the future states, the planning algorithm generates a preferred sequence of actions for luring the agent. A sequence of adversarial examples is then crafted to lure the agent to take the preferred sequence of actions. We apply the two tactics to the agents trained by the state-of-the-art deep reinforcement learning algorithm including DQN and A3C. In 5 Atari games, our strategically timed attack reduces as much reward as the uniform attack (i.e., attacking at every time step) does by attacking the agent 4 times less often. Our enchanting attack lures the agent toward designated target states with a more than 70% success rate. Videos are available at this http URL

Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a Cloud computing environment

Abstract: As Cloud computing is reforming the infrastructure of IT industries, it has become one of the critical security concerns of the defensive mechanisms applied to secure Cloud environment. Even if there are tremendous advancements in defense systems regarding the confidentiality, authentication and access control, there is still a challenge to provide security against availability of associated resources. Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack can primarily compromise availability of the system services and can be easily started by using various tools, leading to financial damage or affecting the reputation. These attacks are very difficult to detect and filter, since packets that cause the attack are very much similar to legitimate traffic. DoS attack is considered as the biggest threat to IT industry, and intensity, size and frequency of the attack are observed to be increasing every year. Therefore, there is a need for stronger and universal method to impede these attacks. In this paper, we present an overview of DoS attack and distributed DoS attack that can be carried out in Cloud environment and possible defensive mechanisms, tools and devices. In addition, we discuss many open issues and challenges in defending Cloud environment against DoS attack. This provides better understanding of the DDoS attack problem in Cloud computing environment, current solution space, and future research scope to deal with such attacks efficiently.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking

Abstract: As modern attacks become more stealthy and persistent, detecting or preventing them at their early stages becomes virtually impossible. Instead, an attack investigation or provenance system aims to continuously monitor and log interesting system events with minimal overhead. Later, if the system observes any anomalous behavior, it analyzes the log to identify who initiated the attack and which resources were affected by the attack and then assess and recover from any damage incurred. However, because of a fundamental tradeoff between log granularity and system performance, existing systems typically record system-call events without detailed program-level activities (e.g., memory operation) required for accurately reconstructing attack causality or demand that every monitored program be instrumented to provide program-level information. To address this issue, we propose RAIN, a Refinable Attack INvestigation system based on a record-replay technology that records system-call events during runtime and performs instruction-level dynamic information flow tracking (DIFT) during on-demand process replay. Instead of replaying every process with DIFT, RAIN conducts system-call-level reachability analysis to filter out unrelated processes and to minimize the number of processes to be replayed, making inter-process DIFT feasible. Evaluation results show that RAIN effectively prunes out unrelated processes and determines attack causality with negligible false positive rates. In addition, the runtime overhead of RAIN is similar to existing system-call level provenance systems and its analysis overhead is much smaller than full-system DIFT.

Scenario and countermeasure for replay attack using join request messages in LoRaWAN

Abstract: LPWAN (Low Power Wide Area Networks) technologies have been attracting attention continuously in IoT (Internet of Things). LoRaWAN is present on the market as a LPWAN technology and it has features such as low power consumption, low transceiver chip cost and wide coverage area. In the LoRaWAN, end devices must perform a join procedure for participating in the network. Attackers could exploit the join procedure because it has vulnerability in terms of security. Replay attack is a method of exploiting the vulnerability in the join procedure. In this paper, we propose a attack scenario and a countermeasure against replay attack that may occur in the join request transfer process.

The Password Reset MitM Attack

Abstract: We present the password reset MitM (PRMitM) attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it. The attack has several variants, including exploitation of a password reset process that relies on the victim's mobile phone, using either SMS or phone call. We evaluated the PRMitM attacks on Google and Facebook users in several experiments, and found that their password reset process is vulnerable to the PRMitM attack. Other websites and some popular mobile applications are vulnerable as well. Although solutions seem trivial in some cases, our experiments show that the straightforward solutions are not as effective as expected. We designed and evaluated two secure password reset processes and evaluated them on users of Google and Facebook. Our results indicate a significant improvement in the security. Since millions of accounts are currently vulnerable to the PRMitM attack, we also present a list of recommendations for implementing and auditing the password reset process.

Quantitative Method for Network Security Situation Based on Attack Prediction

Abstract: Multistep attack prediction and security situation awareness are two big challenges for network administrators because future is generally unknown. In recent years, many investigations have been made. However, they are not sufficient. To improve the comprehensiveness of prediction, in this paper, we quantitatively convert attack threat into security situation. Actually, two algorithms are proposed, namely, attack prediction algorithm using dynamic Bayesian attack graph and security situation quantification algorithm based on attack prediction. The first algorithm aims to provide more abundant information of future attack behaviors by simulating incremental network penetration. Through timely evaluating the attack capacity of intruder and defense strategies of defender, the likely attack goal, path, and probability and time-cost are predicted dynamically along with the ongoing security events. Furthermore, in combination with the common vulnerability scoring system (CVSS) metric and network assets information, the second algorithm quantifies the concealed attack threat into the surfaced security risk from two levels: host and network. Examples show that our method is feasible and flexible for the attack-defense adversarial network environment, which benefits the administrator to infer the security situation in advance and prerepair the critical compromised hosts to maintain normal network communication.

DDoS attack on cloud auto-scaling mechanisms

Abstract: Auto-scaling mechanisms are an important line of defense against Distributed Denial of Service (DDoS) in the cloud. Using auto-scaling, machines can be added and removed in an on-line manner to respond to fluctuating load. It is commonly believed that the auto-scaling mechanism casts DDoS attacks into Economic Denial of Sustainability (EDoS) attacks. Rather than suffering from performance degradation up to a total denial of service, the victim suffers only from the economic damage incurred by paying for the extra resources required to process the bogus traffic of the attack. Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism, that can cause significant performance degradation in addition to economic damage. In the Yo-Yo attack, the attacker sends periodic bursts of overload, thus causing the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The Yo-Yo attack is harder to detect and requires less resources from the attacker compared to traditional DDoS. We demonstrate the attack on Amazon EC2 [4], and analyze protection measures the victim can take by reconfiguring the auto-scaling mechanism.

Cryptanalysis and improvement of a biometric-based remote user authentication protocol usable in a multiserver environment

Abstract: Recently, Amin and Biswas have discussed a bilinear pairing–based three-factor remote user authentication protocol, claiming it to be secured against various attacks. We scrutinize this protocol and find that it is vulnerable to identity guessing attack, password guessing attack, user untraceability attack, user-server impersonation attack, new smart card issue attack, and privileged insider attack. In this paper, we propose an elliptic curve cryptography and biometric-based remote user authentication protocol for a multiserver environment by overcoming these drawbacks. We conduct its informal and formal security analysis to show that it resists all known security attacks. The Burrows-Abadi-Needham (BAN) logic verifies that our protocol facilitates mutual authentication and session key agreement securely. We simulate it using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to certify that it can be protected from passive and active threats, including replay and man-in-the-middle attacks. Furthermore, the proposed protocol provides more security attributes and better complexity in terms of smart card storage cost, computation cost, estimated time, and communication cost, as compared with the related existing protocols.

SEINA: A stealthy and effective internal attack in Hadoop systems

Abstract: Big data processing frameworks such as Hadoop [1] are now widely adopted, however the security issues in large scale systems have not been well studied yet. Unlike prior work on data privacy and protection, this paper investigates a potential attack from a compromised internal node against the overall system performance. We develop an effective attack launched from the compromised node that can significantly degrade the data processing performance of the cluster without being detected and blacklisted for job execution, also present a mitigation scheme that protects a Hadoop system from such attack. The results of experiments show that this attack greatly slows down the job executions in the native Hadoop system even with some basic defense mechanisms, however, our mitigation schem can keep the whole cluster running efficiently under such attack.

Slowcomm: Design, development and performance evaluation of a new slow DoS attack

Abstract: The Internet, a useful tool for communicating information, is now a pervasive and necessary infrastructure for modern economy Accordingly, because of economic motivations, it became an arena for cyberwarfare and cybercrime In this paper, we present the novel threat called SlowComm and we show how it can successfully lead a DoS on a targeted system using a small amount of attack bandwidth Further, since the proposed attack is not bounded to a specific protocol, it can be considered a protocol independent attack, proving the ability it has to affect different Internet services

The Case for In-Network Replay Suppression

Abstract: We make a case for packet-replay suppression at the network layer, a concept that has been generally neglected. Our contribution is twofold. First, we demonstrate a new attack, the router-reflection attack, that can be launched using compromised routers. In this attack, a compromised router degrades the connectivity of a remote Internet region just by replaying packets. The attack is feasible even if all packets are attributed to their sources, i.e., source authentication is in place, and our evaluation shows that the threat is pervasive---candidate routers for compromise are in the order of hundreds or thousands. Second, we design an in-network mechanism for replay suppression. We start by showing that designing such a mechanism poses unsolved challenges and simple adaptations of end-to-end solutions are not sufficient. Then, we devise, analyze, and implement a highly efficient protocol that suppresses replayed traffic at the network layer without global time synchronization. Our software-router prototype can saturate a 10 Gbps link using only two CPU cores for packet processing.

Investigation Approach for Network Attack Intention Recognition

Abstract: Sensitive information has critical risks when transmitted through computer networks. Existing protection systems still have limitations with treating network information with sufficient confidentiality, integrity, and availability. The rapid development of network technologies helps increase network attacks and hides their malicious intentions. Attack intention is the ultimate attack goal that the attacker attempts to achieve by executing various intrusion methods or techniques. Recognizing attack intentions helps security administrator develop effective protection systems that can detect network attacks that have similar intentions. This paper analyses attack types and classifies them according to their malicious intent. An investigation approach based on similarity metric is proposed to recognize attacker plans and predict their intentions. The obtained results demonstrate that the proposed approach is capable of investigating similarity of attack signatures and recognizing the intentions of Network attack.

A session hijacking attack on physical layer key generation agreement

Abstract: Physical layer key agreement is a new kind of schemes used to generate a shared key between pervasive and resource constrained devices. These schemes utilize the characteristics of the wireless channel to generate the shared key. As all characteristics are time-depend and location-depend, it is hard for eavesdroppers to get the key. But it lacks research on active attacks which aim at manipulating the key. PHY-UIR (PHYsical layer key agreement with User Introduced Randomness) is the only paper which proposes a solution in detail to against such kind of active attacks. In this paper, we propose a new kind of key manipulating attack which PHY-UIR can not prevent. We call it session hijacking attack as the attacker hijacking the key agreement by injecting high power signals and force legitimate devices running PHY-UIR protocol with the attacker. In such way, the attacker and device generate the same key. Our simulation result validates our attack and shows the high performance of our attack on manipulating the generated key.

Numerical simulation of the optimal two-mode attacks for two-way continuous-variable quantum cryptography in reverse reconciliation

Abstract: We analyze the security of the two-way continuous-variable quantum key distribution protocol in reverse reconciliation against general two-mode attacks, which represent all accessible attacks at fixed channel parameters. Rather than against one specific attack model, the expression of secret key rates of the two-way protocol are derived against all accessible attack models. It is found that there is an optimal two-mode attack to minimize the performance of the protocol in terms of both secret key rates and maximal transmission distances. We identify the optimal two-mode attack, give the specific attack model of the optimal two-mode attack and show the performance of the two-way protocol against the optimal two-mode attack. Even under the optimal two-mode attack, the performances of two-way protocol are still better than the corresponding one-way protocol, which shows the advantage of making a double use of the quantum channel and the potential of long-distance secure communication using two-way protocol.

Conditional differential attacks on Grain-128a stream cipher

Abstract: The well-known stream cipher Grain-128a is the new version of Grain-128. While Grain-128 is vulnerable against several introduced attacks, Grain-128a is claimed to be secure against all known attacks and observations on Grain-128. So far the only published single-key attack on Grain-128a is the conditional differential cryptanalysis proposed by Michael Lehmann et al. at CANS 2012. In their analysis, a distinguishing attack on 189-round Grain-128a in a weak-key setting was proposed. In this study, the authors present two new conditional differential attacks on Grain-128a, i.e. attack A and attack B. In attack A, the authors successfully retrieve 18 secret key expressions for 169-round Grain-128a. To the best of our knowledge, attack A is the first attack to retrieve secret key expressions for reduced Grain-128a. In attack B, the authors extend the distinguishing attack against Grain-128a up to 195 rounds in a weak-key setting. Thus far, attack B is the best known attack for reduced Grain-128a as far as the number of rounds attacked is concerned. Hopefully, the authors’ reflections on the design of Grain-128a provide insights on such compact stream ciphers.

Local Cyber-physical Attack with Leveraging Detection in Smart Grid

Abstract: A well-designed attack in the power system can cause an initial failure and then results in large-scale cascade failure. Several works have discussed power system attack through false data injection, line-maintaining attack, and line-removing attack. However, the existing methods need to continuously attack the system for a long time, and, unfortunately, the performance cannot be guaranteed if the system states vary. To overcome this issue, we consider a new type of attack strategy called combinational attack which masks a line-outage at one position but misleads the control center on line outage at another position. Therefore, the topology information in the control center is interfered by our attack. We also offer a procedure of selecting the vulnerable lines of its kind. The proposed method can effectively and continuously deceive the control center in identifying the actual position of line-outage. The system under attack will be exposed to increasing risks as the attack continuously. Simulation results validate the efficiency of the proposed attack strategy.

An Algorithm for Moderating DoS Attack in Web Based Application

Abstract: The denial of service attack is the most powerful damaging attacks used by hackers to harm a business or organization. This attack is one of most dangerous cyber-attacks. It causes service outages and the loss of millions, depending on the time of attack. In past few years, the use of the attack has enlarged due to the accessibility of free tools. This tool can be blocked simply by having a good firewall, but an extensive and clever DoS attack can avoid most of the restrictions. A Denial of Service attacks against web sites occur when a hacker attempts to make the web server, or servers, unavailable for legitimate users and finally, to take the service slowing them down. This is attained by flooding the server's request queue with fake requests. After this, server will not be capable to handle the requests of genuine users. For some time, it was thought that these types of attacks were generally used against large companies, government sites, and activist sites as a form of protest to interrupt their web presence. In general, there are two forms of the DoS attack. The first form is on that can crash a server. The second form of DoS attack only floods a service. Online Vulnerability Scanner is a tool which is capable to detect DoS Attack in web application and compare its performance. We proposed an aegis algorithm which can be used to moderate DoS attack in web application Vulnerability.

Keep Pies Away from Kids: A Raspberry Pi Attacking Tool

Abstract: The focus of this short paper has been to use a Raspberry Pi device to perform certain network attacks and exploit vulnerabilities in existing systems. To this end, we developed a new attack tool that can be installed on a Raspberry Pi and allows novice users to perform a Man-in-the-Middle attack and a small-scale Denial-of-Service attack. The first attack has been designed in such a way so that the attacker can gather credentials of legitimate users even when they try to visit websites that are running under SSL/TLS and they have enabled the HSTS protocol. Regarding the second attack, the attacker has the ability to control a set of malicious Raspberry Pi's and intentionally attempt to stop legitimate users from accessing services. The attacker can select a specific target in the network and overload the corresponding device by sending several fake requests. Throughout this work, we discovered that although security protocols have become more effective over the years it is still considerably easy to launch certain attacks with the main aim to breach users' privacy or restrict service to certain users.

Advanced random time queue blocking with traffic prediction for defense of low-rate dos attacks against application servers

Abstract: Among many strategies of Denial of Services, low-rate traffic denial-of-service (DoS) attacks are more significant. This strategy denies the services of a network by detection of the vulnerabilities in performance of the application. In this research, an efficient defence methodology is developed against low-rate DoS attack in the application servers. Though, the Improved Random Time Queue Blocking (IRTQB) technique can eliminate the vulnerabilities in the network and also avoiding the attacker from capturing all the server queue positions by defining a spatial similarity metric (SSM). However, the differentiation of the attack requests from the legitimate users’ is not always efficient since only the source IP addresses and the record timestamp are considered in the SSM. It was improved by using Advanced Random Time Queue Blocking (ARTQB) scheme that employed Bandwidth utilization of attacker in IRTQB to detect the DoS attack that normally consumes a huge number of resources of the server. However, this method becomes ineffective when the attack consumes more network traffic. In this paper, an efficient detection technique called Advanced Random Time Queue Blocking with Traffic Prediction (ARTQB-TP) is proposed for defining SSM which contains, Source IP, timestamp, Bandwidth between two requests and the difference between the attack traffic and legitimate traffic. The ARTQB-TP technique is utilized to reduce the attack efficiency in 18 different server configurations which are more vulnerable to the DoS attacks and where the attacks may also have a chance to improve its effectiveness. Experimental results show that the proposed system performs better protection of application servers against the LRDoS attacks by solving its impacts on any kind of server architectures and reduced the attack efficiencies of all the types of attack strategies.

Insider Attack Identification and Prevention in Collection-Oriented Dataflow-Based Processes

Abstract: We introduce an approach of automatically identifying attacks by insider agents on dataflow-based processes having a collection-oriented data model and then improving the processes to prevent the attacks against them. Some process data, if used by some agents via steps at certain points of timeline, will lead to a privacy attack. A manual identification of these vulnerable data and rogue agents is quite tedious; thus, our approach automatically performs these identifications. We model a process and an attack based on a directed acyclic graph, with steps, reading and writing data, and controlled by agents. Then, we perform a declarative implementation to find out if this attack model can be mapped onto the process model based on some similarity criteria. If these criteria are met, we conclude that the attack model is “similar enough” to the process model to be successfully realized through it. Each possible way of mapping shows an avenue of attack on the process. Agent collusion scenarios are also identified. Finally, our approach automatically identifies process improvement opportunities and iteratively exploits them, thereby eliminating attack avenues.

On Feasibility and Performance of Rowhammmer Attack

Abstract: In this paper we study the Rowhammer sidechannel attack and evaluate its feasibility on practical exploitation scenarios in Linux. Currently, all the implementations released, capable of performing the Rowhammer attack, require elevated privileges. This is a very strong requirement which, in a sense, puts ths attack into the theoretical spectrum. The purpose of this report is to explore different techniques that would allow the execution of the Rowhammer attack in userspace. More specifically, we provide two implementations, each of them having different strength of requirements but with one characteristic in common: the capability of executing the Rowhammer attack without elevated privileges. At the end, we see that not only it was possible to reach similar levels of performance with the programs that required elevated privileges, but in some cases even outperform them, in both native and virtual environments.

Gain : Practical Key-Recovery Attacks on Round-Reduced PAEQ

Abstract: This work presents practical key-recovery attacks on round-reduced variants of CAESAR Round 2 candidate PAEQ by analyzing it in the light of guess-and-determine analysis. The attack developed here targets the mode of operation along with diffusion inside the AES based internal permutation AESQ. The first attack uses a guess-and-invert technique leading to a meet-in-the-middle attack that is able to recover the key for 6 out of the 20 rounds of paeq-64/80/128 with reduced key entropy of \(1,2^{16}\) and \(2^{32}\) respectively. The second analysis extends the attack to 7 rounds using a invert-and-guess strategy which results in reduced key-space of \(2^{24},2^{32}\) and \(2^{40}\) for the same PAEQ variants. Finally, an 8-round attack is mounted using a guess-invert-guess strategy which works on any of the three variants with a complexity of \(2^{48}\). Moreover, unlike the CICO attack mounted by the designers which works with only AESQ, our 8-round attack additionally takes into account the mode of operation of PAEQ.

Adversary Group Decision-Making Regarding Choice of Attack Methods: Expecting the Unexpected

Abstract: Anticipating whether an adversary group will continue to use their usual (“conventional”), expected attack methods is important for military and counterterrorism practitioners tasked with protecting the security of others. Conventional attack methods are by their nature easier to plan and prepare for whilst “innovative” methods may take those responsible for security and counterterrorism by surprise and, as such, may have more impact and more serious consequences. The present study aimed to develop understanding of how, when, and why adversary groups might decide to use conventional attack methods or opt to do something innovative instead. A literature review was conducted and findings were applied to develop a thorough understanding of the decision-making process that underlies an adversary group's choice of attack method. Identified are three stages preceding the execution of an attack: a) “strategic direction”; b) “incubation”; and c) “planning and preparation,” plus “overarching” and “contextual” fact...