Detailed Program

by Michael Kao last modified 2009-01-05 16:25

1.      Detailed Program

2.      Biographies of Speakers

 

Detailed Program

The 5th (2009 1st) iCAST/CMU/TRUST Joint Conference on

Security and Privacy Technologies

January 7-8, 2009

IB-101, National Taiwan University of Science and Technology, Taipei, Taiwan

 

Wednesday, January 7

09:00-09:30

Registration

09:30-09:40

Opening Remarks

 

I.   Pervasive Security and Privacy Assurance

09:40-12:30    Session Chairs:  Yih-Kuen Tsay and Bow-Yaw Wang

09:40-10:20

Keynote Speech:

“MODEL CHECKING: My 27-Year Quest to Overcome the State Explosion Problem”

Edmund M. Clarke (CMU)

In 1981, Edmund M. Clarke and E. Allen Emerson, working in the USA, and Joseph Sifakis working independently in France, authored seminal papers that founded what has become the highly successful field of Model Checking.  This verification technology provides an algorithmic means of determining whether an abstract model---representing, for example, a hardware or software design---satisfies a formal specification expressed as a temporal logic formula.  Moreover, if the property does not hold, the method identifies a counterexample execution that shows the source of the problem.

The progression of Model Checking to the point where it can be successfully used for complex systems has required the development of sophisticated means of coping with what is known as the state explosion problem.  Great strides have been made on this problem over the past 27 years by what is now a very large international research community.  As a result many major hardware and software companies are beginning to use Model Checking in practice.  Examples of its use include the verification of VLSI circuits, communication protocols, software device drivers, real-time embedded systems, and security algorithms. 

The work of Clarke, Emerson, and Sifakis continues to be central to the success of this research area.  Their work over the years has led to the creation of new logics for specification, new verification algorithms, and surprising theoretical results.  Model Checking tools, created by both academic and industrial teams, have resulted in an entirely novel approach to verification and test case generation.   This approach, for example, often enables engineers in the electronics industry to design complex systems with considerable assurance regarding the correctness of their initial designs.  Model Checking promises to have an even greater impact on the hardware and software industries in the future.  (ACM Turing Award Citation)

10:20-11:00

“What Are We Trying to Prove? Why Logic Matters for Computer Security?”

Peter Lee (CMU)

11:00-11:20

Break

11:20-11:55

“Grey: A Practical Logic-based Access-control System”

Lujo Bauer (CMU)

Grey is an access-control system in which smartphones serve as the device by which users exercise and delegate their authority. In an ongoing deployment in a building on our campus, Grey is used daily by about 30 people to control access to office doors and log in to computers.  Grey has several distinguishing features, including the use of logic-based techniques to achieve high assurance and support for ad-hoc delegation: users can modify their security policy at the time and place of their choosing, including dynamically, in response to access attempts that would otherwise fail.
In this talk I will outline several of the underlying practical challenges of building such a system and some related recent results, including leveraging observed behavior to aid in policy creation and verifying that the system meets users' needs in practice.

11:55-12:30

“BitBlaze: a New Approach to Computer Security via Binary Analysis”

Dawn Song (UCB)

In this talk, I will present the BitBlaze project, a new approach to computer security via binary analysis.  In particular, BitBlaze focuses on building a unified binary analysis platform and using it to provide novel solutions to a broad spectrum of different security problems.  The binary analysis platform is designed to enable accurate analysis, provide an extensible architecture, and combines static and dynamic analysis as well as program verification techniques to satisfy the common needs of security applications.  By extracting security-related properties from binary programs directly, BitBlaze enables a principled, root-cause based approach to computer security, offering novel and effective solutions, as demonstrated with over a dozen different security applications, including in-depth malware analysis, vulnerability discovery, diagnosis, and defense, patch-based exploit generation, and reverse engineering of protocol formats.  I will give an overview of the BitBlaze project and present some recent results on more powerful techniques for symbolic execution and model extraction enabling more effective vulnerability discovery and diagnosis and malware analysis.

12:30 – 13:20 Lunch Break        13:00 – 14:00 Demo

II. Wireless and Sensor Network Security

14:00 -17:00    Session Chairs:  Shiuhpyng Shieh and Tien-Ruey Hsiang

14:00-14:30

“Wireless and Software Security”

Wen-Guey Tzeng (NCTU), Shih-Kun Huang (NCTU), Wei-Chung Teng (NTUST) 

 1. Key Establishment Schemes against Storage Bounded Adversaries in Wireless Sensor Networks

We re-examine the attacking scenario about wireless sensor networks and propose the storage-bounded adversary model for wireless sensor networks, in which the adversary's storage is bounded.  We propose two key establishment schemes for establishing shared keys for neighboring sensor nodes in the storage-bounded adversary model.  The first scheme needs special beacon nodes for broadcasting random bits.  In the second scheme, some sensor nodes play the role of beacon nodes.

2. CT-Exploit: Controllable Taintedness for Automated Exploit Generator

If unauthorized users cannot execute code needing normal authorization, we mean this code section to be a forbidden area. We want to explore if the full path coverage tester can generate suitable input without authorization to enter a forbidden area of a software system, especially for mobile platforms. To enter the forbidden area (FA), we have designed a framework, called CT-Exploit, with three components: a failure detector and taint tracker called BEAGLE, a Concolic tester called ALERT, and a high level property checker called CAST. If we encounter a software failure, especially, with a corrupted control and data state, the execution will be brought into a fuzz state by some kind of tainted input. Based on the uncontrolled input, we want to test if they are controllable tainted input, called their taintedness. The CT-Exploit framework will generate input to automatically enter FA with specified properties, which is evaluated with several benchmark programs, not currently with plausible input by fuzzers like zzuf and catchconv.

3. A Node Identification in Wireless Sensor Networks Utilizing Time Synchronization

Node identification is one of the most important issues to wireless sensor network security. Current approaches use cryptographic authentication and certification tools to ensure node identification, while this talk introduces an intuitive method to identify a node by measuring its clock skew. This method is based on our observation that every sensor node has a unique clock skew value that is different from any other node. Flooding Time Synchronization Protocol (FTSP) is used as the tool to measure clock skew, and current experimental data show that almost all measured clock skews of one sensor node vary inside a tiny bound. For any two nodes that both clock skews are very close to each other, a classifying function is proposed to check the line continuity of contiguous measured clock skews. As a result, the proposed method has successfully identified every node in experiments performed by my laboratory. Applications of this method, like Sybil attack detection, will also be discussed if time permits.

14:30-15:00

“SWOON: a Secure Wireless Overlay Observation Network Testbed”

Yu-Lun Huang (NCTU), Chien-Hua Chiu (NTU), Bo-Ting Chen (NCTU),

Chih-Yuan Wang (NTUST), Cing-Hao Liou (NTUST), Mao-Jie Lin (NCKU),

Shiuan-Tzuo Shen (NCTU), Tzu-I Yang (NCTU), Yu-Kai Hsiao (TKU),

Zong-Syun Lin (NCTU)

1. A Plug-in Architecture for SWOON

Wireless security is important because more and more applications move to wireless networks. However, testing wireless security is hard because the infrastructure is too big and too expensive. In addition, we must contain all the attacks in the testbed without letting them jump out to the real networks and affect normal users. To solve this problem, we built SWOON, which is the first wireless security testbed. SWOON uses emulation, not simulation, which means that we can use real machines to do real measurements and get real results. In this semester, we re-architected SWOON with a plug-in architecture. Plug-in architecture is a modern design approach which provides great flexibility and modularity. New features can be written and compiled separately as plug-ins, and users can dynamically add these plug-ins to the main program as they need. With the plug-in architecture designed, we can develop new attacks without any change to the SWOON core architecture and hence make SWOON become more stable and more extendable.

2. Implementing Verifiable Order Statistics for Secure Aggregation

In-network aggregation can save significant bandwidth in distributed query systems, but is subject to attack by adversaries. Prior work addressed settings where data sources are trusted, but the aggregation infrastructure needs to be secured. We study extensions that also make aggregate queries robust to adversarial data sources, which can inject spurious values into the data stream to be aggregated. Wagner observed that the field of robust statistics can provide tools here, since robust estimators (medians, trimmed means, median absolute deviations, etc.) provide formal guarantees on the degree to which perturbed data can have an effect on aggregate results. This raises the challenge of developing verifiable in-network algorithms for robust estimators. Many of the natural robust estimators are built on order statistics, so we focus here on verifiable techniques for in-network computation of order statistics. To our knowledge, there is no mechanism that guarantees both the efficiency and verifiability of the order statistics computation. In this work, we present the FM3 Proof Sketch aggregation protocol, which efficiently and securely computes various approximate order statistics (including medians, median absolute deviations, quantiles, ranks, and frequent items). We derive robustness and approximation guarantees for those queries in adversarial environments, and demonstrate empirically that our scheme is practically useful via experiments on real and synthetic data.

3. Using reputation to guide long-term archival storage

Network storage system may suffer unexpected system failures, which causes the loss of valuable files of users. We design a long-term archival data storage system that uses reputation for users to select reliable storage servers with minimum cost. Erasure-code is used to create redundancy to improve a file's survivability. To calculate the reputation of a server, we employ a provable data possession (PDP) scheme to verify data integrity on servers, which also induces a meaningful measure of servers' reliability. Simulations show that our reputation system successfully helps a user to determine the number of required servers, given a desired file survival probability.

4. Detecting Virtualization Resistant Behavior in Modern Malware

We use the enhanced behavior distance algorithm to distinguish whether a malware sample is Anti-VM malware or not. We try to improve the correctness of the malware analysis result and reduce the loss rate of malware detection.

5. Profiling User behavior by Digital Forensic Technique

Traditionally there are several ways to recognize users, such as face recognition, handwriting and fingerprinting. All of them are doing well on recognizing users, but the equipments needed are not easily obtained and deployed. In this paper we develop an algorithm to profile and recognize users by their own habits. The algorithm is implemented by ranking commands into scores, then plotting them versus input sequence. This is much more efficient than the traditional ways. Besides, we overcame the problems of delay and bias. The experiment result showed an acceptable recognition rate. Furthermore, we can improve the recognition by other novel techniques since we successfully transfer user behavior into wavelet. Also we can apply our work in visualizing user behavior and remote device recognition.

6. Anonymous Routing for Asymmetric Communication Wireless Mesh Networks

In wireless networks, we usually use symmetric encryption to ensure the confidentiality and integrity of data during the data forwarding procedure, and to make sure the data can correctly reach the destination, we need a correct and reliable routing path. But wireless mesh networks (WMNs) combine several kinds of wireless communication networks and devices such as laptops, cell phones or sensor nodes. The devices in WMNs usually have different resources such as computation, communication and energy, so two communicating devices may have unbalanced resources. Most ad hoc routing protocols and key establishment schemes usually assume every device has the same communication and computation capability, but in WMNs this would be false; if these protocols are used in WMNs, they may not achieve the same effectiveness and efficiency as in MANETs. But eavesdropping or modification may easily occur during data forwarding over wireless channels. If these protocols don't perform perfectly like in MANETs, the secret data may be exposed or a wrong routing path may be created in WMNs. Therefore, these protocols may not be suitable for WMNs. Although data encryption can protect the content exchanged between users, analysis of communication patterns may reveal valuable information about end users and their relationships. Using anonymous paths for communication provides security and privacy against traffic analysis. In order to provide reliable data transmission and data confidentiality and integrity, and moreover to protect the privacy of users, we propose the Anonymous Routing for Asymmetric Communication Wireless Mesh Networks.

15:00-15:40

Break and DEMO

15:40-15:50

“Detection & Response Strategies to Attacks on Control Systems”

Zong Syun Lin (NCTU)

SCADA (Supervisor Control And Data Acquisition) systems integrate monitoring and computing capabilities to stabilize safety-critical processes. Any disruption of these systems can cause serious damage to people who depend on them. To analyze how these attacks affect the control system, we perform DoS attacks and integrity attacks on the simplified Tennessee Eastman chemical plant. And we design a new architecture with an internal module and an Intrusion detection system to protect against the cyber attacks. The internal module is a linear model of the whole plant. It is used to simulate the working state and output of this plant. Then the IDS can compare the real and simulated signals to judge whether the system is under attack. If the IDS detects the plant is compromised, it switches to use the simulated signals to prevent the fake signals crashing the plant.

15:50-16:00

“Profiling User Behavior by Digital Forensics Technique”

Tzu-I Yang (NCTU)

Traditionally there are several ways to recognize users, such as face recognition, handwriting and fingerprinting.  In practice, there exists a critical problem that the equipment needed is not easily obtained. In this paper we develop an algorithm to profile and recognize users by their own habits without delay and bias. The algorithm is implemented by ranking user input commands into scores, then plotting them versus input sequence. The experiment result shows an acceptable recognition rate and performance. Furthermore, we can improve the recognition by transferring user behavior into wavelet. We can apply our work in visualizing user behavior and remote device recognition in advanced.

16:00-16:10

“Detecting Virtualization Resistant Behavior in Modern Malware”

Mao-Jie Lin (NCKU)

Malware is an important topic of security threat research. Many researchers try to use Virtual Machine system to monitor the malware behavior, and the process of malware analysis will not affect the physical environment. Some malware authors don't want their malware to be analyzed in VM(Virtual Machine) environment, because the analyzer can get much information about the malware in VM environment. There are many Anti-VM techniques which are used to ward off the collection, analysis and reverse engineering features of the VM environment.

This paper presents a solution to detect Anti-VM techniques. We collect the behavior information from the malware sample, and use the enhanced behavior distance algorithm to distinguish whether the malware is Anti-VM malware or not. We try to improve the correctness of the malware analysis result, and reduce the loss rate of malware detection.

16:10-16:20

“Exploiting Multi-core Processor on Network Intrusion Detection”

Bo-Ting Chen (NCTU)

It is easy for network intrusion detection system (NIDS) to exhaust the computing resource of a network device when performing computing-intensive operations such as running DPI algorithms or handling heavy network traffic. The cheapest way to get more CPU cycle is to use a multi-core processor, but traditional NIDS are executed in single thread, which could utilize one core at a time with the other idled. In this research, we propose a parallelized NIDS to take advantage of multi-core processors by executing multiple NIDS in a multi-core system. We assign each NIDS one-on-one to a core; and also introduce a kernel space classifier to distribute packets and balance the load among cores in our system.

16:20-16:30

“Implementing Verifiable Order Statistics for Secure Aggregation”

Chih-Yuan Wang (NTUST)

In-network aggregation can save significant bandwidth in distributed query systems, but is subject to attack by adversaries. Prior work addressed settings where data sources are trusted, but the aggregation infrastructure needs to be secured. We study extensions that also make aggregate queries robust to adversarial data sources, which can inject spurious values into the data stream to be aggregated. Wagner observed that the field of robust statistics can provide tools here, since robust estimators (medians, trimmed means, median absolute deviations, etc.) provide formal guarantees on the degree to which perturbed data can have an effect on aggregate results. This raises the challenge of developing verifiable in-network algorithms for robust estimators. Many of the natural robust estimators are built on order statistics, so we focus here on verifiable techniques for in-network computation of order statistics. To our knowledge, there is no mechanism that guarantees both the efficiency and verifiability of the order statistics computation. In this work, we present the FM3 Proof Sketch aggregation protocol, which efficiently and securely computes various approximate order statistics (including medians, median absolute deviations, quantiles, ranks, and frequent items). We derive robustness and approximation guarantees for those queries in adversarial environments, and demonstrate empirically that our scheme is practically useful via experiments on real and synthetic data.

16:30-16:40

“Anonymous Routing Protocol for Asymmetric Communication Wireless Mesh Networks”

Yu-Kai Hsiao (TKU)

In wireless networks, we usually use symmetric encryption to ensure the confidentiality and integrity of data during the data forwarding procedure, and to make sure the data can correctly reach the destination, we need a correct and reliable routing path. But wireless mesh networks (WMNs) combine several kinds of wireless communication networks and devices such as laptops, cell phones or sensor nodes. The devices in WMNs usually have different resources such as computation, communication and energy, so two communicating devices may have unbalanced resources. Most ad hoc routing protocols and key establishment schemes usually assume every device has the same communication and computation capability, but in WMNs this would be false; if these protocols are used in WMNs, they may not achieve the same effectiveness and efficiency as in MANETs. But eavesdropping or modification may easily occur during data forwarding over wireless channels. If these protocols don't perform perfectly like in MANETs, the secret data may be exposed or a wrong routing path may be created in WMNs. Therefore, these protocols may not be suitable for WMNs. Although data encryption can protect the content exchanged between users, analysis of communication patterns may reveal valuable information about end users and their relationships. Using anonymous paths for communication provides security and privacy against traffic analysis. In order to provide reliable data transmission and data confidentiality and integrity, and moreover to protect the privacy of users, we propose the Anonymous Routing for Asymmetric Communication Wireless Mesh Networks.

16:40-16:50

“Loop Detection and Query Reduction on Catchconv”

Shiuan-Tzuo Shen (NCTU)

“How to ensure whether a program is reliable or not?” is a major issue in software security. Concolic testing is an important and useful technique to examine the tested program with a high coverage rate. Concolic testing performs both concrete execution and symbolic execution simultaneously and dynamically generates good test inputs that make the tested program take a new execution path. Catchconv implements the Concolic testing technique and tries to find implicit vulnerabilities in a program. However, Catchconv is not efficient enough to test large programs. Symbolic execution is somewhat complex and takes too much time to be done. Moreover, a loop makes a program execute the same set of code blocks repeatedly, and symbolic execution may issue too many constraint queries and spend too much time on a loop. Given the performance limits of Catchconv, we try to reduce the number of constraint queries to the constraint solver and hope that Catchconv can be more efficient and more effective.

16:50-17:00

“A long-term System based on Reputation”

Cing-Hao Liou (NTUST)

Network storage system may suffer unexpected system failures, which causes the loss of valuable files of users. We design a long-term archival data storage system that uses reputation for users to select reliable storage servers with minimum cost. Erasure-code is used to create redundancy to improve a file's survivability. To calculate the reputation of a server, we employ a provable data possession (PDP) scheme to verify data integrity on servers, which also induces a meaningful measure of servers' reliability. Simulations show that our reputation system successfully helps a user to determine the number of required servers, given a desired file survival probability.

 

Demo Hours: 13:00-14:00 and 15:00-15:40 (Wednesday ONLY)

Thursday, January 8

III. Software Security and Advanced Remote Authentication

09:30 -10:50    Session Chair:  Tyng-Ruey Chuang

09:30-09:50

“Methods for Software Security Verification”

Yih-Kuen Tsay (NTU)

The Software Security part (Project 311) of iCAST aims at developing fundamental and practical solutions to the assurance of software security. We have made significant progress on two topics of focus: (1) Memory Safety Analysis of Programs with Pointers and (2) Automated Compositional Verification. The first topic concerns the problem of locating memory errors resulting from pointer manipulation that are often a cause of security vulnerabilities, while the second investigates automation of the compositional approach to alleviating the state-explosion problem for large systems. For memory safety analysis, we have developed a novel approach for combining shape analysis and arithmetic reasoning, which permits the analysis of programs that perform both data structure and arithmetic operations. A tool based on this approach has been developed and is continuously being enhanced, e.g., to treat user-defined inductive pointer structures. For compositional verification, we solved an open problem of learning an arbitrary omega-regular language, which allows us to extend learning-based automated compositional verification to liveness properties. We have also developed other learning algorithms that significantly improve the efficiency of compositional verification for the case of classic regular languages.

09:50-10:10

“1. Improving the Learning-based Approach to Compositional Verification”

“2. Memory Safety of Programs with Inductive Pointer Structures”

Yu-Fang Chen (NTU), Ming-Hsien Tsai (NTU)

1. Improving the Learning-based Approach to Compositional Verification

Automated compositional verification via machine learning techniques is seen by many as a promising approach to scale up Model Checking to large design. However, most of the currently proposed approaches do not really improve the efficiency and scalability of Model Checking. One of the main reasons is that those approaches cannot guarantee finding a best way to break a verification task down into subtasks. Algorithms for learning a minimal separating DFA of two disjoint regular languages have been proposed and adapted for different applications. One of the most important applications is learning minimal (best) contextual assumptions in automated compositional verification. We propose in this paper an efficient learning algorithm, called LSep, that learns and generates a minimal separating DFA. Our algorithm has a quadratic query complexity in the product of sizes of the minimal DFA's for the two input languages. In contrast, the most recent algorithm of Gupta et al. has an exponential query complexity in the sizes of the two DFA's. Moreover, experimental results show that our learning algorithm significantly outperforms all existing algorithms on randomly-generated example problems. We describe how our algorithm can be adapted for automated compositional verification. The adapted version is evaluated on the LTSA benchmarks and compared with other automated compositional verification approaches. The result shows that our algorithm surpasses others in 30 of 49 benchmark problems.

2. Memory Safety of Programs with Inductive Pointer Structures

Security is a complex, multi-faceted issue. Experience has shown that hackers will find the weak points in a system and focus their attacks there. For example, buffer overflows, logic errors, and string manipulation errors are all vulnerabilities that can be exploited to gain access or deny service. It is these software-based vulnerabilities that formal methods seek to prevent. Over the last three years we have been developing techniques for statically detecting possible memory and termination errors in software that makes use of heap-allocated data. These techniques are implemented in the tool THOR. We present the data structure description language that THOR uses and discuss how these descriptions are translated into the entailment rules and abstraction rules used by THOR.

10:10-10:40

“SPATE: A Complete System for Public Key Management within Small Groups”

Adrian Perrig (CMU), Bo-Yin Yang (Academia Sinica)

Establishing trust between a group of individuals remains a difficult problem. Prior works assume trusted infrastructure, require an individual to trust unknown entities, or provide relatively low probabilistic guarantees of authenticity (95% for realistic settings). This work presents SPATE, a primitive that allows users to establish trust via device mobility and physical interaction. Once the SPATE protocol runs to completion, its participants’ mobile devices have authentic data that their applications can use to interact securely (i.e., the probability of a successful attack is 2^-24). For this work, we leverage SPATE as part of a larger system to facilitate efficient, secure, and user-friendly collaboration via email and file-sharing services. Our implementation of SPATE on Nokia N70 smart phones allows users to establish trust in small groups of up to eight users in less than one minute. The two example SPATE applications provide increased security with no overhead noticeable to users once keys are established.

10:40-11:00

“SPATE Project and a Study of Visual Hash (Small-group PKI-less Authenticated Trust Establishment)”

Yueh-Hsun Lin (NTHU), King-Hang Wang (NTHU), Hsu-Chun Hsiao (CMU)

Common cryptographic hash functions like MD5 and SHA-1 generate outputs with more than 28 bits. Users always find difficulties in comparing and remembering these long hashes manually. As a result, there are some works in the literature that attempt to visualize the message digest. These works are referred to as the Visual Hash. In this paper, we study the performance of each visual hash scheme through a user test in comparing the message digests of these schemes. Currently, we are in the middle of the research and have obtained some preliminary results from a small pool of users. In the next phase of the study, we will invite users from different countries to conduct the test.

11:00-11:20 Break

IV. Wireless Security and Video Surveillance

11:20 -12:10    Session Chair:  Wei-Chung Hwang

11:20-11:40

“A Trustable Reputation Scheme”

Shin-Yan Chiou (ITRI)

In online reputation systems, different mutually unrelated users contribute reputation records, rendering the reputation result neither verifiable nor trustworthy. We thus consider the problem of how to build a reputation system that is verifiably trustworthy. We present protocols for a reputation scheme that is verifiably trustworthy. Our approach has many applications such as Internet auctions, online games, social networks, etc.

11:40-11:50

“A Trustable Reputation Scheme Based on Private Relationships”

Ghita Mezzour (CMU)

Many websites provide reviews about products, restaurants, etc submitted by users to help others make purchase decisions. Fake evaluations, however, limit the usefulness of this service. In this paper we present techniques that enable users to recognize evaluations submitted by their friends as these are more trustworthy. The mechanisms preserve the privacy of the friendship relationships from the website, and the privacy of the mapping between the real identity of a user and her online identity from other users including her friends. Our approach has many applications such as Internet auctions, online games, social networks, etc.

11:50-12:00

“CITRIC Camera Mote Update”

Colby Boyer (UCB) , Leon Lin (ITRI)

The CITRIC camera mote platform was designed jointly by the University of California, Berkeley and the Industrial Technology Research Institute (ITRI) to offer flexibility and fast application development.  The platform consists of a frequency-scalable (up to 624 MHz) CPU, 16MB FLASH, and 64MB RAM, and it is capable of interfacing with a standard sensor network mote.  To enable fast application development, the platform runs embedded Linux and it has an API to access the platform's core functions.  The use of Linux and a powerful processor makes the CITRIC platform ideal for in-network processing.

This talk will cover progress over the last six months on increasing hardware production, standardizing the software API, improving the platform's performance and reliability, and outreach to other research groups to adopt this platform.  We will also walk through a deployment example to highlight security considerations when deploying a camera network.

12:00-12:10

“Algebraic Approach for Recovering Topology in Distributed Camera Networks”

Phoebus Chen (UCB)

Camera networks are widely used for tasks such as surveillance, monitoring and tracking.  In order to accomplish these tasks, knowledge of localization information such as camera locations and other geometric constraints about the environment (e.g., walls, rooms, and building layout) is typically considered to be essential.  However, this information is not always required for many tasks such as estimating the topology of camera network coverage, or coordinate-free object tracking and navigation.  We propose a simplicial representation (called CN-Complex) that can be constructed from discrete local observations from cameras, and utilize this novel representation to recover the topological information of the network coverage.  We prove that our representation captures the correct topological information from network coverage for 2.5D layouts, and demonstrate its utility in simulations as well as a real-world experimental set-up.  Our proposed approach is particularly useful in the context of ad-hoc camera networks in indoor/outdoor urban environments with distributed but limited computational power and energy.  (This work was done by Edgar Lobaton, Parvez Ahammad, and Shankar Sastry at UC Berkeley, and submitted to IPSN 2009.)

12:10-13:10 Lunch Break

V. Intrusion Detection and Risk Management

13:10-17:10   Session Chairs:  Greg Wu and Hsing-Kuo Pao

13:10-13:45

“Graph Mining”

Christos Faloutsos (CMU)

What do graphs look like? How can we find patterns and anomalies in time-evolving graphs? We show some recent developments in social and computer network mining, and we focus on some methods that are promising for computer security.

13:45-14:35

“Towards Greater Depth in Network Security Monitoring”

1. Overview

2. Parallelizing Event-based Network Analysis for Efficient Execution on Multi-core Architecture

3. Integration of End-System Sensing into Network Monitoring and Forensics

Vern Paxson (UCB), Po-Ching Lin (III), Chien-Tsung Liu (III)

The pressures on implementing effective network security monitoring are growing fiercely due to rising traffic rates, the need to perform much more sophisticated forms of analysis, the importance of incorporating a wide range of network- and host-based sensing, the requirement for inline processing, and the collapse of Moore's law for sequential processing.

Responding to these pressures requires both the ability to effectively leverage parallel processing and the integration of disparate sources of monitoring information.  In this talk I will frame our ongoing development of an architecture and implementation for efficient execution of network monitoring on multicore systems, and a software system, VAST (Visibility Across Space and Time) that serves as a queryable repository for streams of events reflecting the broad spectrum of activity seen within a monitored network.

14:35-14:50

“The First Taiwanese ESM Software: UGuard”

Jason Lee (ISSDU)

UGuard is the first Enterprise Security Management (ESM) software developed in Taiwan. It is based on ISSDU's 4 years of experience in offering security outsourcing services and integrating security operation centers. UGuard will help enterprises easily manage their incident response process.

14:50-15:10

“System Dynamics Based Insider Threats Modeling”

Sang-Chin Yang (NDU)

Insider threats result from legitimate users abusing their privileges and causing tremendous damage or losses. Not always being friends, insiders can be main threats to the organization. With limited capability in countering insiders’ abnormal behaviors, many security technologies have been researched to prevent threats only from external attacks. This paper presents a dynamic model to build and simulate insider behaviors. This paper also provides simulation-based experiments to demonstrate the ability of the model to create insider behavior profiles. The critical challenge of this research is to effectively reduce the time between defection and preparation to attack. The objective is to discover the threat indicators to predict and prevent insider attacks.

15:10-15:30

Break

15:30-16:10

“Network Security and Management”

Chi-Sung Laih (NCKU), Yi-Leh Wu (NTUST), Meng-Chang Chen (Academia Sinica), Chia-Mei Chen (NSYSU)

1. Overview

2. The Design and Implementation of Hybrid Web Application IDS

3. IDEAS: Intrusion Detection and Event Analysis System

The Intrusion Detection and Event Analysis System (IDEAs) has been developed by the iCAST project over the past two and a half years to support the analysis capability of the Security Operation Center (SOC). IDEAs provides a complete user interface for managers to monitor network events of the entire environment in real time. The kernel analysis component is based on the Library of Learning Algorithm for Security Applications (LLASA), which provides several state-of-the-art machine learning and statistical learning algorithms to support diverse information security applications. To date, IDEAs can collect network traffic information in real time, analyze the statistics of network flow, correlate analysis results, draw the attack graph with a response mechanism, simulate the system security of the environment dependably, and analyze the IDEAs interface. The kernel analysis mechanisms supplied by LLASA provide several classification, clustering, association and data preprocessing approaches.

Based on prior work in iCAST, the goal of this project is to automatically identify what types of novel attack are included in the attacks and recognize the malicious intention of the attackers from the alert correlation results.  We aim to enhance the detection ability of novel attacks under IDEAs and LLASA from both aspects: retrieving knowledge from domain experts and developing advanced analysis techniques from machine learning. Because only a few labeled data are available in network security applications, we will apply the semi-supervised learning paradigm to use massive unlabeled data to help supervised learning. In the aspect of system development, we will seamlessly integrate IDEAs and LLASA for customization under different environments, so that analyzers can dynamically deploy and evaluate the analysis paradigms.

4. Profiling Internet Attack Behaviors and Scalable Network Forensics

5. Botnet detection based on network behavior

16:10-16:20

“The Design and Implementation of Web Application IDS”

Ming-Kung Sun (NCKU)

The Intrusion Detection System (IDS) is a software tool used to detect unauthorized access to a computer system or network. It gathers and analyzes information from various areas within networks to identify possible security breaches. The IDS is capable of detecting all types of malicious network traffic and computer usage. It can be classified into misuse detection, anomaly detection and hybrid/compound detection. Anomaly detection is broadly used for detecting novel and unknown attacks by profiling the normal system/network behavior, which enables it to be extremely effective in finding and foiling both known as well as unknown or ‘‘zero day’’ attacks. However, current anomaly detection based IDSs generate an unmanageable amount of alerts every day, and most of these alerts are false alerts. This research focuses on alert correlation, which provides techniques to correlate and aggregate similar or logically connected low level alerts from heterogeneous IDSs. In addition, we use machine learning related algorithms to profile normal behaviors and recognize novel malicious intention of the web traffic (e.g. Attribute length, Hidden Markov Model, Token finder and so on). This project intends to automatically identify what novel attack types are included in the attacks and recognize the malicious intention of the attackers from the alert correlation results. It can significantly improve the monitoring capability by taking a hybrid approach that consists of both anomaly as well as signature detection strategies.

16:20-16:30

“Finding Trajectory of Malicious Behaviors using Relational Activity Graph”

Ching-Hao Mao (NTUST)

Variations may occur for the same type of attack, when the attacker changes the action order, when the attacker tries to make the attack stealthier, or when different versions of the attack appear. Even if the attacker does the same thing temporally, the scenario may appear different under the different system environments of the victims. Using a relational graphical representation to correlate the alerts generated by an Intrusion Detection System (IDS) can reveal insight into dependency behavior for detecting multi-step attacks and stealthy attacks.  Existing methods either need more asset or vulnerability information, or they attempt to hierarchically integrate network flow information, which needs more correlation effort.  In this study, we propose a novel alert correlation method that captures mutual information from the alert relations, named relational activity graphs.  Based on the relational activity graphs, we use a dimension reduction technique, Isomap, to profile the trajectory of malicious behaviors based on the graph similarity measuring mechanism.

Finally, we apply supervised learning classification to detect the trajectory of malicious behaviors.  The proposed method is easier to plug into existing intrusion detection systems without extra configuration and modification.  The evaluations from three datasets, two benchmark datasets (DARPA 1999, 2000) and a real-world dataset gathered from a Security Operation Center (SOC) in Taiwan, support our approach.  The proposed system performs well in alarm reduction and multi-step attack detection.

16:30-16:40

“Anomaly Detection via Incremental and Decremental PCA”

Yi-Ren Yeh (NTUST)

In network communication, a small amount of abnormal behavior is hidden among a large amount of normal behavior. An outlier detection method can be used for detecting the small amount of abnormal behavior in the extremely unbalanced data distribution. In this article, we explore the variation of principal components when removing or adding an instance and propose angle-based outlier detection methods, incremental and decremental principal component analysis, for clarifying data and detecting the attacks from network communication. We also study the quick updating of the principal components for the effective computation and satisfying the on-line demand. Numerical experiments show that our proposed method is effective in computation time and anomaly detection.

16:40-16:50

“NetFlow Based Botnet Detection”

Hsiao-Chung Lin (NSYSU)

The paper focuses on detecting botnets from network traffic data. Botnets are hard to detect because their activities are subtle and do not disrupt the network, in contrast to DoS (Denial of Service) attacks and worms. We extract some features from NetFlow data and use flow correlation to figure out related flows. After correlating related flows, a partition-based clustering algorithm is applied for on-line detection of IRC (Internet Relay Chat) based botnets. The experiment results show that we can detect communications of IRC based botnets.

16:50-17:00

“Rx2V: A PCRE-extended Generator for High Efficient FPGA-based Pattern Matching”

Yuan-Chin Wen (NTU)

A Network Intrusion Detection System (NIDS) generally matches complex syntax against raw data from the network to identify whether the data is malicious or not. The syntax, also known as a signature, represents one behavior of an intrusive attack. Most of these signatures are composed of specific patterns and options, which are provided by illustrious network security software such as SNORT and Bro. Traditionally, the most computation-intensive part of the procedure of deep packet inspection, packet header classification and payload recognition included, is pattern scanning and matching. With the fast growth of high throughput networks, such as 10Gbps, the trend is towards hardware-assisted or full-hardware solutions that offload the pattern matching procedure to a Field Programmable Gate Array (FPGA). In this paper, we provide a circuit generator which generates Non-deterministic Finite Automata (NFA) corresponding to a given Perl Compatible Regular Expression (PCRE). Besides, we also provide an optimized method, called context sharing (CS), to reduce the usage of logic elements in the FPGA by 33%.

17:00-17:10

“Behavior Profiling of Internet Attacks”

Shun-Wen Hsiao (NTU), Chang-Huan Wu (NTU)

Internet attacks involve continuously evolving evasion techniques using increasingly sophisticated mechanisms to outwit the existing detection techniques. Conventional detection systems that use a combination of signature-based and rule-based anomaly detection techniques no longer offer sufficient protection. It is difficult to predict what form or strategy the next malware attack will take, which poses a great challenge to the design of a robust intrusion detection system. Profiling is an important area in traditional criminal investigations. In cyberspace security, the key issue in profiling is how to identify the distinctive characteristics of attacks that are robust and can be manipulated to prevent further intrusions.

In our work, we automatically specify specific characteristics to generate attack symptoms that can be identified in hostile, intrusive, annoying activities. We observed that attacks are conducted through interactions between attacker and victim hosts to progress vulnerability exploitation over the network. Hence, the interactions of protocols and services used between the attacker and victim are modeled to construct the behavior profile. We focus on the activities that deviate from the expected behaviors of the protocols and services.

We propose cross-level tracking of correlation of deviated network activities to infer attack symptoms. We also propose an attack assessment model and method to provide timely and robust identification of malicious activity and ad hoc intrusion. We believe behavior-based detection is a promising alternative which is robust and practical to detect the future sophisticated worm, such as polymorphism, slow propagation, and even unknown attacks. We propose and prototype Gestalt, a system that profiles abnormal, deviated behaviors of Internet attacks.

Banquet: 18:30-21:00, Thursday (By Invitation Only)  Place: Shin Yeh


Biographies of Speakers

Ljudevit Bauer

Lujo Bauer is a Research Scientist in CyLab and the Electrical and Computer Engineering Department at Carnegie Mellon University. He received his BS in Computer Science from Yale University and his PhD, also in Computer Science, from Princeton University. Lujo's research interests include building usable access-control systems with sound theoretical underpinnings, developing languages and systems for specifying and enforcing security policies, and generally in narrowing the gap between a formal model and a usable system.

Colby Boyer

Colby Boyer is an undergraduate student in the Electrical Engineering and Computer Sciences department at the University of California, Berkeley.  He will receive his B.S. in May 2009.  Since January 2008, Colby has worked on the CITRIC project with the Heterogeneous Sensor Network (HSN) group at UC Berkeley.  In addition, Colby was a research assistant at Los Alamos National Laboratory during the summers of 2007 and 2008.  His research interests include sensor networks and digital communications.

Bo-Ting Chen

Bo-Ting Chen received his B.S. degree in Electrical and Control Engineering from National Chiao Tung University in 2007. He is now a master's student in the Department of Electrical and Control Engineering, NCTU. His current research interest is network intrusion detection.

Chia-Mei Chen

Chia-Mei Chen joined National Sun Yat-Sen University as an associate professor in 1996 and became a full professor in 2004. In addition, she is Division Head of System Design, Office of Library and Information Services. She received her BS in Computer Science and Information Engineering from National Chiao-Tung University, and her Ph.D. in Computer Science from the University of Maryland, College Park. She has served as a coordinator of TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center) since 1998 and continues working for the network security society. Her current research interests include mobile networks, multimedia systems, and network security.

Meng Chang Chen

Meng Chang Chen received the B.S. and M.S. degrees in Computer Science from National Chiao-Tung University, Taiwan, and the Ph.D. degree in Computer Science from the University of California, Los Angeles, in 1989.

Prior to joining the Institute of Information Science, Academia Sinica, Dr. Chen worked for AT&T Bell Labs as a Member of Technical Staff and led several projects in the area of data quality of distributed databases for mission critical systems. He is now a Research Fellow, and served as Deputy Director from August 1999 to July 2002, and again from September 2008 till now.

His current research interests include network security, information retrieval, QoS networking, wireless networks and operating systems.

Phoebus Chen

Phoebus Chen is currently an Electrical Engineering graduate student studying under Professor Shankar Sastry at the University of California, Berkeley.  He received his M.S. in Electrical Engineering and B.S. in Electrical Engineering and Computer Science at the University of California, Berkeley in 2005 and 2002, respectively.  His research interests are in distributed control systems, particularly control systems running over sensor networks.  Phoebus is a member of IEEE, HNK, and TBP.

Yu-Fang Chen

Yu-Fang Chen received his B.S. degree in Business Administration from National Taiwan University in 2001. He received his Master degree in Information Management from National Taiwan University in 2003. Now he is a 5th year PhD student in the Department of Information Management of National Taiwan University. His research interests include formal verification and software security.

Chien-Hua Chiu

Chien-Hua Chiu received the B.S. degree in Information Management from National Taiwan University in 2004. Currently he is a Ph.D. candidate in the Department of Electrical Engineering, National Taiwan University. His research interests include distributed processing, computer and network security, parallel computing, and peer-to-peer networks.

Shin-Yan Chiou

Shin-Yan Chiou is an Engineer at Industrial Technology Research Institute in Taiwan and is serving as a member of the Taiwan-CMU iCast Project. He did a one-year research about cryptography proofing method at UC Davis, US, from July 2003 and received his Ph.D. degree at Electrical Engineering department from National Chung Kung University in 2004. His research interests include information security and cryptography, wireless security issues in WiFi and WiMAX, privacy and security issues in social network, and privacy-preserving technologies in wired and wireless applications.

Edmund M. Clarke

Edmund M. Clarke received a B.A. degree in mathematics from the University of Virginia, Charlottesville, VA, in 1967, an M.A. degree in mathematics from Duke University, Durham NC, in 1968, and a Ph.D. degree in Computer Science from Cornell University, Ithaca NY, in 1976. After receiving his Ph.D., he taught in the Department of Computer Science, Duke University, for two years. In 1978 he moved to Harvard University, Cambridge, MA where he was an Assistant Professor of Computer Science in the Division of Applied Sciences. He left Harvard in 1982 to join the faculty in the Computer Science Department at Carnegie-Mellon University, Pittsburgh, PA. He was appointed Full Professor in 1989. In 1995 he became the first recipient of the FORE Systems Professorship, an endowed chair in the School of Computer Science. He was named a University Professor in 2008.

Dr. Clarke's interests include software and hardware verification and automatic theorem proving. In his Ph.D. thesis he proved that certain programming language control structures did not have good Hoare style proof systems. In 1981 he and his Ph.D. student Allen Emerson first proposed the use of Model Checking as a verification technique for finite state concurrent systems. His research group pioneered the use of Model Checking for hardware verification. Symbolic Model Checking using BDDs was also developed by his group. This important technique was the subject of Kenneth McMillan's Ph.D. thesis, which received an ACM Doctoral Dissertation Award. In addition, his research group developed the first parallel resolution theorem prover (Parthenon) and the first theorem prover to be based on a symbolic computation system (Analytica).

Dr. Clarke has served on the editorial boards of Distributed Computing, Logic and Computation, and IEEE Transactions in Software Engineering. He is the former editor-in-chief of Formal Methods in Systems Design. He is on the organizing committee of Logic in Computer Science (LICS) and on the steering committee of Computer-Aided Verification (CAV). He received a Technical Excellence Award from the Semiconductor Research Corporation in 1995. He was a co-winner with Randy Bryant, Allen Emerson, and Kenneth McMillan of the ACM Kanellakis Award in 1998 for the development of Symbolic Model Checking.  In 1999 he received an Allen Newell Award for Excellence in Research from the Carnegie Mellon Computer Science Department. In 2004 he received the IEEE Harry H. Goode Memorial Award for significant and pioneering contributions to formal verification of hardware and software systems, and for the profound impact these contributions have had on the electronics industry.  He was elected to the National Academy of Engineering in 2005 for contributions to the formal verification of hardware and software correctness. He was a recipient with Allen Emerson and Joseph Sifakis of the 2007 ACM Turing Award for his role in developing Model Checking into a highly effective verification technology, widely adopted in the hardware and software industries. In 2008 he received the CADE Herbrand Award for Distinguished Contributions to Automated Reasoning in recognition of his role in the invention of Model Checking and his sustained leadership in the area for more than two decades. Dr. Clarke is a Fellow of the ACM and the IEEE, and a member of Sigma Xi and Phi Beta Kappa.

Christos Faloutsos

Christos Faloutsos is a Professor at Carnegie Mellon University. He has received the Presidential Young Investigator Award by the National Science Foundation (1989), the Research Contributions Award in ICDM 2006, twelve "best paper" awards, and several teaching awards. He has served as a member of the executive committee of SIGKDD; he has published over 170 refereed articles, 11 book chapters and one monograph. He holds five patents and he has given over 20 tutorials and over 10 invited distinguished lectures. His research interests include data mining for streams and graphs, fractals, database performance, and indexing for multimedia and bio-informatics data.

Hsu-Chun Hsiao

Hsu-Chun Hsiao is a first year PhD student at Carnegie Mellon University. Hsu-Chun received her Master and Bachelor degree from Electrical Engineering Department at National Taiwan University. Her current research interests are network security and distributed computing.

Mike Shun-Wen Hsiao

Mike Shun-Wen Hsiao received his B.S. degree from the Department of Information Management of National Taiwan University (NTU) in 2002. Then, he joined the master program of the Department of Information Management of NTU, and worked directly towards the Ph.D. degree in 2003. From 2006, he participated in the iCAST collaborative research project with the CyLab of Carnegie Mellon University. His research interests are in the area of computer networks, and Internet and network security.

Yu-Kai Hsiao

Yu-Kai Hsiao is a Ph.D. student in Computer Science and Information Engineering at Tamkang University. He got his B.S. and Master degrees from Tamkang University in 2005 and 2007. He participates in the Networks and Information Security Lab, which is led by Dr. Ren-Junn Hwang. For the 2008 academic year, Yu-Kai is a visiting scholar in the EECS Department at the University of California-Berkeley, working with Professor Doug Tygar. He is a member of the iCAST/TRUST international collaboration project.

Shih-Kun Huang

Shih-Kun Huang received his B. S., M. S. and Ph.D. degrees in Computer Science and Information Engineering from National Chiao Tung University in 1989, 1991 and 1996 respectively. He is a faculty member in the Department of Computer Science and Information Engineering at National Chiao Tung University in Hsinchu, Taiwan and jointly with the Institute of Information Science, Academia Sinica during 2004-2005. His research interests are in open source software engineering, object-oriented technology and software quality.

Yu-Lun Huang

Yu-Lun Huang received her BS and PhD degrees in Computer Science and Information Engineering from the National Chiao-Tung University, Taiwan in 1995 and 2001, respectively. She is a member of Phi Tau Phi Society since 1995. She is now an assistant professor in Department of Electrical and Control Engineering of National Chiao-Tung University. Her research interests include wireless security, secure testbed design, embedded software, embedded operating systems, network security, secure payment systems, VoIP and QoS.

Chi-Sung Laih

Chi-Sung Laih is a professor at the Department of Electrical Engineering at National Cheng Kung University, located in Tainan, Taiwan. During 1997-2003, he was selected as the chairman of the Board of Directors of Chinese Cryptology and Information Security Association (CCISA). In addition, he was the Director of Computer and Network Center, NCKU from August 1999 to July 2005. He also served as the Dean in the College of Information Technology at Kun Shan University from August 2005 to July 2007. His research interests include Cryptology, Information Security, Error Control Codes and Communication Systems.

Dr. Laih is a member of IEEE, ACM, IACR, and CCISA. He obtained the 1997-1998 and 1999-2000 Outstanding Research Awards from NSC, and the 1999 Outstanding Talent Award from Information Month, ROC. He also received the 2003 Annual Best Paper Award from the Journal of Information Science and Engineering, and the Outstanding Contribution Award from CCISA in 2005. He was the chairman of many international conferences or workshops, including the general chair of the International Workshop on Applied PKI (IWAP) 2002, the program chair of Asiacrypt 2003, the general chair of the International Systematic Approaches to Digital Forensic Engineering (SADFE) 2005 and the vice chair of the technical program committee of IEEE CCNC 2009. He is also the editor of Journal of Internet Technologies, International Journal of Information Security, International Journal of Information and Computer Security and International Journal of Cyber Crimes and Criminal Justice.

Jason Lee

Jason Lee is a senior software engineer who works in the RD department of ISSDU.  He is also a member of the UGuard Team.  A majority of his work is to build secure web applications and the user-friendly web interface of UGuard.  He has been programming since he was 15 years old, and has been a Microsoft Certified Professional since 2001. He has over 5 years of experience with .NET technologies.  His skills cover both the MCSD and the MCSE roles, infrastructure and development, and he has strong knowledge of developing secure web applications.  He is a member of several open source projects (Castle, Subsonic, Quartz.net).

Peter Lee

Peter Lee is the head of the Computer Science Department at Carnegie Mellon University. He joined the CMU faculty in 1987, immediately after completing his doctoral studies at the University of Michigan.

Peter Lee is an active researcher, educator, administrator, and servant to the academic community. His research contributions lie mainly in areas related to the foundations of software reliability, program analysis, security, and language design. He has published extensively in major academic journals and international symposia, with several of his papers receiving "test of time" awards for their seminal contributions to the field. Peter Lee is the recipient of several research awards, including the ACM SIGOPS Hall of Fame Award, for the seminal contribution of "proof-carrying code" in computer systems research. He is an elected fellow of the Association for Computing Machinery.

As the head of the Computer Science Department, Peter Lee oversees one of the top computing research organizations in the world. In addition to its substantial research program, the department offers highly rated doctoral and undergraduate programs in computer science, with the Ph.D. program consistently ranked among the top 4 in the US. Prior to assuming his current position, Dr. Lee was briefly the Vice Provost for Research. In this role, he provided administrative oversight and strategic guidance for the university's research activities, an enterprise that exceeds $400M in annual expenditures. From 2000 to 2004, Peter Lee was the Associate Dean for undergraduate programs in the School of Computer Science. During this period, Dr. Lee shepherded the rise of Carnegie Mellon's undergraduate computer science programs to national prominence, including a #2 ranking in the Gourman Report and a six-fold increase in the number of women enrolled.

Peter Lee is called upon as an expert in diverse venues, including distinguished lectures at major universities, memberships on senior government advisory panels, corporate and university advisory boards, and court testimony (such as the Sun v. Microsoft "Java lawsuit"). He holds elected positions on several key advisory boards, including the Board of Directors of the Computing Research Association (where he chairs the CRA's Government Affairs Committee and sits on the CRA's Education Committee), the Computing Community Consortium Council, and the Defense Research Projects Agency's Information Science and Technology Board (where he is the vice-chair).

Hsiao-Chung Lin

Hsiao-Chung Lin received the B.S. degree in business administration from National Sun Yat-sen University, Kaohsiung, Taiwan in 1988 and M.S. degree in information management from National Cheng Kung University, Tainan, Taiwan in 2003. He is currently a Ph.D. student of information management in National Sun Yat-sen University, Kaohsiung, Taiwan.

Liang-Yu (Leon) Lin

Liang-Yu Lin is an engineer at the Industrial Technology Research Institute in Taiwan. He has been involved with several digital IC design projects in the past, and now is working on the hardware design, prototyping and production of the camera board for the CITRIC mote (the Cal-ITRI Camera mote).

Mao-Jie Lin

Mao-Jie Lin received the B.S. degree from the Department of Computer Science and Information Engineering, National Cheng Kung University, Tainan, Taiwan. He is currently pursuing the M.S. degree in the Institute of Computer and Communication Engineering, National Cheng Kung University. His current research focuses on testbed systems and malware analysis.

Po-Ching Lin

Po-Ching Lin received the bachelor's degree in Computer and Information Education from National Taiwan Normal University in 1995 and the M.S. and Ph.D. degrees in Computer Science from National Chiao Tung University in 2001 and 2008. He joined the Institute for Information Industry in 2008. His current research interests include network security, performance evaluation and algorithm design.

Yue-Hsun Lin

Yue-Hsun Lin received his bachelor's degree in Science Education from National Taichung Teaching College in 2002 and his M.S. degree in Computer Science from National Tsing Hua University in 2004. He is now pursuing his doctoral degree in Computer Science at National Tsing Hua University. His research interests include cryptography, network security, and wireless sensor networks.

Zong-Syun Lin

Zong-Syun Lin is a Master's student in the Department of Electrical and Control Engineering at National Chiao Tung University. He participates in the Real Time Embedded Systems Lab, which is led by Prof. Yu-Lun Huang. Zong-Syun received his Bachelor's degree in Electrical and Control Engineering at National Chiao Tung University. His research interest is the security of Supervisory Control And Data Acquisition (SCADA) systems.

Cing-Hao Liou

Cing-Hao Liou is a Master's student in Computer Science and Information Engineering at National Taiwan University of Science and Technology. Cing-Hao received the B.S. degree from Tamkang University in 2007. He participates in the Geometric Computation and Sensor Networks Laboratory, which is led by Dr. Tien-Ruey Hsiang. In Fall 2008, Cing-Hao is a visiting scholar in the EECS Department at the University of California, Berkeley, working with Prof. John Kubiatowicz, who is a member of the iCAST/TRUST international collaboration project.

Chien-Tsung Liu

Chien-Tsung Liu received his Master's degree in Information Management from National Cheng Chi University in 2002. He joined the Institute for Information Industry after graduating. His current work is in computer security, mostly focusing on an efficient archive and event exchange framework.

Ching-Hao Mao

Ching-Hao Mao is currently working toward the PhD degree, under the supervision of Professor Hahn-Ming Lee, in the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology.  He is also with the iCAST project, supporting network security in intrusion detection and alert correlation based on machine learning.  His research interests include intrusion detection and alert correlation, anti-spam e-mails, botnet detection and semi-supervised learning.

Ghita Mezzour

Ghita Mezzour is a first-year PhD student at Carnegie Mellon University. She is advised by Prof. Gligor and Prof. Perrig. Prior to coming to CMU, Ghita finished her M.S. and her B.S. in communication systems at the Swiss Federal Institute of Technology in Lausanne.

Vern Paxson

Vern Paxson is an Associate Professor of Electrical Engineering and Computer Sciences at the University of California and a Senior Scientist at the International Computer Science Institute (ICSI), both in Berkeley, California, USA.  His main active research projects are detecting malicious Internet activity in the context of Bro, a high-performance network intrusion detection system he developed; large-scale network measurement and analysis; and Internet-scale attacks, particularly the problem of "botnets".  This latter is realized as part of the US NSF-sponsored Collaborative Center for Internet Epidemiology and Defenses, which he co-directs.

Among his professional activities, he has served as vice-chair of ACM SIGCOMM, chair of the Internet Research Task Force, associate editor of IEEE/ACM Transactions on Networking, co-founder of the ACM Internet Measurement Conference, and program committee chair of numerous conferences.

Adrian Perrig

Adrian Perrig is an Associate Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. Adrian also serves as the technical director for Carnegie Mellon's Cybersecurity Laboratory (CyLab) and for the iCAST project. He earned his Ph.D. degree in Computer Science from Carnegie Mellon University, and spent three years during his Ph.D. degree at the University of California at Berkeley. He received his B.Sc. degree in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Adrian's research interests revolve around building secure systems and include Internet security, security for sensor networks and mobile applications, and trusted computing. More information about his research is available at http://www.ece.cmu.edu/~adrian/. Adrian is a recipient of the NSF CAREER award in 2004, the IBM faculty fellowship in 2004 and 2005, and the Sloan research fellowship in 2006.

Shiuan-Tzuo Shen

Shiuan-Tzuo Shen is a Ph.D. candidate in computer science at National Chiao Tung University. He is a member of the Complexity, Cryptography, and Information Security Lab led by Prof. Wen-Guey Tzeng. He is interested in number theory, cryptography, information security, operating systems, and software security.

Dawn Song

Dawn Song is an Assistant Professor at University of California, Berkeley.  She obtained her Ph.D. in Computer Science from UC Berkeley (2002).  Prior to joining UC Berkeley, she was an Assistant Professor at Carnegie Mellon University from 2002 to 2007.  Her research interest lies in security and privacy issues in computer systems and networks.  She is the author of more than 70 research papers in areas ranging from software security, networking security, database security, distributed systems security, to applied cryptography.  She is the recipient of various awards including the NSF CAREER Award, the IBM Faculty Award, the George Tallman Ladd Research Award, the Sloan Award, the Okawa Foundation Research Grant Award, and Best Paper Awards in top security conferences.

Ming-Kung Sun

Ming-Kung Sun received the B.S. degree from the Department of Information Management, Chinese Culture University, Taipei, Taiwan, and the M.S. degree from the Department of Information Management, Southern Taiwan University, Tainan, Taiwan. He is currently pursuing a Ph.D. degree in the Institute of Computer and Communication Engineering, National Cheng Kung University. His current research focuses on Intrusion Detection Systems (IDS), including misuse and anomaly detection. He is now working on web application IDS.

Wei-Chung Teng

Wei-Chung Teng received his B.S. and M.S. degrees in Computer Science and Information Engineering from National Chiao Tung University in 1992 and 1994, respectively. He started his Ph.D. research at the Research Center for Advanced Science and Technology, University of Tokyo in 1997, and received a Doctor of Engineering degree in 2001. In 2003 he joined the faculty of the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology as an assistant professor. His research interests include human computer interaction focusing on remote robot manipulation, network protocols of time synchronization, and network security issues.

Ming-Hsien Tsai

Ming-Hsien Tsai received his B.S. degree in Accounting and Information Management from National Taiwan University in 2002. He received his Master's degree in Information Management from National Taiwan University in 2004. From November 2004, he worked as a research assistant in the Institute of Information Science, Academia Sinica. He is now a PhD student in the Department of Information Management of National Taiwan University. His research interests include formal verification and software security.

Yih-Kuen Tsay

Yih-Kuen Tsay received his B.S. degree from National Taiwan University in 1984 and his M.S. and Ph.D. degrees from the University of California at Los Angeles in 1989 and 1993 respectively, all in Computer Science. In 1995, after two years as a postdoctoral research fellow in the Department of Computer Systems at Uppsala University in Sweden, Dr. Tsay returned to Taiwan to join the Department of Information Management at National Taiwan University, where he is now an associate professor. His research interests include formal verification, temporal logic and automata, software security, and the Semantic Web. For further information, please visit his personal homepage at http://im.ntu.edu.tw/~tsay/.

Wen-Guey Tzeng

Wen-Guey Tzeng received his BS degree in Computer Science and Information Engineering from National Taiwan University, Taiwan, in 1985, and MS and PhD degrees in Computer Science from the State University of New York at Stony Brook, USA, in 1987 and 1991, respectively. He joined the Department of Computer and Information Science (now the Department of Computer Science), National Chiao Tung University, Taiwan, in 1991 and has worked there ever since. Dr. Tzeng’s current research interests include Cryptology, Information Security and Network Security.

Chih-Yuan Wang

Chih-Yuan Wang is a Master's student advised by Prof. Wei-Chung Teng in the program of the Department of Computer Science and Information Engineering of National Taiwan University of Science and Technology. Chih-Yuan received his B.S. in Computer Science and Information Education from National Taitung University in 2004. His current research interests are data aggregation security and wireless sensor networks.

King-Hang Wang

King-Hang Wang was born in Hong Kong, China in 1981. He received his B.S. degree in Information Engineering from Chinese University of Hong Kong in 2002. He is now pursuing his doctoral degree in Computer Science at National Tsing Hua University. He has also been an IEEE student member since 2006. His research interests include provable security, digital rights management, and steganography.

Yuan-Chin Wen

Yuan-Chin Wen received the B.S. degree from the Department of Computer and Information Science, National Chiao Tung University, Hsinchu, Taiwan, and the M.S. degree from the Division of Computer Science, Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan. He is currently pursuing a Ph.D. degree in the Division of Computer Science, Department of Electrical Engineering, National Taiwan University. His current research focuses on embedded systems, FPGA design, pattern matching and NIDS. His research interests also include Grid computing and distributed computing.

Chang-Huan Wu

Chang-Huan Wu received his B.S. degree from the Department of Information Management at National Taiwan University (NTU) in 2007. He then joined the master's program of the Department of Information Management of NTU. From 2007, he participated in the iCAST collaborative research project. His research interests are in the area of computer networks.

Yi-Leh Wu

Yi-Leh Wu is an Assistant Professor of the Department of Computer Science and Information Engineering at the National Taiwan University of Science and Technology, Taiwan. Prior to joining the faculty, Yi-Leh led research and software development projects full-time as an engineering manager at VIMA Technologies Inc., USA for nearly four years.

Yi-Leh received his doctoral degree in Computer Science from the University of California, Santa Barbara, his master's degree in Computer Engineering from the University of Southern California, and his BS in Information and Computer Engineering from the Chung-Yuan Christian University, Taiwan.

Bo-Yin Yang

B.-Y. Yang finished his education in Taiwan, graduating from National Taiwan University with a BS in Physics in 1987. Later he finished graduate work at the Massachusetts Institute with a PhD in mathematics in 1991. He then returned to Taiwan and taught at Tamkang University. In 2002, he started working in cryptography and in 2006 moved to the Academia Sinica. He is married and enjoys board games, hiking and reading in his spare time.

Sang-chin Yang

Sang-chin Yang is Associate Professor of the Department of Computer Science at Chung Cheng Institute of Technology (CCIT), National Defense University (NDU), Taiwan.  He was previously the head of the General Courses Department from September 2002 to October 2005.  Between 1999 and 2002, he was Associate Professor and Director of the Integrated Logistics Education Center, CCIT, NDU.  From 1994 to 1997, he served as Lecturer in the General Courses Department.  From 1988 to 1992, he served as a teaching and research assistant at CCIT.

Yang received his Bachelor of Science degree in civil engineering from CCIT in 1988.  He earned his Master of Science degree in systems engineering in 1994 and Doctor of Philosophy degree in industrial and systems engineering in 1999, both from Virginia Polytechnic Institute and State University.  His research interests focus on information assurance and security, reliability theory, maintenance policies, supportability engineering, systems engineering, technology management, and decision theory.

Tzu-I Yang

Tzu-I Yang was born on March 10, 1980 in Taichung, Taiwan, R.O.C. He received the B.S. and M.S. degrees in Computer Science and Information Engineering from Tunghai University in 2002 and 2004, respectively. He is now studying for a Ph.D. degree in Computer Science at National Chiao Tung University.

Yi-Ren Yeh

Yi-Ren Yeh received the M.S. degree from the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taiwan in 2006. He is currently working toward the PhD degree in the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology. His research interests include machine learning, data mining, and intrusion detection.
