Your search keyword '"Tiffany Bao"' showing total 8 results

1. Cyber Autonomy in Software Security: Techniques and Tactics

Author

Yan Shoshitaishvili and Tiffany Bao

Subjects

Exploit, business.industry, Computer science, media_common.quotation_subject, Offensive, Vulnerability, Context (language use), Computer security, computer.software_genre, Software, Work (electrical), Software security assurance, business, computer, Autonomy, media_common

Abstract

Software security research traditionally focuses on the development of specific offense and defense techniques on software vulnerabilities. Software security techniques are useful in practice only to the extent they can be leveraged to achieve a goal. Different parties‐individuals, companies, or nations‐implement offensive and defensive techniques as components in holistic systems, and these systems strategically interact with each other.This chapter aims to introduce to the reader cyber autonomy in software security. We will offer a holistic view on this topic by presenting both techniques and tactics in software security. This chapter will introduce the high‐level model of cyber autonomy in software security and explain how techniques and tactics co‐work in software security, discuss current software security techniques (including vulnerability discovery, exploit generation, vulnerability patching, and vulnerability ricochet) and, once the readers have gained familiarity with the background and the context in software security that serves as the prerequisites for building a game theoretical model, will introduce the autonomous computer security game, which is the core of the chapter.

Published

2021

2. SyML: Guiding Symbolic Execution Toward Vulnerable States Through Pattern Learning

Author

Giovanni Vigna, Lukas Dresel, Kyle Zeng, Tiffany Bao, Stefano Zanero, Mario Polino, Nicola Ruaro, Christopher Kruegel, Andrea Continella, Services, Cybersecurity & Safety, and Digital Society Institute

Subjects

Symbolic execution, Cybersecurity, Computer science, business.industry, media_common.quotation_subject, Vulnerability, Crash, Replicate, Machine learning, computer.software_genre, Path (graph theory), Vulnerability discovery, Leverage (statistics), The Symbolic, Artificial intelligence, business, Function (engineering), computer, media_common

Abstract

Exploring many execution paths in a binary program is essential to discover new vulnerabilities. Dynamic Symbolic Execution (DSE) is useful to trigger complex input conditions and enables an accurate exploration of a program while providing extensive crash replayability and semantic insights. However, scaling this type of analysis to complex binaries is difficult. Current methods suffer from the path explosion problem, despite many attempts to mitigate this challenge (e.g., by merging paths when appropriate). Still, in general, this challenge is not yet surmounted, and most bugs discovered through such techniques are shallow. We propose a novel approach to address the path explosion problem: A smart triaging system that leverages supervised machine learning techniques to replicate human expertise, leading to vulnerable path discovery. Our approach monitors the execution traces in vulnerable programs and extracts relevant features - register and memory accesses, function complexity, system calls - to guide the symbolic exploration. We train models to learn the patterns of vulnerable paths from the extracted features, and we leverage their predictions to discover interesting execution paths in new programs. We implement our approach in a tool called SyML, and we evaluate it on the Cyber Grand Challenge (CGC) dataset - a well-known dataset of vulnerable programs - and on 3 real-world Linux binaries. We show that the knowledge collected from the analysis of vulnerable paths, without any explicit prior knowledge about vulnerability patterns, is transferrable to unseen binaries, and leads to outperforming prior work in path prioritization by triggering more, and different, unique vulnerabilities.

Published

2021

3. CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing

Author

Brad Wardman, Yan Shoshitaishvili, Gail-Joon Ahn, Zhibo Sun, Haehyun Cho, RC Johnson, Alexandros Kapravelos, Tiffany Bao, Adam Oest, Adam Doupé, Shaown Sarker, Ruoyu Wang, and Penghui Zhang

Subjects

Computer Networks and Communications, business.industry, Computer science, Cloaking, Evasion (network security), Client-side, Computer security, computer.software_genre, Internet security, JavaScript, Phishing, Key (cryptography), Dynamic program analysis, ComputingMilieux_COMPUTERSANDSOCIETY, Electrical and Electronic Engineering, business, Law, computer, computer.programming_language

Abstract

Phishing is a critical threat to Internet users. Although an extensive ecosystem serves to protect users, phishing websites are growing in sophistication, and they can slip past the ecosystem’s detection systems—and subsequently cause real-world damage—with the help of evasion techniques. Sophisticated client-side evasion techniques, known as cloaking, leverage JavaScript to enable complex interactions between potential victims and the phishing website, and can thus be particularly effective in slowing or entirely preventing automated mitigations. Yet, neither the prevalence nor the impact of client-side cloaking has been studied.In this paper, we present CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites. We deploy CrawlPhish over 14 months between 2018 and 2019 to collect and thoroughly analyze a dataset of 112,005 phishing websites in the wild. By adapting state-of-the-art static and dynamic code analysis, we find that 35,067 of these websites have 1,128 distinct implementations of client-side cloaking techniques. Moreover, we find that attackers’ use of cloaking grew from 23.32% initially to 33.70% by the end of our data collection period. Detection of cloaking by our framework exhibited low false-positive and false-negative rates of 1.45% and 1.75%, respectively. We analyze the semantics of the techniques we detected and propose a taxonomy of eight types of evasion across three high-level categories: User Interaction, Fingerprinting, and Bot Behavior.Using 150 artificial phishing websites, we empirically show that each category of evasion technique is effective in avoiding browser-based phishing detection (a key ecosystem defense). Additionally, through a user study, we verify that the techniques generally do not discourage victim visits. Therefore, we propose ways in which our methodology can be used to not only improve the ecosystem’s ability to mitigate phishing websites with client-side cloaking, but also continuously identify emerging cloaking techniques as they are launched by attackers.

Published

2021

4. Scam Pandemic: How Attackers Exploit Public Fear through Phishing

Author

Ruoyu Wang, Penghui Zhang, Haehyun Cho, Yan Shoshitaishvili, Adam Doupé, Marzieh Bitaab, Rana Pourmohamad, Zhibo Sun, Adam Oest, Gail-Joon Ahn, Tiffany Bao, and Doowon Kim

Subjects

FOS: Computer and information sciences, Government, Computer Science - Cryptography and Security, Exploit, business.industry, Internet privacy, Phishing, Market research, Web traffic, Pandemic, Key (cryptography), The Internet, business, Cryptography and Security (cs.CR)

Abstract

As the COVID-19 pandemic started triggering widespread lockdowns across the globe, cybercriminals did not hesitate to take advantage of users' increased usage of the Internet and their reliance on it. In this paper, we carry out a comprehensive measurement study of online social engineering attacks in the early months of the pandemic. By collecting, synthesizing, and analyzing DNS records, TLS certificates, phishing URLs, phishing website source code, phishing emails, web traffic to phishing websites, news articles, and government announcements, we track trends of phishing activity between January and May 2020 and seek to understand the key implications of the underlying trends. We find that phishing attack traffic in March and April 2020 skyrocketed up to 220\% of its pre-COVID-19 rate, far exceeding typical seasonal spikes. Attackers exploited victims' uncertainty and fear related to the pandemic through a variety of highly targeted scams, including emerging scam types against which current defenses are not sufficient as well as traditional phishing which outpaced the ecosystem's collective response., 10 pages, Accepted to eCrime 2020

Published

2021

5. Everything You Ever Wanted to Know About Bitcoin Mixers (But Were Afraid to Ask)

Author

Ruoyu Wang, Jaswant Pakki, Tiffany Bao, Adam Doupé, and Yan Shoshitaishvili

Subjects

Deep Web, Cryptocurrency, Ask price, Computer science, business.industry, Obfuscation, Internet privacy, Fungibility, Transactional analysis, business, Mixing (physics), Anonymity

Abstract

The lack of fungibility in Bitcoin has forced its userbase to seek out tools that can heighten their anonymity. Third-party Bitcoin mixers use obfuscation techniques to protect participants from blockchain transaction analysis. In recent years, various centralized and decentralized Bitcoin mixing methods were proposed in academic literature (e.g., CoinJoin, CoinShuffle). Although these methods strive to create a threat-free environment for users to preserve their anonymity, public Bitcoin mixers continue to be associated with theft and poor implementation. This paper explores the public Bitcoin mixer ecosystem to identify if today’s mixing services have adopted academia’s proposed solutions. We perform real-world interactions with publicly available mixers to analyze both implementation and resistance to common threats in the mixing landscape. We present data from 21 publicly available mixing services on the deep web and clearnet.

Published

2021

6. MuTent: Dynamic Android Intent Protection with Ownership-Based Key Distribution and Security Contracts

Author

Ruoyu Wang, Tiffany Bao, Jaejong Baek, Pradeep Kumar Duraisamy Soundrapandian, Yan Shoshitaishvili, Gail-Joon Ahn, and Adam Doupé

Subjects

business.industry, Computer science, Key distribution, Android (operating system), Encryption, business, Computer security, computer.software_genre, computer

Published

2021

7. HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems

Author

Yan Shoshitaishvili, Tiffany Bao, Adam Doupé, Gail-Joon Ahn, Ruoyu Wang, Carlos E. Rubio-Medrano, and Efrén López-Morales

Subjects

Service (systems architecture), Honeypot, business.industry, Computer science, Programmable logic controller, Context (language use), Industrial control system, computer.software_genre, Computer security, Malware, Attack patterns, The Internet, business, computer

Abstract

Industrial Control Systems (ICS) provide management and control capabilities for mission-critical utilities such as the nuclear, power, water, and transportation grids. Within ICS, Programmable Logic Controllers (PLCs) play a key role as they serve as a convenient bridge between the cyber and the physical worlds, e.g., controlling centrifuge machines in nuclear power plants. The critical roles that ICS and PLCs play have made them the target of sophisticated cyberattacks that are designed to disrupt their operation, which creates both social unrest and financial losses. In this context, honeypots have been shown to be highly valuable tools for collecting real data, e.g., malware payload, to better understand the many different methods and strategies that attackers use. However, existing state-of-the-art honeypots for PLCs lack sophisticated service simulations that are required to obtain valuable data. Worse, they cannot adapt while ICS malware keeps evolving, and attack patterns become more sophisticated. To overcome these shortcomings, we present HoneyPLC, a high-interaction, extensible, and malware collecting honeypot supporting a broad spectrum of PLCs models and vendors. Results from our experiments show that HoneyPLC exhibits a high level of camouflaging: it is identified as real devices by multiple widely used reconnaissance tools, including Nmap, Shodan's Honeyscore, the Siemens Step7 Manager, PLCinject, and PLCScan, with a high level of confidence. We deployed HoneyPLC on Amazon AWS and recorded a large amount of interesting interactions over the Internet, showing not only that attackers are in fact targeting ICS systems, but also that HoneyPLC can effectively engage and deceive them while collecting data samples for future analysis.

Published

2020

8. Matched and Mismatched SOCs

Author

Tiffany Bao, Yan Shoshitaishvili, Ananta Soneji, Ziming Zhao, Gail-Joon Ahn, Adam Doupé, and Faris Bugra Kokulu

Subjects

021110 strategic, defence & security studies, Focus (computing), Knowledge management, Computer science, business.industry, 0211 other engineering and technologies, 020206 networking & telecommunications, 02 engineering and technology, Interview data, Work (electrical), 0202 electrical engineering, electronic engineering, information engineering, Research studies, Incident management (ITSM), business, Qualitative research, Security operations center

Abstract

Organizations, such as companies and governments, created Security Operations Centers (SOCs) to defend against computer security attacks. SOCs are central defense groups that focus on security incident management with capabilities such as monitoring, preventing, responding, and reporting. They are one of the most critical defense components of a modern organization's defense. Despite their critical importance to organizations, and the high frequency of reported security incidents, only a few research studies focus on problems specific to SOCs. In this study, to understand and identify the issues of SOCs, we conducted 18 semi-structured interviews with SOC analysts and managers who work for organizations from different industry sectors. Through our analysis of the interview data, we identified technical and non-technical issues that exist in SOC. Moreover, we found inherent disagreements between SOC managers and their analysts that, if not addressed, could entail a risk to SOC efficiency and effectiveness. We distill these issues into takeaways that apply both to future academic research and to SOC management. We believe that research should focus on improving the efficiency and effectiveness of SOCs.

Published

2019