发布求助
文献互助 智能选刊 最新文献

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security最新文献

筛选
英文 中文
Process-Aware Cyberattacks for Thermal Desalination Plants 热脱盐工厂的过程感知网络攻击
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329805
Prashant Hari Narayan Rajput, P. Rajput, Marios Sazos, M. Maniatakos
{"title":"Process-Aware Cyberattacks for Thermal Desalination Plants","authors":"Prashant Hari Narayan Rajput, P. Rajput, Marios Sazos, M. Maniatakos","doi":"10.1145/3321705.3329805","DOIUrl":"https://doi.org/10.1145/3321705.3329805","url":null,"abstract":"In 2017, desalination industry was contracted to produce 99.8 million m3/d of fresh water globally. In regions with a natural shortage of fresh water, desalination contributes up to 70% of drinking water. While state-of-the-art research has focused on securing the power grid, water treatment plants, and other critical infrastructure, not much attention has been given towards desalination plants. In this work, we perform interdisciplinary cyber threat analysis on a desalination plant model, presenting cyberattacks and analyzing their effect on the plant performance and equipment both from economics and mechanical engineering perspective. Our analysis shows that cyber actors can perform extensive financial damage by affecting the performance of the plant. We also perform control volume analysis and finite element analysis studies to investigate the possibility of Stuxnet-like attacks with the potential to cause mechanical damage and equipment failure.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126063219","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 10
Purchased Fame: Exploring the Ecosystem of Private Blog Networks 购买名声:探索私人博客网络的生态系统
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329830
Tom van Goethem, N. Miramirkhani, W. Joosen, Nick Nikiforakis
{"title":"Purchased Fame: Exploring the Ecosystem of Private Blog Networks","authors":"Tom van Goethem, N. Miramirkhani, W. Joosen, Nick Nikiforakis","doi":"10.1145/3321705.3329830","DOIUrl":"https://doi.org/10.1145/3321705.3329830","url":null,"abstract":"For many, a browsing session starts by entering relevant keywords in a popular search engine. The websites that users thereafter land on are often determined by their position in the search results. Although little is known about the proprietary ranking algorithms employed by popular search engines, it is strongly suspected that the incoming links have a significant influence on the outcome. This has lead to the inception of various black-hat SEO techniques that aim to deceive search engines to promote a specific website. In this paper, we present the first extensive study on the ecosystem of a novel type of black-hat SEO, namely the trade of artificially created backlinks through private blog networks (PBNs). Our study is three-pronged: first, we perform an exploratory analysis, through which we capture intrinsic information of the ecosystem and measure the effectiveness of backlinks. Next, we develop and present an ML-driven methodology that detects PBN sites with an accuracy of 98.7% by leveraging various content-based and linking-based features intrinsic to the operation of the ecosystem. Finally, in a large-scale experiment involving more than 50,000 websites, we expose large networks of backlink operations, finding thousands of websites engaged in PBNs.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124664507","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Exploiting Determinism in Lattice-based Signatures: Practical Fault Attacks on pqm4 Implementations of NIST Candidates 利用基于格的签名中的确定性:NIST候选pqm4实现的实际故障攻击
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329821
P. Ravi, M. P. Jhanwar, James Howe, A. Chattopadhyay, S. Bhasin
{"title":"Exploiting Determinism in Lattice-based Signatures: Practical Fault Attacks on pqm4 Implementations of NIST Candidates","authors":"P. Ravi, M. P. Jhanwar, James Howe, A. Chattopadhyay, S. Bhasin","doi":"10.1145/3321705.3329821","DOIUrl":"https://doi.org/10.1145/3321705.3329821","url":null,"abstract":"In this paper, we analyze the implementation level fault vulnerabilities of deterministic lattice-based signature schemes. In particular, we extend the practicality of skip-addition fault attacks through exploitation of determinism in Dilithium and qTESLA signature schemes, which are two leading candidates for the NIST standardization of post-quantum cryptography. We show that single targeted faults injected in the signing procedure allow to recover an important portion of the secret key. Though faults injected in the signing procedure do not recover all the secret key elements, we propose a novel forgery algorithm that allows the attacker to sign any given message with only the extracted portion of the secret key. We perform experimental validation of our attack using Electromagnetic fault injection on reference implementations taken from the pqm4 library, a benchmarking and testing framework for post quantum cryptographic implementations for the ARM Cortex-M4 microcontroller. We also show that our attacks break two well known countermeasures known to protect against skip-addition fault attacks. We further propose an efficient mitigation strategy against our attack that exponentially increases the attacker's complexity at almost zero increase in computational complexity.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130380093","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 26
A Data Life Cycle Modeling Proposal by Means of Formal Methods 基于形式化方法的数据生命周期建模建议
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3331003
Madalina G. Ciobanu, F. Fasano, F. Martinelli, F. Mercaldo, A. Santone
{"title":"A Data Life Cycle Modeling Proposal by Means of Formal Methods","authors":"Madalina G. Ciobanu, F. Fasano, F. Martinelli, F. Mercaldo, A. Santone","doi":"10.1145/3321705.3331003","DOIUrl":"https://doi.org/10.1145/3321705.3331003","url":null,"abstract":"Data usually evolve according to specific processes, with the consequent possibility to identify a profile of evolution: the values it may assume, the frequencies at which it changes, the temporal variation in relation to other data, or other constraints that are directly connected to the reference domain. A violation of these conditions could be the signal of different menaces that threat the system, as well as: attempts of a tampering or a cyber attack, a failure in the system operation, a bug in the applications which manage the life cycle of data. To detect such violations is not straightforward as processes could be unknown or hard to extract. In this paper we propose an approach to model the data life cycle by observing the data evolution in its life cycle. Thus, we represent users able to alter data through timed automata. Through model checking, the obtained profile of evolution can be used to detect anomalies in relational database, data warehouse and big data.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129181025","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 5
Flexibly and Securely Shape Your Data Disclosed to Others 灵活、安全地塑造向他人披露的数据
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329851
Qingqing Xie, Yantian Hou, Ke Cheng, Gaby G. Dagher, Liangmin Wang, Shucheng Yu
{"title":"Flexibly and Securely Shape Your Data Disclosed to Others","authors":"Qingqing Xie, Yantian Hou, Ke Cheng, Gaby G. Dagher, Liangmin Wang, Shucheng Yu","doi":"10.1145/3321705.3329851","DOIUrl":"https://doi.org/10.1145/3321705.3329851","url":null,"abstract":"This work is to enhance existing fine-grained access control to support a more expressive access policy over arithmetic operation results. We aim to enable data owners to flexibly bind a user's identity with his/her authorized access target according to a given access control policy, which indicates how a piece of data obfuscated by different noises. To this end, we design a cryptographic primitive that decouples the noisy data to two components, one associated with user identity, and the other one shared and dynamically changes, with the composite of these two components evaluated and revealed at user sides. The security of our scheme is formally proven using game based approach. We implement our system on a commercial cloud platform and use extensive experiments to validate its functionality and performance.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131796319","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
EPISODE: Efficient Privacy-PreservIng Similar Sequence Queries on Outsourced Genomic DatabasEs 外包基因组数据库中有效的保护隐私的相似序列查询
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329800
T. Schneider, Oleksandr Tkachenko
{"title":"EPISODE: Efficient Privacy-PreservIng Similar Sequence Queries on Outsourced Genomic DatabasEs","authors":"T. Schneider, Oleksandr Tkachenko","doi":"10.1145/3321705.3329800","DOIUrl":"https://doi.org/10.1145/3321705.3329800","url":null,"abstract":"Nowadays, genomic sequencing has become much more affordable for many people and, thus, many people own their genomic data in a digital format. Having paid for genomic sequencing, they want to make use of their data for different tasks that are possible only using genomics, and they share their data with third parties to achieve these tasks, e.g., to find their relatives in a genomic database. As a consequence, more genomic data get collected worldwide. The upside of the data collection is that unique analyses on these data become possible. However, this raises privacy concerns because the genomic data uniquely identify their owner, contain sensitive data about his/her risk for getting particular diseases, and even sensitive information about his/her family members. In this paper, we introduce EPISODE - a highly efficient privacy-preserving protocol for Similar Sequence Queries (SSQs), which can be used for finding genetically similar individuals in an outsourced genomic database, i.e., securely aggregated from data of multiple institutions. Our SSQ protocol is based on the edit distance approximation by Asharov et al. (PETS'18), which we further optimize and extend to the outsourcing scenario. We improve their protocol by using more efficient building blocks and achieve a 5-6x run-time improvement compared to their work in the same two-party scenario. Recently, Cheng et al. (ASIACCS'18) introduced protocols for outsourced SSQs that rely on homomorphic encryption. Our new protocol outperforms theirs by more than factor 24000x in terms of run-time in the same setting and guarantees the same level of security. In addition, we show that our algorithm scales for practical database sizes by querying a database that contains up to a million short sequences within a few minutes, and a database with hundreds of whole-genome sequences containing 75 million alleles each within a few hours.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"81 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124530041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 29
Pinpoint Rowhammer: Suppressing Unwanted Bit Flips on Rowhammer Attacks 精确的Rowhammer:抑制Rowhammer攻击时不需要的位翻转
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329811
Sangwoo Ji, Youngjoo Ko, Saeyoung Oh, Jong Kim
{"title":"Pinpoint Rowhammer: Suppressing Unwanted Bit Flips on Rowhammer Attacks","authors":"Sangwoo Ji, Youngjoo Ko, Saeyoung Oh, Jong Kim","doi":"10.1145/3321705.3329811","DOIUrl":"https://doi.org/10.1145/3321705.3329811","url":null,"abstract":"In recent studies, sophisticated attack vectors that use a Rowhammer bug have been developed. These attacks are dangerous, given that they can corrupt data stored in arbitrary memory rows without accessing them. Successful Rowhammer attacks require to flip data of the target cell. However, non-target cells are also corrupted by the attacks. Such unwanted bit flips can lead to unexpected consequences such as an attack failure and a system crash. We propose a novel Rowhammer method, namely, Pinpoint rowhammer, which flips the target bit while suppressing unwanted bit flips. The basic idea is the use of an effective data pattern for the target bit and ineffective data patterns for non-target bits. We evaluate the proposed method by conducting 107,965 attack instances on four different dynamic random-access memory (DRAM) modules. The proposed method increases the attack success rate from 28.9% to 72.4%, when compared with the state-of-the-art method (double-sided Rowhammer). In addition, the proposed method suppresses 99.7% of the unwanted vulnerable cells.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132999564","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 20
Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control 我可以退出吗?: GDPR和Cookie控制的全球错觉
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329806
Iskander Sánchez-Rola, Matteo Dell'Amico, Platon Kotzias, D. Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, I. Santos
{"title":"Can I Opt Out Yet?: GDPR and the Global Illusion of Cookie Control","authors":"Iskander Sánchez-Rola, Matteo Dell'Amico, Platon Kotzias, D. Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, I. Santos","doi":"10.1145/3321705.3329806","DOIUrl":"https://doi.org/10.1145/3321705.3329806","url":null,"abstract":"The European Union's (EU) General Data Protection Regulation (GDPR), in effect since May 2018, enforces strict limitations on handling users' personal data, hence impacting their activity tracking on the Web. In this study, we perform an evaluation of the tracking performed in 2,000 high-traffic websites, hosted both inside and outside of the EU. We evaluate both the information presented to users and the actual tracking implemented through cookies; we find that the GDPR has impacted website behavior in a truly global way, both directly and indirectly: USA-based websites behave similarly to EU-based ones, while third-party opt-out services reduce the amount of tracking even for websites which do not put any effort in respecting the new law. On the other hand, we find that tracking remains ubiquitous. In particular, we found cookies that can identify users when visiting more than 90% of the websites in our dataset - and we also encountered a large number of websites that present deceiving information, making it it very difficult, if at all possible, for users to avoid being tracked.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122553804","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 140
From Attacker Models to Reliable Security 从攻击者模型到可靠的安全性
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329915
H. Mantel
{"title":"From Attacker Models to Reliable Security","authors":"H. Mantel","doi":"10.1145/3321705.3329915","DOIUrl":"https://doi.org/10.1145/3321705.3329915","url":null,"abstract":"Attack trees are a popular graphical notation for capturing threats to IT systems. They can be used to describe attacks in terms of attacker goals and attacker actions. By focusing on the viewpoint of a single attacker and on a particular attacker goal in the creation of an attack tree, one reduces the conceptual complexity of threat modeling substantially. Aspects not covered by attack trees, like the behavior of the system under attack, can then be described using other models to enable a security analysis based on a combination of the models. Despite the high popularity of attack trees in security engineering for many years, some pitfalls in their use were identified only recently. In this talk, I will point out such difficulties, outline how attack trees can be used in combination with system models, and clarify the consequences of different combinations for security analysis results. After a security analysis of an abstract model, the insights gained need to be mapped to reality. I will introduce an automata-based model of run-time monitors and will show how defenses in this model can be realized at runtime with the CliSeAu system.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"22 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114178997","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Design Procedure of Knowledge Base for Practical Attack Graph Generation 实用攻击图生成知识库设计过程
Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security Pub Date : 2019-07-02 DOI: 10.1145/3321705.3329853
Masaki Inokuchi, Yoshinobu Ohta, Shunichi Kinoshita, T. Yagyu, Orly Stan, Ron Bitton, Y. Elovici, A. Shabtai
{"title":"Design Procedure of Knowledge Base for Practical Attack Graph Generation","authors":"Masaki Inokuchi, Yoshinobu Ohta, Shunichi Kinoshita, T. Yagyu, Orly Stan, Ron Bitton, Y. Elovici, A. Shabtai","doi":"10.1145/3321705.3329853","DOIUrl":"https://doi.org/10.1145/3321705.3329853","url":null,"abstract":"Cyber security assessment is an essential activity for understanding the security risks in an enterprise environment. While many tools have been developed in order to evaluate the security risks for individual hosts, it is still a challenge to identify multi-hop cyber security risks in a large-scale environment. An attack graph, which provides a comprehensive view of attacks, assists in identifying high-risk attack paths and efficiently deploying countermeasures. Several frameworks which generate an attack graph from system information and knowledge base have also been developed in the past. Although these tools are widely adopted, their expression capabilities are insufficient. The expansion of knowledge base is needed to handle comprehensive attack scenario. In this research, we developed an attack graph generation system by extending the MulVAL framework which is widely adopted due to its high extensibility. We designed and implemented knowledge base (also known as \"interaction rules\" in the MulVAL framework) for practical attack graph generation. A structured design procedure is necessary to construct a knowledge base that enables comprehensive analysis, which is highly important for actual risk assessment. We describe the design procedure, design considerations and implementation of our rule set. Additionally, we demonstrate the improvement to the generated attack graph by the implemented rules in a case study.","PeriodicalId":189657,"journal":{"name":"Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121124264","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 10
下一页 尾页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信