arXiv - CS - Cryptography and Security最新文献_第9页

The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach SBOM 生成器对 Python 漏洞评估的影响：比较与新方法

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06390

Giacomo Benedetti, Serena Cofano, Alessandro Brighente, Mauro Conti

{"title":"The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach","authors":"Giacomo Benedetti, Serena Cofano, Alessandro Brighente, Mauro Conti","doi":"arxiv-2409.06390","DOIUrl":"https://doi.org/arxiv-2409.06390","url":null,"abstract":"The Software Supply Chain (SSC) security is a critical concern for both users\u0000and developers. Recent incidents, like the SolarWinds Orion compromise, proved\u0000the widespread impact resulting from the distribution of compromised software.\u0000The reliance on open-source components, which constitute a significant portion\u0000of modern software, further exacerbates this risk. To enhance SSC security, the\u0000Software Bill of Materials (SBOM) has been promoted as a tool to increase\u0000transparency and verifiability in software composition. However, despite its\u0000promise, SBOMs are not without limitations. Current SBOM generation tools often\u0000suffer from inaccuracies in identifying components and dependencies, leading to\u0000the creation of erroneous or incomplete representations of the SSC. Despite\u0000existing studies exposing these limitations, their impact on the vulnerability\u0000detection capabilities of security tools is still unknown. In this paper, we perform the first security analysis on the vulnerability\u0000detection capabilities of tools receiving SBOMs as input. We comprehensively\u0000evaluate SBOM generation tools by providing their outputs to vulnerability\u0000identification software. Based on our results, we identify the root causes of\u0000these tools' ineffectiveness and propose PIP-sbom, a novel pip-inspired\u0000solution that addresses their shortcomings. PIP-sbom provides improved accuracy\u0000in component identification and dependency resolution. Compared to\u0000best-performing state-of-the-art tools, PIP-sbom increases the average\u0000precision and recall by 60%, and reduces by ten times the number of false\u0000positives.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"166 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201335","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Ransomware Detection Using Machine Learning in the Linux Kernel 在 Linux 内核中使用机器学习检测勒索软件

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06452

Adrian Brodzik, Tomasz Malec-Kruszyński, Wojciech Niewolski, Mikołaj Tkaczyk, Krzysztof Bocianiak, Sok-Yen Loui

引用次数: 0

Catch Me if You Can: Detecting Unauthorized Data Use in Deep Learning Models 有本事来抓我：检测深度学习模型中未经授权的数据使用

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06280

Zitao Chen, Karthik Pattabiraman

{"title":"Catch Me if You Can: Detecting Unauthorized Data Use in Deep Learning Models","authors":"Zitao Chen, Karthik Pattabiraman","doi":"arxiv-2409.06280","DOIUrl":"https://doi.org/arxiv-2409.06280","url":null,"abstract":"The rise of deep learning (DL) has led to a surging demand for training data,\u0000which incentivizes the creators of DL models to trawl through the Internet for\u0000training materials. Meanwhile, users often have limited control over whether\u0000their data (e.g., facial images) are used to train DL models without their\u0000consent, which has engendered pressing concerns. This work proposes MembershipTracker, a practical data provenance tool that\u0000can empower ordinary users to take agency in detecting the unauthorized use of\u0000their data in training DL models. We view tracing data provenance through the\u0000lens of membership inference (MI). MembershipTracker consists of a lightweight\u0000data marking component to mark the target data with small and targeted changes,\u0000which can be strongly memorized by the model trained on them; and a specialized\u0000MI-based verification process to audit whether the model exhibits strong\u0000memorization on the target samples. Overall, MembershipTracker only requires the users to mark a small fraction\u0000of data (0.005% to 0.1% in proportion to the training set), and it enables the\u0000users to reliably detect the unauthorized use of their data (average 0%\u0000FPR@100% TPR). We show that MembershipTracker is highly effective across\u0000various settings, including industry-scale training on the full-size\u0000ImageNet-1k dataset. We finally evaluate MembershipTracker under multiple\u0000classes of countermeasures.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"7 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201336","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

On the Weaknesses of Backdoor-based Model Watermarking: An Information-theoretic Perspective 论基于后门的模型水印的弱点：信息论视角

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06130

Aoting Hu, Yanzhi Chen, Renjie Xie, Adrian Weller

{"title":"On the Weaknesses of Backdoor-based Model Watermarking: An Information-theoretic Perspective","authors":"Aoting Hu, Yanzhi Chen, Renjie Xie, Adrian Weller","doi":"arxiv-2409.06130","DOIUrl":"https://doi.org/arxiv-2409.06130","url":null,"abstract":"Safeguarding the intellectual property of machine learning models has emerged\u0000as a pressing concern in AI security. Model watermarking is a powerful\u0000technique for protecting ownership of machine learning models, yet its\u0000reliability has been recently challenged by recent watermark removal attacks.\u0000In this work, we investigate why existing watermark embedding techniques\u0000particularly those based on backdooring are vulnerable. Through an\u0000information-theoretic analysis, we show that the resilience of watermarking\u0000against erasure attacks hinges on the choice of trigger-set samples, where\u0000current uses of out-distribution trigger-set are inherently vulnerable to\u0000white-box adversaries. Based on this discovery, we propose a novel model\u0000watermarking scheme, In-distribution Watermark Embedding (IWE), to overcome the\u0000limitations of existing method. To further minimise the gap to clean models, we\u0000analyze the role of logits as watermark information carriers and propose a new\u0000approach to better conceal watermark information within the logits. Experiments\u0000on real-world datasets including CIFAR-100 and Caltech-101 demonstrate that our\u0000method robustly defends against various adversaries with negligible accuracy\u0000loss (< 0.1%).","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"52 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201451","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Conditional Encryption with Applications to Secure Personalized Password Typo Correction 条件加密与个性化密码错别字校正安全应用

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06128

Mohammad Hassan Ameri, Jeremiah Blocki

{"title":"Conditional Encryption with Applications to Secure Personalized Password Typo Correction","authors":"Mohammad Hassan Ameri, Jeremiah Blocki","doi":"arxiv-2409.06128","DOIUrl":"https://doi.org/arxiv-2409.06128","url":null,"abstract":"We introduce the notion of a conditional encryption scheme as an extension of\u0000public key encryption. In addition to the standard public key algorithms\u0000($mathsf{KG}$, $mathsf{Enc}$, $mathsf{Dec}$) for key generation, encryption\u0000and decryption, a conditional encryption scheme for a binary predicate $P$ adds\u0000a new conditional encryption algorithm $mathsf{CEnc}$. The conditional\u0000encryption algorithm $c=mathsf{CEnc}_{pk}(c_1,m_2,m_3)$ takes as input the\u0000public encryption key $pk$, a ciphertext $c_1 = mathsf{Enc}_{pk}(m_1)$ for an\u0000unknown message $m_1$, a control message $m_2$ and a payload message $m_3$ and\u0000outputs a conditional ciphertext $c$. Intuitively, if $P(m_1,m_2)=1$ then the\u0000conditional ciphertext $c$ should decrypt to the payload message $m_3$. On the\u0000other hand if $P(m_1,m_2) = 0$ then the ciphertext should not leak any\u0000information about the control message $m_2$ or the payload message $m_3$ even\u0000if the attacker already has the secret decryption key $sk$. We formalize the\u0000notion of conditional encryption secrecy and provide concretely efficient\u0000constructions for a set of predicates relevant to password typo correction. Our\u0000practical constructions utilize the Paillier partially homomorphic encryption\u0000scheme as well as Shamir Secret Sharing. We prove that our constructions are\u0000secure and demonstrate how to use conditional encryption to improve the\u0000security of personalized password typo correction systems such as TypTop. We\u0000implement a C++ library for our practically efficient conditional encryption\u0000schemes and evaluate the performance empirically. We also update the\u0000implementation of TypTop to utilize conditional encryption for enhanced\u0000security guarantees and evaluate the performance of the updated implementation.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"44 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201633","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

How to Verify Any (Reasonable) Distribution Property: Computationally Sound Argument Systems for Distributions 如何验证任何（合理的）分布属性：计算合理的分布论证系统

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06594

Tal Herman, Guy Rothblum

{"title":"How to Verify Any (Reasonable) Distribution Property: Computationally Sound Argument Systems for Distributions","authors":"Tal Herman, Guy Rothblum","doi":"arxiv-2409.06594","DOIUrl":"https://doi.org/arxiv-2409.06594","url":null,"abstract":"As statistical analyses become more central to science, industry and society,\u0000there is a growing need to ensure correctness of their results. Approximate\u0000correctness can be verified by replicating the entire analysis, but can we\u0000verify without replication? Building on a recent line of work, we study\u0000proof-systems that allow a probabilistic verifier to ascertain that the results\u0000of an analysis are approximately correct, while drawing fewer samples and using\u0000less computational resources than would be needed to replicate the analysis. We\u0000focus on distribution testing problems: verifying that an unknown distribution\u0000is close to having a claimed property. Our main contribution is a interactive protocol between a verifier and an\u0000untrusted prover, which can be used to verify any distribution property that\u0000can be decided in polynomial time given a full and explicit description of the\u0000distribution. If the distribution is at statistical distance $varepsilon$ from\u0000having the property, then the verifier rejects with high probability. This\u0000soundness property holds against any polynomial-time strategy that a cheating\u0000prover might follow, assuming the existence of collision-resistant hash\u0000functions (a standard assumption in cryptography). For distributions over a\u0000domain of size $N$, the protocol consists of $4$ messages and the communication\u0000complexity and verifier runtime are roughly $widetilde{O}left(sqrt{N} /\u0000varepsilon^2 right)$. The verifier's sample complexity is\u0000$widetilde{O}left(sqrt{N} / varepsilon^2 right)$, and this is optimal up\u0000to $polylog(N)$ factors (for any protocol, regardless of its communication\u0000complexity). Even for simple properties, approximately deciding whether an\u0000unknown distribution has the property can require quasi-linear sample\u0000complexity and running time. For any such property, our protocol provides a\u0000quadratic speedup over replicating the analysis.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"27 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201452","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

DroneXNFT: An NFT-Driven Framework for Secure Autonomous UAV Operations and Flight Data Management DroneXNFT：安全自主无人机操作和飞行数据管理的 NFT 驱动框架

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06507

Khaoula Hidawi

引用次数: 0

LLM-Enhanced Software Patch Localization LLM 增强型软件补丁本地化

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06816

Jinhong Yu, Yi Chen, Di Tang, Xiaozhong Liu, XiaoFeng Wang, Chen Wu, Haixu Tang

{"title":"LLM-Enhanced Software Patch Localization","authors":"Jinhong Yu, Yi Chen, Di Tang, Xiaozhong Liu, XiaoFeng Wang, Chen Wu, Haixu Tang","doi":"arxiv-2409.06816","DOIUrl":"https://doi.org/arxiv-2409.06816","url":null,"abstract":"Open source software (OSS) is integral to modern product development, and any\u0000vulnerability within it potentially compromises numerous products. While\u0000developers strive to apply security patches, pinpointing these patches among\u0000extensive OSS updates remains a challenge. Security patch localization (SPL)\u0000recommendation methods are leading approaches to address this. However,\u0000existing SPL models often falter when a commit lacks a clear association with\u0000its corresponding CVE, and do not consider a scenario that a vulnerability has\u0000multiple patches proposed over time before it has been fully resolved. To\u0000address these challenges, we introduce LLM-SPL, a recommendation-based SPL\u0000approach that leverages the capabilities of the Large Language Model (LLM) to\u0000locate the security patch commit for a given CVE. More specifically, we propose\u0000a joint learning framework, in which the outputs of LLM serves as additional\u0000features to aid our recommendation model in prioritizing security patches. Our\u0000evaluation on a dataset of 1,915 CVEs associated with 2,461 patches\u0000demonstrates that LLM-SPL excels in ranking patch commits, surpassing the\u0000state-of-the-art method in terms of Recall, while significantly reducing manual\u0000effort. Notably, for vulnerabilities requiring multiple patches, LLM-SPL\u0000significantly improves Recall by 22.83%, NDCG by 19.41%, and reduces manual\u0000effort by over 25% when checking up to the top 10 rankings. The dataset and\u0000source code are available at\u0000url{https://anonymous.4open.science/r/LLM-SPL-91F8}.","PeriodicalId":501332,"journal":{"name":"arXiv - CS - Cryptography and Security","volume":"57 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142201539","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

ChatGPT's Potential in Cryptography Misuse Detection: A Comparative Analysis with Static Analysis Tools ChatGPT 在密码学滥用检测中的潜力：与静态分析工具的比较分析

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06561

Ehsan Firouzi, Mohammad Ghafari, Mike Ebrahimi

引用次数: 0

Advancing Android Privacy Assessments with Automation 利用自动化推进安卓隐私评估

arXiv - CS - Cryptography and Security Pub Date : 2024-09-10 DOI: arxiv-2409.06564

Mugdha Khedkar, Michael Schlichtig, Eric Bodden

引用次数: 0