Conference Paper

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE

... Prior works (5GReasoner [41], LTEInspector [39], Touching the Untouchables [44]) have investigated RRC and NAS vulnerabilities, but are limited to open-source tools for LTE (e.g., srsLTE) and theoretical protocol evaluations for 5G. Practical 5G experimentation on PWS vulnerabilities and attacks has not been conducted. ...
... Thus an attacker can abuse these messages in order to exploit network users' RRC connections. The manipulation of these messages is apparent in past works on LTE [39,44] and 5G [20,41]. We confirm them and make them part of our PWS attacks. ...
... (5) Unprotected Paging Messages. Paging messages lack cryptographic protection, and thus are susceptible to spoofing and forgery [39,40]. Even though security enhancements have been considered and implemented [10,50] on 5G SA (temporary identifier usage (5G-TMSI or I-RNTI) instead of permanent identifiers, removal of the long-term permanent paging identifier, robust randomization and frequent refreshing of the temporary identifiers), the lack of integrity protection and authentication renders the aforementioned defenses inadequate for PWS cases. ...
Preprint
The Public Warning System (PWS) is an essential part of cellular networks and a country's civil protection. Warnings can notify users of hazardous events (e.g., floods, earthquakes) and crucial national matters that require immediate attention. PWS attacks disseminating fake warnings or concealing precarious events can have a serious impact, causing fraud, panic, physical harm, or unrest to users within an affected area. In this work, we conduct the first comprehensive investigation of PWS security in 5G networks. We demonstrate five practical attacks that may impact the security of 5G-based Commercial Mobile Alert System (CMAS) as well as Earthquake and Tsunami Warning System (ETWS) alerts. Additional to identifying the vulnerabilities, we investigate two PWS spoofing and three PWS suppression attacks, with or without a man-in-the-middle (MitM) attacker. We discover that MitM-based attacks have more severe impact than their non-MitM counterparts. Our PWS barring attack is an effective technique to eliminate legitimate warning messages. We perform a rigorous analysis of the roaming aspect of the PWS, incl. its potentially secure version, and report the implications of our attacks on other emergency features (e.g., 911 SIP calls). We discuss possible countermeasures and note that eradicating the attacks necessitates a scrupulous reevaluation of the PWS design and a secure implementation.
... With the methods of discovering protocol flaws becoming more intelligent and diverse in recent years [4] [41] [42] [43], relevant researchers have disclosed various security issues in both LTE and 5G mobile networks. Most of these revealed security vulnerabilities are based on the exploits of unprotected messages in mobile networks. ...
... The adversary can send an Identity Request message to instruct the UE to reveal its IMSI in the response message. Due to the AKA linkability vulnerability, by replaying an unauthenticated Authentication Request or a Security Mode Command message, the attacker can distinguish between the target UE and other UEs based on the difference in the response messages [3] [4]. Both IMSI catching and AKA linkability attacks are used to identify target users and track their locations, causing serious mobile privacy issues. ...
... Besides, the SQN exposure can also be exploited to derive location attacks even if the leak of permanent identity (through IMSI catching) and the AKA linkability vulnerability were fixed. The authentication relay attack [4] is a 4G MitM attack that relays all the necessary signalling messages (including unprotected initial messages) between the victim UE and the commercial network by setting up a fake base station and a fake UE. This attack enables an adversary to spoof a UE's location in the core network and thus poison the target user's location history. ...
Preprint
As an important public infrastructure, the security and reliability of mobile networks have a profound impact on people's production and life. Although the security of LTE/5G networks has been improved a lot, there are still some unprotected messages being transmitted between the cellular network and device, due to the symmetric key-based security architecture and the trade-off between the security and other criteria like network availability. By exploiting these messages, various security attacks have been proposed and demonstrated against commercial mobile networks in existing literature, such as user location tracking, bidding-down, and DoS attacks. To address this security issue, in this paper, we aim to protect these unauthenticated messages in mobile networks using digital signatures. We design a two-level Hierarchical Identity-Based Signature (HIBS) solution in detail in terms of different aspects such as keys generation and provisioning procedures, replay mitigation, and cell selection. The proposed solution also supports the protection of individual vulnerable RRC and NAS layer signalling in addition to authenticating the base station. We evaluated the efficiency and feasibility of several existing HIBS schemes and implemented the most efficient of them (Schnorr-HIBS) in a 5G standalone network using open-source software. The implementation results further proved the feasibility of the solution in practice.
... IMEI catching is feasible in both 2G/Global System for Mobile Communications (GSM) and 3G/Universal Mobile Telecommunication System (UMTS). However, with the methods of discovering LTE flaws becoming more intelligent and diverse [29,75,59,57], cellular security researchers have disclosed various security problems on different LTE layers in the air interface. Furthermore, with widely available and affordable Software-Defined Radio (SDR) tools, they demonstrated a large number of practical attacks against commercial LTE mobile networks by exploiting these vulnerabilities, such as International Mobile Subscriber Identity (IMSI) catching [100,109], user location tracking and Denial of Service (DoS) attacks [134,64], and LTE layer-two manipulation attacks [127,129]. ...
... Meanwhile, paging with IMSI is also allowed in LTE by the 3GPP specifications for recovery from some abnormal scenarios, e.g., when the TMSI is not available due to a network failure. By continually paging with IMSI, an attacker can make the target UE locally delete existing bearer contexts and detach itself from the LTE network, and thus suffer DoS [57,14,123]. For the sake of reducing battery consumption, the UE in RRC idle state wakes up to receive radio signals only once during every Discontinuous Reception (DRX) cycle. ...
... The UE will return to the RRC connected state upon receiving a paging message carrying its identifier. Therefore, by periodically sending spoofed paging messages to target UEs, an attacker can prevent these victims from ever returning to the RRC idle state, causing battery drain attacks [57,123]. Golde et al. [46] demonstrated the possibility of leveraging a race condition in the paging protocol to hijack mobile terminated services in GSM. ...
Article
The 4G/Long Term Evolution (LTE) has become the dominant mobile access technology worldwide so far, while the development of the 5G/NR (New Radio) cellular network is also accelerating. Like the previous generations of mobile networks, the LTE network has encountered many security problems during its practical implementation and use process, which are exploited by various wild attacks. Given the similarities between 5G and LTE in the protocol stack of air interface, it is an excellent opportunity to secure 5G mobile networks by reviewing existing attacks against LTE from the perspective of protocol layers. Motivated by this, a full view of the security attacks on the LTE protocol stack is organized and presented by layer in this paper. We propose a simple but effective method to investigate the existing attacks on LTE. We classify the attacks and review their impacts, causes, and defenses for each layer. After analyzing the current remediation situations of these attacks, we found that most security issues have been theoretically fixed through the countermeasures proposed in academic literature and 3GPP standards. However, whether the existing mobile networks have implemented these patches in practice remains to be verified. Moreover, we also noticed that there are still some unsolved security problems in the 5G air interface. Based on the survey results, we finally provide future work directions aiming to improve the air interface security of mobile networks by addressing these remaining security issues and practical security testing on deployed cellular networks.
... Hussain et al. [4] first presented this approach, exploited it to analyze three critical procedures (i.e., attach, paging, and detach procedures) of the 4G LTE network, and uncovered ten new attacks and nine prior attacks in the LTE network. Hu et al. [13] then used this systematic approach to study the registration procedure, authentication procedure, deregistration procedure, security mode command procedure, service request procedure, and identification procedure in the 5G network for analyzing the NAS layer signaling security. ...
... NAS security ensures that the signaling between UE and AMF can be transmitted securely on the control plane, while AS security aims to deliver RRC messages and IP packets securely. ...
(Table rows, flattened in extraction; each row lists vulnerability, resulting attacks with references, and description:)
Potential for IMSI/SUPI catching in some protocol edge cases, such as when an unauthenticated emergency call is maliciously triggered.
Device fingerprinting using exposed device capabilities: identification attacks, bidding down attacks, and battery draining attacks [7]. Exploiting unprotected device capabilities' information for identification attacks, bidding down attacks, and battery drain attacks against cellular devices.
Location tracking: location leaks [7]. Link device fingerprints to SUPI and track the user's location.
Silent downgrade to GSM: man-in-the-middle attacks, SMS snooping, and phone call [2,4,6,7]. Silent GSM downgrade using preauthentication messages from a malicious base station broadcasting a Mobile Country and Network Code (MCC-MNC) of a network with no public key provisioned in the USIM.
Attach/Tracking Area Update (TAU) request DoS [2,4,6]. DoS of 5G mobile devices caused by malicious base stations broadcasting a valid MCC-MNC combination for a network with no public key provisioned in the USIM. ...
Article
The 5G network makes our lives delicate and more pleasant, and its security will impact the operation of the entire society. Compared with the LTE network, 5G brings up many new security features and possesses more sophisticated and robust security mechanisms, while there are still many potential security issues with the 5G network. Therefore, the security analysis of the 5G network is highly crucial. Use of the null security algorithms (i.e., NEA0 and NIA0) in normal communication is a security vulnerability that exists and has not been fully addressed in the LTE network, but in the 5G network, no studies have been performed so far to demonstrate whether this security vulnerability still exists. Therefore, in this paper, we apply a systematic approach based on the principle of model checking to verify this. We conduct an in-depth analysis of the signaling interaction and security mechanism for the attach procedure in the 5G network. We then model UE and AMF as two synchronous communicating finite-state machines, extract the desired properties from the relevant 3GPP specifications, and construct an adversary model to test the system's security. By observing the operation of the state machines and analyzing the relevant protocol behavior, we discover that faulty security algorithm selection could result in the acceptance of the null security algorithms (i.e., NEA0 and NIA0) on the side of the core network, and attackers can exploit this to trigger IP spoofing attacks and SUPI catching attacks on the victim UE. We analyze the root cause of these network attacks and propose an anomaly detection method to prevent these network attacks from being launched effectively.
... Problem. Recent work has demonstrated the effectiveness of formal verification in identifying logical vulnerabilities in 4G LTE [2] and 5G NR [3] protocols. Most of these proposals, however, primarily focus on developing a standalone security and privacy analysis framework for verifying specifications of protocols on a manually constructed simplified model, which is hardly an option for commercial-scale complex implementations. ...
... Challenge. Prior work [2], [3], [10], [11] evaluating the design of cellular network protocols represents the high-level protocol interactions with finite state machines (FSMs) and evaluates the FSMs against desired security and privacy properties. Such approaches can also be naturally applied to the FSM's of 4G LTE protocol implementations. ...
... For model checking, like LTEInspector [2], we combine the reasoning powers of the symbolic model checker and a cryptographic protocol verifier to detect logical vulnerabilities that adhere to the cryptographic constructs of the protocol. The reason behind combining the model checker and cryptographic protocol verifier is to: (i) efficiently capture all the desired properties that we have observed; (ii) reason about rich temporal properties (e.g., safety, liveliness, correspondence) that could not be captured if one of them is solely used. ...
Conference Paper
Cellular protocol implementations must comply with the specifications and with the security and privacy requirements. These implementations, however, often deviate from the security and privacy requirements due to under-specification in cellular standards, inherent protocol complexities, and design flaws inducing logical vulnerabilities. Detecting such logical vulnerabilities in the complex and stateful 4G LTE protocol is challenging due to operational dependencies on internal states and intertwined complex protocol interactions among multiple participants. In this paper, we address these challenges and develop ProChecker, which (1) extracts a precise semantic model as a finite-state machine of the implementation by combining dynamic testing with static instrumentation, and (2) verifies the properties against the extracted model by combining a symbolic model checker and a cryptographic protocol verifier. We demonstrate the effectiveness of ProChecker by evaluating it on a closed-source and two of the most popular open-source 4G LTE control-plane protocol implementations with 62 properties. ProChecker unveiled 3 new protocol-specific logical attacks, 6 implementation issues, and detected 14 prior attacks. The impact of the attacks ranges from denial-of-service, broken integrity, encryption, and replay protection to privacy leakage.
... Along with global-scale communication, cellular networks facilitate a wide range of critical applications and services including earthquake and tsunami warning system (ETWS), telemedicine, and smart-grid electricity distribution. Unfortunately, cellular networks, including the most recent generation, have been often plagued with debilitating attacks due to design weaknesses [29], [30], [31], [11] and deployment slip-ups [52], [36], [26], [42]. Implications of these attacks range from intercepting and eavesdropping messages, tracking users' locations, and disrupting cellular services, which in turn may severely affect the security and privacy of both individual users and primary operations of a nation's critical infrastructures. ...
... In addition, although the majority of existing work focuses on discovering new attacks through analysis of the control-plane protocol specification or deployment [29], [30], [52], [36], [11], [31], [26], [42], only a handful of efforts have focused on proposing defense mechanisms or any apparatus to detect attack occurrences [20], [39], [44], [55], [32]. Unfortunately, these proposed mechanisms are far from being widely adopted since they suffer from one of the following limitations: (i) they require modifications to an already deployed cellular network protocol [32], which requires network operator cooperation; (ii) they focus on identifying particular attacks and hence are not easily extensible [20], [39], [44], [55]; and (iii) they fail to handle realistic scenarios (e.g., roaming) [32]. ...
... For instance, not using encryption for protecting traffic is considered a vulnerability in our presentation. Even though null encryption is permitted by the specification on the NAS layer [1], we argue that this is an unsafe practice since subsequent NAS traffic (e.g., SMS over NAS [36], [29]) would be exposed in plaintext. ...
... ToRPEDO is not only applicable to 4G but also to the current version of 5G. Once the attacker knows the victim's paging occasion from ToRPEDO, the attacker can hijack the victim's paging channel [4]. This would consequently enable the attacker to mount a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services (e.g., SMS). ...
... This would consequently enable the attacker to mount a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services (e.g., SMS). The attacker can also inject fabricated emergency messages (e.g., Amber alert) using paging channel hijacking [4]. With ToRPEDO, the attacker can also detect the victim's presence in any cellular area provided that the attacker has a sniffer in that area. ...
... One exceptional case we considered is to block UE test from receiving the paging message from the network. For this, we rely on a prior attack called paging channel hijacking [4]. We also established a sniffer to pick up any paging messages containing IMSI. ...
... Along with global-scale communication, cellular networks facilitate a wide range of critical applications and services including earthquake and tsunami warning system (ETWS), telemedicine, and smart-grid electricity distribution. Unfortunately, cellular networks, including the most recent generation, have been often plagued with debilitating attacks due to design weaknesses [31,32,33,14] and deployment slip-ups [56, 38,28,45]. Implications of these attacks range from intercepting and eavesdropping messages, tracking users' locations, and disrupting cellular services, which in turn may severely affect the security and privacy of both individual users and primary operations of a nation's critical infrastructures. ...
... In addition, although the majority of existing work focuses on discovering new attacks through analysis of the control-plane protocol specification or deployment [31,32,56,38,14,33,28,45], only a handful of efforts have focused on proposing defense mechanisms or any apparatus to detect attack occurrences [23,42,47,59,34]. Unfortunately, these proposed mechanisms are far from being widely adopted since they suffer from one of the following limitations: (i) they require modifications to an already deployed cellular network protocol [34], which requires network operator cooperation; (ii) they focus on identifying particular attacks and hence are not easily extensible [23,42,47,59]; and (iii) they fail to handle realistic scenarios (e.g., roaming) [34]. ...
... For instance, not using encryption for protecting traffic is considered a vulnerability in our presentation. Even though null encryption is permitted by the specification on the NAS layer [1], we argue that this is an unsafe practice since subsequent NAS traffic (e.g., SMS over NAS [38,31]) would be exposed in plaintext. ...
Preprint
End-user-devices in the current cellular ecosystem are prone to many different vulnerabilities across different generations and protocol layers. Fixing these vulnerabilities retrospectively can be expensive, challenging, or just infeasible. A pragmatic approach for dealing with such a diverse set of vulnerabilities would be to identify attack attempts at runtime on the device side, and thwart them with mitigating and corrective actions. Towards this goal, in the paper we propose a general and extendable approach called Phoenix for identifying n-day cellular network control-plane vulnerabilities as well as dangerous practices of network operators from the device vantage point. Phoenix monitors the device-side cellular network traffic for performing signature-based unexpected behavior detection through lightweight runtime verification techniques. Signatures in Phoenix can be manually-crafted by a cellular network security expert or can be automatically synthesized using an optional component of Phoenix, which reduces the signature synthesis problem to the language learning from the informant problem. Based on the corrective actions that are available to Phoenix when an undesired behavior is detected, different instantiations of Phoenix are possible: a full-fledged defense when deployed inside a baseband processor; a user warning system when deployed as a mobile application; a probe for identifying attacks in the wild. One such instantiation of Phoenix was able to identify all 15 representative n-day vulnerabilities and unsafe practices of 4G LTE networks considered in our evaluation with a high packet processing speed (~68000 packets/second) while inducing only a moderate amount of energy overhead (~4mW).
... Arapinis et al. modeled and analyzed the security of 3G protocols using a formal approach to expose new threats to user privacy in 3G, proposed a remediation scheme for this problem and verified the effectiveness of the remediation scheme by a formal analysis tool [12]. Hussain et al. used the ProVerif tool to analyze security threats in LTE networks [13]. Basin et al. used Tamarin Prover, a security protocol verification tool, to conduct a comprehensive and systematic security assessment of 5G security models [14]. ...
... AVISPA is a highly automated protocol security validation tool. In recent years, the formal analysis of 5G-related protocols is mostly done by AVISPA [18], ProVerif [13], and Tamarin Prover [15]. Over the years, many scholars have used AVISPA to analyze the security of proposed solutions. ...
Article
As the signaling processing center of 5G, the security and stability of the 5G Core Network (5GC) are of great importance for 5G. The current 5GC consists of multiple mutually independent Network Functions (NFs). However, the NF service access procedure does not match NF service requests and business processes. NFs can request authorized services for access at any time, which poses a security threat to NFs and user data. This paper proposes a security enhancement scheme for NF service access procedures based on the business process, which realizes the management of the NF business process. The NRF adds a token identifier field bound to the business process in the access token and establishes an access token repository to store the token identifier. NF Service Producer introduces an access token re-signature mechanism and a shared repository of responded access tokens. The security of the proposed scheme is verified by theoretical analysis and formal analysis, and the performance of the proposed scheme is evaluated in terms of response rate and resource consumption. The experimental results show that the proposed scheme can meet the security requirement with little efficiency degradation under the condition of increasing certain resource loss.
... ℎ are charging facilities following a predictable or attacker-manipulated schedule. This can be achieved by manipulating the communication of charge points as described in Sections 7.2, 8 and Annex A, or by hijacking their cellular connections using one of the proven methods [9,18,37,49,51,53,65,69]. ...
... Alternatively, WiFi access could be used. Moreover, a cellular connection by itself would not hold the attacker back, due to the known security issues of the existing mobile communication standards like GSM [9], SS7 [53], UMTS [49], and LTE [37,65]. So the lack of authentication and integrity protection allows the attacker to eavesdrop on or redirect mobile traffic of charge points in the area via a false base station [18,51,69]. ...
... As the safety cost and termination condition are primarily related to the safety testing purpose, this paper focuses on variants of the first two components, i.e. the state-action exploration mechanisms (assuming the same but arbitrarily selected cost and termination condition). This fundamentally covers most of the so-called adversarial safety testing algorithms [8] that prioritize the exploration of critical states, hostile testing actions and high-risk testing policies based on data-driven learning [7], [9], [10], [11], [12], [13], [14], [15], [16], analytical modeling [17], [18] and expert knowledge [19], [20], [21], [22], [23]. It is commonly believed that an adversarial testing approach would accelerate the testing process [6], [8], provide worst-case safety guarantee, enhance robustness and resilience of the SR against perturbations [24]. ...
... (iii) Otherwise, the above aggressiveness comparison still remains valid if $\Phi^2_\delta$ does not deviate too much from $\Phi^1_\delta$, with the allowed deviation formally justified by (17c) using the sets of centroids $\Phi^1_s$ and $\Phi^2_s$ (lines 12-13). (iv) The last possible outcome is that $\Phi^1_\delta$ differs from $\Phi^2_\delta$ significantly (lines 15-17); one thus relies on the formal quantification (see Algorithm 4 in Appendix D) of the $\epsilon\delta$-almost safe set for $T_E^{\pi_2}$ to give the comparison outcome. ...
Preprint
This paper studies the class of scenario-based safety testing algorithms in the black-box safety testing configuration. For algorithms sharing the same state-action set coverage with different sampling distributions, it is commonly believed that prioritizing the exploration of high-risk state-actions leads to a better sampling efficiency. Our proposal disputes the above intuition by introducing an impossibility theorem that provably shows all safety testing algorithms of the aforementioned difference perform equally well with the same expected sampling efficiency. Moreover, for testing algorithms covering different sets of state-actions, the sampling efficiency criterion is no longer applicable as different algorithms do not necessarily converge to the same termination condition. We then propose a testing aggressiveness definition based on the almost safe set concept along with an unbiased and efficient algorithm that compares the aggressiveness between testing algorithms. Empirical observations from the safety testing of bipedal locomotion controllers and vehicle decision-making modules are also presented to support the proposed theoretical implications and methodologies.
... Even worse, there are always gaps between the customized MP implementations and the standard MP specification, such as the differences on the configuration, parameter semantics, and interaction logic. Therefore, previous work on analyzing the high-level protocol specifications [23,27,28,34] is hardly applicable in the IoT context. Complex and closed-source MP workflow. ...
... Meanwhile, a number of verification tools have been developed, such as ProVerif [24] and Tamarin [17]. These formal verification tools have proved valuable in assessing the security of protocols, such as TLS 1.3 [23,28], LTE [34] and 5G AKA [22,27]. By contrast, our framework focuses on the security analysis of protocol implementations. ...
Preprint
Facilitated by messaging protocols (MP), many home devices are connected to the Internet, bringing convenience and accessibility to customers. However, most deployed MPs on IoT platforms are fragmented and are not implemented carefully to support secure communication. To the best of our knowledge, there is no systematic solution to perform automatic security checks on MP implementations yet. To bridge the gap, we present MPInspector, the first automatic and systematic solution for vetting the security of MP implementations. MPInspector combines model learning with formal analysis and operates in three stages: (a) using parameter semantics extraction and interaction logic extraction to automatically infer the state machine of an MP implementation, (b) generating security properties based on meta properties and the state machine, and (c) applying automatic property based formal verification to identify property violations. We evaluate MPInspector on three popular MPs, including MQTT, CoAP and AMQP, implemented on nine leading IoT platforms. It identifies 252 property violations, leveraging which we further identify eleven types of attacks under two realistic attack scenarios. In addition, we demonstrate that MPInspector is lightweight (the average overhead of end-to-end analysis is ~4.5 hours) and effective with a precision of 100% in identifying property violations.
... For instance, an attacker may launch additional attacks by downgrading to a vulnerable 2G/3G connection or leveraging unprotected RRC and NAS messages to get sensitive data (e.g., IMSI, IMEI) as in [31,35,42]. Furthermore, modifying messages and manipulating the user-plane traffic [43,44] might also be possible after UE reattachment to the genuine network. ...
... We have repeatedly witnessed serious vulnerabilities that affect 5G's predecessors [27,31,42,44,45], but also 5G itself [20,47], even though its security baseline is more robust. Security flaws have been uncovered regarding various network components, such [21], the unprotected RRC and NAS messages [35], the insecure roaming protocols (e.g., Diameter and SS7) [29] and the unencrypted sensitive information (IMSI, IMEI, etc.) [24,39]. ...
... To further evaluate the detection performance of our model, we consider the authentication synchronization failure attack described in [51]. This attack aims at causing a DoS against a target UE by sending many attach requests to the MME. ...
... We simulated the authentication synchronization failure attack as described in [51] by reconnecting a UE many times to cause multiple AIR messages to be sent by the MME to the HSS to generate a new test dataset. The experiment result recorded on the corresponding test dataset presents comparable F1-score (0.84), precision (0.89) and recall (0.83) to those reported for the RSR attack. ...
Chapter
Application-layer protocols are widely adopted for signaling in telecommunication networks such as the 5G networks. However, they can be subject to application-layer attacks that are hardly detected by existing traditional network-based security tools that often do not support telecommunication-specific applications. To address this issue, we propose in this work AutoGuard, a proactive anomaly detection solution that employs application-layer Performance Measurement (PM) counters to train two different Deep Learning (DL) techniques, namely, Long Short Term Memory (LSTM) networks and AutoEncoders (AEs). We leverage recent advancements in Machine Learning (ML) that show the advantages brought by combining multiple ML models to build a dual-intelligence approach allowing the proactive detection of application layer anomalies. Our proposed dual-intelligence solution promotes signaling workload forecasting and anomaly prediction as a proactive security control in 5G networks. As a proof of concept, we implement our approach for the proactive detection of Diameter-related signaling attacks on the Home Subscriber Server (HSS) core network function. To evaluate our solution, we conduct a set of experiments using data collected from a real 5G testbed. Our results show the effectiveness of our dual intelligence approach on proactively detecting signaling anomalies with a precision reaching 0.86.
... Research into LTE security vulnerabilities helps to understand security threats on the proposed security model design framework. In [5], LTEInspector is proposed, which analyzes the LTE system by leveraging the combined power of a symbolic model checker and a protocol verifier through a model-based adversarial testing approach. For 3 critical procedures of the 4G LTE protocol (attach, paging, and detach), 10 novel and 9 known attacks were found using LTEInspector. ...
... The attacks caused a denial of service, phishing messages, and eavesdropping/manipulation of the data traffic. Table 2 summarizes the characteristics of the approaches in [5][6][7]. ...
Article
Full-text available
National disasters can threaten national security and require several organizations to integrate the functionalities to correspond to the event. Many countries are constructing a nationwide mobile communication network infrastructure to share information and promptly communicate with corresponding organizations. Public Safety Long-Term Evolution (PS-LTE) is a communication mechanism adopted in many countries to achieve such a purpose. Organizations can increase the efficiency of public protection and disaster relief (PPDR) operations by securely connecting the services run on their legacy networks to the PS-LTE infrastructure. This environment allows the organizations to continue facilitating the information and system functionalities provided by the legacy network. The vulnerabilities in the environment, which differ from commercial LTE, need to be resolved to connect the network securely. In this study, we propose a security model design framework to derive the system architecture and the security requirements targeting the restricted environment applied by certain technologies for a particular purpose. After analyzing the PPDR operation environment’s characteristics under the PS-LTE infrastructure, we applied the framework to derive the security model for organizations using PPDR services operated in their legacy networks through this infrastructure. Although the proposed security model design framework is applied to the specific circumstance in this research, it can be generally adopted for the application environment.
... Specifically for LTE, analysis in [8] gives comprehensive coverage on a number of security aspects of the LTE system. Security researchers developed and used specific analysis tools to analyze and evaluate the weakness of the mobile system such as in [12]. ...
... In this message, the ME provides the generated tokens T_RspB. (12) The CN in PLMN-1 compares the received T_RxpB and T_ExpB. ...
... All the attacks in our demonstration (§V) leverage well-known data manipulation techniques. Our framework complements those that do not assume ML (e.g., [72]). ...
Preprint
Full-text available
Fifth Generation (5G) networks must support billions of heterogeneous devices while guaranteeing optimal Quality of Service (QoS). Such requirements are impossible to meet with human effort alone, and Machine Learning (ML) represents a core asset in 5G. ML, however, is known to be vulnerable to adversarial examples; moreover, as our paper will show, the 5G context is exposed to yet another type of adversarial ML attacks that cannot be formalized with existing threat models. Proactive assessment of such risks is also challenging due to the lack of ML-powered 5G equipment available for adversarial ML research. To tackle these problems, we propose a novel adversarial ML threat model that is particularly suited to 5G scenarios, and is agnostic to the precise function solved by ML. In contrast to existing ML threat models, our attacks do not require any compromise of the target 5G system while still being viable due to the QoS guarantees and the open nature of 5G networks. Furthermore, we propose an original framework for realistic ML security assessments based on public data. We proactively evaluate our threat model on 6 applications of ML envisioned in 5G. Our attacks affect both the training and the inference stages, can degrade the performance of state-of-the-art ML systems, and have a lower entry barrier than previous attacks.
... Denial of service on the control plane: Generating unknown packets from the data plane to the control plane can achieve denial of service when the number of packets is high [84]. Frameworks for Vulnerability Detection: Due to the complexity of cellular networks, multiple works suggested methods to automate the process for vulnerability detection in LTE infrastructure [39], [78] and protocols [75], [49]. Those methods, with some changes, may also be used to evaluate the O-RAN security, and to detect vulnerabilities. ...
Preprint
Full-text available
The Open Radio Access Network (O-RAN) is a promising RAN architecture, aimed at reshaping the RAN industry toward an open, adaptive, and intelligent RAN. In this paper, we conducted a comprehensive security analysis of Open Radio Access Networks (O-RAN). Specifically, we review the architectural blueprint designed by the O-RAN alliance -- A leading force in the cellular ecosystem. Within the security analysis, we provide a detailed overview of the O-RAN architecture; present an ontology for evaluating the security of a system, which is currently at an early development stage; detect the primary risk areas to O-RAN; enumerate the various threat actors to O-RAN; and model potential threats to O-RAN. The significance of this work is providing an updated attack surface to cellular network operators. Based on the attack surface, cellular network operators can carefully deploy the appropriate countermeasure for increasing the security of O-RAN.
... The authentication decision model of a home network to consult a serving network during UE authentication in 4G also has many security flaws. Because the decision is made solely by the serving network, a well-organized attacker can create fake serving networks to track subscribers [59], [60]. Another big vulnerability lies in the Voice over LTE (VoLTE) service [61], [62], which uses packet-based LTE networks and IP protocol to establish voice and media calls. ...
Article
Full-text available
Sixth-generation (6G) mobile networks will have to cope with diverse threats on a space-air-ground integrated network environment, novel technologies, and an accessible user information explosion. However, for now, security and privacy issues for 6G remain largely in concept. This survey provides a systematic overview of security and privacy issues based on prospective technologies for 6G in the physical, connection, and service layers, as well as through lessons learned from the failures of existing security architectures and state-of-the-art defenses. Two key lessons learned are as follows. First, other than inheriting vulnerabilities from the previous generations, 6G has new threat vectors from new radio technologies, such as the exposed location of radio stripes in ultra-massive MIMO systems at Terahertz bands and attacks against pervasive intelligence. Second, physical layer protection, deep network slicing, quantum-safe communications, artificial intelligence (AI) security, platform-agnostic security, real-time adaptive security, and novel data protection mechanisms such as distributed ledgers and differential privacy are the top promising techniques to mitigate the attack magnitude and personal data breaches substantially.
... The authentication decision model of a home network to consult a serving network during UE authentication in 4G also has many security flaws. Because the decision is made solely by the serving network, a well-organized attacker can create fake serving networks to track subscribers [59], [60]. Another big vulnerability lies in the Voice over LTE (VoLTE) service [61], [62], which uses packet-based LTE networks and IP protocol to establish voice and media calls. ...
Preprint
Full-text available
Sixth-generation (6G) mobile networks will have to cope with diverse threats on a space-air-ground integrated network environment, novel technologies, and an accessible user information explosion. However, for now, security and privacy issues for 6G remain largely in concept. This survey provides a systematic overview of security and privacy issues based on prospective technologies for 6G in the physical, connection, and service layers, as well as through lessons learned from the failures of existing security architectures and state-of-the-art defenses. Two key lessons learned are as follows. First, other than inheriting vulnerabilities from the previous generations, 6G has new threat vectors from new radio technologies, such as the exposed location of radio stripes in ultra-massive MIMO systems at Terahertz bands and attacks against pervasive intelligence. Second, physical layer protection, deep network slicing, quantum-safe communications, artificial intelligence (AI) security, platform-agnostic security, real-time adaptive security, and novel data protection mechanisms such as distributed ledgers and differential privacy are the top promising techniques to mitigate the attack magnitude and personal data breaches substantially.
... Hussain et al. [19] proposed a systematic model-based adversarial testing approach LTEInspector that leverages the combined power of a symbolic model checker and a protocol verifier for analyzing the critical procedures of the 4G LTE network. They exposed ten new attacks. ...
Article
Full-text available
As a newly proposed secure transport protocol, QUIC aims to improve the transport performance of HTTPS traffic and enable rapid deployment and evolution of transport mechanisms. QUIC is currently in the IETF standardization process and will potentially carry a significant portion of Internet traffic in the emerging future. An important safety goal of QUIC protocol is to provide effective data service for users. To meet this safety requirement, we propose a formal analysis method to analyze the safety of QUIC handshake protocol by using model checker SPIN and cryptographic protocol verifier ProVerif. Our analysis shows the counterexamples to safety properties, which reveal a design flaw in the current protocol specification. To this end, we also propose and verify a possible fix that is able to mitigate these flaws.
1. Introduction
As a newly proposed secure transport protocol, QUIC aims to improve the transport performance of HTTPS traffic and enable rapid deployment and evolution of transport mechanisms. In the OSI reference architecture, QUIC is above the network layer and spans the transport layer, session layer, presentation layer, and application layer. It uses UDP instead of TCP in the transport layer. In the session layer and presentation layer, QUIC abandons the TLS1.2 protocol and self-encapsulates the TLS stack for protocol encryption. In the application layer, HTTP/2 is only responsible for HTTP protocol parsing, and QUIC can fulfill the functions of HTTP/2 multiplexing and link management. The position of QUIC in the HTTPS protocol stack is shown in Figure 1. Different from the traditional HTTP/2 + TLS + TCP scheme, QUIC can run completely in the user space rather than the system kernel based on UDP protocol. Therefore, QUIC can be rapidly deployed like an application program and continuously updated iteratively according to the usage requirements.
... Several weaknesses exist in 4G and 5G protocols [51]-[54]. A central challenge is that part of the control plane communication is unprotected, which exposes communication to passive eavesdropping, tracking of user equipment, or to active tampering (DoS) or man-in-the-middle attacks. ...
Article
Full-text available
The forthcoming communication networks for public safety authorities rely on the fifth generation (5G) of mobile networking technologies. Police officers, paramedics, border guards, as well as fire and rescue personnel, will connect through commercial operator’s access network and rapidly deployable tactical bubbles. This transition from closed and dedicated infrastructure to hybrid architecture will expand the threat surface and expose mission-critical applications and sensitive information to cyber and physical adversaries. We explore and survey security architecture and enablers for prioritized public safety communication in 5G networks. We identify security threat scenarios and analyze enabling vulnerabilities, threat actors, attack vectors, as well as risk levels. Security enablers are surveyed for tactical access and core networks, commercial infrastructure, and mission-critical applications, starting from push-to-talk and group video communication and leading to situational-awareness and remote-controlled systems. Two solutions are trialed and described in more detail: remote attestation enhanced access control for constrained devices, and securing of satellite backhauls. We also discuss future research directions highlighting the need for enablers to automate security of rapid deployments, for military-grade cost-effective customizations of commercial network services to ensure robustness, and for hardening of various types of public safety equipment.
... Many papers [5,6,7,8,9] have described the protocol vulnerabilities that permit an attacker to deceive the user equipment, and showed how to implement IMSI catching techniques over inexpensive SDR platforms. Also, other papers [10,11,12] have developed solutions, such as IMSI Catcher "Catchers", to detect and/or thwart an IMSI catching attack in progress. ...
Article
IMSI catching attacks are a type of privacy threats designed to locate and track specific users by gathering their long-term identifiers, i.e., their International Mobile Subscriber Identity (IMSI). In order to understand how different mobile phone brands respond to different attack methods, this article makes a twofold contribution. We first address the feasibility and practicality of IMSI Catchers using off-the-shelf Software-Defined-Radio (SDR) platforms and two open source frameworks - OpenAirInterface and srsLTE. Second, we evaluate the behavior of different mobile phone brands/modems, when they are under attack. Specifically, we performed experiments on 26 4G devices and four more recent ones also supporting 5G. In each experiment we performed two different attack types, and we tested the attacks when using/not using a radio-frequency jammer specifically designed for our purposes. Our tests show that the sheer majority of the devices under test (also the last ones 3GPP Release 15 compliant) surrender even without any jamming. Finally, we have verified that network deployments have no impact — we repeated tests on four different operator’s networks —, and we also developed a portable IMSI Catcher using a Raspberry Pi4 so as to test the attacks over early 5G Non Stand-Alone deployments we could find in our cities.
... This is because a baseband implements numerous cellular protocols that have convoluted states; therefore, various stateful information should be considered in the analysis. Moreover, building a reference for logical bugs from the specifications is also not trivial [34], [35], [10], [33], [8]. Therefore, we invite future research in this field by introducing BASESPEC as an entry point. ...
... Fraud attacks with financial motive may send spam or advertising SMS messages to UEs [43] or even try to impersonate them [31], [50]. There could also be non-financial motive in which the attacker may poison UE's location [36] or send public warning messages to create panic in public [42], [56]. ...
Preprint
In recent years, there has been an increasing interest in false base station detection systems. Most of these rely on software that users download into their mobile phones. The software either performs an analysis of radio environment measurements taken by the mobile phone or reports these measurements to a server on the Internet, which then analyzes the aggregated measurements collected from many mobile phones. These systems suffer from two main drawbacks. First, they require modification to the mobile phones in the form of software and an active decision to participate from users. This severely limits the number of obtained measurements. Second, they do not make use of the information the mobile network has regarding network topology and configuration. This results in less reliable predictions than could be made. We present a network-based system for detecting false base stations that operate on any 3GPP radio access technology, without requiring modifications to mobile phones, and that allows taking full advantage of network topology and configuration information available to an operator. The analysis is performed by the mobile network based on measurement reports delivered by mobile phones as part of normal operations to maintain the wireless link. We implemented and validated the system in a lab experiment and a real operator trial. Our approach was adopted by the 3GPP standardization organization.
... O'Hanlon et al. [23] consider the interaction between 4G's authentication protocols and operator-backed WiFi services; they detail how the interaction between these can enable serious privacy violations, as well as their experiences reporting the discovered issues to the relevant stakeholders. Hussain et al. [18] combine symbolic model checking with cryptographic protocol verification for 4G's attach, detach, and paging procedures, discovering 10 new attacks, including an authentication relay attack, allowing an adversary to spoof the location of a legitimate user. ...
... Among the vulnerabilities of LTE deemed to be able to also affect 5G networks, R. Jover and V. Marojevic [14] describe IMSI exposure, and A. Shaik et al. [15] describe Denial of Service (DoS). S. R. Hussain et al. [16] describe a vulnerability that can perform a downgrade to an insecure connection, and Rupprecht et al. [17] describe a vulnerability that can perform location tracking and DNS hijacking. Fonyi [18] analyzed the security of 5G and attendant vulnerabilities in terms of confidentiality, integrity and availability. ...
Article
Full-text available
With the advent of 5G technology, the enhanced Mobile Broadband technology is translating 5G-based Internet of Things (IoT) such as smart home/building into reality. With such advances, security must mitigate greater risks associated with faster and more accessible technology. The 5G-based IoT security analysis is crucial to IoT Technology, which will eventually expand extensively into massive machine-type communications and Ultra-Reliable Low Latency Communications. This paper analyses the countermeasures and verification methods of eavesdropping vulnerabilities within IoT devices that use the current 5G Non-Standalone (NSA) network system. The network hierarchical structure of 5G-based IoT was evaluated for vulnerability analysis, performed separately for 5G Access Stratum (AS), Non-Access Stratum (NAS), and Internet Protocol (IP) Multimedia Subsystem (IMS). AS keystream reuse, NAS null-ciphering, and IMS IPsec off vulnerabilities were tested on mobile carrier networks to validate it on the 5G NSA network as well. A countermeasure against each vulnerability was presented, and our Intrusion Detection System based on these countermeasures successfully detected the presented controlled attacks.
Chapter
We introduce a linkability attack variant on 5G AKA that we call the Replay In GUTI (RIG) attack. Our attack investigates the case where the temporary identifier GUTI is used for identification. Recalling that the GUTI-based identification is the most frequently used case, the goal of the RIG attack is to check the presence of a target user in an attack area, that is by linking two Authentication and Key Agreement (AKA) sessions. We further explain how our attack works also against some enhancements of 5G AKA, in which the GUTI case is not covered. We focus on protocols where authentication requires a contribution from the User Equipment (UE). As an example of such enhancements, we discuss the works in [5, 15, 16], then we examine the protocol proposed in [2] in more detail. Moreover, we propose a USIM-compatible fix against our attack.
Chapter
Starting with GSM, cellular networks were the first systems where cryptography was applied on a large scale, authenticating millions of customers and encrypting the radio traffic. Basic ideas from GSM, like the use of SIM cards, encryption of radio traffic, challenge-and-response authentication, and roaming, have been integrated into the evolving security architectures of modern networks. Today, the weak security of GSM is much criticized, and GSM security should no longer be trusted – see the discussion on IMSI catchers in this chapter. Historically, GSM security has been impacted by the legal obligation to comply with crypto export controls [9]. The successor standards of GSM – UMTS, LTE, and 5G – have been developed in an open standardization process, and security mechanisms have been much improved. Attacks are still possible, but mitigations are available.
Article
Full-text available
As 5G telecom services evolve rapidly across a broad technological environment, network security in the 5G landscape emerges as a critically challenging issue. One of the typical network security tools is an intrusion prevention system (IPS) that monitors a network for malicious activity across the cyber-attack chain and takes action to prevent it. Vulnerabilities in 5G core networks become more varied and protocols become increasingly complex, whereby a conventional Next Generation Firewall (NGFW) is not enough anymore to respond to cyber attacks. As typical 5G vulnerability attacks, PFCP-in-GTP and IPSec disable attacks are highly complex to detect and cannot identify attackers without integrated session management. However, the 5G core network uses various protocols such as Non-Access Stratum (NAS), Hyper Text Transfer Protocol (HTTP), Packet Forwarding Control Protocol (PFCP), and GPRS Tunnelling Protocol (GTP), and packets of the interface used by each protocol are managed as identities that are difficult to identify. Analyzing the relationship of these interfaces in real time is an important key to integrated session management. In addition, unlike existing 4G, as 3rd Generation Partnership Project (3GPP) specs mandate encrypting 5G Standalone (SA) user IDs, it is much more difficult to identify from which user traffic has occurred in IPSs exclusive for cellular networks. With regard to the above subject, this paper introduces an efficient session management scheme for users not affordable in a conventional NGFW but necessarily useful for security systems in 5G SA. Furthermore, this study compared performances between conventional NGFWs and a 5G IPS system with the scheme employed, to ascertain that the scheme is feasibly implementable in a 5G SA network. The actual test results show a detection rate of 99.7% and reasonable resource overhead (Memory usage 37.8%, CPU usage 42–44%).
Article
5G and Internet of Things (IoT) are closely related and promote each other. Network Slice (NS) technology based on Software Defined Network (SDN) and Network Function Virtualization (NFV) has changed the traditional network architecture. Subsequently, the secure access authentication of IoT terminals for 5G networks and the selection of network slice services have become important issues for the deep integration of 5G and IoT. In this paper, we propose a dual-factor access authentication scheme for IoT terminals in 5G environments with network slice selection. To be specific, IoT terminals first use a Physical Unclonable Function (PUF) to ensure their own security, then use a secure one-way hash function, XOR calculation, and pseudo-identities to achieve anonymous authentication, and finally establish a secure connection with the 5G core network as well as the Management Architecture and Network Orchestration (MANO) to access customized network slices. The proposed protocol can eventually realize session key negotiation between IoT terminals, 5G core network elements and MANO entities to ensure data transmission security. We verify the security of the protocol through simulation and security analysis, and demonstrate the efficiency of the protocol by comparing it with state-of-the-art schemes.
Article
We devise new attacks exploiting the unprotected data-plane signaling in cellular IoT networks (aka both NB-IoT and Cat-M). We show that, despite the deployed security mechanisms on both control-plane signaling and data-plane packet forwarding, novel data-plane signaling attacks are still feasible. The attacker can forge both uplink and downlink data-plane signaling messages that pass the current security checks used by the receiver. With the capability of forging messages, the attacker can launch attacks that exhibit a variety of attack forms beyond simplistic packet-blasting, denial-of-service (DoS) threats, including location privacy breach, packet delivery loop, prolonged data delivery, throughput limiting, radio resource draining, connection reset, and multicast disabling. Our testbed evaluation and operational network validation have confirmed the attack viability. To combat the threat, we further propose a new defense solution within the 3GPP C-IoT standard framework. It leverages the synchronized timer clock information to protect the data-plane signaling messages with low overhead.
Chapter
Understanding attack patterns and attacker behavior has always been a prominent security research topic to provide insights into adversarial trends and defense strategies. In this paper, we demonstrate the process of analyzing adversarial trends in mobile communication systems using a conceptual threat modeling framework combined with graph analysis methodologies. We model 60 attacks using the Bhadra framework [30] and conduct graph-theory-based analysis to deduce insights. We observed the attack patterns, the diversity of attack paths given an attacker’s ability or target impact, and the importance of each technique from a network graph viewpoint and discussed potential defense strategies that mobile operators can deploy accordingly. Our main contribution is demonstrating the potential of Bhadra for analyzing the security posture of an operator’s network and simplifying the complexity of the mobile networks to communicate the security analysis results.
Conference Paper
Full-text available
Web tracking and advertising (WTA) nowadays are ubiquitously performed on the web, continuously compromising users' privacy. Existing defense solutions, such as widely deployed blocking tools based on filter lists and alternative machine learning based solutions proposed in prior research, have limitations in terms of accuracy and effectiveness. In this work, we propose WtaGraph, a web tracking and advertising detection framework based on Graph Neural Networks (GNNs). We first construct an attributed homogenous multi-graph (AHMG) that represents HTTP network traffic, and formulate web tracking and advertising detection as a task of GNN-based edge representation learning and classification in AHMG. We then design four components in WtaGraph so that it can (1) collect HTTP network traffic, DOM, and JavaScript data, (2) construct AHMG and extract corresponding edge and node features, (3) build a GNN model for edge representation learning and WTA detection in the transductive learning setting, and (4) use a pre-trained GNN model for WTA detection in the inductive learning setting. We evaluate WtaGraph on a dataset collected from Alexa Top 10K websites, and show that WtaGraph can effectively detect WTA requests in both transductive and inductive learning settings. Manual verification results indicate that WtaGraph can detect new WTA requests that are missed by filter lists and recognize non-WTA requests that are mistakenly labeled by filter lists. Our ablation analysis, evasion evaluation, and real-time evaluation show that WtaGraph can have a competitive performance with flexible deployment options in practice.
Preprint
Telecom networks together with mobile phones must be rigorously tested for robustness against vulnerabilities in order to guarantee availability. RRC protocol is responsible for the management of radio resources and is among the most important telecom protocols whose extensive testing is warranted. To that end, we present a novel RRC fuzzer, called Berserker, for 4G and 5G. Berserker's novelty comes from being backward and forward compatible to any version of 4G and 5G RRC technical specifications. It is based on RRC message format definitions in ASN.1 and additionally covers fuzz testing of another protocol, called NAS, tunneled in RRC. Berserker uses concrete implementations of telecom protocol stack and is unaffected by lower layer protocol handlings like encryption and segmentation. It is also capable of evading size and type constraints in RRC message format definitions. Berserker discovered two previously unknown serious vulnerabilities in srsLTE -- one of which also affects openLTE -- confirming its applicability to telecom robustness.
Article
The exploit kits (EKs) are used by attackers to distribute malware automatically and silently. Existing approaches to EKs detection usually need to perform dynamic analysis on the content contained in the network traffic, which requires dumping all the network traffic and thus causes high detection overhead. Although some approaches detect EKs based on static analysis, they usually fail to restore the complete attack path because of the obstruction set by the attackers. In this paper, we propose an approach that can detect EKs based on only information extracted by static analysis. Our method builds a graph for web sessions and extracts features from the graph to perform EKs detection. The built graph catches important structural characteristics of the interaction during EK attacks that were not revealed in existing methods, with which EKs can be detected with high accuracy. The experiments show that our method works well in both the ground-truth datasets and the latest practical cases. Our method can also identify the malicious websites concealed in EKs, which can further improve the efficiency of analysis.
Preprint
Full-text available
Location based services are expected to play a major role in future generation cellular networks, starting from the incoming 5G systems. At the same time, localization technologies may be severely affected by attackers capable of deploying low cost fake base stations and using them to alter localization signals. In this paper, we concretely focus on two classes of threats: noise-like jammers, whose objective is to reduce the signal-to-noise ratio, and spoofing/meaconing attacks, whose objective is to inject false or erroneous information into the receiver. Then, we formulate the detection problems as binary hypothesis tests and solve them resorting to the generalized likelihood ratio test design procedure as well as the Latent Variable Models, which involve the expectation-maximization algorithm to estimate the unknown data distribution parameters. The proposed techniques can be applied to a large class of location data regardless of the subsumed network architecture. The performance analysis is conducted over simulated data generated by using measurement models from the literature and highlights the effectiveness of the proposed approaches in detecting the aforementioned classes of attacks.
Conference Paper
Web-based malware equipped with stealthy cloaking and obfuscation techniques is becoming more sophisticated nowadays. In this paper, we propose J-FORCE, a crash-free forced JavaScript execution engine to systematically explore possible execution paths and reveal malicious behaviors in such malware. In particular, J-FORCE records branch outcomes and mutates them for further explorations. J-FORCE inspects function parameter values that may reveal malicious intentions and expose suspicious DOM injections. We addressed a number of technical challenges encountered. For instance, we keep track of missing objects and DOM elements, and create them on demand. To verify the efficacy of our techniques, we apply J-FORCE to detect Exploit Kit (EK) attacks and malicious Chrome extensions. We observe that J-FORCE is more effective compared to the existing tools.
Conference Paper
Web browsers are a key enabler of a wide range of online services, from shopping and email to banking and health services. Because these services frequently involve handling sensitive data, a wide range of web browser security policies and mechanisms has been implemented or proposed to mitigate the dangers posed by malicious code and sites. This paper describes an approach for specifying and enforcing flexible information-flow policies on the Chromium web browser. Complementing efforts that focus on information-flow enforcement on JavaScript, our approach focuses on an existing browser and encompasses a broad range of browser features, from pages and scripts to DOM elements, events, persistent state, and extensions. In our approach, which is a coarse-grained, light-weight implementation of taint tracking, entities in the browser are annotated with information-flow labels that specify policy and track information flows. We develop a detailed formal model of our approach, for which we prove noninterference. We also develop a corresponding prototype system built on top of Chromium. We demonstrate, and experimentally confirm, that the system can enforce many existing browser policies, as well as practically useful policies beyond those enforceable in standard web browsers.
Conference Paper
Recent advances in network traffic capturing techniques have made it feasible to record full traffic traces, often for extended periods of time. Among the applications enabled by full traffic captures, being able to automatically reconstruct user-browser interactions from archived web traffic traces would be helpful in a number of scenarios, such as aiding the forensic analysis of network security incidents. Unfortunately, the modern web is becoming increasingly complex, serving highly dynamic pages that make heavy use of scripting languages, a variety of browser plugins, and asynchronous content requests. Consequently, the semantic gap between user-browser interactions and the network traces has grown significantly, making it challenging to analyze the web traffic produced by even a single user. In this paper, we propose ClickMiner, a novel system that aims to automatically reconstruct user-browser interactions from network traces. Through a user study involving 21 participants, we collected real user browsing traces to evaluate our approach. We show that, on average, ClickMiner can correctly reconstruct between 82% and 90% of user-browser interactions with false positives between 0.74% and 1.16%, and that it outperforms reconstruction algorithms based solely on referrer-based approaches. We also present a number of case studies that aim to demonstrate how ClickMiner can aid the forensic analysis of malware downloads triggered by social engineering attacks.
Conference Paper
We investigate the emergence of the exploit-as-a-service model for drive-by browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker's control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim's machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through drive-by downloads--32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito. We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency with which their binaries are installed by drive-bys, as well as the lifetime and popularity of domains funneling users to exploits.
Conference Paper
In recent years, attacks targeting web browsers and their plugins have become a prevalent threat. Attackers deploy web pages that contain exploit code, typically written in HTML and JavaScript, and use them to compromise unsuspecting victims. Initially, static techniques, such as signature-based detection, were adequate to identify such attacks. The response from the attackers was to heavily obfuscate the attack code, rendering static techniques insufficient. This led to dynamic analysis systems that execute the JavaScript code included in web pages in order to expose malicious behavior. However, today we are facing a new reaction from the attackers: evasions. The latest attacks found in the wild incorporate code that detects the presence of dynamic analysis systems and try to avoid analysis and/or detection. In this paper, we present Revolver, a novel approach to automatically detect evasive behavior in malicious JavaScript. Revolver uses efficient techniques to identify similarities between a large number of JavaScript programs (despite their use of obfuscation techniques, such as packing, polymorphism, and dynamic code generation), and to automatically interpret their differences to detect evasions. More precisely, Revolver leverages the observation that two scripts that are similar should be classified in the same way by web malware detectors (either both scripts are malicious or both scripts are benign); differences in the classification may indicate that one of the two scripts contains code designed to evade a detector tool. Using large-scale experiments, we show that Revolver is effective at automatically detecting evasion attempts in JavaScript, and its integration with existing web malware analysis systems can support the continuous improvement of detection techniques.
Conference Paper
Over the last couple of years, the scope of Quality of Experience (QoE) research has been constantly extended, most recently to the field of Web QoE in the context of HTTP-based applications. In this paper, we address the question whether it is sufficient to reduce typical Web QoE assessment scenarios to the temporal aspects of waiting for task completion, which would allow attributing the resulting logarithmic laws to well-known psychological insights on human time perception. We demonstrate that while this attribution is valid for simple waiting tasks, which are typical for simple data services such as file downloads, the case of interactive web browsing is much more complex. We show that this is not only because technical issues prevent bandwidth and download time from being directly correlated with each other in a simple manner, but also because user-perceived web page load times strongly deviate from technical page load times. Consequently, existing approaches towards assessment and modeling of web browsing QoE have to be critically reviewed and redesigned.
Conference Paper
High-interaction honeyclients are the tools of choice to detect malicious web pages that launch drive-by-download attacks. Unfortunately, the approach used by these tools, which, in most cases, is to identify the side-effects of a successful attack rather than the attack itself, leaves open the possibility for malicious pages to perform evasion techniques that allow one to execute an attack without detection or to behave in a benign way when being analyzed. In this paper, we examine the security model that high-interaction honeyclients use and evaluate their weaknesses in practice. We introduce and discuss a number of possible attacks, and we test them against several popular, well-known high-interaction honeyclients. Our attacks evade the detection of these tools, while successfully attacking regular visitors of malicious web pages.
Conference Paper
Recovery from intrusions is typically a very time-consuming operation in current systems. At a time when the cost of human resources dominates the cost of computing resources, we argue that next generation systems should be built with automated intrusion recovery as a primary goal. In this paper, we describe the design of Taser, a system that helps in selectively recovering legitimate file-system data after an attack or local damage occurs. Taser reverts tainted, i.e. attack-dependent, file-system operations but preserves legitimate operations. This process is difficult for two reasons. First, the set of tainted operations is not known precisely. Second, the recovery process can cause conflicts when legitimate operations depend on tainted operations. Taser provides several analysis policies that aid in determining the set of tainted operations. To handle conflicts, Taser uses automated resolution policies that isolate the tainted operations. Our evaluation shows that Taser is effective in recovering from a wide range of intrusions as well as damage caused by system management errors.
Conference Paper
As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code’s complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.
Conference Paper
By supplying different versions of a web page to search engines and to browsers, a content provider attempts to cloak the real content from the view of the search engine. Semantic cloaking refers to differences in meaning between pages which have the effect of deceiving search engine ranking algorithms. In this paper, we propose an automated two-step method to detect semantic cloaking pages based on different copies of the same page downloaded by a web crawler and a web browser. The first step is a filtering step, which generates a candidate list of semantic cloaking pages. In the second step, a classifier is used to detect semantic cloaking pages from the candidates generated by the filtering step. Experiments on manually labeled data sets show that we can generate a classifier with a precision of 93% and a recall of 85%. We apply our approach to links from the dmoz Open Directory Project and estimate that more than 50,000 of these pages employ semantic cloaking.
Conference Paper
Detecting and explaining the nature of attacks in distributed web services is often difficult -- determining the nature of suspicious activity requires following the trail of an attacker through a chain of heterogeneous software components including load balancers, proxies, worker nodes, and storage services. Unfortunately, existing forensic solutions cannot provide the necessary context to link events across complex workflows, particularly in instances where application layer semantics (e.g., SQL queries, RPCs) are needed to understand the attack. In this work, we present a transparent provenance-based approach for auditing web services through the introduction of Network Provenance Functions (NPFs). NPFs are a distributed architecture for capturing detailed data provenance for web service components, leveraging the key insight that mediation of an application's protocols can be used to infer its activities without requiring invasive instrumentation or developer cooperation. We design and implement NPF with consideration for the complexity of modern cloud-based web services, and evaluate our architecture against a variety of applications including DVDStore, RUBiS, and WikiBench to show that our system imposes as little as 9.3% average end-to-end overhead on connections for realistic workloads. Finally, we consider several scenarios in which our system can be used to concisely explain attacks. NPF thus enables the hassle-free deployment of semantically rich provenance-based auditing for complex application workflows in the Cloud.
Conference Paper
We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.
Conference Paper
We present SymJS, a comprehensive framework for automatic testing of client-side JavaScript Web applications. The tool contains a symbolic execution engine for JavaScript, and an automatic event explorer for Web pages. Without any user intervention, SymJS can automatically discover and explore Web events, symbolically execute the associated JavaScript code, refine the execution based on dynamic feedbacks, and produce test cases with high coverage. The symbolic engine contains a symbolic virtual machine, a string-numeric solver, and a symbolic executable DOM model. SymJS's innovations include a novel symbolic virtual machine for JavaScript Web, symbolic+dynamic feedback directed event space exploration, and dynamic taint analysis for enhancing event sequence construction. We illustrate the effectiveness of SymJS on standard JavaScript benchmarks and various real-life Web applications. On average SymJS achieves over 90% line coverage for the benchmark programs, significantly outperforming existing methods.
Conference Paper
Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eavesdrop on SAS outputs and advanced malware can undetectably suppress or tamper with SAS messages to conceal attacks. We introduce PillarBox, a tool that enforces integrity for SAS data even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth, concealing SAS data and potentially even alerting rules on a compromised host. Using data from a large enterprise and on-host performance measurements, we show experimentally that PillarBox has minimal overhead and is practical for real-world systems.
Conference Paper
Sequential key generators produce a forward-secure sequence of symmetric cryptographic keys and are traditionally based on hash chains. An inherent disadvantage of such constructions is that they do not offer a fast-forward capability, i.e., lack a way to efficiently skip a large number of keys - a functionality often required in practice. This limitation was overcome only recently, with the introduction of seekable sequential key generators (SSKGs). The only currently known construction is based on the iterated evaluation of a shortcut one-way permutation, a factoring-based - and hence in practice not too efficient - building block. In this paper we revisit the challenge of marrying forward-secure key generation with seekability and show that symmetric primitives like PRGs, block ciphers, and hash functions suffice for obtaining secure SSKGs. Our scheme is not only considerably more efficient than the prior number-theoretic construction, but also extends the seeking functionality in a way that we believe is important in practice. Our construction is provably (forward-)secure in the standard model.
Conference Paper
JavaScript is widely used for writing client-side web applications and is getting increasingly popular for writing mobile applications. However, unlike C, C++, and Java, there are not that many tools available for analysis and testing of JavaScript applications. In this paper, we present a simple yet powerful framework, called Jalangi, for writing heavy-weight dynamic analyses. Our framework incorporates two key techniques: 1) selective record-replay, a technique which enables recording and faithfully replaying a user-selected part of the program, and 2) shadow values and shadow execution, which enable easy implementation of heavy-weight dynamic analyses. Our implementation makes no special assumption about JavaScript, which makes it applicable to real-world JavaScript programs running on multiple platforms. We have implemented concolic testing, an analysis to track origins of nulls and undefined, a simple form of taint analysis, an analysis to detect likely type inconsistencies, and an object allocation profiler in Jalangi. Our evaluation of Jalangi on the SunSpider benchmark suite and on five web applications shows that Jalangi has an average slowdown of 26X during recording and a 30X slowdown during replay and analysis. The slowdowns are comparable with slowdowns reported for similar tools, such as PIN and Valgrind for x86 binaries. We believe that the techniques proposed in this paper are applicable to other dynamic languages.
Conference Paper
During debugging, a developer must repeatedly and manually reproduce faulty behavior in order to inspect different facets of the program's execution. Existing tools for reproducing such behaviors prevent the use of debugging aids such as breakpoints and logging, and are not designed for interactive, random-access exploration of recorded behavior. This paper presents Timelapse, a tool for quickly recording, reproducing, and debugging interactive behaviors in web applications. Developers can use Timelapse to browse, visualize, and seek within recorded program executions while simultaneously using familiar debugging tools such as breakpoints and logging. Testers and end-users can use Timelapse to demonstrate failures in situ and share recorded behaviors with developers, improving bug report quality by obviating the need for detailed reproduction steps. Timelapse is built on Dolos, a novel record/replay infrastructure that ensures deterministic execution by capturing and reusing program inputs both from the user and from external sources such as the network. Dolos introduces negligible overhead and does not interfere with breakpoints and logging. In a small user evaluation, participants used Timelapse to accelerate existing reproduction activities, but were not significantly faster or more successful in completing the larger tasks at hand. Together, the Dolos infrastructure and Timelapse developer tool support systematic bug reporting and debugging practices.
Conference Paper
Software vulnerabilities have had a devastating effect on the Internet. Worms such as CodeRed and Slammer can compromise hundreds of thousands of hosts within hours or even minutes, and cause millions of dollars of damage (25, 42). To successfully combat these fast automatic Internet attacks, we need fast automatic attack detection and filtering mechanisms. In this paper we propose dynamic taint analysis for automatic detection of overwrite attacks, which include most types of exploits. This approach does not need source code or special compilation for the monitored program, and hence works on commodity software. To demonstrate this idea, we have implemented TaintCheck, a mechanism that can perform dynamic taint analysis by performing binary rewriting at run time. We show that TaintCheck reliably detects most types of exploits. We found that TaintCheck produced no false positives for any of the many different programs that we tested. Further, we describe how TaintCheck could improve automatic signature generation in several ways.
Conference Paper
Current intrusion detection systems point out suspicious states or events but do not show how the suspicious state or events relate to other states or events in the system. We show how to enrich an IDS alert with information about how those alerts causally lead to or result from other events in the system. By enriching IDS alerts with this type of causal information, we can leverage existing IDS alerts to learn more about the suspected attack. Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network; forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack. We demonstrate this use of causality on a local network by tracking the Slapper worm, a manual attack that spreads via several attack vectors, and an e-mail virus. Causality can also be used to correlate distinct network and host IDS alerts. We demonstrate this use of causality by correlating Snort and host IDS alerts to reduce false positives on a testbed system connected to the Internet.
Conference Paper
JavaScript is a browser scripting language that allows developers to create sophisticated client-side interfaces for web applications. However, JavaScript code is also used to carry out attacks against the user's browser and its extensions. These attacks usually result in the download of additional malware that takes complete control of the victim's platform, and are, therefore, called "drive-by downloads." Unfortunately, the dynamic nature of the JavaScript language and its tight integration with the browser make it difficult to detect and block malicious JavaScript code. This paper presents a novel approach to the detection and analysis of malicious JavaScript code. Our approach combines anomaly detection with emulation to automatically identify malicious JavaScript code and to support its analysis. We developed a system that uses a number of features and machine-learning techniques to establish the characteristics of normal JavaScript code. Then, during detection, the system is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established profiles. In addition to identifying malicious code, the system is able to support the analysis of obfuscated code and to generate detection signatures for signature-based systems. The system has been made publicly available and has been used by thousands of analysts.
Conference Paper
Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph. We use BackTracker to analyze several real attacks against computers that we set up as honeypots. In each case, BackTracker is able to highlight effectively the entry point used to gain access to the system and the sequence of steps from that entry point to the point at which we noticed the intrusion. The logging required to support BackTracker added 9% overhead in running time and generated 1.2 GB per day of log data for an operating-system intensive workload.
Conference Paper
RETRO repairs a desktop or server after an adversary compromises it, by undoing the adversary's changes while preserving legitimate user actions, with minimal user involvement. During normal operation, RETRO records an action history graph, which is a detailed dependency graph describing the system's execution. RETRO uses refinement to describe graph objects and actions at multiple levels of abstraction, which allows for precise dependencies. During repair, RETRO uses the action history graph to undo an unwanted action and its indirect effects by first rolling back its direct effects, and then reexecuting legitimate actions that were influenced by that change. To minimize user involvement and re-execution, RETRO uses predicates to selectively re-execute only actions that were semantically affected by the adversary's changes, and uses compensating actions to handle external effects. An evaluation of a prototype of RETRO for Linux with 2 real-world attacks, 2 synthesized challenge attacks, and 6 attacks from previous work, shows that RETRO can often repair the system without user involvement, and avoids false positives and negatives from previous solutions. These benefits come at the cost of 35-127% in execution time overhead and of 4-150 GB of log space per day, depending on the workload. For example, a HotCRP paper submission web site incurs 35% slowdown and generates 4 GB of logs per day under the workload from 30 minutes prior to the SOSP 2007 deadline.
Conference Paper
Mugshot is a system that captures every event in an executing JavaScript program, allowing developers to deterministically replay past executions of web applications. Replay is useful for a variety of reasons: failure analysis using debugging tools, performance evaluation, and even usability analysis of a GUI. Because Mugshot can replay every execution step that led to a failure, it is far more useful for performing root-cause analysis than today's commonly deployed client-based error reporting systems—core dumps and stack traces can only give developers a snapshot of the system after a failure has occurred. Many logging systems require a specially instrumented execution environment like a virtual machine or a custom program interpreter. In contrast, Mugshot's client-side component is implemented entirely in standard JavaScript, providing event capture on unmodified client browsers. Mugshot imposes low overhead in terms of storage (20-80KB/minute) and computation (slowdowns of about 7% for games with high event rates). This combination of features—a low-overhead library that runs in unmodified browsers—makes Mugshot one of the first capture systems that is practical to deploy to every client and run in the common case. With Mugshot, developers can collect widespread traces from programs in the field, gaining a visibility into application execution that is typically only available in a controlled development environment.
Conference Paper
For the most part, forensic analysis of computer systems requires that one first identify suspicious objects or events, and then examine them in enough detail to form a hypothesis as to their cause and effect. Sadly, while our ability to gather vast amounts of data has improved significantly over the past two decades, it is all too often the case that we tend to lack detailed information just when we need it the most. Simply put, the current state of computer forensics leaves much to be desired. In this paper, we attempt to improve on the state of the art by providing a forensic platform that transparently monitors and records data access events within a virtualized environment using only the abstractions exposed by the hypervisor. Our approach monitors accesses to objects on disk and follows the causal chain of these accesses across processes, even after the objects are copied into memory. Our forensic layer records these transactions in a version-based audit log that allows for faithful, and efficient, reconstruction of the recorded events and the changes they induced. To demonstrate the utility of our approach, we provide an extensive empirical evaluation, including a real-world case study demonstrating how our platform can be used to reconstruct valuable information about the what, when, and how, after a compromise has been detected.