skip to main content


Search for: All records

Award ID contains: 1809000

Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).
What is a DOI Number?

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

  1. Abstract

    In this paper, we introduce DRIFT, a system for detecting command and control (C2) domain names in Internet of Things–scale botnets. Using an intrinsic feature of malicious domain name queries prior to their registration (perhaps due to clock drift), we devise a difference‐based lightweight feature for malicious C2 domain name detection. Using NXDomain query and response of a popular malware, we establish the effectiveness of our detector with 99% accuracy and as early as more than 48 hours before they are registered. Our technique serves as a tool of detection where other techniques relying on entropy or domain generating algorithms reversing are impractical.

     
    more » « less
  2. Vulnerabilities have a detrimental effect on end-users and enterprises, both direct and indirect; including loss of private data, intellectual property, the competitive edge, performance, etc. Despite the growing software industry and a push towards a digital economy, enterprises are increasingly considering security as an added cost, which makes it necessary for those enterprises to see a tangible incentive in adopting security. Furthermore, despite data breach laws that are in place, prior studies have suggested that only 4% of reported data breach incidents have resulted in litigation in federal courts, showing the limited legal ramifications of security breaches and vulnerabilities. In this paper, we study the hidden cost of software vulnerabilities reported in the National Vulnerability Database (NVD) through stock price analysis. Towards this goal, we perform a high-fidelity data augmentation to ensure data reliability and to estimate vulnerability disclosure dates as a baseline for estimating the implication of software vulnerabilities. We further build a model for stock price prediction using the NARX Neural Network model to estimate the effect of vulnerability disclosure on the stock price. Compared to prior work, which relies on linear regression models, our approach is shown to provide better accuracy. Our analysis also shows that the effect of vulnerabilities on vendors varies, and greatly depends on the specific software industry. Whereas some industries are shown statistically to be affected negatively by the release of software vulnerabilities, even when those vulnerabilities are not broadly covered by the media, some others were not affected at all. 
    more » « less
  3. Distributed Denial-of-Service (DDoS) is a big threat to the security and stability of Internet-based services today. Among the recent advanced application-layer DDoS attacks, the Very Short Intermittent DDoS (VSI-DDoS) is the attack, which can bypass existing detection systems and significantly degrade the QoS experienced by users of web services. However, in order for the VSI-DDoS attack to work effectively, bots participating in the attack should be tightly synchronized, an assumption that is difficult to be met in reality. In this paper, we conducted a quantitative analysis to understand how a minimal deviation from perfect synchronization in botnets affects the performance and effectiveness of the VSI-DDoS attack. We found that VSI-DDoS became substantially less effective. That is, it lost 85.7% in terms of effectiveness under about 90ms synchronization inaccuracy, which is a very small inaccuracy under normal network conditions. 
    more » « less
  4. Ransomware is a malware that encrypts victim's data, where the decryption key is released after a ransom is paid by the data owner to the attacker. Many ransomware attacks were reported recently, making anti-ransomware a crucial need in security operation, and an issue for the security community to tackle. In this paper, we propose a new approach to defending against ransomware inside NAND flash-based SSDs. To realize the idea of defense-inside-SSDs, both a lightweight detection technique and a perfect recovery algorithm to be used as a part of SSDs firmware should be developed. To this end, we propose a new set of lightweight behavioral features on ran-somware's overwriting pattern, which are invariant across various ransomwares. Our features rely on observing the block I/O request headers only, and not the payload. For perfect and instant recovery, we also propose using the delayed deletion feature of SSDs, which is intrinsic to NAND flash. To demonstrate their feasibility, we implement our algorithms atop an open-channel SSD as a working prototype called SSD-Insider. In experiments using eight real-world and two in-house ransomwares with various background applications running, SSD-Insider achieved a detection accuracy 0% FRR/FAR in most scenarios, and only 5% FAR when heavy overwriting resembling ransomware's data wiping occurs. SSD-Insider detects ransomware activity within 10s, and recovers instantly an infected SSD within 1s with 0% data loss. The additional software overheads incurred by the SSD-Insider is just 147 ns and 254 ns for 4-KB reads and writes, respectively, which is negligible considering NAND chip latency (50-1000 μs). 
    more » « less
  5. We introduce DigitalSeal, a transaction authentication tool that works in both online and offline use scenarios. Digi-talSeal is a digital scanner that reads transaction information sent by an issuing entity of the DigitalSeal reader for authentication, and the information is encoded using a specially crafted bar-code. DigitalSeal views various pieces of transaction information for users to verify and proceed with transaction authentication. DigitalSeal is generic, and is capable of reading information viewed on paper, computer monitors (similarly, kiosk monitors), and mobile phones. A prototype of DigitalSeal is built using a Arduino UNO, four LLS05-A sensors, four TCRT5000 sensors, a 1602 LCD and a 9V battery. 
    more » « less