Abstract: Packet floods targeting a victim's incoming bandwidth are notoriously difficult to defend against. While a number of solutions have been proposed, such as network capabilities, third-party traffic scrubbing, and overlay-based protection, most suffer from drawbacks that limit their applicability in practice.
We now describe a cost parameterizable and salted block cipher that we call eksblowfish for expensive key schedule blowfish. Eksblowfish is designed to take user-chosen passwords as keys and resist attacks on those keys. As its base we use the blowfish [15] block cipher by Schneier, which is well-established and has been fairly well analyzed.
Password guessing attacks can be categorized by the amount of interaction they require with an authentication system. In on-line attacks, the perpetrator must make use of an authentication system to check each guess of a password. In off-line attacks, an attacker obtains information, such as a password hash, that allows him to check password guesses on his own, with no further access to the system. On-line attacks are generally considerably slower than off-line ones.
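The two passages above, on a salted hash with a tunable cost and on the on-line versus off-line attack distinction, are illustrated by the following added example. It is not eksblowfish and not code from the paper: PBKDF2-HMAC-SHA256 from Python's standard library stands in for the expensive key schedule, and the `$pb$` storage format, the three-strikes lockout policy and the word list are constructed for this example.

```python
"""Salted, cost-parameterised password hashing and the on-line/off-line contrast.
Added example; PBKDF2-HMAC-SHA256 stands in for eksblowfish's key schedule."""
import hashlib
import hmac
import os
import time


def hash_password(password, cost, salt=None):
    """cost is a log2 work factor: the derivation runs 2**cost iterations, so
    each increment doubles the per-guess effort for attacker and server alike.
    Format "$pb$<cost>$<salt hex>$<digest hex>" is constructed for this example."""
    if salt is None:
        salt = os.urandom(16)                     # fresh random salt per hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1 << cost)
    return "$pb$%d$%s$%s" % (cost, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt and cost; constant-time compare."""
    _, _, cost, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 1 << int(cost))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AuthServer:
    """On-line target: every guess goes through login(), and the account locks
    after max_failures wrong passwords (an assumed policy)."""

    def __init__(self, stored, max_failures=3):
        self.stored = stored
        self.max_failures = max_failures
        self.failures = 0

    def login(self, password):
        if self.failures >= self.max_failures:
            return "locked"
        if verify_password(password, self.stored):
            return "ok"
        self.failures += 1
        return "denied"


def online_attack(server, wordlist):
    """On-line: each guess costs a round trip and is visible to the defender."""
    return [server.login(word) for word in wordlist]


def offline_attack(stored, wordlist):
    """Off-line: the attacker holds the hash and checks guesses locally; the
    only brake is the cost parameter baked into the stored hash."""
    start = time.perf_counter()
    for n, word in enumerate(wordlist, 1):
        if verify_password(word, stored):
            return word, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(cost, trials=3):
    """Per-guess cost at a work factor; machine dependent, shown for the reader."""
    stored = hash_password("x", cost, b"\x00" * 16)
    start = time.perf_counter()
    for _ in range(trials):
        verify_password("y", stored)
    return (time.perf_counter() - start) / trials


WORDLIST = ["123456", "password", "letmein", "qwerty", "correct horse"]  # constructed


def demo(cost=10):
    stored = hash_password("correct horse", cost)
    online = online_attack(AuthServer(stored), WORDLIST)
    word, guesses, secs = offline_attack(stored, WORDLIST)
    return {"stored": stored, "online": online, "offline": word,
            "guesses": guesses, "seconds": secs}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("cost 12 / cost 8 time ratio: %.1f"
          % (seconds_per_guess(12) / seconds_per_guess(8)))
```

The on-line attacker is stopped by the lockout after three guesses; the off-line attacker walks the whole word list and succeeds, limited only by how long each derivation takes, which is exactly the knob the cost parameter exposes.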
Abstract: We present an automated, scalable method for crafting dynamic responses to real-time network requests. Specifically, we provide a flexible technique based on natural language processing and string alignment techniques for intelligently interacting with protocols, trained directly from raw network traffic. We demonstrate the utility of our approach by creating a low-interaction web-based honeypot capable of luring attacks from search worms targeting hundreds of different web applications.
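The string-alignment idea in the abstract above, as an added example that is not the paper's system: two observed requests that drew the same response are globally aligned, every differing run is collapsed into a wildcard, and the resulting template answers future requests that fit it. The sample requests and responses, the `*` wildcard convention and the NUL gap marker are constructed for this example.

```python
"""Request templates by string alignment for a low-interaction responder.
Added example, not code from the paper."""
import re

GAP = "\x00"   # internal gap marker; assumed never to occur in a request


def align(a, b, match=2, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment of two strings.  Returns both strings
    padded with GAP so that corresponding positions line up."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + gap,
                              score[i][j - 1] + gap)
    out_a, out_b = [], []
    i, j = n, m
    while i > 0 or j > 0:            # trace back, preferring substitutions
        if i > 0 and j > 0:
            sub = match if a[i - 1] == b[j - 1] else mismatch
            if score[i][j] == score[i - 1][j - 1] + sub:
                out_a.append(a[i - 1])
                out_b.append(b[j - 1])
                i, j = i - 1, j - 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + gap:
            out_a.append(a[i - 1])
            out_b.append(GAP)
            i -= 1
        else:
            out_a.append(GAP)
            out_b.append(b[j - 1])
            j -= 1
    return "".join(reversed(out_a)), "".join(reversed(out_b))


def make_template(req_a, req_b, wildcard="*"):
    """Collapse each run of differing aligned positions into one wildcard."""
    aligned_a, aligned_b = align(req_a, req_b)
    out, in_run = [], False
    for x, y in zip(aligned_a, aligned_b):
        if x == y:
            out.append(x)
            in_run = False
        elif not in_run:
            out.append(wildcard)
            in_run = True
    return "".join(out)


def template_regex(template, wildcard="*"):
    """Literal pieces are escaped; each wildcard may match any run of text."""
    pieces = [re.escape(piece) for piece in template.split(wildcard)]
    return re.compile("^" + ".*?".join(pieces) + "$", re.DOTALL)


class TemplateResponder:
    """Learns a template from two requests that received the same response,
    then replays that response for any request fitting the template."""

    def __init__(self, default_response):
        self.default_response = default_response
        self.rules = []                       # (compiled regex, template, response)

    def learn(self, req_a, req_b, response):
        template = make_template(req_a, req_b)
        self.rules.append((template_regex(template), template, response))
        return template

    def respond(self, request):
        for pattern, _template, response in self.rules:
            if pattern.match(request):
                return response
        return self.default_response


# Constructed sample traffic: two requests per application and the reply seen.
INDEX_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>index</html>"
FORUM_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>topic</html>"
NOT_FOUND = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def demo():
    bot = TemplateResponder(NOT_FOUND)
    t_index = bot.learn("GET /index.php?id=1 HTTP/1.1",
                        "GET /index.php?id=27 HTTP/1.1", INDEX_RESPONSE)
    t_forum = bot.learn("GET /forum/viewtopic.php?t=12 HTTP/1.1",
                        "GET /forum/viewtopic.php?t=98 HTTP/1.1", FORUM_RESPONSE)
    return t_index, t_forum, bot


if __name__ == "__main__":
    t_index, t_forum, bot = demo()
    print(t_index)
    print(t_forum)
    print(bot.respond("GET /index.php?id=999 HTTP/1.1").splitlines()[0])
```

A caveat visible in the example: if the two values in a variable field share characters (say `t=12` and `t=301`), the alignment will keep the shared `1` as a literal and the template becomes over-specific. That is why a real system clusters many samples per application before generalising rather than aligning just two.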
Inflection points come at you without warning and quickly recede out of reach. We may be nearing one now. If so, we are now about to play for keeps, and "we" doesn't mean just us security geeks. If anything, it's because we security geeks have not worked the necessary miracles already that an inflection point seems to be approaching at high velocity.
Abstract The main purpose of steganography is to hide the occurrence of communication. While most methods in use today are invisible to the observer's senses, mathematical analysis may reveal statistical discrepancies in the stego medium. These discrepancies expose the fact that hidden communication is happening. This paper presents a new method to preserve the statistical properties of the cover medium.
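The statistical problem the abstract above describes, and one way to counter it, as an added example that is not the paper's method: naive LSB embedding pushes each pair of values (2k, 2k+1) toward an equal split, which a pair-of-values chi-square statistic exposes; a correction pass that flips LSBs of unused samples restores the original pair counts so the statistic is unchanged. The cover samples, message, key and the way positions are chosen are constructed for this example.

```python
"""LSB embedding, the chi-square pair statistic that detects it, and a
histogram-preserving correction pass.  Added example, not the paper's code."""
import random
from collections import Counter


def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def embed_positions(n_samples, n_bits, key):
    # Key-dependent pseudo-random choice of which samples carry message bits.
    return random.Random(key).sample(range(n_samples), n_bits)


def lsb_embed(cover, message, key):
    """Naive method: overwrite the LSB of each chosen sample with a message bit."""
    bits = to_bits(message)
    stego = list(cover)
    for pos, bit in zip(embed_positions(len(cover), len(bits), key), bits):
        stego[pos] = (stego[pos] & ~1) | bit
    return stego


def lsb_extract(stego, n_bytes, key):
    positions = embed_positions(len(stego), 8 * n_bytes, key)
    return from_bits([stego[p] & 1 for p in positions])


def preserving_embed(cover, message, key):
    """Embed as above, then flip the LSB of unused samples until every pair
    (2k, 2k+1) has its original counts again.  LSB replacement never moves a
    sample out of its pair, so restoring one member restores the other."""
    stego = lsb_embed(cover, message, key)
    used = set(embed_positions(len(cover), 8 * len(message), key))
    free = [i for i in range(len(cover)) if i not in used]
    before, after = Counter(cover), Counter(stego)
    for k in range(128):
        lo, hi = 2 * k, 2 * k + 1
        surplus = after[lo] - before[lo]       # > 0: too many even values now
        src, dst, n = (lo, hi, surplus) if surplus > 0 else (hi, lo, -surplus)
        spare = [i for i in free if stego[i] == src][:n]
        if len(spare) < n:
            raise ValueError("pair %d: not enough spare samples to correct" % k)
        for i in spare:
            stego[i] = dst
    return stego


def chi_square_pairs(samples):
    """Pair-of-values chi-square statistic (Westfeld/Pfitzmann style): distance
    of each pair from the equal split that random LSB overwriting drives it to.
    A drop relative to the untouched cover signals embedding."""
    hist = Counter(samples)
    stat, categories = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            stat += (hist[2 * k] - expected) ** 2 / expected
            categories += 1
    return stat, categories - 1


def make_cover(n_samples, seed=1, p_even=0.75):
    """Constructed cover: 8-bit samples whose pairs are skewed toward the even
    member, the kind of imbalance real covers show and LSB overwriting erases."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n_samples):
        k = rng.randrange(128)
        cover.append(2 * k if rng.random() < p_even else 2 * k + 1)
    return cover


COVER = make_cover(16384)
MESSAGE = b"meet at the usual place, bring the second key. " * 5   # constructed
KEY = 0xC0FFEE


def demo():
    naive = lsb_embed(COVER, MESSAGE, KEY)
    fixed = preserving_embed(COVER, MESSAGE, KEY)
    return {
        "cover_stat": chi_square_pairs(COVER)[0],
        "naive_stat": chi_square_pairs(naive)[0],
        "fixed_stat": chi_square_pairs(fixed)[0],
        "naive_ok": lsb_extract(naive, len(MESSAGE), KEY) == MESSAGE,
        "fixed_ok": lsb_extract(fixed, len(MESSAGE), KEY) == MESSAGE,
        "histogram_restored": Counter(fixed) == Counter(COVER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both stego streams carry the message, but only the corrected one has exactly the cover's histogram, so its chi-square statistic equals the cover's while the naive stream's statistic falls. The price is capacity: the correction pass needs enough untouched samples of the right value in each pair, and raises an error when it runs out.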
Abstract This thesis describes a new key exchange method for the Secure Shell (SSH) protocol. It lets the SSH server propose to the client new groups over which to perform the Diffie-Hellman key exchange. The proposed groups are not necessarily fixed and may change over time.
ABSTRACT The Linux Scalability Project is adapting Linux for use in enterprise-scale networking environments. We focus on kernel algorithms and data structures that scale poorly when presented with thousands or tens of thousands of simultaneous service requests. For example, we uncovered a "thundering herd" problem in the accept system call. A few dozen lines of code correct this behavior to awaken only one, instead of all, waiting threads.
The Internet came into being more than 20 years ago as an attempt to connect the computer network of the US Department of Defense with various other radio and satellite networks. The so-called ARPAnet was designed in particular to withstand partial failures caused by bomb damage and still remain operational, that is, even when whole parts of the network fail [4].
Abstract Linux introduces POSIX Real Time signals to report I/O activity on multiple connections with more scalability than traditional models. In this paper we explore ways of improving the scalability and performance of POSIX RT signals even more by measuring system call latency and by creating bulk system calls that can deliver multiple signals at once.
Abstract Phishing is a form of identity theft that combines social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. Often a phisher tries to lure her victim into clicking a URL pointing to a rogue page. In this paper, we focus on studying the structure of URLs employed in various phishing attacks. We find that it is often possible to tell whether or not a URL belongs to a phishing attack without requiring any knowledge of the corresponding page data.
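The URL-structure approach in the abstract above, as an added example that is not the paper's classifier: a handful of checks on the URL string alone (IP-address host, credentials before the host, a brand name outside the registered domain, an embedded second URL, unusually long or deep hostnames) are weighted and summed, with no page fetched. The heuristics, weights, brand list, threshold and sample URLs are all constructed for illustration.

```python
"""URL-structure heuristics for phishing detection without fetching the page.
Added example; heuristics, weights and brand list are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

TARGET_BRANDS = ("paypal", "ebay", "bankofamerica", "wellsfargo")   # assumed list

# Assumed weights: deception at the host level counts more than length or depth.
WEIGHTS = {
    "host_is_ip": 3,
    "userinfo_before_host": 3,
    "brand_in_host_not_domain": 3,
    "brand_in_path_not_domain": 2,
    "embedded_url": 2,
    "many_labels": 1,
    "long_host": 1,
    "many_hyphens": 1,
}


def registered_domain(host):
    """Rough approximation: the last two labels.  Ignores multi-label public
    suffixes such as co.uk; good enough for this illustration."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_features(url):
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    rest = (parts.path + "?" + parts.query).lower()
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    domain = "" if host_is_ip else registered_domain(host)
    brand_in_host = any(b in host for b in TARGET_BRANDS)
    brand_in_domain = any(b in domain for b in TARGET_BRANDS)
    brand_in_rest = any(b in rest for b in TARGET_BRANDS)
    return {
        # 192.0.2.10 instead of a name: nothing for the victim to recognise
        "host_is_ip": host_is_ip,
        # http://www.bank.example@evil/ : the real host hides after the '@'
        "userinfo_before_host": parts.username is not None,
        # brand appears as a subdomain of an unrelated registered domain
        "brand_in_host_not_domain": brand_in_host and not brand_in_domain,
        # brand only in the path or query, e.g. /paypal/login.php on an IP
        "brand_in_path_not_domain": brand_in_rest and not brand_in_domain,
        # a second URL inside the query: open-redirect style lure
        "embedded_url": re.search(r"https?(://|%3a%2f%2f)", rest) is not None,
        "many_labels": host.count(".") >= 4,
        "long_host": len(host) > 30,
        "many_hyphens": host.count("-") >= 3,
    }


def score_url(url, threshold=3):
    """Return (is_suspicious, score, reasons) from URL structure alone."""
    features = url_features(url)
    reasons = [name for name, hit in features.items() if hit]
    score = sum(WEIGHTS[name] for name in reasons)
    return score >= threshold, score, reasons


SAMPLE_URLS = [                       # constructed, using documentation addresses
    "http://192.0.2.10/paypal/login.php",
    "http://www.paypal.com.secure-login.example.net/cgi-bin/webscr",
    "http://www.paypal.com@203.0.113.7/",
    "http://example.com/redir?url=http://www.ebay.com.evil.example/",
    "https://www.paypal.com/signin",
    "https://example.org/blog/2007/phishing-urls",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        suspicious, score, reasons = score_url(sample)
        print("%-5s %2d %s  %s" % (suspicious, score, sample, ", ".join(reasons)))
```

Note the `@` case: `urlsplit` treats everything before the `@` as credentials, so `parts.hostname` is the IP address and the brand name never reaches the host check, which is why the userinfo flag exists as a separate signal.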
Thermodynamics is a phenomenological theory; the word means the study of heat in motion. It therefore concerns transformation processes in which heat takes part, and so touches almost all processes of life. The central concepts of thermodynamics are temperature and heat [Nol93, Kuh82], where heat is understood as the disordered kinetic energy of particles. These concepts can only be applied meaningfully to many-particle systems, typically with more than 10^23 particles.
Reliable network demographics are quickly becoming a much sought-after digital commodity. However, as the need for more refined Internet demographics has grown, so too has the tension between privacy and utility. Unfortunately, current techniques lean too much in favor of functional requirements over protecting the privacy of users.
Abstract SSH is a widely used application that provides secure remote login. It uses strong cryptography to provide authentication and confidentiality. The IETF SecSH working group is developing SSH v2, an improved SSH protocol that fixes cryptographic and design flaws in the SSH v1 protocol. SSH v2 compatible server software is widespread.
Abstract The availability of off-the-shelf exploitation toolkits for compromising hosts, coupled with the rapid rate of exploit discovery and disclosure, has made exploit- or vulnerability-based detection far less effective than it once was. For instance, the increasing use of metamorphic and polymorphic techniques to deploy code injection attacks continues to confound signature-based detection techniques. The key to detecting these attacks lies in the ability to discover the presence of the injected code (or shellcode).
Abstract To provide scalable, early warning and analysis of new Internet threats like worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architecture increases the exposure of high-interaction honeypots to these threats by employing low-interaction honeypots as frontend content filters.
ABSTRACT Malicious web sites that compromise vulnerable computers are an ever-present threat on the web. The purveyors of these sites are highly motivated and quickly adapt to technologies that try to protect users from their sites. This paper studies the resulting arms race between detection and evasion from the point of view of Google's Safe Browsing infrastructure, an operational web-malware detection system that serves hundreds of millions of users.
As the web has become vital for our day-to-day transactions, it has also become an attractive avenue for cyber crime. Financially motivated, the crime we see on the Web today is quite different from the more traditional network attacks. A few years ago adversaries heavily relied on remotely exploiting servers identified by scanning the Internet for vulnerable network services. Autonomously spreading computer worms such as Code Red and SQL Slammer were examples of such scanning attacks.