CollSec '10

REFEREED PAPER ABSTRACTS

Tuesday, August 10
9:40 a.m.–10:40 a.m.

Collaborative Intrusion Detection Framework: Characteristics, Adversarial Opportunities and Countermeasures
Complex Internet attacks may come from multiple sources, and target multiple networks and technologies. Nevertheless, Collaborative Intrusion Detection Systems (CIDS) emerge as a promising solution by using information from multiple sources to gain a better understanding of the objective and impact of complex Internet attacks. CIDS also help to cope with classical problems of Intrusion Detection Systems (IDS) such as zero-day attacks, high false alarm rates and architectural challenges, e.g., centralized designs exposing the Single-Point-of-Failure. Improved complexity on the other hand gives rise to new exploitation opportunities for adversaries. The contribution of this paper is twofold. We first investigate related research on CIDS to identify the common building blocks and to understand vulnerabilities of the Collaborative Intrusion Detection Framework (CIDF). Second, we focus on the problem of anonymity preservation in a decentralized intrusion detection related message exchange scheme. We use techniques from design theory to provide a multi-path peer-to-peer communication scheme where the adversary cannot perform better than guessing randomly the originator of an alert message.

Integrity of the Web Content: The Case of Online Advertising
Online advertising is a major source of revenue on the Internet. In this paper, we identify a number of vulnerabilities of current ad serving systems. We describe how an adversary can exploit these vulnerabilities to divert part of the ad revenue stream for its own benefit. We propose a collaborative secure scheme to fix this problem. The solution relies on the fact that most online advertising networks own digital authentication certificates and can become a source of trust. We also explain why the deployment of this solution would benefit Web browsing security in general.

11:10 a.m.–12:40 p.m.

Homogeneity as an Advantage: It Takes a Community to Protect an Application
We examine how to turn the scale of a large homogeneous software deployment from an operational and security disadvantage into an advantageous application community that can detect, diagnose, and recover from its own operational faults and malicious attacks. We propose a system called VERNIER that provides a virtualized execution environment in conjunction with collaborative diagnosis and response functions using a knowledge-sharing infrastructure. We report on the preliminary implementation of the system, its experimental evaluation, and lessons learned during development.

Collaborative Algorithm for Reducing False Acceptance Error Rate of Face Recognition Based Admission Control System
In this paper we discuss the problem of collaborative monitoring of unauthorized persons trying to deceive a face recognition based admission control system. We propose an efficient collaborative scheme, based on the TPP algorithm proposed in [2], that relies on probabilistic local information flooding. Combining their collective knowledge, the various units of the system can identify malicious attackers trying to deceive the system and gain unauthorized access. We analytically show that the False Acceptance Rate of the system is significantly reduced, using only O(ln n) messages sent by each unit (n being the number of cameras). This process is also shown to converge in O(ln n) time.

Analyzing Group Communication for Preventing Accidental Data Leakage via Email
Modern business activities rely on extensive email exchange. Email "wrong recipients" mistakes have become widespread, and the severe damage caused by such mistakes constitutes a disturbing problem both for organizations and for individuals. Various solutions attempt to analyze email exchange to prevent emails from being sent to wrong recipients. However, there is still no satisfying solution: many email addressing mistakes are not detected, and in many cases correct recipients are wrongly marked as potential addressing mistakes. In this paper we present a new approach for preventing email "slip-ups" in organizations. The approach is based on analysis of email exchange among members of the organization and identification of groups of members that exchange emails with common topics. Each member's topics are then used during the enforcement phase for detecting potential leakage. When a new email is composed and about to be sent, each email recipient is analyzed. A recipient is approved if the email's content belongs to at least one of the topics common to the sender and the recipient. We evaluated the new approach by comparing its detection performance to a baseline approach using the Enron Email dataset. Our evaluation results suggest that group communication analysis improves the performance of a baseline email classifier, which classifies a new email based only on emails exchanged in the past between the sender of the email and each of the recipients.

3:30 p.m.–5:00 p.m.

Evolutionary Synthesis of Collective Behavior
In the present position paper, I explore biologically-inspired computational processes that allow complex high-level collective behaviors to arise from low-level artificial agents (swarmers) — automatically. In contrast to similar projects, I seek elimination of technical constraints that narrow the free development of biology-analogous behavioral patterns. The result of such swarm evolutions is a fascinating variety of biological, yet completely transparent, analyzable behavior. Results include the spontaneous evolution of an exploration strategy that recently has been mathematically proven to be the optimal one under the conditions given. The work (which is part of my diploma thesis [11]) originally contributes to the field of synthetic biology and the goal was to make evolution milestones in biological swarm collaboration visible. However, I feel that high-level behavior generation techniques can be migrated to the field of collaborative security and suggest approaches to do so.

SocialFilter: Introducing Social Trust to Collaborative Spam Mitigation
We propose SocialFilter, a trust-aware collaborative spam mitigation system. SocialFilter enables nodes with no email classification functionality to query the network on whether a host is a spammer. It employs trust inference to weigh the reports concerning spamming hosts that collaborating spam-detecting nodes (reporters) submit to the system. Subsequently, SocialFilter weighs the spam reports according to the trustworthiness of their reporters to derive a measure of the system's belief that a host is a spammer. To the best of our knowledge, SocialFilter is the first collaborative unwanted traffic mitigation system that assesses the trustworthiness of the reporters by both auditing their reports and leveraging the social network of the reporters' administrators. The design and evaluation of SocialFilter offer us the following lessons: a) it is plausible to introduce Sybil-resilient OSN-based trust inference mechanisms to improve the reliability and the attack-resilience of collaborative spam mitigation; b) using social links to obtain the trustworthiness of reports concerning spammers can result in comparable spam-blocking effectiveness with approaches that use social links to rate-limit spam (e.g., Ostra [Mislove-NSDI-08]); c) unlike Ostra, in the absence of reports that incriminate benign email senders, SocialFilter yields no false positives.

The Conundrum of Declarative Security HTTP Response Headers: Lessons Learned
The stringency of attacks has grown simultaneously with the development of the web. To combat some of the new attacks, declarative security has been proposed in the form of HTTP response headers from the server side. The declarative model provides an extensible set of security parameters in the form of HTTP responses. In this, browsers can respond with a requested security mechanism. This paper explores the state of HTTP declarative security and how it is being applied today.


Last changed: 6 July 2010 jel