Ensemble of Example-Dependent Cost-Sensitive Decision Trees
Several real-world classification problems are example-dependent
cost-sensitive in nature, where the costs due to misclassification vary between
examples and not only within classes. However, standard classification methods
do not take these costs into account, and assume a constant cost of
misclassification errors. In previous work, several methods that take
financial costs into account during the training of different algorithms have
been proposed, with the example-dependent cost-sensitive decision tree algorithm
being the one that gives the highest savings. In this paper we propose a new
framework of ensembles of example-dependent cost-sensitive decision trees. The
framework consists of creating different example-dependent cost-sensitive
decision trees on random subsamples of the training set, and then combining
them using three different combination approaches. Moreover, we propose two new
cost-sensitive combination approaches: cost-sensitive weighted voting and
cost-sensitive stacking, the latter being based on the cost-sensitive logistic
regression method. Finally, using five different databases, from four
real-world applications: credit card fraud detection, churn modeling, credit
scoring and direct marketing, we evaluate the proposed method against
state-of-the-art example-dependent cost-sensitive techniques, namely,
cost-proportionate sampling, Bayes minimum risk and cost-sensitive decision
trees. The results show that the proposed algorithms have better results for
all databases, in the sense of higher savings.
Comment: 13 pages, 6 figures, Submitted for possible publication
Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Embedded devices are becoming more widespread, interconnected, and
web-enabled than ever. However, recent studies showed that these devices are
far from being secure. Moreover, many embedded systems rely on web interfaces
for user interaction or administration. Unfortunately, web security is known to
be difficult, and therefore the web interfaces of embedded systems represent a
considerable attack surface.
In this paper, we present the first fully automated framework that applies
dynamic firmware analysis techniques to achieve, in a scalable manner,
automated vulnerability discovery within embedded firmware images. We apply our
framework to study the security of embedded web interfaces running in
Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable
modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement
a scalable framework for discovery of vulnerabilities in embedded web
interfaces regardless of the vendor, device, or architecture. To achieve this
goal, our framework performs full system emulation to achieve the execution of
firmware images in a software-only environment, i.e., without involving any
physical embedded devices. Then, we analyze the web interfaces within the
firmware using both static and dynamic tools. We also present some interesting
case-studies, and discuss the main challenges associated with the dynamic
analysis of firmware images and their web interfaces and network services. The
observations we make in this paper shed light on an important aspect of
embedded devices which was not previously studied at a large scale.
We validate our framework by testing it on 1925 firmware images from 54
different vendors. We discover important vulnerabilities in 185 firmware
images, affecting nearly a quarter of vendors in our dataset. These
experimental results demonstrate the effectiveness of our approach.
Evaluation of open pit slope stability using various slope angles and element types
Purpose. The objective of this study is to demonstrate a method to select the optimal slope angle related to three principal factors: safety, productivity and mining costs. It also aims to investigate the accuracy of numerical analysis using different element types and orders.
Methods. A series of two-dimensional elasto-plastic finite-element models has been constructed at various slope angles (e.g. 40°, 45°, 50°, 55°, 60°, 65°, and 70°) and with different element types (e.g. 3-noded triangle (T3), 6-noded triangle (T6), 4-noded quadrilateral (Q4) and 8-noded quadrilateral (Q8)). The results are presented, discussed and compared at various slope angles and element types in terms of the critical strength reduction factor (CSRF) or its equivalent factor of safety (FOS), total rock slope displacement, mine production and mining costs.
Findings. The results reveal that mine productivity increases as the slope angle increases; however, slope stability deteriorates. Correspondingly, the factor of safety (FOS) decreases as the slope becomes steeper (e.g. the minimum factor of safety is obtained at the steepest angle of 70°). Despite the increase in computation time, the analysis shows that modelling accuracy increases when adopting high-order element types (e.g. 8-noded quadrilateral and 6-noded triangle elements).
Originality. This study provides a methodology for the application of numerical modelling methods to open pit mines. As a result, mine planners will be able to know ahead of time the optimal slope angle with respect to safety, production and mining costs.
Practical implications. This study sheds light on the usefulness of adopting numerical modelling analysis in feasibility studies to determine and compare mining costs against safety and slope angle.
Purpose. To develop a methodology for selecting the optimal slope angle of an open pit mining copper-nickel ores, taking into account three principal factors: safety, productivity and costs, and to verify the accuracy of numerical analysis when using elements of different types and orders.
Methods. A series of two-dimensional elasto-plastic finite-element models (FEM) was constructed for different pit slope angles (e.g. 40°, 45°, 50°, 55°, 60°, 65° and 70°) and with elements of different types (3-noded triangle (T3), 6-noded triangle (T6), 4-noded quadrilateral (Q4) and 8-noded quadrilateral (Q8)). The numerical modelling was performed in the Rock and Soil 2-Dimensional Analysis Program. The Mohr-Coulomb strength criterion was adopted as the failure criterion.
Findings. The studies showed that mine productivity increases with the pit slope angle; however, slope stability decreases, and the steeper the slope angle, the lower the factor of safety. Thus, the minimum factor of safety corresponds to the largest slope angle of 70°. Despite longer computation times, the analysis showed that modelling accuracy increases when high-order elements (8-noded quadrilateral and 6-noded triangle) are used.
Originality. A new methodological approach has been developed for applying numerical modelling to assess pit slope stability in terms of the critical strength reduction factor or its equivalent factor of safety, total slope displacement, productivity and mining costs.
Practical implications. The studies demonstrate the effectiveness of numerical modelling for determining the cost-effectiveness of different slope angles while ensuring the safety of operations. As a result, pit designers will be able to plan the optimal slope angle in advance with regard to safety, productivity and costs.
The authors acknowledge the support of Rocscience Inc. for providing a free two-week full version of RS2D (Rock-Soil two-dimensional finite-element analysis program). The authors are grateful for their support.
Mitigating CSRF attacks on OAuth 2.0 Systems
Many millions of users routinely use Google, Facebook and Microsoft to log in to websites supporting OAuth 2.0 and/or OpenID Connect. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance. Unfortunately, as previous studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new and practical technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.
Index Terms: OAuth 2.0, OpenID Connect, CSRF
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real world
OpenID Connect systems.
Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user's OAuth 2.0 code (a token representing a right to access user data) without the user's knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.