2 research outputs found

    Simulated penetration testing and mitigation analysis

    As corporate networks and Internet services grow steadily more complex, it becomes increasingly difficult to keep track of installed programs, vulnerabilities, and security protocols. The idea behind simulated penetration testing is to transfer information about a network into a formal model and to simulate an attacker within it. To this model we add a defender who uses their own actions to try to minimize the attacker's capabilities. We call this two-player planning problem Stackelberg planning. The goal is to help administrators, penetration testers, and management identify the weak spots of large networks and to suggest cost-efficient countermeasures. In this dissertation we first establish the formal and algorithmic foundations of Stackelberg planning. By building on classical planning problems, we can benefit from well-researched heuristics and other techniques for speeding up the analysis, e.g. symbolic search. Second, we design a formalism for privilege escalation and demonstrate the applicability of our simulation to local computer networks. Third, we apply our simulation to Internet-wide scenarios and investigate the robustness of both the email infrastructure and of websites. Fourth, we provide easy access to our tools and analysis results through web-based user interfaces.

    As corporate networks and Internet services are becoming increasingly complex, it is hard to keep an overview of all deployed software, its potential vulnerabilities, and all existing security protocols. Simulated penetration testing was proposed to extend regular penetration testing by transferring gathered information about a network into a formal model and simulating an attacker in this model. 
Having a formal model of a network enables us to add a defender who tries to mitigate the capabilities of the attacker with their own actions. We name this two-player planning task Stackelberg planning. The goal is to help administrators, penetration testing consultants, and management find weak spots in large computer infrastructure and to suggest cost-effective mitigations that lower the security risk. In this thesis, we first lay the formal and algorithmic foundations for Stackelberg planning tasks. By building it in a classical planning framework, we can benefit from well-studied heuristics, pruning techniques, and other approaches to speed up the search, for example symbolic search. Second, we design a theory for privilege escalation and demonstrate the applicability of our framework to local computer networks. Third, we apply our framework to Internet-wide scenarios by investigating the robustness of both the email infrastructure and the web. Fourth, we make our findings and our toolchain easily accessible via web-based user interfaces.

    Measurement and control of geo-location privacy on Twitter

    The widespread diffusion of Online Social Networks and Media (OSNEM) has generated a huge amount of users’ personal data. As this data is often publicly available, users’ privacy is at risk. To address this issue, users may control the release of their sensitive data on OSNEM. An example of data that users rarely publish is their location. Besides being privacy-sensitive information, location is business-relevant data that third parties, e.g., Location-Based Service (LBS) providers, may be interested in obtaining. It is, therefore, of paramount importance to understand to what extent the secrecy of location information can be violated. In this work, we investigate how users can measure the privacy of their geo-location on OSNEM and control the factors affecting it. We define the privacy of a target user as the geographical distance between her actual unexposed location and the location estimated by an attacker. To measure privacy, we propose a novel deep learning architecture that uncovers a target user’s position based only on the publicly available locations shared by users on Twitter. Results show that locations can be accurately unveiled for the majority of the users, thus suggesting the need for countermeasures to improve their privacy. To control privacy, we propose data perturbation techniques that users can apply to tune the public exposure of their location, and we show the resulting privacy improvements. To shed light on the factors influencing privacy, we then propose a machine learning model that measures privacy based on several users’ features (e.g., social and behavioral characteristics). Unlike the aforementioned deep learning approach, this model also makes it possible to quantify the impact that each feature has on privacy. We observe that features related to the history of users’ visited locations are the most relevant factors affecting privacy. 
Finally, we explore potential side effects resulting from the application of data perturbation strategies. In particular, we examine, as a case study, the trade-off between users’ privacy and the effectiveness of a proximity marketing LBS. Results suggest that privacy can be guaranteed while not significantly lowering the effectiveness of the LBS.