516 research outputs found
The Impact of Exposed Passwords on Honeyword Efficacy
Honeywords are decoy passwords that can be added to a credential database; if
a login attempt uses a honeyword, this indicates that the site's credential
database has been leaked. In this paper we explore the basic requirements for
honeywords to be effective, in a threat model where the attacker knows
passwords for the same users at other sites. First, we show that for
user-chosen (vs. algorithmically generated, i.e., by a password manager)
passwords, existing honeyword-generation algorithms largely fail to achieve
reasonable tradeoffs between false positives and false negatives in this threat
model. Second, we show that for users leveraging algorithmically generated
passwords, state-of-the-art methods for honeyword generation will produce
honeywords that are not sufficiently deceptive, yielding many false negatives.
Instead, we find that only a honeyword-generation algorithm that uses the same
password generator as the user can provide deceptive honeywords in this case.
However, when the defender's ability to infer the generator from the (one)
account password is less accurate than the attacker's ability to infer the
generator from potentially many, this deception can again wane. Taken together,
our results provide a cautionary note for the state of honeyword research and
pose new challenges to the field
CharBot: A Simple and Effective Method for Evading DGA Classifiers
Domain generation algorithms (DGAs) are commonly leveraged by malware to
create lists of domain names which can be used for command and control (C&C)
purposes. Approaches based on machine learning have recently been developed to
automatically detect generated domain names in real-time. In this work, we
present a novel DGA called CharBot which is capable of producing large numbers
of unregistered domain names that are not detected by state-of-the-art
classifiers for real-time detection of DGAs, including the recently published
methods FANCI (a random forest based on human-engineered features) and LSTM.MI
(a deep learning approach). CharBot is very simple, effective and requires no
knowledge of the targeted DGA classifiers. We show that retraining the
classifiers on CharBot samples is not a viable defense strategy. We believe
these findings show that DGA classifiers are inherently vulnerable to
adversarial attacks if they rely only on the domain name string to make a
decision. Designing a robust DGA classifier may, therefore, necessitate the use
of additional information besides the domain name alone. To the best of our
knowledge, CharBot is the simplest and most efficient black-box adversarial
attack against DGA classifiers proposed to date
- …