88 research outputs found

    Security and Trust Management

    This book constitutes the refereed proceedings of the 12th International Workshop on Security and Trust Management, STM 2016, held in Heraklion, Crete, Greece, in September 2016, in conjunction with the 21st European Symposium Research in Computer Security, ESORICS 2016. The 13 full papers together with 2 short papers were carefully reviewed and selected from 34 submissions. The focus of the workshop was on the following topics: access control, data protection, mobile security, privacy, security and trust policies, trust models.

    Honey@home: A New Approach to Large-Scale Threat Monitoring

    Honeypots have been shown to be very useful for accurately detecting attacks, including zero-day threats, at a reasonable cost and without false positives. However, there are two pressing problems with existing approaches. The first problem is that timely detection requires deployment of honeypots in a large fraction of the network address space, which many organizations cannot afford. The second problem is that attackers are evolving, and it has been shown that it is not difficult for them to identify honeypots and develop blacklists to avoid them when launching an attack. In response to these problems, we propose a new architecture that enables large-scale deployment at low cost, while making it harder for attackers to maintain accurate blacklists. Th

    Performance analysis of content matching intrusion detection systems

    A central question in the design and evaluation of a Network Intrusion Detection System (nIDS) is whether it is possible to define a practical, accurate and meaningful performance evaluation methodology. In this direction, we examine how nIDS performance interacts with experiment parameters such as traffic characteristics, nIDS rulesets, string matching algorithms and processor architecture. Our results indicate that nIDS performance is sensitive to both packet and ruleset content, yet this sensitivity seems to be bounded, allowing us to craft and experiment with synthetic traces and rulesets. Our experiments also show that experiments on a single trace and processor architecture are likely to be misleading; effective nIDS evaluation therefore requires careful consideration of a fairly extensive set of scenarios.

    Network-level polymorphic shellcode detection using emulation

    Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed M. Polychronakis (B) · E. P. Markato

    A Top-10 Approach to Prefetching on the Web

    In the World Wide Web, bottlenecks close to popular servers are very common. These bottlenecks can be attributed to the servers' lack of computing power and the network traffic induced by the increased number of access requests. One way to eliminate these bottlenecks is through the use of caching. However, several recent studies suggest that the maximum hit rate achievable by any caching algorithm is just 40% to 50%. Prefetching techniques may be employed to further increase the cache hit rate, by anticipating and prefetching future client requests. This paper proposes a Top-10 approach to prefetching, which combines the servers' active knowledge of their most popular documents (their Top-10) with client access profiles. Based on these profiles, clients request and servers forward to them, regularly, their most popular documents. The scalability of the approach lies in that a web server's clients may be proxy servers, which in turn forward their Top-10 to their frequent clients, which may be proxies as well, resulting in a dynamic hierarchical scheme, responsive to users' access patterns as they evolve over time. We use trace-driven simulation based on access logs from various servers to evaluate Top-10 prefetching. Performance results suggest that the proposed policy can anticipate more than 40% of a client's requests while increasing network traffic by no more than 10% in most cases.

    Using reference counters in Update Based Coherent Memory

    As the disparity between processor and memory speed continues to widen, the exploitation of locality of reference in shared-memory multiprocessors becomes an increasingly important problem in parallel processing. In this paper, we explore the problem of managing locality at the operating system level. In specific, we study the use of reference counters in making informed decisions about page placement and movement. We use trace-driven simulation of real applications to evaluate the effectiveness of reference counters in providing useful hints to the memory manager of the operating system. Our main conclusion is that reference counters provide a simple and inexpensive mechanism for detecting the reference patterns of pages and making robust page placement decisions that result in significant performance improvement.

    A Lower Bound for the Closest Pair Problem

    We prove a lower bound on the number of distance queries necessary to solve the closest pair problem in a set of binary strings. We show that given a set of $\ell^d$ binary strings of length $2 \cdot \ell \cdot d + 1$, at least $\Omega(\ell^{d+1})$ pairwise distance queries have to be made by any decision tree algorithm that finds the pair of closest strings. In the course of proving this lower bound, we examine a graph theoretic problem related to lattice graphs. The nodes and edges of a lattice graph correspond to points and links of a $d$-dimensional grid. We consider the problem of distinguishing a lattice graph $\mathcal{L}_{d,\ell}$ of dimension $d$ with $\ell^d$ nodes from its subgraph $\mathcal{L}'_{d,\ell}$; the latter is induced by removing the edges of a single node across one dimension. We derive a lower bound of $\Omega(\ell^{d+1})$ on the number of adjacency matrix queries made by any decision-tree algorithm that solves the problem.

    Lightweight Transactions on Networks of Workstations

    Although transactions have been a valuable abstraction of atomicity, persistency, and recoverability, they have not been widely used in programming environments today, mostly because of their high overheads that have been driven by the low performance of magnetic disks. A major challenge in transaction-based systems is to remove the magnetic disk from the critical path of transaction management. In this paper we present PERSEAS, a transaction library for main memory databases that decouples the performance of transactions from the magnetic disk speed. Our system is based on a layer of reliable main memory that provides fast and recoverable storage of data. We have implemented our system as a user-level library on top of the Windows NT operating system in a network of workstations connected with the SCI interconnection network. Our experimental results suggest that PERSEAS achieves performance that is orders of magnitude better than traditional recoverable main memory systems.