37 research outputs found

    Interpretable Probabilistic Password Strength Meters via Deep Learning

    Probabilistic password strength meters have been proved to be the most accurate tools to measure password strength. Unfortunately, by construction, they are limited to solely produce an opaque security estimation that fails to fully support the user during the password composition. In the present work, we move the first steps towards cracking the intelligibility barrier of this compelling class of meters. We show that probabilistic password meters inherently own the capability of describing the latent relation occurring between password strength and password structure. In our approach, the security contribution of each character composing a password is disentangled and used to provide explicit fine-grained feedback for the user. Furthermore, unlike existing heuristic constructions, our method is free from any human bias, and, more importantly, its feedback has a clear probabilistic interpretation. In our contribution: (1) we formulate the theoretical foundations of interpretable probabilistic password strength meters; (2) we describe how they can be implemented via an efficient and lightweight deep learning framework suitable for client-side operability.
    Comment: An abridged version of this paper appears in the proceedings of the 25th European Symposium on Research in Computer Security (ESORICS) 202

    Satire and the History of Emotions. A Privileged Relationship? (La satira e la storia delle emozioni. Una relazione privilegiata?)

    The present essay discusses interpretations of satire offered by different disciplines. Furthermore it hypothesizes that both verbal and visual satirical texts provide particularly useful evidence of the emotions related to a certain historical period or a certain context. The author analyzes sources from the satirical press, which has been the subject of his PhD research, and from current affairs in order to prove the abovementioned hypothesis. Examples include articles and cartoons from satirical periodicals of the 1940s such as «Il Bertoldo», which was published in Milan, and «Ulenspiegel», which was published in Berlin. Furthermore the author analyzes comments posted by readers of on-line newspapers in relation to the recent lawsuit taken by Pope Benedict XVI against the German satirical magazine «Titanic»

    Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data

    We develop the first universal password model -- a password model that, once pre-trained, can automatically adapt to any password distribution. To achieve this result, the model does not need to access any plaintext passwords from the target set. Instead, it exploits users' auxiliary information, such as email addresses, as a proxy signal to predict the underlying target password distribution. The model uses deep learning to capture the correlation between the auxiliary data of a group of users (e.g., users of a web application) and their passwords. It then exploits those patterns to create a tailored password model for the target community at inference time. No further training steps, targeted data collection, or prior knowledge of the community's password distribution is required. Besides defining a new state-of-the-art for password strength estimation, our model enables any end-user (e.g., system administrators) to autonomously generate tailored password models for their systems without the often unworkable requirement of collecting suitable training data and fitting the underlying password model. Ultimately, our framework enables the democratization of well-calibrated password models to the community, addressing a major challenge in the deployment of password security solutions on a large scale.
    Comment: v0.0

    Adversarial Out-domain Examples for Generative Models

    Deep generative models are rapidly becoming a common tool for researchers and developers. However, as exhaustively shown for the family of discriminative models, the test-time inference of deep neural networks cannot be fully controlled and erroneous behaviors can be induced by an attacker. In the present work, we show how a malicious user can force a pre-trained generator to reproduce arbitrary data instances by feeding it suitable adversarial inputs. Moreover, we show that these adversarial latent vectors can be shaped so as to be statistically indistinguishable from the set of genuine inputs. The proposed attack technique is evaluated with respect to various GAN images generators using different architectures, training processes and for both conditional and not-conditional setups.
    Comment: accepted in proceedings of the Workshop on Machine Learning for Cyber-Crime Investigation and Cybersecurit

    On the (In)security of Peer-to-Peer Decentralized Machine Learning

    In this work, we carry out the first, in-depth, privacy analysis of Decentralized Learning -- a collaborative machine learning framework aimed at addressing the main limitations of federated learning. We introduce a suite of novel attacks for both passive and active decentralized adversaries. We demonstrate that, contrary to what is claimed by decentralized learning proposers, decentralized learning does not offer any security advantage over federated learning. Rather, it increases the attack surface enabling any user in the system to perform privacy attacks such as gradient inversion, and even gain full control over honest users' local model. We also show that, given the state of the art in protections, privacy-preserving configurations of decentralized learning require fully connected networks, losing any practical advantage over the federated setup and therefore completely defeating the objective of the decentralized approach.
    Comment: IEEE S&P'23 (Previous title: "On the Privacy of Decentralized Machine Learning"

    Improving Password Guessing via Representation Learning

    Learning useful representations from unstructured data is one of the core challenges, as well as a driving force, of modern data-driven approaches. Deep learning has demonstrated the broad advantages of learning and harnessing such representations. In this paper, we introduce a deep generative model representation learning approach for password guessing. We show that an abstract password representation naturally offers compelling and versatile properties that can be used to open new directions in the extensively studied, and yet presently active, password guessing field. These properties can establish novel password generation techniques that are neither feasible nor practical with the existing probabilistic and non-probabilistic approaches. Based on these properties, we introduce: (1) A general framework for conditional password guessing that can generate passwords with arbitrary biases; and (2) an Expectation Maximization-inspired framework that can dynamically adapt the estimated password distribution to match the distribution of the attacked password set.
    Comment: This paper appears in the proceedings of the 42nd IEEE Symposium on Security and Privacy (Oakland) S&P 202