Interpretable Probabilistic Password Strength Meters via Deep Learning
Probabilistic password strength meters have proven to be the most accurate
tools for measuring password strength. Unfortunately, by construction, they are
limited to producing only an opaque security estimate that fails to fully
support the user during password composition. In the present work, we take the
first steps towards breaking the intelligibility barrier of this compelling
class of meters. We show that probabilistic password meters inherently have the
capability of describing the latent relation between password strength and
password structure. In our approach, the security contribution of each
character composing a password is disentangled and used to provide explicit,
fine-grained feedback to the user. Furthermore, unlike existing heuristic
constructions, our method is free from any human bias, and, more importantly,
its feedback has a clear probabilistic interpretation. In our contribution:
(1) we formulate the theoretical foundations of interpretable probabilistic
password strength meters; (2) we describe how they can be implemented via an
efficient and lightweight deep learning framework suitable for client-side
operation.

Comment: An abridged version of this paper appears in the proceedings of the
25th European Symposium on Research in Computer Security (ESORICS) 202
La satira e la storia delle emozioni. Una relazione privilegiata?
The article reviews some interpretations of satire offered by different disciplines. It also puts forward the hypothesis that satirical texts (verbal or visual) offer particularly useful evidence for reconstructing the emotions associated with a given historical period and a given context. This hypothesis is supported by examples gathered during the author's research on the satirical press and by others drawn from current affairs. The examples cited include articles and cartoons from satirical newspapers of the 1940s: the Milanese «Il Bertoldo» and the Berlin-based «Ulenspiegel». Also analysed are comments posted on the web by readers of online newspapers concerning the recent lawsuit filed by Benedict XVI against the German satirical magazine «Titanic».

The present essay discusses interpretations of satire offered by different disciplines. Furthermore, it hypothesizes that both verbal and visual satirical texts provide particularly useful evidence of the emotions related to a certain historical period or a certain context. The author analyzes sources from the satirical press, which has been the subject of his PhD research, and from current affairs in order to prove the above-mentioned hypothesis. Examples include articles and cartoons from satirical periodicals of the 1940s such as «Il Bertoldo», which was published in Milan, and «Ulenspiegel», which was published in Berlin. Furthermore, the author analyzes comments posted by readers of online newspapers in relation to the recent lawsuit brought by Pope Benedict XVI against the German satirical magazine «Titanic».
Universal Neural-Cracking-Machines: Self-Configurable Password Models from Auxiliary Data
We develop the first universal password model -- a password model that, once
pre-trained, can automatically adapt to any password distribution. To achieve
this result, the model does not need to access any plaintext passwords from the
target set. Instead, it exploits users' auxiliary information, such as email
addresses, as a proxy signal to predict the underlying target password
distribution. The model uses deep learning to capture the correlation between
the auxiliary data of a group of users (e.g., users of a web application) and
their passwords. It then exploits those patterns to create a tailored password
model for the target community at inference time. No further training steps,
targeted data collection, or prior knowledge of the community's password
distribution are required. Besides defining a new state of the art for password
strength estimation, our model enables any end user (e.g., system
administrators) to autonomously generate tailored password models for their
systems without the often unworkable requirement of collecting suitable
training data and fitting the underlying password model. Ultimately, our
framework enables the democratization of well-calibrated password models to the
community, addressing a major challenge in the deployment of password security
solutions at large scale.

Comment: v0.0
Adversarial Out-domain Examples for Generative Models
Deep generative models are rapidly becoming a common tool for researchers and
developers. However, as exhaustively shown for the family of discriminative
models, the test-time inference of deep neural networks cannot be fully
controlled, and erroneous behaviors can be induced by an attacker. In the
present work, we show how a malicious user can force a pre-trained generator to
reproduce arbitrary data instances by feeding it suitable adversarial inputs.
Moreover, we show that these adversarial latent vectors can be shaped so as to
be statistically indistinguishable from the set of genuine inputs. The proposed
attack technique is evaluated against various GAN image generators using
different architectures and training processes, in both conditional and
unconditional setups.

Comment: accepted in proceedings of the Workshop on Machine Learning for
Cyber-Crime Investigation and Cybersecurit
On the (In)security of Peer-to-Peer Decentralized Machine Learning
In this work, we carry out the first in-depth privacy analysis of
Decentralized Learning -- a collaborative machine learning framework aimed at
addressing the main limitations of federated learning. We introduce a suite of
novel attacks for both passive and active decentralized adversaries. We
demonstrate that, contrary to what is claimed by decentralized learning
proposers, decentralized learning does not offer any security advantage over
federated learning. Rather, it increases the attack surface, enabling any user
in the system to perform privacy attacks such as gradient inversion, and even
to gain full control over honest users' local models. We also show that, given
the state of the art in protections, privacy-preserving configurations of
decentralized learning require fully connected networks, losing any practical
advantage over the federated setup and therefore completely defeating the
objective of the decentralized approach.

Comment: IEEE S&P'23 (Previous title: "On the Privacy of Decentralized Machine
Learning"
Improving Password Guessing via Representation Learning
Learning useful representations from unstructured data is one of the core
challenges, as well as a driving force, of modern data-driven approaches. Deep
learning has demonstrated the broad advantages of learning and harnessing such
representations. In this paper, we introduce a deep generative model
representation learning approach for password guessing. We show that an
abstract password representation naturally offers compelling and versatile
properties that can be used to open new directions in the extensively studied,
and yet still active, password guessing field. These properties can
establish novel password generation techniques that are neither feasible nor
practical with the existing probabilistic and non-probabilistic approaches.
Based on these properties, we introduce: (1) a general framework for conditional
password guessing that can generate passwords with arbitrary biases; and (2) an
Expectation Maximization-inspired framework that can dynamically adapt the
estimated password distribution to match the distribution of the attacked
password set.

Comment: This paper appears in the proceedings of the 42nd IEEE Symposium on
Security and Privacy (Oakland) S&P 202