1,653 research outputs found

    An Evasion Attack against ML-based Phishing URL Detectors

    Background: Over the years, Machine Learning Phishing URL classification (MLPU) systems have gained tremendous popularity to detect phishing URLs proactively. Despite this vogue, the security vulnerabilities of MLPUs remain mostly unknown. Aim: To address this concern, we conduct a study to understand the test time security vulnerabilities of the state-of-the-art MLPU systems, aiming at providing guidelines for the future development of these systems. Method: In this paper, we propose an evasion attack framework against MLPU systems. To achieve this, we first develop an algorithm to generate adversarial phishing URLs. We then reproduce 41 MLPU systems and record their baseline performance. Finally, we simulate an evasion attack to evaluate these MLPU systems against our generated adversarial URLs. Results: In comparison to previous works, our attack is: (i) effective as it evades all the models with an average success rate of 66% and 85% for famous (such as Netflix, Google) and less popular phishing targets (e.g., Wish, JBHIFI, Officeworks) respectively; (ii) realistic as it requires only 23ms to produce a new adversarial URL variant that is available for registration with a median cost of only $11.99/year. We also found that popular online services such as Google SafeBrowsing and VirusTotal are unable to detect these URLs. (iii) We find that Adversarial training (successful defence against evasion attack) does not significantly improve the robustness of these systems as it decreases the success rate of our attack by only 6% on average for all the models. (iv) Further, we identify the security vulnerabilities of the considered MLPU systems. Our findings lead to promising directions for future research. Conclusion: Our study not only illustrates vulnerabilities in MLPU systems but also highlights implications for future study towards assessing and improving these systems. Comment: Draft for ACM TOP

    Understanding the Heterogeneity of Contributors in Bug Bounty Programs

    Background: While bug bounty programs are not new in software development, an increasing number of companies, as well as open source projects, rely on external parties to perform the security assessment of their software for reward. However, there is relatively little empirical knowledge about the characteristics of bug bounty program contributors. Aim: This paper aims to understand those contributors by highlighting the heterogeneity among them. Method: We analyzed the histories of 82 bug bounty programs and 2,504 distinct bug bounty contributors, and conducted a quantitative and qualitative survey. Results: We found that there are project-specific and non-specific contributors who have different motivations for contributing to the products and organizations. Conclusions: Our findings provide insights to make bug bounty programs better and for further studies of new software development roles. Comment: 6 pages, ESEM 201

    Entanglement-assisted quantum turbo codes

    An unexpected breakdown in the existing theory of quantum serial turbo coding is that a quantum convolutional encoder cannot simultaneously be recursive and non-catastrophic. These properties are essential for quantum turbo code families to have a minimum distance growing with blocklength and for their iterative decoding algorithm to converge, respectively. Here, we show that the entanglement-assisted paradigm simplifies the theory of quantum turbo codes, in the sense that an entanglement-assisted quantum (EAQ) convolutional encoder can possess both of the aforementioned desirable properties. We give several examples of EAQ convolutional encoders that are both recursive and non-catastrophic and detail their relevant parameters. We then modify the quantum turbo decoding algorithm of Poulin et al., in order to have the constituent decoders pass along only "extrinsic information" to each other rather than a posteriori probabilities as in the decoder of Poulin et al., and this leads to a significant improvement in the performance of unassisted quantum turbo codes. Other simulation results indicate that entanglement-assisted turbo codes can operate reliably in a noise regime 4.73 dB beyond that of standard quantum turbo codes, when used on a memoryless depolarizing channel. Furthermore, several of our quantum turbo codes are within 1 dB or less of their hashing limits, so that the performance of quantum turbo codes is now on par with that of classical turbo codes. 
Finally, we prove that entanglement is the resource that enables a convolutional encoder to be both non-catastrophic and recursive because an encoder acting on only information qubits, classical bits, gauge qubits, and ancilla qubits cannot simultaneously satisfy them. Comment: 31 pages, software for simulating EA turbo codes is available at http://code.google.com/p/ea-turbo/ and a presentation is available at http://markwilde.com/publications/10-10-EA-Turbo.ppt ; v2, revisions based on feedback from journal; v3, modification of the quantum turbo decoding algorithm that leads to improved performance over results in v2 and the results of Poulin et al. in arXiv:0712.288

    Flavor SU(3) analysis of charmless B meson decays to two pseudoscalar mesons

    Global fits to charmless $B \to PP$ decays in the framework of flavor SU(3) symmetry are updated and improved without reference to the $\sin 2\beta$ measured from the charmonium decay modes. Fit results directly constrain the $(\bar\rho,\bar\eta)$ vertex of the unitarity triangle, and are used to predict the branching ratios and CP asymmetries of all decay modes, including those of the $B_s$ system. Different schemes of SU(3) breaking in decay amplitude sizes are analyzed. The major breaking effect between strangeness-conserving and strangeness-changing decays can be accounted for by including a ratio of decay constants in tree and color-suppressed amplitudes. The possibility of having a new physics contribution to $K\pi$ decays is also examined from the data fitting point of view. Comment: 22 pages and 2 figures; some comments and references added; more references added, version to appear in journa

    The 2004 UTfit Collaboration Report on the Status of the Unitarity Triangle in the Standard Model

    Using the latest determinations of several theoretical and experimental parameters, we update the Unitarity Triangle analysis in the Standard Model. The basic experimental constraints come from the measurements of |V_ub/V_cb|, Delta M_d, the lower limit on Delta M_s, epsilon_k, and the measurement of the phase of the B_d - anti B_d mixing amplitude through the time-dependent CP asymmetry in B^0 to J/psi K^0 decays. In addition, we consider the direct determination of alpha, gamma, 2 beta + gamma and cos(2 beta) from the measurements of new CP-violating quantities, recently performed at the B factories. We also discuss the opportunities offered by improving the precision of the various physical quantities entering in the determination of the Unitarity Triangle parameters. The results and the plots presented in this paper can also be found at http://www.utfit.org, where they are continuously updated with the newest experimental and theoretical results. Comment: 32 pages, 17 figures. High resolution figures and updates can be found at http://www.utfit.org v2: misprints correcte

    Can there be any new physics in b -> d penguins

    We analyze the possibility of observing new physics effects in the $b \to d$ penguin amplitudes. For this purpose, we consider the decay mode $B \to K^0 \bar K^0$, which has only $b \to d$ penguin contributions. Using the QCD factorization approach, we find very tiny CP violating effects in the standard model for this process. Furthermore, we show that the minimal supersymmetric standard model with $LR$ mass insertion and R-parity violating supersymmetric model can provide substantial CP violation effects. Observation of sizable CP violation in this mode would be a clear signal of new physics. Comment: Published versio

    Analyzing an agile solution for intelligent distribution grid development: a smart grid architecture method
