Controlled Data Sharing for Collaborative Predictive Blacklisting

Although sharing data across organizations is often advocated as a promising way to enhance cybersecurity, collaborative initiatives are rarely put into practice owing to confidentiality, trust, and liability challenges. In this paper, we investigate whether collaborative threat mitigation can be realized via a controlled data sharing approach, whereby organizations make informed decisions as to whether or not, and how much, to share. Using appropriate cryptographic tools, entities can estimate the benefits of collaboration and agree on what to share in a privacy-preserving way, without having to disclose their datasets. We focus on collaborative predictive blacklisting, i.e., forecasting attack sources based on one's logs and those contributed by other organizations. We study the impact of different sharing strategies by experimenting on a real-world dataset of two billion suspicious IP addresses collected from Dshield over two months. We find that controlled data sharing yields up to 105% accuracy improvement on average, while also reducing the false positive rate.Comment: A preliminary version of this paper appears in DIMVA 2015. This is the full version. arXiv admin note: substantial text overlap with arXiv:1403.212

A Critical Overview of Privacy in Machine Learning

This article reviews privacy challenges in machine learning and provides a critical overview of the relevant research literature. The possible adversarial models are discussed, a wide range of attacks related to sensitive information leakage is covered, and several open problems are highlighted

Genetic and morphological studies of Trichosirocalus species introduced to North America, Australia and New Zealand for the biological control of thistles

Trichosirocalus horridus sensu lato has been used as a biological control agent of several invasive thistles (Carduus spp., Cirsium spp. and Onopordum spp.) since 1974. It has been recognized as a single species until 2002, when it was split into three species based on morphological characters: T. horridus, Trichosirocalus briesei and Trichosirocalus mortadelo, each purported to have different host plants. Because of this taxonomic change, uncertainty exists as to which species were released in various countries; furthermore, there appears to be some exceptions to the purported host plants of some of these species. To resolve these questions, we conducted an integrative taxonomic study of the T. horridus species complex using molecular genetic and morphological analyses of specimens from three continents. Both mitochondrial cytochrome c oxidase subunit I and nuclear elongation factor 1α markers clearly indicate that there are only two distinct species, T. horridus and T. briesei. Molecular evidence, morphological analysis and host plant associations support the synonymy of T. horridus (Panzer, 1801) and T. mortadelo Alonso-Zarazaga & Sánchez-Ruiz, 2002. We determine that T. horridus has been established in Canada, USA, New Zealand and Australia and that T. briesei is established in Australia. The former species was collected from Carduus, Cirsium and Onopordum spp. in the field, whereas the latter appears to be specific to Onopordum

Undetectable Communication: The Online Social Networks Case

Online Social Networks (OSNs) provide users with an easy way to share content, communicate, and update others about their activities. They also play an increasingly fundamental role in coordinating and amplifying grassroots movements, as demonstrated by recent uprisings in, e.g., Egypt, Tunisia, and Turkey. At the same time, OSNs have become primary targets of tracking, profiling, as well as censorship and surveillance. In this paper, we explore the notion of undetectable communication in OSNs and introduce formal definitions, alongside system and adversarial models, that complement better understood notions of anonymity and confidentiality. We present a novel scheme for secure covert information sharing that, to the best of our knowledge, is the first to achieve undetectable communication in OSNs. We demonstrate, via an open-source prototype, that additional costs are tolerably low

The Asp272-Glu282 Region of Platelet Glycoprotein Ib Interacts with the Heparin-binding Site of -Thrombin and Protects the Enzyme from the Heparin-catalyzed Inhibition by Antithrombin III

Platelet glycoprotein Ib (GpIb) mediates interaction with both von Willebrand factor and thrombin. Thrombin binds to GpIb via its heparin-binding site (HBS) (De Candia, E., De Cristofaro, R., De Marco, L., Mazzucato, M., Picozzi, M., and Landolfi, R. (1997) Thromb. Haemostasis 77, 735–740; De Cristofaro, R., De Candia, E., Croce, G., Morosetti, R., and Landolfi, R. (1998) Biochem. J. 332, 643–650). To identify the thrombin-binding domain on GpIbα, we examined the effect of GpIbα1–282, a GpIbα fragment released by the cobra venom mocarhagin on the heparin-catalyzed rate of thrombin inhibition by antithrombin III (AT). GpIbα1–282 inhibited the reaction in a dose-dependent and competitive fashion. In contrast, the GpIbα1–271 fragment, produced by exposing GpIbα1–282 to carboxypeptidase Y, had no effect on thrombin inhibition by the heparin-AT complex. Measurements of the apparent equilibrium constant of the GpIbα1–282 binding to thrombin as a function of different salts (NaCl and tetramethyl-ammonium chloride) concentration (0.1–0.2 M) indicated a large salt dependence (Γ± = −4.5), similar to that pertaining to the heparin binding to thrombin. The importance of thrombin HBS in its interaction with GpIbα was confirmed using DNA aptamers, which specifically bind to either HBS (HD22) or the fibrinogen recognition site of thrombin (HD1). HD22, but not HD1, inhibited thrombin binding to GpIbα1–282. Furthermore, the proteolytic derivative γT-thrombin, which lacks the fibrinogen recognition site, binds to GpIbα via its intact HBS in a reaction that is inhibited by HD22. Neither α- nor γT-thrombin bound to GpIbα1–271, suggesting that the Asp272–Glu282 region of GpIbα may act as a “heparin-like” ligand for the thrombin HBS, thereby inhibiting heparin binding to thrombin. It was also demonstrated that intact platelets may dose-dependently inhibit the heparin-catalyzed thrombin inhibition by AT at enzyme concentrations <5 nM. Altogether, these findings show that thrombin HBS binds to the region of GpIbα involving the Asp272–Glu282 segment, protecting the enzyme from the inactivation by the heparin-AT system

How Much Does GenoGuard Really "Guard"? An Empirical Analysis of Long-Term Security for Genomic Data

Due to its hereditary nature, genomic data is not only linked to its owner but to that of close relatives as well. As a result, its sensitivity does not really degrade over time; in fact, the relevance of a genomic sequence is likely to be longer than the security provided by encryption. This prompts the need for specialized techniques providing long-term security for genomic data, yet the only available tool for this purpose is GenoGuard~\citehuang_genoguard:_2015. By relying on \em Honey Encryption, GenoGuard is secure against an adversary that can brute force all possible keys; i.e., whenever an attacker tries to decrypt using an incorrect password, she will obtain an incorrect but plausible looking decoy sequence. In this paper, we set to analyze the real-world security guarantees provided by GenoGuard; specifically, assess how much more information does access to a ciphertext encrypted using GenoGuard yield, compared to one that was not. Overall, we find that, if the adversary has access to side information in the form of partial information from the target sequence, the use of GenoGuard does appreciably increase her power in determining the rest of the sequence. We show that, in the case of a sequence encrypted using an easily guessable (low-entropy) password, the adversary is able to rule out most decoy sequences, and obtain the target sequence with just 2.5% of it available as side information. In the case of a harder-to-guess (high-entropy) password, we show that the adversary still obtains, on average, better accuracy in guessing the rest of the target sequences than using state-of-the-art genomic sequence inference methods, obtaining up to 15% improvement in accuracy

An Exploratory Study of User Perceptions of Payment Methods in the UK and the US

This paper presents the design and the results of a cross-cultural study of user perceptions and attitudes toward electronic payment methods. We conduct a series of semi-structured interviews involving forty participants (20 in London, UK, and 20 in Manhattan, KS, USA) to explore how individuals use the mechanisms available to them within their routine payment and banking activities. We also study their comprehension of payment processes, the perceived effort and impact of using different methods, as well as direct or indirect recollections of (suspected or actual) fraud and related interactions with banks and retailers. By comparing UK and US participants, we also elicit commonalities and differences that may help better understand, if not predict, attitudes of US customers once technologies like Chip-and-PIN are rolled out – for instance, several US participants were confused by how to use it, while UK participants found it convenient. Our results show that purchasing habits as well as the availability of rewards schemes are primary criteria influencing choices relating to payment technologies, and that inconsistencies, glitches, and other difficulties with newer technologies generate frustration sometimes leading to complete avoidance of new payment methods

MaMaDroid: Detecting Android malware by building markov chains of behavioral models (extended version)

As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis based system that abstracts app’s API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MaMaDroid remarkably overperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid’s effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps

Paying for Likes? Understanding Facebook like fraud using honeypots

Facebook pages offer an easy way to reach out to a very large audience as they can easily be promoted using Facebook's advertising platform. Recently, the number of likes of a Facebook page has become a measure of its popularity and profitability, and an underground market of services boosting page likes, aka like farms, has emerged. Some reports have suggested that like farms use a network of profiles that also like other pages to elude fraud protection algorithms, however, to the best of our knowledge, there has been no systematic analysis of Facebook pages' promotion methods. This paper presents a comparative measurement study of page likes garnered via Facebook ads and by a few like farms. We deploy a set of honeypot pages, promote them using both methods, and analyze garnered likes based on likers' demographic, temporal, and social characteristics. We highlight a few interesting findings, including that some farms seem to be operated by bots and do not really try to hide the nature of their operations, while others follow a stealthier approach, mimicking regular users' behavior

Soros, Child Sacrifices, and {5G}: {U}nderstanding the Spread of Conspiracy Theories on {Web} Communities

This paper presents a multi-platform computational pipeline geared to identify social media posts discussing (known) conspiracy theories. We use 189 conspiracy claims collected by Snopes, and find 66k posts and 277k comments on Reddit, and 379k tweets discussing them. Then, we study how conspiracies are discussed on different Web communities and which ones are particularly influential in driving the discussion about them. Our analysis sheds light on how conspiracy theories are discussed and spread online, while highlighting multiple challenges in mitigating them