An efficient confidentiality-preserving Proof of Ownership for deduplication

Data storage in the cloud is becoming widespread. Deduplication is a key mechanism to decrease the operating costs cloud providers face, due to the reduction of replicated data storage. Nonetheless, deduplication must deal with several security threats such as honest-but-curious servers or malicious users who may try to take ownership of files they are not entitled to. Unfortunately, state-of-the-art solutions present weaknesses such as not coping with honest-but-curious servers, deployment problems, or lacking a sound security analysis. In this paper we present a novel Proof of Ownership scheme that uses convergent encryption and requires neither trusted third parties nor complex key management. The experimental evaluation highlights the efficiency and feasibility of our proposal that is proven to be secure under the random oracle model in the bounded leakage setting. (C) 2015 Elsevier Ltd. All rights reserved

Analysis of update delays in signature-based network intrusion detection systems

Network Intrusion Detection Systems (NIDS) monitor network traffic looking for attempts to compromise the security of the system they protect. Signature-based NIDS rely on a set of known attack patterns to match malicious traffic. Accordingly, they are unable to detect a specific attack until a specific signature for the corresponding vulnerability is created, tested, released and deployed. Although vital, the delay in the updating process of these systems has not been studied in depth. This paper presents a comprehensive statistical analysis of this delay in relation to the vulnerability disclosure time, the updates of vulnerability detection systems (VDS), the software patching releases and the publication of exploits. The widely deployed NIDS Snort and its detection signatures release dates have been used. Results show that signature updates are typically available later than software patching releases. Moreover, Snort rules are generally released within the first 100 days from the vulnerability disclosure and most of the times exploits and the corresponding NIDS rules are published with little difference. Implications of these results are drawn in the context of security policy definition. This study can be easily kept up to date due to the methodology used.Publicad

Improving network intrusion detection by means of domain-aware genetic programming

Proceeding of: International Conference on Availability, Reliability, and Security, 2010. ARES '10, 15-18 February 2010, Krakow, PolandOne of the central areas in network intrusion detection is how to build effective systems that are able to distinguish normal from intrusive traffic. In this paper we explore the use of Genetic Programming (GP) for such a purpose. Although GP has already been studied for this task, the inner features of network intrusion detection have been systematically ignored. To avoid the blind use of GP shown in previous research, we guide the search by means of a fitness function based on recent advances on IDS evaluation. For the experimental work we use a well-known dataset (i.e. KDD- 99) that has become a standard to compare research although its drawbacks. Results clearly show that an intelligent use of GP achieves systems that are comparable (and even better in realistic conditions) to top state-of-the-art proposals in terms of effectiveness, improving them in efficiency and simplicity.This work was partially supported by CDTI, Ministerio de Industria, Turismo y Comercio of Spain in collaboration with Telefónica I+D, Project SEGUR@ CENIT-2007 2004Publicad

Adaptive agents applied to intrusion detection

Proceeding of: Multi-agent systems and applications III : 3rd International Central and Eastern European Conference on Multi-Agent Systems, CEEMAS 2003 Prague, Czech Republic, June 16–18, 2003This paper proposes a system of agents that make predictions over the presence of intrusions. Some of the agents act as predictors implementing a given Intrusion Detection model, sniffing out the same traffic. An assessment agent weights the forecasts of such predictor agents, giving a final binary conclusion using a probabilistic model. These weights are continuously adapted according to the previous performance of each predictor agent. Other agent establishes if the prediction from the assessor agent was right or not, sending him back the results. This process is continually repeated and runs without human interaction. The effectiveness of our proposal is measured with the usual method applied in Intrusion Detection domain: Receiver Operating Characteristic curves (detection rate versus false alarm rate). Results of the adaptive agents applied to intrusion detection improve ROC curves as it is shown in this paper.Publicad

A multi-agent scanner to detect stored-XSS vulnerabilities

Proceeding of: 2010 International Conference for Internet Technology and Secured Transactions (ICITST), 8 to 11 November 2010 London, England, United KingdomThe cross-site scripting (XSS) has become a common vulnerability of many web sites and web applications. XSS consists in the exploitation of input validation flaws, with the purpose of injecting arbitrary script code which is later executed at the web browser of the victim. One interesting possibility to prevent this type of vulnerability is the use of vulnerability scanners. However, current scanners are capable of detecting just one of the two main modalities of XSS attacks. This paper introduces a novel multi–agent system for the automated scanning of web sites to detect the presence of XSS vulnerabilities exploitable by an stored–XSS attack. The rate of detection of the system is evaluated in two different scenarios.This work has been partially supported by CDTI (Ministerio de Industria, Turismo y Comercio of Spain) in collaboration with Telefonica I+D, Project SEGUR@ with reference CENIT-2007 2004Publicad

Randomized Anagram Revisited

When compared to signature-based Intrusion Detection Systems (IDS), anomaly detectors present the potential advantage of detecting previously unseen attacks, which makes them an attractive solution against zero-day exploits and other attacks for which a signature is unavailable. Most anomaly detectors rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Such algorithms, however, are generally susceptible to evasion by means of carefully constructed attacks that are not recognized as anomalous. Different strategies to thwart evasion have been proposed over the last years, including the use of randomization to make somewhat uncertain how each packet will be processed. In this paper we analyze the strength of the randomization strategy suggested for Anagram, a well-known anomaly detector based on n-gram models. We show that an adversary who can interact with the system for a short period of time with inputs of his choosing will be able to recover the secret mask used to process packets. We describe and discuss an efficient algorithm to do this and report our experiences with a prototype implementation. Furthermore, we show that the specific form of randomization suggested for Anagram is a double-edged sword, as knowledge of the mask makes evasion easier than in the non-randomized case. We finally discuss a simple countermeasure to prevent our attacks.Publicad

Key-recovery attacks on KIDS, a keyed anomaly detection system

Most anomaly detection systems rely on machine learning algorithms to derive a model of normality that is later used to detect suspicious events. Some works conducted over the last years have pointed out that such algorithms are generally susceptible to deception, notably in the form of attacks carefully constructed to evade detection. Various learning schemes have been proposed to overcome this weakness. One such system is Keyed IDS (KIDS), introduced at DIMVA "10. KIDS" core idea is akin to the functioning of some cryptographic primitives, namely to introduce a secret element (the key) into the scheme so that some operations are infeasible without knowing it. In KIDS the learned model and the computation of the anomaly score are both key-dependent, a fact which presumably prevents an attacker from creating evasion attacks. In this work we show that recovering the key is extremely simple provided that the attacker can interact with KIDS and get feedback about probing requests. We present realistic attacks for two different adversarial settings and show that recovering the key requires only a small amount of queries, which indicates that KIDS does not meet the claimed security properties. We finally revisit KIDS' central idea and provide heuristic arguments about its suitability and limitations

Trends, problems and misconceptions on testing Network Intrusion Detection Systems effectiveness

Network Intrusion Detection Systems (NIDS) are hardware or software systems that are used to identify and respond to intrusions in computer networks. An intrusion is a deliberate or accidental unauthorized access to or activity against any of the elements of the network. Evaluation of how effective different intrusion detection technologies are becomes mandatory, in order to know which is the one that better fits in a particular scenario. Nevertheless this is not an easy task. This chapter reviews the main problems regarding testing effectiveness: the absence of standard test methodologies and metrics, the drawbacks of current datasets, the different requirements for testing different technologies, etc. These conditions make evaluation difficult not only for the industry but also for researchers. Scientific proposals are often näively compared. We focus on providing evidence of this situation by means of supporting examples. Some guidelines for the future are finally proposed