Modeling Security Weaknesses to Enable Practical Run-time Defenses

Abstract

Security weaknesses are sometimes caused by patterns in human behaviors. However, it can be difficult to identify such patterns in a practical, yet accurate way. In order to fix security weaknesses, it is crucial to identify them. Useful systems to identify security weaknesses must be accurate enough to guide users’ decisions, but also be lightweight enough to produce results in a reasonable time frame. Inthis thesis, we show how machine-learning techniques allow us to detect security weaknesses that result from patterns in human behavior faster and more efficientlythan current approaches, enabling new, practical run-time defenses. We present two applications to support this thesis. First, we use neural networks to identify users’ weak passwords and show how to make this approach practical for fully client-side password feedback. One problemwith current password feedback is that users can get either quick but often incorrect feedback by using heuristics or accurate but slow feedback by simulating adversarialguessing. In contrast, we found that our approach to password guessing is both more accurate and more compact in implementation than previous ones, which enables us to more practically estimate resistance to password-guessing attacks in real timeon client machines. Second, we use deep learning models to identify client-side cross-site scriptingvulnerabilities in JavaScript code. We collected JavaScript functions from hundreds of thousands of web pages and using a taint-tracking-enabled browser labeled themaccording to whether they were vulnerable to cross-site scripting. We trained deep neural networks to classify source code as safe or as potentially vulnerable. Wedemonstrate how our models can be used as a lightweight building block to selectively enable other defenses, e.g., taint tracking