数据安全与隐私前沿
1. When Security and AI Meet. -- Tao Xie taoxie@illinois.edu http://taoxie.cs.illinois.edu/
1.1 AI and Software Engineering 智能软件工程
(1) AI FOR Test Generation:
Microsoft Security Risk Detection : https://microsoft.com/en-us/security-risk-detection/
cloud-based-fuzz-testing
(2) 二进制码 based risk detection: Mayhem
(3) Dynamic Symbolic Execution (DART: Godefoid et.al OKDI'05)
遍历所有的路径和分支语句:
Explision of Search Space: 搜索空间太大
(4) Automated Software Testing:
- Path Explision: DSN'09: fITNEX
- Method SEQUENCE EXPLOSION oopsla'11: Seeker
Shipped in VS 2015/2017
Code Hunt :
(5) Android App Testing: WeChat
(6) Intelligent Software Testing?
- Learning from others working on the same things
- Learning from others working on similar things
(7) NLP for Security Policies
- Access Control Vulnerabilities
- Access Control Policies(ACP)
- A policy rule includes four elements:
- Subject - HCP
- Action - edit
- Resource - patient's account
- Effect - deny
- A policy rule includes four elements:
- Problems of ACP Practice
- ACPs: 自然语言并没有具体处理
- Example: A doctor can not modify the patient's account.
- Overview of Text2Policy
(8) NLP for Mobile Security
- Problems Statement:
- Is Program Analysis sufficient?
- Caveat: what does the user expect?
- GPS Tracker:
- Phone-call recorder:
- others are more subtle:
- Caveat: what does the user expect?
- Vision
- 分析应用描述
- Straw man: Keyword Search
- Confounding effects:
- certain keywords such as 'contact' have a confounding meaning
- Semantic Interference:
- Sentences often decribe a sensitive operation such as reading contact without actually refferring to the keyword 'contact', e.g., "Also you can share the yoga exercise to your friends via Email and SMS."
- Confounding effects:
- 抽取领域知识 Semantic-Graph Generator
- Semantic Engine
(9) ML for mobile security:
- 分析APK,区分善意与恶意软件
- Context-based Mobile security
- EnMobile: Entity-based Characterization and Analysis of Mobile Malware ICSE 2018
(10) Adversarial ML
杨俊峰 哥伦比亚大学 SOSP 2017
2. 隐私保护:现状与挑战
- 差分隐私技术
- 全同态加密技术
2.1 数据云服务:安全隐私研究
实时协同编辑软件:Google Docs. ShareLatex, Etherpad等
- github上的敏感数据泄露
2.2 Encrypted Search: Advances and Beyond 王聪--香港城市大学
- 加密数据搜索
- Motivation
- sensitive data demands Encrypted storage
- Encrypted Search reduce risks of data breaches
2.3 大数据试验场数据安全与管控 韩伟力
2.4 图数据隐私-- 纪守领
Application-aware privacy-preserving techiques
Deep Learning or ML based privacy preservation
CCS: 图片验证码:人很好识别、机器很难识别
3. Securing the Networking Foundation for Future Internet, Cloudand 5G Infrastructures -- 顾国飞:美国德州农工大学
3.0 Problems of Legacy Network Devices
- Too Complicated:-- Control Plane
- Closed platform -- Vendor specific
- Hard to manage
- Why we care?
- Datacenter / Cloud networking
- Telecommunication Networking
- SDN/NVF is a foundation in 5G
- High cost for feature insertion for new (value=added) services
- Complext network management
- Enterprise networking
- BYOD Challenges
- too much reliance on vendors
- Home networking
- increased devices (IoT) and complexity
- why my network is not working? who can help?
- SDN -- Three layer Application layer + control layer + infrastructure layer
- Openflow Infrastructure
- SDN Operation
- Going Beyond
- The future is software defined
- SDN
- software defined storage
- software defined radio
- software defined infrastructure(VMs, NFV, Cloud, 5G)
- A new research direction: Software defined Programmable security(SDPS)
- The future is software defined
3.1 Security in the paradigam of SDN
3.2 Security in SDN -- Case Study :ConGuard
(1). Security Problems in SDN , 新的安全问题
- SDN still in infant stage
- The security of SDN itself is another major concern:
- Vulnerable/Malicious/buggy apps?
- Vulnerable controller? data plane? communication bettween data/control plane.
(2) Attacking the brain: races in the SDN control Plane
- SDN Control plane = new Achilles' Heel
- Research Questions
- ConGuard -- solution
- Detection of Harmful Race Conditions
- Exploitation of Harmful race conditions
3.3 SDN for security -- case study: Programmable BYOD Security
- Killer applications of SDN?
- reducing energy in data center networks
- WAN VM Migration
- how about security?
- Can SDN enable new capabilities to improve network security?
- Exemplar SDN Security Apps
- Firewall
- DDoS Detection
- Scan Detection
- Reflector network
- Tarpit
- Dynamic quarantine
- and more...
- App Store> Security as an Apps
- Security as a app
- Security as a service
- Challenges and Our Contributions
- develop security apps is Hard
- FRESCO: a new app development framework for modular, composable security services [NDSS'13]
- It is not convenient to install/use security devices/services for cloud tenants
- CloudWatcher/NetSecVisor/BYOCVisor: a new security monitoring service model [Network security virtualization] based on SDN
- Leverage the advantages of SDN when no SDN data plane infrastructure
- NDSS'16 work
- develop security apps is Hard
- NDSS'16 --Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security
4. 基于灵活策略的云网络资源控制 -- 陈焰 浙江大学网络空间安全研究中心
- SDNKeeper
- 运营商网络
- Cloud providers
- SDN落地部署的关键:网络资源安全
- SDNKeeper 系统架构
4.1 林晓东-- 加拿大劳瑞尔大学副教授
4.2 Ye Wu-- Privacy Protection based SMC applications--privcy leakage(DP SMC Forensics)
- Privacy preserving correlation Analysis
- A Toy Example
- Securing Master Key with SMC: solution Overview
- Privacy Preserving Data Query
- Privacy Preserving Maching Learning
- Privacy Preserving Challenges
- Data Security Scenario
4.3 Chunyi Peng-- Purdue University 移动网络安全 https://www.cs.purdue.edu/homes/chunyi/
- Mobile Network
- large-sale wireless network Infrastructure
- Expected to be More Secure
- Internet: designed without embedded security features
- Mobile network
- User authentication and key agreement(AKA)
- User authorization (explicit/implicit)
- Encryption(IPSEC)
- Access control (from both UE and Internet)
- Firewall, tenants
- Closed System
- IP Spoofing [CCS'14]
- ip assigned by the network, authentication for L2 data pipes
- But, Spoofing on L3 is possible
- VoLTE abuse [CCS'15]
- VoLTE: IP packets for voice data and siganling
- But, exploited for norma data packet
- SMS Sender-ID Spoofing [CSS'16]
- Authentication for the sender is required
- But, SMS Sender (in SIP header) can be spoofed
- Why: Gap between security and the operations it intends to project
- Change Factors & Security Implications
- Closed-> Open
- Expose attack vectors to adversaries
- E.g, IP
- Security states: isolated user
- But requires a full-path security (creation, storage, use, verification)
- Missing Components
- Monitor and detection (Security KPI)
- Runtime traceback and mutual-authentication(not at the start only)
- Provenance for troubleshooting (deterrence)
- 5G opportunity: NFV (flexible & extensible)
- Closed-> Open
4.4 赵志峰-- 浙大 An intelligent software defined security architecture and collaborative defense testbed [zhaozf@zju.edu.cn] OpenStack + OpenDaylight = testbed
- An Intelligent Honeynet based on Software defined security [WCSP'17]
- 利用AI与attackers对话,
- A Machine learning based Intrusion detection system. [IET Networks'17]
- K-means进行分流、随机森林做特征分类
- Collaborative defense testbed [生成数据]
4.5 程越强 -- 百度资深安全科学家 Towards Trusted path establishment: from endpoints to cloud
- Root of Trust(RoT) Candidates
- Trusted Hardware as RoT
- Hard Math Problems as RoT
- Endpoint Trust establishment
- starting from root of Trust
- Extending trust chain in a layered system
- Trusted Path applications
- Secure Element + trustZone
- Fingerprint Protection
- Trusted Processor + Enclave
- Efficient Secure Multiparty Computation (SMC)
- Efficient Verifiable Computation
- Secure Element + trustZone
- Trusted Path in Baidu
- Trust chain upon Hardware RoT in layered System
- Rust SGX Enclave - Verifiable and isolated execution environment
- MesaLock Linux - memory safe user Space
- MesaLink Connecting all of them
- Post-quatum cryptographic support
- Memory safe language - without memory corruptions
- Trust chain upon Hardware RoT in layered System
- Trusted Path Still Challenging
- Root key previsioning and management
- Complex hardware architecture
- Vulnerabilities in Implementation
- Side channel threat, e.g., for Intel SGX
- Q/A
- 移动网络安全:3G 4G 5G安全,运营过程中的Gap,
- SGX 的成熟、WAPI WIFI Security
12月20日下午会议PPT--下载
链接: https://pan.baidu.com/s/1bpwcm2j 密码: zb2f
