-
LLMs for Cyber Security: New Opportunities
Authors:
Dinil Mon Divakaran,
Sai Teja Peddinti
Abstract:
Large language models (LLMs) are a class of powerful and versatile models that are beneficial to many industries. With the emergence of LLMs, we take a fresh look at cyber security, specifically exploring and summarizing the potential of LLMs in addressing challenging problems in the security and safety domains.
Submitted 17 April, 2024;
originally announced April 2024.
-
Mitigating Bias in Machine Learning Models for Phishing Webpage Detection
Authors:
Aditya Kulkarni,
Vivek Balachandran,
Dinil Mon Divakaran,
Tamal Das
Abstract:
The widespread accessibility of the Internet has led to a surge in online fraudulent activities, underscoring the necessity of shielding users' sensitive information from cybercriminals. Phishing, a well-known cyberattack, revolves around the creation of phishing webpages and the dissemination of corresponding URLs, aiming to deceive users into sharing their sensitive information, often for identity theft or financial gain. Various techniques are available for preemptively categorizing zero-day phishing URLs by distilling unique attributes and constructing predictive models. However, these existing techniques encounter unresolved issues. This proposal delves into persistent challenges within phishing detection solutions, particularly concentrating on the preliminary phase of assembling comprehensive datasets, and proposes a potential solution in the form of a tool engineered to alleviate bias in ML models. Such a tool can generate phishing webpages for any given set of legitimate URLs, infusing randomly selected content and visual-based phishing features. Furthermore, we contend that the tool holds the potential to assess the efficacy of existing phishing detection solutions, especially those trained on confined datasets.
Submitted 16 January, 2024;
originally announced January 2024.
-
The Evolution of DNS Security and Privacy
Authors:
Levente Csikor,
Dinil Mon Divakaran
Abstract:
DNS, one of the fundamental protocols of the TCP/IP stack, has evolved over the years to protect against threats and attacks. This study examines the risks associated with DNS and explores recent advancements that contribute towards making the DNS ecosystem resilient against various attacks while safeguarding user privacy.
Submitted 1 December, 2023;
originally announced December 2023.
-
ZEST: Attention-based Zero-Shot Learning for Unseen IoT Device Classification
Authors:
Binghui Wu,
Philipp Gysel,
Dinil Mon Divakaran,
Mohan Gurusamy
Abstract:
Recent research works have proposed machine learning models for classifying IoT devices connected to a network. However, there is still a practical challenge of not having all devices (and hence their traffic) available during the training of a model. This essentially means that, during the operational phase, we need to classify new devices not seen in the training phase. To address this challenge, we propose ZEST -- a ZSL (zero-shot learning) framework based on self-attention for classifying both seen and unseen devices. ZEST consists of i) a self-attention based network feature extractor, termed SANE, for extracting latent space representations of IoT traffic, ii) a generative model that trains a decoder using latent features to generate pseudo data, and iii) a supervised model that is trained on the generated pseudo data for classifying devices. We carry out extensive experiments on real IoT traffic data; our experiments demonstrate i) ZEST achieves significant improvement (in terms of accuracy) over the baselines; ii) SANE is able to better extract meaningful representations than LSTM, which has been commonly used for modeling network traffic.
Submitted 12 January, 2024; v1 submitted 12 October, 2023;
originally announced October 2023.
-
Attacking logo-based phishing website detectors with adversarial perturbations
Authors:
Jehyun Lee,
Zhe Xin,
Melanie Ng Pei See,
Kanav Sabharwal,
Giovanni Apruzzese,
Dinil Mon Divakaran
Abstract:
Recent times have witnessed the rise of anti-phishing schemes powered by deep learning (DL). In particular, logo-based phishing detectors rely on DL models from Computer Vision to identify logos of well-known brands on webpages, to detect malicious webpages that imitate a given brand. For instance, Siamese networks have demonstrated notable performance for these tasks, enabling the corresponding anti-phishing solutions to detect even "zero-day" phishing webpages. In this work, we take the next step of studying the robustness of logo-based phishing detectors against adversarial ML attacks. We propose a novel attack exploiting generative adversarial perturbations to craft "adversarial logos" that evade phishing detectors. We evaluate our attacks through: (i) experiments on datasets containing real logos, to evaluate the robustness of state-of-the-art phishing detectors; and (ii) user studies to gauge whether our adversarial logos can deceive human eyes. The results show that our proposed attack is capable of crafting perturbed logos subtle enough to evade various DL models, achieving an evasion rate of up to 95%. Moreover, users are not able to spot significant differences between generated adversarial logos and original ones.
Submitted 12 September, 2023; v1 submitted 18 August, 2023;
originally announced August 2023.
-
Phishing Detection Leveraging Machine Learning and Deep Learning: A Review
Authors:
Dinil Mon Divakaran,
Adam Oest
Abstract:
Phishing attacks trick victims into disclosing sensitive information. To counter rapidly evolving attacks, we must explore machine learning and deep learning models leveraging large-scale data. We discuss models built on different kinds of data, along with their advantages and disadvantages, and present multiple deployment options to detect phishing attacks.
Submitted 15 May, 2022;
originally announced May 2022.
-
SIERRA: Ranking Anomalous Activities in Enterprise Networks
Authors:
Jehyun Lee,
Farren Tang,
Phyo May Thet,
Desmond Yeoh,
Mitch Rybczynski,
Dinil Mon Divakaran
Abstract:
An enterprise today deploys multiple security middleboxes such as firewalls, IDS, IPS, etc. in its network to collect different kinds of events related to threats and attacks. These events are streamed into a SIEM (Security Information and Event Management) system for analysts to investigate and respond quickly with appropriate actions. However, the number of events collected for a single enterprise can easily run into hundreds of thousands per day, much more than what analysts can investigate under a given budget constraint (time). In this work, we look into the problem of prioritizing suspicious events or anomalies to analysts for further investigation. We develop SIERRA, a system that processes event logs from multiple and diverse middleboxes to detect and rank anomalous activities. SIERRA takes an unsupervised approach and therefore has no dependence on ground truth data. Different from other works, SIERRA defines contexts that help it to provide visual explanations of highly-ranked anomalous points to analysts, despite employing unsupervised models. We evaluate SIERRA using months of logs from multiple security middleboxes of an enterprise network. The evaluations demonstrate the capability of SIERRA to detect top anomalies in a network while outperforming naive application of existing anomaly detection algorithms as well as a state-of-the-art SIEM-based anomaly detection solution.
Submitted 31 March, 2022;
originally announced March 2022.
-
Markov Chain Monte Carlo-Based Machine Unlearning: Unlearning What Needs to be Forgotten
Authors:
Quoc Phong Nguyen,
Ryutaro Oikawa,
Dinil Mon Divakaran,
Mun Choon Chan,
Bryan Kian Hsiang Low
Abstract:
As the use of machine learning (ML) models is becoming increasingly popular in many real-world applications, there are practical challenges that need to be addressed for model maintenance. One such challenge is to 'undo' the effect of a specific subset of the dataset used for training a model. This specific subset may contain malicious or adversarial data injected by an attacker, which affects the model performance. Another reason may be the need for a service provider to remove data pertaining to a specific user to respect the user's privacy. In both cases, the problem is to 'unlearn' a specific subset of the training data from a trained model without incurring the costly procedure of retraining the whole model from scratch. Towards this goal, this paper presents a Markov chain Monte Carlo-based machine unlearning (MCU) algorithm. MCU helps to effectively and efficiently unlearn a trained model from subsets of the training dataset. Furthermore, we show that with MCU, we are able to explain the effect of a subset of a training dataset on the model prediction. Thus, MCU is useful for examining subsets of data to identify the adversarial data to be removed. Similarly, MCU can be used to erase the lineage of a user's personal data from trained ML models, thus upholding a user's "right to be forgotten". We empirically evaluate the performance of our proposed MCU algorithm on real-world phishing and diabetes datasets. Results show that MCU can achieve a desirable performance by efficiently removing the effect of a subset of the training dataset and outperform an existing algorithm that utilizes the remaining dataset.
Submitted 28 February, 2022;
originally announced February 2022.
-
A Step Towards On-Path Security Function Outsourcing
Authors:
Jehyun Lee,
Min Suk Kang,
Dinil Mon Divakaran,
Phyo May Thet,
Videet Singhai,
Jun Seung You
Abstract:
Security function outsourcing has witnessed both research and deployment in recent years. While most existing services take a straightforward approach of cloud hosting, on-path transit networks (such as ISPs) are increasingly interested in offering outsourced security services to end users. Recent proposals (such as SafeBricks and mbTLS) have made it possible to outsource sensitive security applications to untrusted, arbitrary networks, rendering on-path security function outsourcing more promising than ever. However, to provide on-path security function outsourcing, there is one crucial component that is still missing -- a practical end-to-end network protocol. Thus, the discovery and orchestration of multiple capable and willing transit networks for user-requested security functions have only been assumed in many studies without any practical solutions. In this work, we propose Opsec, an end-to-end security-outsourcing protocol that fills this gap and brings us closer to the vision of on-path security function outsourcing. Opsec automatically discovers one or more transit ISPs between a client and a server, and requests user-specified security functions efficiently. When designing Opsec, we prioritize the practicality and applicability of this new end-to-end protocol in the current Internet. Our proof-of-concept implementation of Opsec for web sessions shows that an end user can easily start a new web session with a few clicks of a browser plug-in, to specify a series of security functions of her choice. We show that it is possible to implement such a new end-to-end service model in the current Internet for the majority of the web services without any major changes to the standard protocols (e.g., TCP, TLS, HTTP) and the existing network infrastructure (e.g., ISP's routing primitives).
Submitted 1 October, 2021;
originally announced October 2021.
-
A Survey of Privacy-Preserving Techniques for Encrypted Traffic Inspection over Network Middleboxes
Authors:
Geong Sen Poh,
Dinil Mon Divakaran,
Hoon Wei Lim,
Jianting Ning,
Achintya Desai
Abstract:
Middleboxes in a computer network system inspect and analyse network traffic to detect malicious communications, monitor system performance and provide operational services. However, encrypted traffic hinders the ability of middleboxes to perform such services. A common practice in addressing this issue is by employing a "Man-in-the-Middle" (MitM) approach, wherein an encrypted traffic flow between two endpoints is interrupted, decrypted and analysed by the middleboxes. The MitM approach is straightforward and is used by many organisations, but there are both practical and privacy concerns. Due to the cost of the MitM appliances and the latency incurred in the encrypt-decrypt processes, enterprises continue to seek solutions that are less costly. There have been discussions on the many efforts required to configure MitM. Besides, MitM violates the end-to-end privacy guarantee, raising privacy concerns and issues on compliance, especially with the rising awareness on user privacy. Furthermore, some of the MitM implementations were found to be flawed. Consequently, new practical and privacy-preserving techniques for inspection over encrypted traffic were proposed. We examine them to compare their advantages, limitations and challenges. We categorise them into four main categories by defining a framework that consists of system architectures, use cases, trust and threat models. These are searchable encryption, access control, machine learning and trusted hardware. We first discuss the man-in-the-middle approach as a baseline, then discuss each of them in detail, and provide an in-depth comparison of their advantages and limitations. By doing so we describe practical constraints, advantages and pitfalls towards adopting the techniques. We also give insights on the gaps between research work and industrial deployment, which leads us to the discussion on the challenges and research directions.
Submitted 12 January, 2021;
originally announced January 2021.
-
DiffPerf: Towards Performance Differentiation and Optimization with SDN Implementation
Authors:
Walid Aljoby,
Xin Wang,
Dinil Mon Divakaran,
Tom Z. J. Fu,
Richard T. B. Ma
Abstract:
Continuing the current trend, Internet traffic is expected to grow significantly over the coming years, with video traffic consuming the biggest share. On the one hand, this growth poses challenges to access providers (APs), who have to upgrade their infrastructure to meet the growing traffic demands as well as find new ways to monetize their network resources. On the other hand, despite numerous optimizations of the underlying transport protocol, a user's utilization of network bandwidth, and thus the user's perceived quality, is still largely affected by network latency and buffer size. To address both concerns, we propose DiffPerf, a class-based differentiation framework that, at a macroscopic level, dynamically allocates bandwidth to service classes pre-defined by the APs, and at a microscopic level statistically differentiates and isolates user flows to help them achieve better performance. We implement DiffPerf on the OpenDaylight SDN controller and a programmable Barefoot Tofino switch and evaluate it from an application perspective for MPEG-DASH video streaming. Our evaluations demonstrate the practicality and flexibility of DiffPerf, which provides APs with capabilities through which a spectrum of qualities is provisioned across multiple classes. Meanwhile, it assists in achieving better fairness and improving the overall user-perceived quality within the same class.
Submitted 6 December, 2020;
originally announced December 2020.
-
On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch
Authors:
Levente Csikor,
Vipul Ujawane,
Dinil Mon Divakaran
Abstract:
Being a crucial part of networked systems, packet classification has to be highly efficient; however, software switches in cloud environments still face performance challenges. The recently proposed Tuple Space Explosion (TSE) attack exploits an algorithmic deficiency in Open vSwitch (OVS). In TSE, legitimate low-rate attack traffic makes the cardinal linear search in the Tuple Space Search (TSS) algorithm spend an unaffordable amount of time classifying each packet, resulting in a denial-of-service (DoS) for the rest of the users. In this paper, we investigate the feasibility of TSE from multiple perspectives. Besides showing that TSE is still efficient in the newer version of OVS, we show that when the kernel datapath is compiled from a different source, it can degrade its performance to ~1% of its baseline with less than 1 Mbps attack rate. Finally, we show that TSE is much less effective against OVS-DPDK with userspace datapath due to the enhanced ranking process in its TSS implementation. Therefore, we propose TSE 2.0 to defeat the ranking process and achieve a complete DoS against OVS-DPDK. Furthermore, we present TSE 2.1, which achieves the same goal against OVS-DPDK running on multiple cores without significantly increasing the attack rate.
Submitted 18 November, 2020;
originally announced November 2020.
-
Cost-aware Feature Selection for IoT Device Classification
Authors:
Biswadeep Chakraborty,
Dinil Mon Divakaran,
Ido Nevat,
Gareth W. Peters,
Mohan Gurusamy
Abstract:
Classification of IoT devices into different types is of paramount importance, from multiple perspectives, including security and privacy aspects. Recent works have explored machine learning techniques for fingerprinting (or classifying) IoT devices, with promising results. However, existing works have assumed that the features used for building the machine learning models are readily available or can be easily extracted from the network traffic; in other words, they do not consider the costs associated with feature extraction. In this work, we take a more realistic approach, and argue that feature extraction has a cost, and the costs are different for different features. We also take a step forward from the current practice of considering the misclassification loss as a binary value, and make a case for different losses based on the misclassification performance. Thereby, and more importantly, we introduce the notion of risk for IoT device classification. We define and formulate the problem of cost-aware IoT device classification. This being a combinatorial optimization problem, we develop a novel algorithm to solve it in a fast and effective way using the Cross-Entropy (CE) based stochastic optimization technique. Using traffic of real devices, we demonstrate the capability of the CE-based algorithm in selecting features with minimal risk of misclassification while keeping the cost for feature extraction within a specified limit.
Submitted 21 April, 2021; v1 submitted 2 September, 2020;
originally announced September 2020.
-
GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection
Authors:
Quoc Phong Nguyen,
Kar Wai Lim,
Dinil Mon Divakaran,
Kian Hsiang Low,
Mun Choon Chan
Abstract:
This paper looks into the problem of detecting network anomalies by analyzing NetFlow records. While many previous works have used statistical models and machine learning techniques in a supervised way, such solutions have the limitation that they require large amounts of labeled data for training and are unlikely to detect zero-day attacks. Existing anomaly detection solutions also do not provide an easy way to explain or identify attacks in the anomalous traffic. To address these limitations, we develop and present GEE, a framework for detecting and explaining anomalies in network traffic. GEE comprises two components: (i) a Variational Autoencoder (VAE), an unsupervised deep-learning technique for detecting anomalies, and (ii) a gradient-based fingerprinting technique for explaining anomalies. Evaluation of GEE on the recent UGR dataset demonstrates that our approach is effective in detecting different anomalies as well as identifying fingerprints that are good representations of these various attacks.
Submitted 15 March, 2019;
originally announced March 2019.