2017 Zhejiang University Cyberspace Security Young Scientists Forum -- Notes from the December 20 session

Frontiers of Data Security and Privacy

1. When Security and AI Meet. -- Tao Xie taoxie@illinois.edu http://taoxie.cs.illinois.edu/

1.1 AI and Software Engineering (intelligent software engineering)

(1) AI for test generation:
Microsoft Security Risk Detection: https://microsoft.com/en-us/security-risk-detection/
cloud-based fuzz testing

(2) Binary-code-based risk detection: Mayhem

(3) Dynamic Symbolic Execution (DART: Godefroid et al., PLDI'05)
Aims to traverse all paths and branch statements:

Explosion of the search space: the number of paths is too large

(4) Automated Software Testing:

  • Path explosion: DSN'09: Fitnex
  • Method sequence explosion: OOPSLA'11: Seeker
    Shipped in VS 2015/2017
    Code Hunt:
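The DSE loop behind item (3) and the path explosion behind item (4), as an added worked example (this is not code from the talk, DART, Pex or Fitnex): the program under test is a hand-written toy, and the constraint solver is a bounded brute-force search over small integers standing in for the SMT solver a real engine calls. The run-record-negate-solve cycle is the DART idea; everything else (the toy program, the domain, the names) is an assumption made for the illustration.

```python
"""DART-style dynamic symbolic execution (DSE) in miniature.

Added illustration for these notes; not code from the talk, DART or Pex.
The constraint 'solver' is a bounded brute-force search over small integers
standing in for an SMT solver (assumption), which is also where the cost of
path explosion shows up: every negated branch costs one solver call.
"""
from itertools import product

DOMAIN = range(-4, 5)   # assumed input domain searched by the toy solver


class Tracer:
    """Records the branch predicates a concrete run evaluates: the path condition."""

    def __init__(self):
        self.trace = []   # list of (description, predicate, taken)

    def branch(self, env, pred, desc):
        taken = bool(pred(env))
        self.trace.append((desc, pred, taken))
        return taken


def toy_program(env, t):
    """Toy program under test (assumption): three branches, one combination infeasible."""
    if t.branch(env, lambda e: e["x"] > 3, "x > 3"):
        if t.branch(env, lambda e: e["y"] == e["x"] - 1, "y == x - 1"):
            return "reached-guarded-block"
    if t.branch(env, lambda e: e["y"] < 0, "y < 0"):
        return "negative-y"
    return "default"


def solve(constraints, names):
    """Stand-in for an SMT solver: first assignment satisfying every (pred, taken) pair."""
    for values in product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, values))
        if all(bool(pred(env)) == taken for pred, taken in constraints):
            return env
    return None


def dse(program, names, max_runs=256):
    """Run concretely, record the path condition, negate one branch, solve, repeat."""
    seen, paths = set(), []
    worklist = [dict.fromkeys(names, 0)]          # arbitrary first concrete input
    while worklist and len(paths) < max_runs:
        env = worklist.pop()
        t = Tracer()
        result = program(env, t)
        key = tuple((d, taken) for d, _, taken in t.trace)
        if key in seen:                            # this path was already explored
            continue
        seen.add(key)
        paths.append((env, key, result))
        for i, (_, pred, taken) in enumerate(t.trace):
            # keep the prefix of the path condition, flip branch i, ask the solver
            prefix = [(p, tk) for _, p, tk in t.trace[:i]]
            new_env = solve(prefix + [(pred, not taken)], names)
            if new_env is not None:
                worklist.append(new_env)
    return paths


def make_chain(n):
    """n independent branches: every path is feasible, so full coverage costs 2**n runs."""
    def prog(env, t):
        return sum(t.branch(env, (lambda i: lambda e: e[f"v{i}"] > 0)(i), f"v{i} > 0")
                   for i in range(n))
    return prog


if __name__ == "__main__":
    for env, key, result in dse(toy_program, ["x", "y"]):
        print(env, "->", result, [d for d, tk in key if tk])
    for n in (1, 2, 3, 4):
        names = [f"v{i}" for i in range(n)]
        print(n, "independent branches ->", len(dse(make_chain(n), names)), "paths")
```

Running it lists the five feasible paths of the toy program (one of the branch combinations has no solution in the domain, so the solver returns None and the path is skipped) and then shows the 2, 4, 8, 16 progression for independent branches. Choosing which negated branch to solve next is exactly the decision that fitness-guided exploration (Fitnex) and method-sequence pruning (Seeker) are about.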

(5) Android App Testing: WeChat

(6) Intelligent Software Testing?

  • Learning from others working on the same things
  • Learning from others working on similar things

(7) NLP for Security Policies

  • Access Control Vulnerabilities
  • Access Control Policies(ACP)
    • A policy rule includes four elements:
      • Subject - HCP
      • Action - edit
      • Resource - patient's account
      • Effect - deny
  • Problems of ACP practice
    • ACPs are written in natural language and are not turned into anything concrete that a system can check or enforce
    • Example: A doctor can not modify the patient's account.
  • Overview of Text2Policy
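A worked example of the four-element rule model and of why natural-language ACPs are a problem, added here and not Text2Policy's own code (Text2Policy uses NLP parsing; this toy uses a fixed sentence pattern and a hand-written verb lexicon, both assumptions). Sentences of the form "A doctor can not modify the patient's account." become (subject, action, resource, effect) rules, requests are evaluated deny-overrides, and anything the pattern cannot parse comes back as None instead of a guessed rule.

```python
"""Natural-language access-control sentences -> (subject, action, resource, effect).

Added illustration for these notes, not Text2Policy. The sentence pattern and
the verb lexicon are assumptions; a real extractor uses a parser, not a regex.
"""
import re
from dataclasses import dataclass

# Surface verbs -> canonical action (assumption: a tiny lexicon for the example)
ACTION_LEXICON = {
    "edit": "edit", "modify": "edit", "update": "edit", "change": "edit",
    "view": "read", "read": "read", "see": "read", "access": "read",
    "delete": "delete", "remove": "delete",
}

# "<A|An|The> <subject> <modal> <verb> [a|an|the] <resource>."
RULE_RE = re.compile(
    r"^(?:an?|the)\s+(?P<subject>[\w\s]+?)\s+"
    r"(?P<modal>can\s*not|may\s+not|is\s+not\s+allowed\s+to|can|may|is\s+allowed\s+to)\s+"
    r"(?P<verb>\w+)\s+(?:an?|the)?\s*(?P<resource>[\w'\s]+?)\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Rule:
    subject: str
    action: str
    resource: str
    effect: str          # "permit" or "deny"


def sentence_to_rule(sentence):
    """Return a Rule for a sentence the pattern understands, else None (flag for review)."""
    m = RULE_RE.match(sentence.strip())
    if not m:
        return None
    verb = m["verb"].lower()
    if verb not in ACTION_LEXICON:
        return None
    effect = "deny" if "not" in m["modal"].lower() else "permit"
    return Rule(m["subject"].strip().lower(), ACTION_LEXICON[verb],
                m["resource"].strip().lower(), effect)


def decide(rules, subject, action, resource):
    """Deny-overrides: a matching deny wins, then a matching permit, else deny (fail closed)."""
    matching = [r for r in rules
                if r.subject == subject and r.action == action and r.resource == resource]
    if any(r.effect == "deny" for r in matching):
        return "deny"
    if any(r.effect == "permit" for r in matching):
        return "permit"
    return "deny"


# Constructed policy text in the style of the talk's example
POLICY_TEXT = [
    "An HCP can edit a patient's account.",
    "A doctor can not modify the patient's account.",
    "The doctor reviews the patient's account.",      # not a rule the pattern understands
]

if __name__ == "__main__":
    rules = [r for r in map(sentence_to_rule, POLICY_TEXT) if r]
    for r in rules:
        print(r)
    print("doctor edit:", decide(rules, "doctor", "edit", "patient's account"))
    print("hcp edit:", decide(rules, "hcp", "edit", "patient's account"))
```

Note that "HCP" and "doctor" are distinct subjects here because the toy has no role hierarchy; the conflict between the two sentences only becomes visible once a hierarchy (doctor is an HCP) is modelled, which is one reason keeping ACPs only in prose is risky.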

(8) NLP for Mobile Security

  • Problems Statement:
  • Is Program Analysis sufficient?
    • Caveat: what does the user expect?
      • GPS Tracker:
      • Phone-call recorder:
      • others are more subtle:
  • Vision
    • Analyse the app description
    • Straw man: keyword search
      • Confounding effects:
        • certain keywords such as 'contact' have a confounding meaning
      • Semantic inference:
        • Sentences often describe a sensitive operation such as reading contacts without actually referring to the keyword 'contact', e.g., "Also you can share the yoga exercise to your friends via Email and SMS."
    • Extract domain knowledge: Semantic-Graph Generator
    • Semantic Engine

(9) ML for mobile security:

  • Analyse the APK as a whole to distinguish benign from malicious apps
  • Context-based Mobile security
  • EnMobile: Entity-based Characterization and Analysis of Mobile Malware ICSE 2018

(10) Adversarial ML
Junfeng Yang (楊俊峰), Columbia University, SOSP 2017

2. Privacy protection: status and challenges

  • Differential privacy
  • Fully homomorphic encryption
2.1 Cloud data services: security and privacy research

Real-time collaborative editing software: Google Docs, ShareLaTeX, Etherpad, etc.

  • Sensitive data leakage on GitHub
2.2 Encrypted Search: Advances and Beyond -- Cong Wang (王聰), City University of Hong Kong
  • Searching over encrypted data
  • Motivation
    • Sensitive data demands encrypted storage
    • Encrypted search reduces the risk of data breaches
2.3 Data security and control for the big-data testbed -- Weili Han (韓偉力)
2.4 Graph data privacy -- Shouling Ji (紀守領(lǐng))

Application-aware privacy-preserving techniques

Deep Learning or ML based privacy preservation

CCS: image CAPTCHAs: easy for humans to recognise, hard for machines

3. Securing the Networking Foundation for Future Internet, Cloud and 5G Infrastructures -- Guofei Gu (顧國飛), Texas A&M University

3.0 Problems of Legacy Network Devices
  • Too Complicated:-- Control Plane
  • Closed platform -- Vendor specific
  • Hard to manage
  • Why we care?
    • Datacenter / Cloud networking
    • Telecommunication Networking
      • SDN/NFV is a foundation of 5G
      • High cost of feature insertion for new (value-added) services
      • Complex network management
    • Enterprise networking
      • BYOD Challenges
      • too much reliance on vendors
    • Home networking
      • increased devices (IoT) and complexity
      • why is my network not working? who can help?
  • SDN -- Three layer Application layer + control layer + infrastructure layer
  • Openflow Infrastructure
  • SDN Operation
  • Going Beyond
    • The future is software defined
      • SDN
      • software defined storage
      • software defined radio
      • software defined infrastructure(VMs, NFV, Cloud, 5G)
    • A new research direction: Software defined Programmable security(SDPS)
3.1 Security in the paradigm of SDN
3.2 Security in SDN -- Case Study :ConGuard

(1) Security problems in SDN: new security problems

  • SDN still in infant stage
  • The security of SDN itself is another major concern:
    • Vulnerable/Malicious/buggy apps?
    • Vulnerable controller? data plane? communication between the data and control planes?

(2) Attacking the brain: races in the SDN control Plane

  • SDN Control plane = new Achilles' Heel
  • Research Questions
    • ConGuard -- solution
    • Detection of Harmful Race Conditions
    • Exploitation of Harmful race conditions
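What a harmful race in the control plane looks like, as an added toy that is not ConGuard's code (ConGuard analyses real controllers; this hand-codes the handlers). Two event handlers operating on shared controller state are split into atomic steps, every interleaving of the two is enumerated, and each is checked against an invariant; the one schedule that violates it is the harmful race an attacker would try to trigger by timing host-leave and packet-in events. The handler names, the state layout and the invariant are assumptions made for the illustration.

```python
"""Enumerating event-handler interleavings in a toy SDN controller to find harmful races.

Added illustration for these notes, not ConGuard. Two handlers share the
controller's host table and flow table; each handler step is assumed atomic
(a real controller needs a lock or per-host event serialisation for the fix).
"""
from itertools import combinations

HOST = "aa:aa"    # the host both events concern (assumption: one switch, one host)


def initial_state():
    return {"hosts": {HOST: 1}, "flows": {}}   # MAC -> port, and installed flow rules


# PacketIn handler: look the host up, then install a forwarding rule from the lookup.
def packet_in_lookup(state, ctx):
    ctx["port"] = state["hosts"].get(HOST)


def packet_in_install(state, ctx):
    if ctx.get("port") is not None:
        state["flows"][HOST] = ctx["port"]


# HostRemoved handler: drop the host entry, then purge the host's flows.
def host_removed_delete(state, ctx):
    state["hosts"].pop(HOST, None)


def host_removed_purge(state, ctx):
    state["flows"].pop(HOST, None)


def packet_in_install_checked(state, ctx):
    """Fixed install step: re-validate shared state instead of trusting the stale lookup."""
    if HOST in state["hosts"] and ctx.get("port") is not None:
        state["flows"][HOST] = ctx["port"]


HANDLERS = {
    "PacketIn": [packet_in_lookup, packet_in_install],
    "HostRemoved": [host_removed_delete, host_removed_purge],
}
FIXED_HANDLERS = {
    "PacketIn": [packet_in_lookup, packet_in_install_checked],
    "HostRemoved": HANDLERS["HostRemoved"],
}


def invariant_ok(state):
    """Every installed flow must refer to a host still present in the host table."""
    return all(h in state["hosts"] for h in state["flows"])


def interleavings(a, b):
    """All merges of step lists a and b that keep each handler's internal order."""
    n = len(a) + len(b)
    for a_slots in combinations(range(n), len(a)):
        merged, ia, ib = [], 0, 0
        for pos in range(n):
            if pos in a_slots:
                merged.append(("A", a[ia])); ia += 1
            else:
                merged.append(("B", b[ib])); ib += 1
        yield merged


def find_harmful_races(handlers=HANDLERS):
    """Run every interleaving from a fresh state; return the schedules that break the invariant."""
    harmful = []
    for schedule in interleavings(handlers["PacketIn"], handlers["HostRemoved"]):
        state, ctx = initial_state(), {"A": {}, "B": {}}
        for who, step in schedule:
            step(state, ctx[who])
        if not invariant_ok(state):
            harmful.append([f"{who}:{step.__name__}" for who, step in schedule])
    return harmful


if __name__ == "__main__":
    for s in find_harmful_races():
        print("harmful:", " -> ".join(s))
    print("after fix:", find_harmful_races(FIXED_HANDLERS))
```

Of the six possible schedules only lookup, delete, purge, install leaves a flow rule pointing at a host the controller no longer knows about: a stale forwarding entry that survives the clean-up path, which is the kind of state an attacker can then abuse. The exhaustive enumeration is only practical because the toy has four steps; a real detector has to infer which event pairs can actually run concurrently from the controller's happens-before relation.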
3.3 SDN for security -- case study: Programmable BYOD Security
  • Killer applications of SDN?
    • reducing energy in data center networks
    • WAN VM Migration
    • how about security?
      • Can SDN enable new capabilities to improve network security?
  • Exemplar SDN Security Apps
    • Firewall
    • DDoS Detection
    • Scan Detection
    • Reflector network
    • Tarpit
    • Dynamic quarantine
    • and more...
  • App Store> Security as an Apps
    • Security as a app
    • Security as a service
  • Challenges and Our Contributions
    • develop security apps is Hard
      • FRESCO: a new app development framework for modular, composable security services [NDSS'13]
    • It is not convenient to install/use security devices/services for cloud tenants
      • CloudWatcher/NetSecVisor/BYOCVisor: a new security monitoring service model [Network security virtualization] based on SDN
    • Leverage the advantages of SDN when no SDN data plane infrastructure
      • NDSS'16 work
  • NDSS'16 --Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security
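Two of the exemplar apps above, scan detection and dynamic quarantine, as one added example of "security as an app" on the controller; this is not FRESCO, a controller's real code, or the BYOD work. PacketIn events are constructed inline, the emitted "flow rules" are plain dicts standing in for OpenFlow FlowMods, and the threshold, window and tarpit port are assumptions.

```python
"""Scan detection plus dynamic quarantine as an SDN controller app, in miniature.

Added illustration for these notes; not FRESCO or any controller's real code.
A source that touches too many distinct (host, port) targets inside a sliding
time window is quarantined: its new flows are dropped and its HTTP is steered
to a tarpit. PacketIn events are constructed and arrive in time order (assumption).
"""
from collections import defaultdict, deque

SCAN_THRESHOLD = 8       # distinct (dst, dport) targets per source in the window (assumption)
WINDOW_SECONDS = 10.0
TARPIT_PORT = "TARPIT"   # assumed switch port name of the tarpit box


def quarantine_rules(src):
    """Dynamic quarantine for one source: drop everything new, tarpit its HTTP."""
    return [
        {"match": {"ipv4_src": src}, "actions": [], "priority": 100},                 # drop
        {"match": {"ipv4_src": src, "tcp_dst": 80},
         "actions": [f"output:{TARPIT_PORT}"], "priority": 110},                   # tarpit
    ]


class ScanDetector:
    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)   # src -> deque of (time, dst, dport)
        self.quarantined = set()

    def packet_in(self, pkt):
        """Handle one PacketIn event; return the flow rules to push (possibly none)."""
        src = pkt["src"]
        if src in self.quarantined:
            return []                       # rules already installed for this source
        q = self.seen[src]
        q.append((pkt["t"], pkt["dst"], pkt["dport"]))
        while q and pkt["t"] - q[0][0] > self.window:
            q.popleft()                     # slide the window
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold:
            self.quarantined.add(src)
            return quarantine_rules(src)
        return []


def replay(events, detector=None):
    """Feed constructed events to the app; return the detector and every rule it pushed."""
    det = detector or ScanDetector()
    pushed = []
    for e in events:
        pushed.extend(det.packet_in(e))
    return det, pushed


# Constructed sample traffic: one fast port scan, one normal client, one slow scan.
FAST_SCAN = [{"t": 1.0 + i * 0.1, "src": "10.0.0.9", "dst": "10.0.0.2", "dport": 20 + i}
             for i in range(12)]
NORMAL = [{"t": 2.0, "src": "10.0.0.5", "dst": "10.0.0.2", "dport": 443},
          {"t": 2.5, "src": "10.0.0.5", "dst": "10.0.0.3", "dport": 22}]
SLOW_SCAN = [{"t": 5.0 * i, "src": "10.0.0.7", "dst": "10.0.0.2", "dport": 20 + i}
             for i in range(12)]

if __name__ == "__main__":
    det, pushed = replay(FAST_SCAN + NORMAL)
    print("quarantined:", det.quarantined)
    for rule in pushed:
        print(rule)
    print("slow scan caught:", bool(replay(SLOW_SCAN)[0].quarantined))
```

The slow scan in the sample is deliberately missed: with one probe every five seconds and a ten-second window, the detector never sees more than three targets at once. That is the usual trade-off for window-based detection, and a production app would pair it with a longer-horizon counter or a reflector/tarpit to slow the scanner down.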

4. Flexible-policy-based control of cloud network resources -- Yan Chen (陳焰), Zhejiang University Cyberspace Security Research Center

  • SDNKeeper
    • Carrier networks
    • Cloud providers
    • The key to real-world SDN deployment: network resource security
    • SDNKeeper system architecture
4.1 Xiaodong Lin (林曉東) -- Associate Professor, Wilfrid Laurier University, Canada
4.2 Ye Wu -- Privacy protection based on SMC applications -- privacy leakage (DP, SMC, Forensics)
  • Privacy preserving correlation Analysis
    • A Toy Example
  • Securing Master Key with SMC: solution Overview
  • Privacy Preserving Data Query
  • Privacy Preserving Machine Learning
  • Privacy Preserving Challenges
  • Data Security Scenario
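The notes record only the title of the talk's toy example for privacy-preserving correlation analysis, so here is an added one that is not the speaker's: additive secret sharing over a prime field, with the data horizontally partitioned (each party holds complete (x, y) records for its own people) and semi-honest parties talking over authenticated channels (assumptions). Each party shares only its five local aggregates; the parties reconstruct the global aggregates and nothing else, and the Pearson coefficient is computed from those.

```python
"""Privacy-preserving Pearson correlation over horizontally partitioned data.

Added toy example for these notes (the talk's own example is not in the notes).
Assumptions: integer-valued records, semi-honest parties, authenticated pairwise
channels, and aggregate totals far below the field prime P. Only the global
aggregates are ever reconstructed; individual records and per-party sums stay hidden
behind uniformly random additive shares.
"""
import math
import secrets

P = (1 << 127) - 1   # Mersenne prime used as the sharing field (assumption)


def share(value, n):
    """Split an integer into n additive shares that sum to value mod P."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def local_sums(records):
    """The five aggregates (plus the count) Pearson needs, computed locally by one party."""
    return [len(records),
            sum(x for x, _ in records), sum(y for _, y in records),
            sum(x * x for x, _ in records), sum(y * y for _, y in records),
            sum(x * y for x, y in records)]


def pearson(cnt, sx, sy, sxx, syy, sxy):
    num = cnt * sxy - sx * sy
    den = math.sqrt((cnt * sxx - sx * sx) * (cnt * syy - sy * sy))
    return num / den


def mpc_pearson(parties):
    """Parties = list of record lists. Each party shares its aggregates; totals are rebuilt."""
    n = len(parties)
    held = [[0] * 6 for _ in range(n)]          # held[j][k]: party j's share-sum for stat k
    for records in parties:
        for k, value in enumerate(local_sums(records)):
            for j, s in enumerate(share(value, n)):   # one share to each party (incl. self)
                held[j][k] = (held[j][k] + s) % P
    # Each party publishes its six accumulated shares; only the totals come out.
    totals = [sum(held[j][k] for j in range(n)) % P for k in range(6)]
    return pearson(*totals)


# Constructed records held by three parties (e.g. three hospitals), never pooled in clear.
PARTIES = [[(1, 2), (2, 4), (3, 7)], [(4, 8), (5, 9)], [(6, 13)]]

if __name__ == "__main__":
    print("MPC   r =", mpc_pearson(PARTIES))
    print("clear r =", pearson(*local_sums([r for p in PARTIES for r in p])))
```

The correlation itself is the output the parties agreed to reveal, so it is not protected; if the union is small, the aggregates can still leak a lot about an individual record, which is where the DP half of "DP SMC" in the session title comes in.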
4.3 Chunyi Peng -- Purdue University, mobile network security https://www.cs.purdue.edu/homes/chunyi/
  • Mobile Network
    • large-scale wireless network infrastructure
  • Expected to be More Secure
    • Internet: designed without embedded security features
    • Mobile network
      • User authentication and key agreement(AKA)
      • User authorization (explicit/implicit)
      • Encryption(IPSEC)
      • Access control (from both UE and Internet)
        • Firewall, tenants
      • Closed System
  • IP Spoofing [CCS'14]
    • ip assigned by the network, authentication for L2 data pipes
    • But, Spoofing on L3 is possible
  • VoLTE abuse [CCS'15]
    • VoLTE: IP packets for voice data and signaling
    • But, exploited to carry normal data packets
  • SMS Sender-ID Spoofing [CCS'16]
    • Authentication of the sender is required
    • But, the SMS sender (in the SIP header) can be spoofed
  • Why: gap between the security mechanism and the operations it intends to protect
  • Change Factors & Security Implications
    • Closed-> Open
      • Expose attack vectors to adversaries
      • E.g, IP
    • Security states: isolated user
      • But requires a full-path security (creation, storage, use, verification)
    • Missing Components
      • Monitor and detection (Security KPI)
      • Runtime traceback and mutual-authentication(not at the start only)
      • Provenance for troubleshooting (deterrence)
    • 5G opportunity: NFV (flexible & extensible)
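The sender-ID spoofing bullet above, as an added example (not code from the talk or from any operator): a SIP MESSAGE request for SMS over IMS is parsed, and the user-settable From header is compared with the identity the core network asserted after authentication. The assumption is that the network inserts a P-Asserted-Identity header for the authenticated subscriber; the messages, numbers and hostnames are constructed placeholders.

```python
"""Checking an SMS-over-IMS sender against the network-asserted identity.

Added illustration for these notes, not operator code. The check is the
'full-path' idea from the talk: the identity proven at AKA time has to be
carried to, and compared at, the point where the SMS sender is used.
Assumption: the core network inserts P-Asserted-Identity after authenticating
the subscriber, while From is whatever the handset put there.
"""
import re

URI_RE = re.compile(r"(?:sip|sips|tel):(?P<user>\+?[\w.]+)")


def parse_sip(raw):
    """Split a SIP request into (request line, {lower-case header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")          # first colon only: values hold 'sip:'
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def identity(header_value):
    """User part / E.164 number from a From or P-Asserted-Identity value, else None."""
    m = URI_RE.search(header_value or "")
    return m["user"] if m else None


def check_sender(raw):
    """('accept', sender) when From matches the asserted identity, else ('reject', why)."""
    request_line, hdr, _ = parse_sip(raw)
    if not request_line.startswith("MESSAGE "):
        return ("ignore", "not a MESSAGE request")
    claimed = identity(hdr.get("from", [None])[0])
    asserted = [identity(v) for v in hdr.get("p-asserted-identity", [])]
    if not asserted or None in asserted:
        return ("reject", "no network-asserted identity; sender is unauthenticated")
    if claimed not in asserted:
        return ("reject", f"From claims {claimed} but the network asserted {asserted}")
    return ("accept", claimed)


def build_message(from_hdr, pai_hdr, body="hello"):
    """Constructed SIP MESSAGE in RFC 3428 shape; all addresses are placeholders."""
    lines = [
        "MESSAGE sip:+8613900000002@ims.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.7;branch=z9hG4bK776",
        "Max-Forwards: 70",
        "To: <sip:+8613900000002@ims.example.net>",
        f"From: {from_hdr};tag=49583",
        "Call-ID: a84b4c76e66710",
        "CSeq: 1 MESSAGE",
        "Content-Type: text/plain",
        f"Content-Length: {len(body)}",
    ]
    if pai_hdr:
        lines.insert(5, f"P-Asserted-Identity: {pai_hdr}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


LEGIT = build_message("<sip:+8613800000001@ims.example.net>", "<tel:+8613800000001>")
SPOOFED = build_message('"Bank" <sip:95588@ims.example.net>', "<tel:+8613800000001>")
UNAUTHENTICATED = build_message("<sip:+8613800000001@ims.example.net>", None)

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("spoofed", SPOOFED), ("no PAI", UNAUTHENTICATED)]:
        print(name, "->", check_sender(msg))
```

The check has to run in the network element that receives the MESSAGE from the subscriber, and the P-Asserted-Identity header must be stripped from anything the subscriber sends in, or the handset can simply supply its own; that ordering is the "creation, storage, use, verification" chain the talk asks for.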
4.4 Zhifeng Zhao (趙志峰) -- ZJU, An intelligent software defined security architecture and collaborative defense testbed [zhaozf@zju.edu.cn] OpenStack + OpenDaylight = testbed
  • An Intelligent Honeynet based on Software defined security [WCSP'17]
  • Uses AI to hold a dialogue with attackers
  • A Machine learning based Intrusion detection system [IET Networks'17]
    • K-means to split the traffic, random forest for feature classification
  • Collaborative defense testbed [generates data]
4.5 Yueqiang Cheng (程越強) -- Senior Security Scientist, Baidu: Towards Trusted Path Establishment: from Endpoints to Cloud
  • Root of Trust(RoT) Candidates
    • Trusted Hardware as RoT
    • Hard Math Problems as RoT
  • Endpoint Trust establishment
    • starting from root of Trust
    • Extending trust chain in a layered system
  • Trusted Path applications
    • Secure Element + TrustZone
      • Fingerprint Protection
    • Trusted Processor + Enclave
      • Efficient Secure Multiparty Computation (SMC)
      • Efficient Verifiable Computation
  • Trusted Path in Baidu
    • Trust chain upon Hardware RoT in layered System
      • Rust SGX Enclave - Verifiable and isolated execution environment
      • MesaLock Linux - memory safe user Space
    • MesaLink Connecting all of them
      • Post-quantum cryptographic support
      • Memory safe language - without memory corruptions
  • Trusted Path Still Challenging
    • Root key provisioning and management
    • Complex hardware architecture
    • Vulnerabilities in Implementation
    • Side channel threat, e.g., for Intel SGX
  • Q/A
    • Mobile network security: 3G/4G/5G security, the gap that appears during operation
    • Maturity of SGX; WAPI WiFi security
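"Extending the trust chain in a layered system" from talk 4.5, as an added example that is not Baidu's, a TPM's or SGX's code: each layer measures the next before passing control, the measurement is folded into a running register the way a TPM PCR extend does (register' = H(register || H(component))), and a verifier holding golden values replays the event log. The layer names follow the stack the talk lists; the images are constructed byte strings and the all-zero initial register is an assumption.

```python
"""Extending a trust chain from a root of trust through a layered system.

Added illustration for these notes, not Baidu, TPM or SGX code. The chain is
modelled as an ordered list of (layer, image); a measuring layer hashes the
next image and extends a PCR-style register before handing over. A verifier
with an ordered allow-list replays the log and checks the final register.
Images are constructed stand-ins; the zero initial register is an assumption.
"""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: the new value binds both the old register and the component."""
    return h(register + h(component))


def measured_boot(layers):
    """Walk the chain from the root of trust upward; return (final register, event log)."""
    register = bytes(32)                      # assumption: register starts all-zero
    log = []
    for name, image in layers:
        log.append((name, h(image).hex()))    # what the previous layer measured
        register = extend(register, image)
    return register, log


def verify(final, log, golden):
    """Replay the log against an ordered allow-list and the reported final register."""
    if [n for n, _ in log] != [n for n, _ in golden]:
        return False, "layer order differs from the expected chain"
    register = bytes(32)
    for (name, measurement), (_, expected) in zip(log, golden):
        if measurement != expected:
            return False, f"{name}: unexpected measurement"
        register = h(register + bytes.fromhex(measurement))
    if register != final:
        return False, "event log does not reproduce the reported register value"
    return True, "chain intact"


# Constructed stand-ins for the layered stack named in the talk (not real images).
LAYERS = [
    ("firmware", b"firmware v1"),
    ("kernel", b"MesaLock-Linux-kernel-image"),
    ("userspace", b"MesaLock-Linux-userspace"),
    ("enclave", b"rust-sgx-enclave"),
]
GOLDEN = [(name, h(image).hex()) for name, image in LAYERS]   # the verifier's allow-list

if __name__ == "__main__":
    final, log = measured_boot(LAYERS)
    print("honest boot:", verify(final, log, GOLDEN))
    tampered = list(LAYERS)
    tampered[1] = ("kernel", b"MesaLock-Linux-kernel-image-with-backdoor")
    print("tampered kernel:", verify(*measured_boot(tampered), GOLDEN))
    print("forged final value:", verify(bytes(32), log, GOLDEN))
```

The chain proves what was loaded, in what order, not that any layer is free of bugs; it also depends on the root key and the golden values being provisioned and kept correctly, and on the measuring code itself not being bypassed through a side channel. Those are exactly the "still challenging" items the talk closes with.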

Slides from the December 20 afternoon session -- download
Link: https://pan.baidu.com/s/1bpwcm2j Password: zb2f
