Frontiers of Data Security and Privacy
1. When Security and AI Meet. -- Tao Xie taoxie@illinois.edu http://taoxie.cs.illinois.edu/
1.1 AI and Software Engineering (Intelligent Software Engineering)
(1) AI for Test Generation:
Microsoft Security Risk Detection : https://microsoft.com/en-us/security-risk-detection/
cloud-based-fuzz-testing
(2) Binary-code-based risk detection: Mayhem
(3) Dynamic Symbolic Execution (DART: Godefroid et al., PLDI'05)
Traverses all paths and branch statements:
Explosion of search space: the search space is too large
(4) Automated Software Testing:
- Path Explosion: DSN'09: Fitnex
- Method Sequence Explosion: OOPSLA'11: Seeker
Shipped in VS 2015/2017
Code Hunt :
(5) Android App Testing: WeChat
(6) Intelligent Software Testing?
- Learning from others working on the same things
- Learning from others working on similar things
(7) NLP for Security Policies
- Access Control Vulnerabilities
- Access Control Policies (ACP)
  - A policy rule includes four elements:
    - Subject - HCP
    - Action - edit
    - Resource - patient's account
    - Effect - deny
- Problems of ACP Practice
- ACPs: the natural-language text is not specifically processed
- Example: A doctor can not modify the patient's account.
- Overview of Text2Policy
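An added example (not from the talk and not Text2Policy's own code): a minimal pattern-based extractor that turns the sample sentence above into the four policy elements. The role and verb lexicons and the sentence pattern are assumptions made for this illustration.

```python
import re

# Assumed mini-lexicons, constructed for this example only.
SUBJECT_ROLES = {"doctor": "HCP", "nurse": "HCP", "patient": "Patient"}
ACTION_VERBS = {"modify": "edit", "edit": "edit", "update": "edit",
                "view": "read", "read": "read", "delete": "delete"}

# <article> <subject> <modal> <verb> [article] <resource>[.]
RULE_RE = re.compile(
    r"^(?:an?|the)\s+(?P<subject>\w+)\s+"
    r"(?P<modal>can\s*not|cannot|can't|must\s+not|may\s+not|can|may)\s+"
    r"(?P<verb>\w+)\s+(?:the\s+|an?\s+)?(?P<resource>.+?)\.?$",
    re.IGNORECASE,
)


def extract_rule(sentence):
    """Return the four ACP elements as a dict, or None if the sentence
    does not look like an access control rule."""
    m = RULE_RE.match(sentence.strip())
    if not m:
        return None
    verb = m.group("verb").lower()
    if verb not in ACTION_VERBS:
        return None  # unknown verb: do not guess an action
    subject = m.group("subject").lower()
    modal = m.group("modal").lower()
    negated = "not" in modal or "n't" in modal
    return {
        "subject": SUBJECT_ROLES.get(subject, subject),
        "action": ACTION_VERBS[verb],
        "resource": m.group("resource").strip(),
        "effect": "deny" if negated else "permit",
    }


if __name__ == "__main__":
    for s in ["A doctor can not modify the patient's account.",
              "A nurse can view the lab results.",
              "The system stores data daily."]:
        print(s, "->", extract_rule(s))
```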
(8) NLP for Mobile Security
- Problem Statement:
- Is program analysis sufficient?
  - Caveat: what does the user expect?
    - GPS Tracker:
    - Phone-call recorder:
    - others are more subtle:
- Vision
- Analyze app descriptions
- Straw man: Keyword Search
  - Confounding effects:
    - certain keywords such as 'contact' have a confounding meaning
  - Semantic Inference:
    - Sentences often describe a sensitive operation such as reading contact without actually referring to the keyword 'contact', e.g., "Also you can share the yoga exercise to your friends via Email and SMS."
- Extract domain knowledge: Semantic-Graph Generator
- Semantic Engine
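An added example (not from the talk or from any tool it describes): the keyword straw man run over four constructed description sentences, next to a small verb-plus-resource matcher that stands in for domain knowledge. The sample labels, the word lists and both function names are assumptions of this illustration.

```python
import re

# Constructed app-description sentences. The label says whether the sentence
# really describes access to the user's contacts (labels are assumed here).
SAMPLES = [
    ("Import your contacts to invite people quickly.", True),
    ("Contact us at support@example.com for help.", False),
    ("Also you can share the yoga exercise to your friends via Email and SMS.", True),
    ("Track your daily yoga progress.", False),
]


def keyword_match(sentence, keyword="contact"):
    """Straw man: flag any sentence that contains the keyword."""
    return keyword in sentence.lower()


# Hand-written stand-in for domain knowledge: action verbs and resource nouns
# that together imply contact access. Not a real tool's semantic graph.
ACTIONS = {"import", "read", "share", "send", "invite"}
RESOURCES = {"contacts", "friends", "address book"}


def semantic_match(sentence):
    """Flag a sentence only if an action verb is later followed by a resource noun."""
    text = sentence.lower()
    for verb in ACTIONS:
        v = re.search(r"\b%s\b" % verb, text)
        if v and any(re.search(r"\b%s\b" % re.escape(r), text[v.end():])
                     for r in RESOURCES):
            return True
    return False


def errors(detector):
    """Return (false positives, false negatives) of a detector on SAMPLES."""
    fp = [s for s, label in SAMPLES if detector(s) and not label]
    fn = [s for s, label in SAMPLES if not detector(s) and label]
    return fp, fn


if __name__ == "__main__":
    for name, det in [("keyword", keyword_match), ("semantic", semantic_match)]:
        fp, fn = errors(det)
        print(name, "false positives:", fp, "false negatives:", fn)
```

The keyword detector flags the "Contact us" sentence (confounding effect) and misses the yoga sentence (semantic inference); the verb-plus-resource matcher gets both right on this constructed sample.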
(9) ML for mobile security:
- Analyze the full APK to distinguish benign from malicious software
- Context-based Mobile security
- EnMobile: Entity-based Characterization and Analysis of Mobile Malware ICSE 2018
(10) Adversarial ML
Junfeng Yang (楊俊峰), Columbia University, SOSP 2017
2. Privacy Protection: Current State and Challenges
- Differential privacy
- Fully homomorphic encryption
2.1 Cloud Data Services: Security and Privacy Research
Real-time collaborative editing software: Google Docs, ShareLaTeX, Etherpad, etc.
- Sensitive data leaks on GitHub
2.2 Encrypted Search: Advances and Beyond -- Cong Wang (王聰), City University of Hong Kong
- Encrypted data search
- Motivation
- Sensitive data demands encrypted storage
- Encrypted search reduces risks of data breaches
2.3 Data Security and Control for Big-Data Testbeds -- Weili Han (韓偉力)
2.4 Graph Data Privacy -- Shouling Ji (紀守領)
Application-aware privacy-preserving techniques
Deep Learning or ML based privacy preservation
CCS: image CAPTCHAs: easy for humans to recognize, hard for machines to recognize
3. Securing the Networking Foundation for Future Internet, Cloud and 5G Infrastructures -- Guofei Gu (顧國飛), Texas A&M University, USA
3.0 Problems of Legacy Network Devices
- Too complicated -- control plane
- Closed platform -- vendor specific
- Hard to manage
- Why do we care?
- Datacenter / Cloud networking
- Telecommunication networking
- SDN/NFV is a foundation of 5G
- High cost of feature insertion for new (value-added) services
- Complex network management
- Enterprise networking
- BYOD challenges
- Too much reliance on vendors
- Home networking
- Increased number of devices (IoT) and complexity
- Why is my network not working? Who can help?
- SDN -- three layers: application layer + control layer + infrastructure layer
- OpenFlow infrastructure
- SDN Operation
- Going Beyond
  - The future is software defined
    - SDN
    - software defined storage
    - software defined radio
    - software defined infrastructure (VMs, NFV, Cloud, 5G)
  - A new research direction: Software Defined Programmable Security (SDPS)
3.1 Security in the paradigm of SDN
3.2 Security in SDN -- Case Study: ConGuard
(1) Security problems in SDN: new security problems
- SDN is still in its infancy
- The security of SDN itself is another major concern:
- Vulnerable/malicious/buggy apps?
- Vulnerable controller? Data plane? Communication between the data and control planes?
(2) Attacking the brain: races in the SDN control plane
- SDN Control plane = new Achilles' Heel
- Research Questions
- ConGuard -- solution
- Detection of Harmful Race Conditions
- Exploitation of Harmful race conditions
3.3 SDN for security -- case study: Programmable BYOD Security
- Killer applications of SDN?
- reducing energy in data center networks
- WAN VM Migration
- how about security?
- Can SDN enable new capabilities to improve network security?
- Exemplar SDN Security Apps
- Firewall
- DDoS Detection
- Scan Detection
- Reflector network
- Tarpit
- Dynamic quarantine
- and more...
- App store -> security as apps
- Security as an app
- Security as a service
- Challenges and Our Contributions
  - Developing security apps is hard
    - FRESCO: a new app development framework for modular, composable security services [NDSS'13]
  - It is not convenient for cloud tenants to install/use security devices/services
    - CloudWatcher/NetSecVisor/BYOCVisor: a new security monitoring service model [Network security virtualization] based on SDN
  - Leverage the advantages of SDN when there is no SDN data plane infrastructure
    - NDSS'16 work
- NDSS'16 --Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security
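4. Flexible Policy-Based Cloud Network Resource Control -- Yan Chen (陳焰), Zhejiang University Cyberspace Security Research Center
- SDNKeeper
- Carrier networks
- Cloud providers
- The key to deploying SDN in practice: network resource security
- SDNKeeper system architecture
4.1 Xiaodong Lin (林曉東) -- Associate Professor, Wilfrid Laurier University, Canada
4.2 Ye Wu -- Privacy Protection based SMC applications -- privacy leakage (DP SMC Forensics)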
- Privacy preserving correlation Analysis
- A Toy Example
- Securing Master Key with SMC: solution Overview
- Privacy Preserving Data Query
- Privacy Preserving Machine Learning
- Privacy Preserving Challenges
- Data Security Scenario
4.3 Chunyi Peng -- Purdue University, Mobile Network Security https://www.cs.purdue.edu/homes/chunyi/
- Mobile Network
- Large-scale wireless network infrastructure
- Expected to be More Secure
- Internet: designed without embedded security features
- Mobile network
- User authentication and key agreement(AKA)
- User authorization (explicit/implicit)
- Encryption(IPSEC)
- Access control (from both UE and Internet)
- Firewall, tenants
- Closed System
- IP Spoofing [CCS'14]
- IP assigned by the network, authentication for L2 data pipes
- But spoofing on L3 is possible
- VoLTE abuse [CCS'15]
- VoLTE: IP packets for voice data and signaling
- But exploited for normal data packets
- SMS Sender-ID Spoofing [CCS'16]
- Authentication for the sender is required
- But the SMS sender (in the SIP header) can be spoofed
- Why: gap between security and the operations it intends to protect
- Change Factors & Security Implications
  - Closed -> Open
    - Expose attack vectors to adversaries
    - E.g., IP
  - Security states: isolated user
    - But requires a full-path security (creation, storage, use, verification)
  - Missing Components
    - Monitor and detection (Security KPI)
    - Runtime traceback and mutual authentication (not at the start only)
    - Provenance for troubleshooting (deterrence)
  - 5G opportunity: NFV (flexible & extensible)
4.4 Zhifeng Zhao (趙志峰) -- Zhejiang University, An intelligent software defined security architecture and collaborative defense testbed [zhaozf@zju.edu.cn] OpenStack + OpenDaylight = testbed
- An Intelligent Honeynet based on Software defined security [WCSP'17]
- Uses AI to converse with attackers
- A Machine learning based Intrusion detection system. [IET Networks'17]
- K-means for traffic splitting, random forest for feature classification
- Collaborative defense testbed [generates data]
4.5 Yueqiang Cheng (程越強) -- Senior Security Scientist at Baidu, Towards Trusted path establishment: from endpoints to cloud
- Root of Trust(RoT) Candidates
- Trusted Hardware as RoT
- Hard Math Problems as RoT
- Endpoint Trust establishment
- starting from root of Trust
- Extending trust chain in a layered system
- Trusted Path applications
  - Secure Element + TrustZone
    - Fingerprint Protection
  - Trusted Processor + Enclave
    - Efficient Secure Multiparty Computation (SMC)
    - Efficient Verifiable Computation
- Trusted Path in Baidu
  - Trust chain upon Hardware RoT in layered System
  - Rust SGX Enclave - Verifiable and isolated execution environment
  - MesaLock Linux - memory safe user space
  - MesaLink - connecting all of them
  - Post-quantum cryptographic support
  - Memory safe language - without memory corruptions
- Trusted Path Still Challenging
- Root key provisioning and management
- Complex hardware architecture
- Vulnerabilities in Implementation
- Side channel threat, e.g., for Intel SGX
- Q/A
- Mobile network security: 3G/4G/5G security, the gap in operations
- Maturity of SGX, WAPI WIFI Security
Slides from the December 20 afternoon session -- download
Link: https://pan.baidu.com/s/1bpwcm2j Password: zb2f