Economics of Security
Mitigating Inadvertent Insider Threats with Incentives
D. Liu, L. Jean Camp and X. Wang. In the Proceedings of the 13th International Conference on Financial Cryptography and Data Security (FC) 2009
D. Liu, L. Jean Camp and X. Wang,
Inadvertent insiders are trusted insiders who do not have malicious intent (as with malicious insiders) but do not responsibly managing security. The result is often enabling a malicious outsider to use the privileges of the inattentive insider to implement an insider attack. This risk is as old as conversion of a weak user password into root access, but the term inadvertent insider is recently coined to identify the link between the behavior and the vulnerability. In this paper, we propose to mitigate this threat using a novel risk budget mechanism that offers incentives to an insider to behave according to the risk posture set by the organization. We propose assigning an insider a risk budget, which is a specific allocation of risk points, allowing employees to take a finite number of risk-seeking choice. In this way, the employee can complete her tasks without subverting the security system, as with absolute prohibitions. In the end, the organization penalizes the insider if she fails to accomplish her task within the budget while rewards her in the presence of a surplus. Most importantly. the risk budget requires that the user make conscious visible choices to take electronic risks. We describe the theory behind the system, including specific work on the insider threats. We evaluated this approach using human-subject experiments, which demonstrate the effectiveness of our risk budget mechanism. We also present a game theoretic analysis of the mechanism.
CAPTCHA
Making CAPTCHAs Clickable
C. Richard, G. Philippe, M. Jakobsson, L. Wang and X. Wang. In Proceedings of Workshop on Mobile Computing Systems and Applications (HotMobile 2008)
We show how to convert regular keyboard-entry CAPTCHAs into clickable CAPTCHAs. The goal of this conversion is to simplify and speed-up the entry of the CAPTCHA solution, to minimize user frustration and permit the use of CAPTCHAs on devices where they would otherwise be unsuitable. We propose a technique for producing secure clickable CAPTCHAs that are well suited for use on cell phones and other mobile devices. We support the practical viability of our approach by results from a user study, and an analysis of its security guarantees.
Mix Networks
Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks
P. Golle, X. Wang, M. Jakobsson and A. Tsow.In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P 2006)
An all too real threat to the privacy offered by a mix network is that individual mix administrators may volunteer partial tracing information to a coercer. While this threat can never be eliminated – coerced mix servers could simply be forced to reveal all their secret data – we can deter administrators from succumbing to coercive attacks by raising the stakes. We introduce the notion of a trace-deterring mix permutation to guarantee privacy, and show how it ensures that a collateral key (used for an arbitrary purpose) be automatically revealed given any end-to-end trace from input to output elements. However, no keying material is revealed to a party who simply knows what input element corresponds to what output element. Our techniques are sufficiently efficient to be deployed in large-scale elections, thereby providing a sort of publicly verifiable privacy guarantee. Their impact on the size of the anonymity set – while quantifiable – are not of practical concern.
Building Reliable Mix Networks with Fair Exchange
M. Reiter, X. Wang and M. Wright.In Proceedings of the 3th International Conference on Applied Cryptography and Network Security (ACNS) 2005
In this paper we present techniques by which each mix in a mix network can be paid for its services by message senders, in a way that ensures fairness and without sacrificing anonymity. We describe a payment mechanism for use in mix networks, and use this payment scheme in fair exchange mechanisms for both connection-based and messagebased mix networks. In connection-based mix networks, our protocols achieve fairness in a weak sense: no player can benefit from stopping the exchange prematurely. In message-based mix networks, by taking advantage of each mix’s next-hop neighbor as a rational third party, our exchange protocol guarantees strict fairness between initiators and mixes: either both parties successfully exchange payment and service or neither gains anything.
Fragile Mixing
M. Reiter, X. Wang. In Proceedings of 11th ACM Conference on Computer and Communication Security (CCS 2004)
No matter how well designed and engineered, a mix server offers little protection if its administrator can be convinced to log and selectively disclose correspondences between its input and output messages, either for profit or to cooperate with an investigation. In this paper we propose a technique, fragile mixing, to discourage an administrator from revealing such correspondences, assuming he is motivated to protect the unlinkability of other communications that flow through the mix (e.g., his own). Briefly, fragile mixing implements the property that any disclosure of an input-message-tooutput- message correspondence discloses all such correspondences for that batch of output messages. We detail this technique in the context of a re-encryption mix, its integration with a mix network, and incentive and efficiency issues.
DoS Containment
WRAPS: Denial-of-Service Defense through Web Referrals
X. Wang and M. Reiter.In Proceedings of the 25th IEEE Symposium on Reliable Distributed Systems (SRDS 2006)
The web is a complicated graph, with millions of websites interlinked together. In this paper, we propose to use this web sitegraph structure to mitigate flooding attacks on a website, using a new web referral architecture for privileged service (“WRAPS”). WRAPS allows a legitimate client to obtain a privilegeURL through a click on a referral hypherlink, from a website trusted by the target website. Using that URL, the client can get privileged access to the target website in a manner that is far less vulnerable to a DDoS flooding attack. WRAPS does not require changes to web client software and is extremely lightweight for referrer websites, which eases its deployment. The massive scale of the web sitegraph could deter attempts to isolate a website through blocking all referrers. We present the design of WRAPS, and the implementation of a prototype system used to evaluate our proposal. Our empirical study demonstrates that WRAPS enables legitimate clients to connect to a website smoothly in spite of an intensive flooding attack, at the cost of small overheads on the website’s ISP’s edge routers.
Denial of Service Attacks and Defenses in Decentralized Trust Management
J. Li, N. Li, X. Wang, and T. Yu. In Proceedings of the Second International Conference on Security and Privacy in Communication Networks (SecureComm 2006)
Trust management is an approach to scalable and flexible access control in decentralized systems. In trust management, a server often needs to evaluate a chain of credentials submitted by a client; this requires the server to perform multiple expensive digital signature verifications. In this paper, we study low-bandwidth Denial-of-Service (DoS) attacks that exploit the existence of trust management systems to deplete server resources. Although the threat of DoS attacks has been studied for some application-level protocols such as authentication protocols, we show that it is especially destructive for trust management systems. Exploiting the delegation feature in trust management languages, an attacker can forge a long credential chain to force a server to consume a large amount of computing resource. Using game theory as an analytic tool, we demonstrate that unprotected trust management servers will easily fall prey to a witty attacker who moves smartly. We report our empirical study of existing trust management systems, which manifests the gravity of this threat. We also propose a defense technique using credential caching, and show that it is effective in the presence of intelligent attackers.
Defending Against Denial-of-Service Attacks with Puzzle Auctions
X. Wang and M.K. Reiter. In Proceedings of IEEE Symposium on Security and Privacy (IEEE S&P 2004)
Although client puzzles represent a promising approach to defend against certain classes of denial-of-service attacks, several questions stand in the way of their deployment in practice: e.g., how to set the puzzle difficulty in the presence of an adversary with unknown computing power, and how to integrate the approach with existing mechanisms. In this paper, we attempt to address these questions with a new puzzle mechanism called the puzzle auction. Our mechanism enables each client to "bid" for resources by tuning the difficulty of the puzzles it solves, and to adapt its bidding strategy in response to apparent attacks. We analyze the effectiveness of our auction mechanism and further demonstrate it using an implementation within the TCP protocol stack of the Linux kernel. Our implementation has several appealing properties. It effectively defends against SYN flooding attacks, is fully compatible with TCP, and even provides a degree of interoperability with clients with unmodified kernels: Even without a puzzle-solving kernel, a client still can connect to a puzzle auction server under attack (albeit less effectively than those with puzzle-solving kernels, and at the cost of additional server expense).
Misc
Stealth Attacks on Vehicular Wireless Networks
M. Jakobosson, X. Wang and S. Wetzel. In Proceedings of IEEE Vehicular Technology Conference 2004-Fall (VTC 2004)
In this position paper we discuss various issues related to so-called stealth attacks. We elaborate on stealth attacks in the context of three common types of wireless networks, namely ad hoc networks, hybrid networks, and sensor networks. We consider the relevance of these settings to various vehicular environments; e.g., emergency and rescue operations, military operations, and theft recovery. Along with this, we discuss adversarial models. We furthermore explore the level of threat in a set of example situations and discuss potential tools that could be used to reduce the severity of stealth attacks in these contexts.
Learning Near-Pareto-Optimal Conventions in Polynomial Time
X. Wang and T.Sandholm. In Proceedings of the 17th Neural Information Processing Systems: Natural and Synthetic conference (NIPS 2003)
We study how to learn to play a Pareto-optimal strict Nash equilibrium when there exist multiple equilibria and agents may have different preferences among the equilibria. We focus on repeated coordination games of non-identical interest where agents do not know the game structure up front and receive noisy payoffs. We design efficient near-optimal algorithms for both the perfect monitoring and the imperfect monitoring setting(where the agents only observe their own payoffs and the joint actions).
Reinforcement Learning to Play an Optimal Nash Equilibrium in Team Markov Games
X. Wang and T. Sandholm. In Proceedings of the 16th Neural Information Processing Systems: Natural and Synthetic conference (NIPS 2002)
Multiagent learning is a key problem in AI. In the presence of multiple Nash equilibria, even agents with non-conflicting interests may not be able to learn an optimal coordination policy. The problem is exaccerbated if the agents do not know the game and independently receive noisy payoffs. So, multiagent reinforfcement learning involves two interrelated problems: identifying the game and learning to play. In this paper, we present optimal adaptive learning, the first algorithm that converges to an optimal Nash equilibrium with probability 1 in any team Markov game. We provide a convergence proof, and show that the algorithm’s parameters are easy to set to meet the convergence conditions.
(Im)possibility of Safe Exchange Mechanism Design
T. Sandholm and X. Wang. In Proceedings of National Conference on Artificial Intelligence (AAAI 2002)
Safe exchange is a key issue in multiagent systems, especially in electronic transactions where nondelivery is a major problem. In this paper we present a unified framework for modeling safe exchange mechanisms. It captures the disparate earlier approaches as well as new safe exchange mechanisms (e.g., reputation locking). Being an overarching framework, it also allows us to study what is inherently possible and impossible in safe exchange. We study this under different game-theoretic solution concepts, with and without a trusted third party, and with an offline third party that only gets involved if the exchange fails. The results vary based on the generality of the exchange setting, the existence (or creative construction) of special types of items to be exchanged, and the magnitude of transfer costs, defection costs, and escrow fees. Finally, we present an incentive-compatible negotiation protocol for selecting the best safe exchange mechanism when the agents do not know each others’ costs for the different alternatives.