SSD-Insider: one way to defend against ransomware inside a NAND flash-based SSD
Ransomware: malicious software that takes possession of a user's data in order to collect a ransom
- locker ransomware
- crypto ransomware
Invariant characteristics of ransomware
- I/O distribution analysis of ransomware
- Ransomware class
- Common pattern
- Overwriting (=unrecoverable)
- Invariant feature
- OWID
- OWST
- PWIO
- AVGWIO
Limitation 1) Data loss
- File type-based detection
  - Easily evaded by ransomware because of high entropy
- Content-based detection
  - Huge amounts of data must be monitored, causing CPU and memory overhead
Limitation 2) Security
Difficulties in detection & recovery
- Limited resources
- Limited view of ransomware activity
- Detection latency: the size of the time window
Ransomware detection accuracy
- threshold value 3
- false alarm
Approach
- Overwriting patterns: ransomware behavior is distinctive, as seen in its I/O requests
- Perfect and instant recovery - the SSD's delayed deletion
- FTL remapping, garbage collector, rollback, tracking of old-version data
- For recovery, every change must be tracked and data consistency must be guaranteed.
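The overwrite-pattern detection and delayed-deletion rollback summarized above, as an added toy model in Python (not the paper's code). The ToyFTL class, the per-window overwrite ratio, the window length of 10 and the 0.6 threshold are illustrative assumptions and do not reproduce the paper's OWID/OWST/PWIO/AVGWIO definitions.

```python
class ToyFTL:
    """Out-of-place update: a write gets a fresh page; the superseded page is
    only marked stale (delayed deletion) and survives until GC erases it."""
    def __init__(self):
        self.mapping = {}   # LBA -> current physical page
        self.pages = []     # physical page -> (time, lba, data)
    def write(self, t, lba, data):
        overwrite = lba in self.mapping   # write hits already-written data
        self.mapping[lba] = len(self.pages)
        self.pages.append((t, lba, data))
        return overwrite
    def read(self, lba):
        return self.pages[self.mapping[lba]][2]
    def rollback(self, t0):
        """Recovery: point each LBA at its newest page written before t0
        (possible only while the stale pages have not been collected)."""
        for lba in list(self.mapping):
            older = [p for p, (t, l, _) in enumerate(self.pages) if l == lba and t < t0]
            if older:
                self.mapping[lba] = max(older)
            else:
                del self.mapping[lba]   # block did not exist before t0

def replay_and_detect(trace, window=10, threshold=0.6):
    """Replay (time, lba, data) writes; per time window, compute the share of
    writes that overwrite existing data (a stand-in for the paper's overwrite
    features; window and threshold are illustrative assumptions).
    Returns (start time of the first alarming window or None, ftl)."""
    ftl = ToyFTL()
    stats = {}   # window id -> [writes, overwrites]
    for t, lba, data in trace:
        w = stats.setdefault(t // window, [0, 0])
        w[0] += 1
        w[1] += ftl.write(t, lba, data)
    for wid in sorted(stats):
        writes, overwrites = stats[wid]
        if overwrites / writes >= threshold:
            return wid * window, ftl
    return None, ftl

# Constructed trace: benign append-only writes to fresh LBAs, then a phase
# that rewrites those same blocks in place, as crypto ransomware does.
BENIGN = [(t, 100 + t, b"log%02d" % t) for t in range(10)]
ENCRYPTING = [(10 + i, 100 + i, b"ENC%02d" % i) for i in range(10)]
TRACE = BENIGN + ENCRYPTING

def demo():
    alarm_at, ftl = replay_and_detect(TRACE)
    if alarm_at is not None:
        ftl.rollback(alarm_at)   # restore from the retained pre-alarm pages
    return alarm_at, ftl.read(100), ftl.read(109)
```

The alarm is raised at window granularity, which is the detection-latency trade-off the notes mention; rollback succeeds only because the stale pages were not yet garbage-collected.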
Large-Scale & Language-Oblivious Code Authorship Identification
DL-CAIS: System structure
preprocessing
- TF-IDF representations (deep representations - deep learning)
- preliminary experiment
- classification
Effect of Temporal Changes
temporal effects impact the accuracy of code authorship identification
Identification with Mixed Languages
Language-oblivious training and testing:
- Using 9 code files randomly selected from the two languages
- Authorship attributes extracted from one language can help identify a programmer who is using a different language
Identification in Obfuscated Domain
Code-to-code obfuscation: Stunnix and Tigress
Identification with Real-world Dataset
GitHub public repositories
DFD: Adversarial Learning-based Approach to Defend Against Website Fingerprinting
The Onion Router (Tor): supports anonymous communication through end-to-end encryption
Website Fingerprinting (WF)
WF = pattern recognition with ML
The attacker first trains a classifier over a set of representative traffic features extracted from a large number of websites,
then uses it to track and predict the victim's browsing
WTF-PAD: Website Traffic Fingerprinting Protection with Adaptive Defense
Threat Model
Adversary
Goal: confidence reduction, untargeted misclassification, and targeted misclassification
Closed World, Open World
- Closed: assumes that users can only visit a small set of websites and that the adversary has samples to train his models on all of them
- Open: realistic; the adversary can only train on a small fraction of the sites the user can visit
Deep Fingerprinting Defender
A client-side dummy message injection solution
- Aims to conceal the sequence pattern within the packet flow while keeping bandwidth overhead low
Conclusion: applying DFD with automatic updating of the injection rate can mitigate the effects of deep learning-based WF attacks by concealing the patterns and providing secure website-visiting behavior.