detecting deception in the context of web 2 0
play

Detecting Deception in the Context of Web 2.0. Annarita Giani , - PowerPoint PPT Presentation

Mar 20, 2023 •34 likes •334 views

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 Oakland, CA May 24, 2007 Outline 1.Motivation and Terminology

  1. Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 – Oakland, CA – May 24, 2007

  2. Outline 1.Motivation and Terminology 2.Process Query System (PQS) Approach 3.Detection of a complex attack 4.Conclusion and Acknowledgments W2SP2007 – Oakland, CA – May 24, 2007 2

  3. Cognitive Hacking The user's attention is focused on the channel. The attacker exploits this fact and uses malicious information in the channel to mislead her. Misleading information Misleading information from a web site from a web site Attacker: Makes a fake web site 1 2 Attacker: Obtains advantages 3 from user actions Victim: Acts on the 4 information from the web site W2SP2007 – Oakland, CA – May 24, 2007 3

  4. MISINFORMATION – – Lebed Lebed case case MISINFORMATION He spread fake rumors about stocks . Jonathan Lebed . Investors driven to buy shares of that stock inflating its price The SEC wanted to prosecuted him for stock fraud. The law ??? Was allowed to keep $500,000 from his “illegal” stock proceeds. "Subj: THE MOST UNDERVALUED STOCK EVER "Date: 2/03/00 3:43pm Pacific Standard Time "From: LebedTG1 "FTEC is starting to break out! Next week, this thing will EXPLODE. . . . "Currently FTEC is trading for just $2 1/2! I am expecting to see FTEC at $20 VERY SOON. "Let me explain why. . . . "The FTEC offices are extremely busy. . . . I am hearing that a number of HUGE deals are being worked on. Once we get some news from FTEC and the word gets out about the company . . . it will take-off to MUCH HIGHER LEVELS! "I see little risk when purchasing FTEC at these DIRT-CHEAP PRICES. FTEC is making TREMENDOUS PROFITS and is trading UNDER BOOK VALUE!!!" W2SP2007 – Oakland, CA – May 24, 2007 4

  5. Covert Channels The user's attention is unaware of the channel. The attacker uses a medium not perceived as a communication channel to transfer information. Attacker: Codes data into User: does not see inter- User: does not see inter- 1 inter-packet delays, taking packet delay as a packet delay as a care to avoid drawing the communication channel and communication channel and attention of the user. does not notice any does not notice any communication. communication. data 2 W2SP2007 – Oakland, CA – May 24, 2007 5

  6. Phishing The user's attention is attracted by the exploit . The information is used to lure the victim into using a new channel and then to create a false perception of reality with the goal of exploiting the user’s behavior. Misleading email to get Misleading email to get Send a fake email user attention user attention 1 Visit http://www.cit1zensbank.com 2 4 3 First name, First name, Last name Last name Account Number Account # SSN Bogus web site SSN W2SP2007 – Oakland, CA – May 24, 2007 6

  7. Cognitive Channels A cognitive channel is a communication channel between the user and the technology being used. It conveys what the user sees, reads, hears, types, etc. Cognitive Channel Network Channel SERVER CLIENT USER Focus of the current protection and detection approaches The cognitive channel is the weakest link in the whole framework. Little investigation has been done on detecting attacks on this channel. W2SP2007 – Oakland, CA – May 24, 2007 7

  8. Cognitive Attacks Our definition is from an engineering point of view. Cognitive attacks are computer attacks over a cognitive Cognitive attacks are computer attacks over a cognitive channel. They exploit the attention of the user to manipulate channel. They exploit the attention of the user to manipulate her perception of reality and/or gain advantages. her perception of reality and/or gain advantages. COGNITIVE HACKING. The user’s attention is focused on the channel. The attacker exploits this fact and uses malicious information to mislead her. COVERT CHANNELS. The user is unaware of the channel. The attacker uses a medium not perceived as a communication channel to transfer information. PHISHING. The user's attention is attracted by the exploit. The information is used to lure the victim into using a new channel and then to create a false perception of reality with the goal of exploiting the user’s behavior. W2SP2007 – Oakland, CA – May 24, 2007 8

  9. The Need to Correlate Events � Large amount of sensors for network monitoring – Intrusion Detection Systems – Network traces – File Integrity Checkers � Large amount of Alerts – Overloaded operators – Hard to make sense of alarms � Need a principled way of combining alerts – Reduce false alarms – Discover multistage attacks W2SP2007 – Oakland, CA – May 24, 2007 9

  10. Outline 1.Motivation and Terminology 2.Process Query System (PQS) Approach 3.Detection of a complex attack 4.Conclusion and Acknowledgments W2SP2007 – Oakland, CA – May 24, 2007 10

  11. Process Query System Observable events coming from sensors Observable events coming from sensors Hypothesis Models Hypothesis Models PQS ENGINE Tracking Tracking Algorithms Algorithms W2SP2007 – Oakland, CA – May 24, 2007 11

  12. Framework for Process Detection An Environment Indictors and Warnings FORWARD PROBLEM 6 129.170.46.3 is at high risk 129.170.46.33 is a stepping stone INVERSE PROBLEM ...... that that detect are complex attacks used 5 consists of and anticipate 1 for the next steps Hypotheses control Multiple Processes Track 1 λ 1 = router failure Track 2 Track 3 λ 2 = worm λ 3 = scan Hypothesis 1 Hypothesis 2 that produce 2 that 4 that PQS resolves into are seen Unlabelled Sensor Reports Events as ……. ……. Time Time 3 Real World Process Detection (PQS) W2SP2007 – Oakland, CA – May 24, 2007 12

  13. Hierarchical PQS Architecture TIER 1 TIER 1 TIER 1 TIER 2 TIER 2 TIER 2 Models Observations Hypothesis Observations Models Hypothesis Scanning Events PQS More Complex Models Snort IP Tables Infection Events PQS Snort Tripwire PQS Events PQS Data Access Samba RESULTS Exfiltration PQS Events Flow and Covert Channel Sensor W2SP2007 – Oakland, CA – May 24, 2007 13

  14. Hidden Discrete Event System Models Dynamical systems with discrete state spaces that are: Causal - next state depends only on the past Hidden – states are not directly observed Observable - observations conditioned on hidden state are independent of previous states Example. Hidden Markov Model N States M Observation symbols State transition Probability Matrix, A Observation Symbols Distribution, B Initial State Distribution π HDESM models are general W2SP2007 – Oakland, CA – May 24, 2007 14

  15. HDESM Process Detection Problem Identifying and tracking several (casual discrete state) stochastic processes (HDESM’s) that are only partially observable. TWO MAIN CLASSES OF PROBLEMS Hidden State Estimation: Determine the “best” hidden states sequence of a particular process that accounts for a given sequence of observations. Discrete Sources Separation: :Determine the “most likely” process-to-observation association W2SP2007 – Oakland, CA – May 24, 2007 15

  16. Discrete Source Separation Problem HDESM Example (HMM): 3 states + transition probabilities n observable events: a,b,c,d,e,… Pr( state | observable event ) given/known Observed event sequence: ….abcbbbaaaababbabcccbdddbebdbabcbabe…. Catalog of Processes Which combination of which process models “best” accounts for the observations? Events not associated with a known process are “ANOMALIES”. W2SP2007 – Oakland, CA – May 24, 2007 16

  17. An analogy.... What does hbeolnjouolor mean? Events are: h b e o l n j o u o l o r Models = French + English words (+ grammars!) hbeolnjoulor = hello + bonjour Intermediate hypotheses include tracks: ho + be W2SP2007 – Oakland, CA – May 24, 2007 17

  18. PQS in Computer Security 5 1 2 8 7 Internet 12 DIB:s BGP IPTables Snort W BRIDGE o r m DMZ E x f i l t r a t i o n WWW Mail PQS P observations h i s h observations i n g ENGINE WS Tripwire Samhain WinXP LINUX W2SP2007 – Oakland, CA – May 24, 2007 18

  19. Outline 1.Motivation and Terminology 2.Process Query System (PQS) Approach 3.Detection of a complex attack 4.Conclusion and Acknowledgments W2SP2007 – Oakland, CA – May 24, 2007 19

  20. Complex Phishing Attack Steps Web page, Stepping … as usual browses the web and … Madame X stone …. visits a web page. 1 inserts username and password. ( the same used to access his machine) accesses user machine using 100.20.3.127 2 5 165.17.8.126 username and password a t t a records username c k uploads some code s t and password h e v i c t i m 3 4 Victim downloads some data Attacker 6 51.251.22.183 100.10.20.9 W2SP2007 – Oakland, CA – May 24, 2007 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Hoaxes, Frauds and Deception in Writing Style Online Sadia Afroz, Michael Brennan and

Detecting Hoaxes, Frauds and Deception in Writing Style Online Sadia Afroz, Michael Brennan and

Detecting Hoaxes, Frauds and Deception in Writing Style Online Sadia Afroz, Michael Brennan and Rachel Greenstadt Privacy, Security and Automation Lab Drexel University What do we mean by deception? Let me give an example A Gay

906 views • 65 slides
Deception Detection in Transcribed Speech and Written Text Rebecca Pottenger Background

Deception Detection in Transcribed Speech and Written Text Rebecca Pottenger Background

Deception Detection in Transcribed Speech and Written Text Rebecca Pottenger Background Detecting deception is a difficult problem Human detection accuracy is low For text: on average, correctly classify 47% of lies and 61% of

384 views • 7 slides
Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An

Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An

Detecting Voter Fraud in an Electronic Voting Detecting Voter Fraud Context in an Electronic Voting Context Introduction: Relevance of An Analysis of the Unlimited Reelection Vote in Venezuela Election Forensics Previous Research Ines

686 views • 45 slides
Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves

T18 Concurrent Session Thursday 06/12/2008 3:00 PM 4:30 PM Deception and Estimation: Deception and Estimation: How We Fool Ourselves How We Fool Ourselves Presented by: Linda Rising Independent Consultant Presented at: Better Software

303 views • 29 slides
Lying and Deception in Games Joel Sobel August 2, 2016 Lying and Deception Sobel What is the

Lying and Deception in Games Joel Sobel August 2, 2016 Lying and Deception Sobel What is the

Lying and Deception in Games Joel Sobel August 2, 2016 Lying and Deception Sobel What is the Talk About? Definitions: 1. Lying 2. Deception 3. Bluff and simple properties. Lying and Deception Sobel Why do this? 1. Coherence 2. To

659 views • 47 slides
On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele

On Deception-Based Protection Against Cryptographic Ransomware Ziya Alper Gen, Gabriele Lenzini, and Daniele Sgandurra June 20, 2019 Ransomware Threat 1 Ransomware Threat 1 Deception-Based Anti-Ransomware In the context of ransomware,

507 views • 22 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts Promotor: Prof. Hendrik Blockeel Thesis Defence Co-promoter: Ronald Geens Jun 30, 2017 Goal and Context Goal and Context The QLAD System Results

359 views • 31 slides
On Deception and Defection Jason Quinley Chris Ahern University of Tbingen, University of

On Deception and Defection Jason Quinley Chris Ahern University of Tbingen, University of

Cooperation and Deception Beggars and Signals Face and Other-Regarding Preferences Further Examples and Discussion On Deception and Defection Jason Quinley Chris Ahern University of Tbingen, University of Pennsylvania August 7, 2012

732 views • 50 slides
Paper Swords I Timothy 4:1-8 The Deception of Demon-Doctrines The deadliest form of evil to

Paper Swords I Timothy 4:1-8 The Deception of Demon-Doctrines The deadliest form of evil to

Paper Swords I Timothy 4:1-8 The Deception of Demon-Doctrines The deadliest form of evil to beware of, is that which has the appearance of good. deception: appears to lead you toward holiness, but eventually leads you astray demon-possession :

394 views • 6 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts , Maarten Bosteels, Jesse Davis and Wannes Meert Goal and Context Goal and Context The QLAD System Results Conclusion DNS The Domain Name System

659 views • 26 slides
The Role of Deception in Games CMPUT 654 Leticia Wanderley 1 Agenda Social psychology

The Role of Deception in Games CMPUT 654 Leticia Wanderley 1 Agenda Social psychology

The Role of Deception in Games CMPUT 654 Leticia Wanderley 1 Agenda Social psychology (FAE) Example: Kasparov vs. Deep Blue Overview of deception research Poker 2x2 games Voting games Repeated games

586 views • 36 slides
Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L

Detecting Chang Detecting Changes in W s in Water ter Qua Q ualit lity i lit lit i in L i L L Long ong I I Islan I l and S d S d S d Soun ound d with with NERACOOS Buoy y Observations James ODonnell, Todd Fake, Kay

815 views • 26 slides
Deception: An epistemic planned event? Shikha Singh, Deepak Khemani Department of Computer

Deception: An epistemic planned event? Shikha Singh, Deepak Khemani Department of Computer

Deception: An epistemic planned event? Shikha Singh, Deepak Khemani Department of Computer Science & Engineering IIT Madras Logic and Cognition Pre-Conference Workshop ICLA-2019 Shikha Singh, Deepak Khemani Deception: An epistemic planned

1.35k views • 111 slides
Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft Structures in

Inno Innovative Materials tive Materials Air Force Research Center for Nondestructive Testin Testing T Tech chnologies, es, I Inc. c. Laboratory Evaluation Detecting Cracks under Bushings Detecting Cracks under Bushings in Aircraft

308 views • 12 slides
Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process

Detecting changes in Detecting changes in the rate the rate of a of a Poisson process Poisson process George V. Moustakides Outline Overview of the change detection problem CUSUM test and Lordens criterion The Poisson

454 views • 28 slides
Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

548 views • 34 slides
GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research

473 views • 24 slides
t rt sr P

t rt sr P

r t rst Pr t r tr

653 views • 27 slides
Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate School {rbeverly,xie}@nps.edu February 8, 2012 CAIDA Workshop on Active Internet Measurements R. Beverly et al. (NPS) Opportunistic IPv6 Insight

568 views • 34 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

315 views • 30 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides

More recommend