Ev Even Turing Sho Shoul uld So Sometimes No Not Be Be Ab Able - PowerPoint PPT Presentation

Ev Even Turing Sho Shoul uld So Sometimes No Not Be Be Ab Able To To Te Tell: Mi Mimicking Hu Humanoid Us Usage Be Behav avior or fo for Ex Expl ploratory St Stud udies of of On Online e Ser ervices es Stephan Wiefling 1 , Nils Gruschka 2 , Luigi Lo Iacono 1 1 TH Köln – University of Applied Sciences 2 University of Oslo Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 1

Mo Motiva tivatio tion Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 2

Mo Motiva tivatio tion § Algorithms impact our society § Technical aspects hidden behind user interfaces § Data availability needed for reliable research Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 3

Mo Motiva tivatio tion § Most online services are black boxes § Lack of transparency hinders ? research § Reverse engineering needed Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 4

Re Reve verse en engi gineer eering is is co complicat cated… Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 5

Re Reve verse en engi gineer eering is is co complicat cated… § No unique path to conduct such an analysis § Services implement countermeasures Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 6

Re Reve verse en engi gineer eering is is co complicat cated… § No unique path to conduct such an analysis § Services implement countermeasures à Camouflage measures needed Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 7

HOSIT Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 8

Humanoid Online Service Inspection Tool HOSIT Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 9

Ov Over erview ew 1. 1. Tool Tool 2. Proof of Concept 3. Conclusion Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 10

In Insp spectio ion To Tool § Simulates human-like browsing behavior on online services § All actions have to be predefined by the HOSIT researchers § Reliable and reproducible research § Based on Puppeteer API Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 11

In Insp spectio ion To Tool Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 12

Vi Virtua ual Identities § Define properties § Typing, clicking behavior § Interests § … Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 13

Tr Training Pr Procedures § New accounts are considered suspicious § Need to create valid behavior first § Takes time Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 14

Tr Training Pr Procedures § Define activities to be performed on online service § and other online services (tracking) § Executed multiple times Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 15

Tr Training Pr Procedures § Let the service learn “normal” behavior § Get tracked on other websites by the service § Desired result: § Get labeled as “normal” user Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 16

In Insp spectio ion Pr Procedures § Create unusual behavior at online service § Analyze services’ reaction to unusual behavior Conductor Study Training Inspection Procedures Procedures Virtual Identities Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 17

In Insp spectio ion To Tool Conductor Study Training Inspection Procedures Procedures Virtual Identities API API HOSIT Framework Human User Imitation Log Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 18

In Insp spectio ion To Tool § Executes the actions Conductor Study Training Inspection § Adds human-imitating Procedures Procedures Virtual Identities behavior to function calls § Properties of virtual identity API API HOSIT Framework Human User Imitation Log Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 19

In Insp spectio ion To Tool § Logs all actions with Conductor Study Training Inspection screenshots Procedures Procedures Virtual Identities § Reproducibility API API HOSIT Framework Human User Imitation Log Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 20

In Insp spectio ion To Tool Conductor Study Training Inspection Procedures Procedures Virtual Identities API API HOSIT Framework Inspected Service Human User Imitation Log Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 21

Why do we need another browser automation tool? Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 22

Cl Click Be Behavio ior * Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT * Komandur et al.: Relation between mouse button click duration and muscle contraction time. In: EMBC '08. (Aug 2008) Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 23

Typ Typing Sp Speed t t Constant delay Randomized variations* Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT * Drury, C.G., Hoffmann, E.R.: A model for movement time on data-entry keyboards. Ergonomics 35(2) (Feb 1992) Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 24

Bo Bot De Detection Pr Prote tectio tion Pu Puppeteer 0. 0.13. 13.0 HO HOSIT IT Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 25

Br Browsin ing Be Behavio ior Cha Chang nges Pe Persona A Pe Persona B Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 26

Mo More Fu Func nctions ons § Common workflows integrated § Search query generator § CAPTCHA solving § Scrolling § Select tabs Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 27

Ex Examp mple Sc Scrip ipt § Opens a search engine § Clicks on image search § Types random search query covered in the media § Scrolls to bottom of results Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 28

Ex Examp mple Sc Scrip ipt § Video recorded at October 22 nd , 2019 Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 29

Ov Over erview ew 1. Tool 2. 2. Pr Proof f of of Co Concept ept 3. Conclusion Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 30

Pr Proof f of of Co Conc ncept pt § Study on Risk-based Authentication* § Required human-like behavior from clients * Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC ’19. (Jun 2019) Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 31

IP address User agent ... Username Password Risk estimation Risk: Low Medium High Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 32

IP: Aalborg, DK Chrome Windows 10 ... Username Password Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 33

IP: Aalborg, DK Chrome Windows 10 „Same device as ... always“ Username Password Risk estimation Low risk Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 34

IP: Ber Berlin, n, DE Chrome An Andro roid 8 8.1 .1 ... Username Password Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 35

IP: Ber Berlin, n, DE Chrome „There‘s An Andro roid 8 8.1 .1 something different here“ ... Username Password Additional Risk estimation Authentication Medium risk Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 36

IP: Ber Berlin, n, DE Chrome „There‘s Andro An roid 8 8.1 .1 something different here“ ... Username Password Additional Risk estimation Authentication Medium risk Proof for additional authentication Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 37

IP: Ne New York, US* Ph PhantomJS Li Linux ... Username Password * Known spam IP address Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 38

IP: Ne New York, US* PhantomJS Ph „Very likely a Linux Li hacker“ ... Username Password Risk estimation High risk * Known spam IP address Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono Aalborg, Denmark | NordSec 2019 39