Skip to main content
Springer Nature Link
Log in

A Logic-Based Reasoner for Discovering Authentication Vulnerabilities Between Interconnected Accounts

  • Conference paper
  • First Online:
Emerging Technologies for Authorization and Authentication (ETAA 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11263))

Abstract

With users being more reliant on online services for their daily activities, there is an increasing risk for them to be threatened by cyber-attacks harvesting their personal information or banking details. These attacks are often facilitated by the strong interconnectivity that exists between online accounts, in particular due to the presence of shared (e.g., replicated) pieces of user information across different accounts. In addition, a significant proportion of users employs pieces of information, e.g. used to recover access to an account, that are easily obtainable from their social networks accounts, and hence are vulnerable to correlation attacks, where a malicious attacker is either able to perform password reset attacks or take full control of user accounts.

This paper proposes the use of verification techniques to analyse the possible vulnerabilities that arises from shared pieces of information among interconnected online accounts. Our primary contributions include a logic-based reasoner that is able to discover vulnerable online accounts, and a corresponding tool that provides modelling of user accounts, their interconnections, and vulnerabilities. Finally, the tool allows users to perform security checks of their online accounts and suggests possible countermeasures to reduce the risk of compromise.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://www.owasp.org/index.php/Credential_stuffing.

  2. 2.

    The predicate similar(AB) states that A and B are very similar to each other and by knowing A the attacker can infer easily B, and vice versa.

  3. 3.

    http://xsb.sourceforge.net/.

  4. 4.

    We give together with the countermeasures their corresponding rules as represented by the reasoner.

References

  1. Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the Conference on Computer and Communications Security, pp. 217–224 (2002)

    Google Scholar 

  2. Baier, C., Katoen, J.P.: Principles of Model Checking (Representation and Mind Series). The MIT Press (2008)

    Google Scholar 

  3. Ben-Meir, E.: Sentry MBA: A Tale of the Most Popular Credential Stuffing Attack Tool (2017). https://blog.cyberint.com/sentry-mba-a-tale-of-the-most-popular-credential-stuffing-attack-tool

  4. Bras, T.L.: Online overload - its worse than you thought, July 2015. https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

  5. Data, S.: 100 worst passwords of 2017 (2017). https://s13639.pcdn.co/wp-content/uploads/2017/12/Top-100-Worst-Passwords-of-2017a.pdf

  6. Gosling, S.D., Gaddis, S., Vazire, S.: Personality impressions based on Facebook profiles. In: ICWSM (2007)

    Google Scholar 

  7. Idika, N., Bhargava, B.: Extending attack graph-based security metrics and aggregating their application. IEEE Trans. Dependable Secure Comput. 9(1), 75–85 (2012)

    Article  Google Scholar 

  8. Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats. Massive Computing, vol. 5, pp. 247–266. Springer, Boston (2005). https://doi.org/10.1007/0-387-24230-9_9

    Chapter  Google Scholar 

  9. Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings of the Workshop on Computer Security Foundations, pp. 49–63 (2002)

    Google Scholar 

  10. Kosinski, M., Stillwell, D., Graepel, T.: Private traits and attributes are predictable from digital records of human behavior. In: Proceedings of the National Academy of Sciences (2013). https://doi.org/10.1073/pnas.1218772110, http://www.pnas.org/content/early/2013/03/06/1218772110

    Article  Google Scholar 

  11. Li, W., Vaughn, R.B.: Cluster security research involving the modeling of network exploitations using exploitation graphs. In: 2006 Sixth IEEE International Symposium on Cluster Computing and the Grid, CCGRID 2006, vol. 2, pp. 26–26, May 2006

    Google Scholar 

  12. Lippmann, R., et al.: Validating and restoring defense in depth using attack graphs. In: Proceedings of the 2006 IEEE Conference on Military Communications, pp. 981–990. MILCOM 2006. IEEE Press, Piscataway, NJ, USA (2006)

    Google Scholar 

  13. Muñoz-González, L., Sgandurra, D., Barrere, M., Lupu, E.C.: Exact inference techniques for the analysis of bayesian attack graphs. IEEE Trans. Dependable Secure Comput. PP(99), 1 (2017). https://doi.org/10.1109/TDSC.2016.2627033

  14. Muñoz-González, L., Sgandurra, D., Paudice, A., Lupu, E.C.: Efficient attack graph analysis through approximate inference. ACM Trans. Priv. Secur. 20(3), 10:1–10:30 (2017). https://doi.org/10.1145/3105760

    Article  Google Scholar 

  15. Ortalo, R., Deswarte, Y., Kaâniche, M.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. Softw. Eng. 25(5), 633–650 (1999)

    Article  Google Scholar 

  16. Ou, X., Boyer, W., McQueen, M.: A scalable approach to attack graph generation. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 336–345 (2006)

    Google Scholar 

  17. Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM 2005, p. 8. USENIX Association, Berkeley, CA, USA (2005)

    Google Scholar 

  18. Pepitone, J.: Hack attack exposes major gap in Amazon and Apple security, August 2012. http://money.cnn.com/2012/08/07/technology/mat-honan-hacked/

  19. Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)

    Article  Google Scholar 

  20. Rabkin, A.: Personal knowledge questions for fallback authentication: security questions in the era of Facebook. In: Proceedings of the 4th Symposium on Usable Privacy and Security, SOUPS 2008, pp. 13–23. ACM, New York (2008)

    Google Scholar 

  21. Ritchey, R.W., Ammann, P.: Using model checking to analyze network vulnerabilities. In: Proceeding of 2000 IEEE Symposium on Security and Privacy, S P 2000, pp. 156–165 (2000)

    Google Scholar 

  22. Sgandurra, D., Karafili, E., Lupu, E.: Formalizing threat models for virtualized systems. In: Ranise, S., Swarup, V. (eds.) Data and Applications Security and Privacy XXX, pp. 251–267. Springer International Publishing, Cham (2016). https://doi.org/10.1007/978-3-319-41483-6_18

    Chapter  Google Scholar 

  23. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284 (2002)

    Google Scholar 

  24. Sheyner, O., Wing, J.: Tools for generating and analyzing attack graphs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2003. LNCS, vol. 3188, pp. 344–371. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30101-1_17

    Chapter  MATH  Google Scholar 

Download references

Acknowledgments

Erisa Karafili was supported by the European Union’s H2020 research and innovation programme under the Marie SkÅ‚odowska-Curie grant agreement No 746667. This work builds upon research funded by the Engineering and Physical Sciences Research Council (EPSRC) through grants EP/L022729/1 and EP/N023242/1.

Author information

Authors and Affiliations

  1. Department of Computing, Imperial College London, London, England

    Erisa Karafili & Emil Lupu

  2. Information Security Group, Royal Holloway, University of London, Egham, England

    Daniele Sgandurra

Authors
  1. Erisa Karafili
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniele Sgandurra
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Emil Lupu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Erisa Karafili .

Editor information

Editors and Affiliations

  1. IIT-CNR, Pisa, Italy

    Andrea Saracino

  2. IIT-CNR, Pisa, Italy

    Paolo Mori

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Karafili, E., Sgandurra, D., Lupu, E. (2018). A Logic-Based Reasoner for Discovering Authentication Vulnerabilities Between Interconnected Accounts. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2018. Lecture Notes in Computer Science(), vol 11263. Springer, Cham. https://doi.org/10.1007/978-3-030-04372-8_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-04372-8_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04371-1

  • Online ISBN: 978-3-030-04372-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation