DOI: 10.1145/3338511.3357350

Secure Zero-Day Detection: Wiping Off the VEP Trade-Off

Published: 15 November 2019

Abstract

Governments and other bodies stockpile a significant number of zero-day vulnerabilities for offense. At the same time, they may have an incentive to help private and commercial organizations patch these vulnerabilities, yet doing so leaks the zero-days and removes their offensive capability: an offense-defense trade-off. Conversely, private organizations might want to share traffic data with the government for zero-day exploit detection, but may simultaneously worry about abusive surveillance; these organizations face a security-privacy trade-off. These dilemmas and their trade-off nature give rise to a new problem: mutually suspicious parties working together.
In this paper, we propose an architecture called SeZeDe (Secure Zero-day Detection) that aims to wipe off both trade-offs with two underlying technical ideas: one that assures detection and privacy, and one that assures (delayed) accountability against abuse. Specifically, SeZeDe first integrates secure pattern matching with signature-based intrusion detection, protecting the data confidentiality of both sides while still supporting the main detection functionality. Second, SeZeDe applies time-lock encryption to deter turning the detection service into a surveillance mechanism. Our prototype evaluation shows promising detection performance and applicability.
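The abstract's second idea, delayed accountability through time-lock encryption, is easiest to understand from the classic Rivest-Shamir-Wagner time-lock puzzle: a record is sealed so that opening it requires a fixed number of sequential modular squarings, which cannot be parallelised away. The following toy is an added illustration and is not SeZeDe's code; the page does not state which time-lock construction SeZeDe uses, so the assumption here is simply that a detection record is sealed by the detector and can only be opened by an auditor after the prescribed amount of sequential work. The primes, the record and the delay parameter are all constructed demo values.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo modulus: these primes are far too small for real use and
# exist only so the example runs instantly. A deployment would use an RSA-size N.
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)


def _keystream(key_int: int, length: int) -> bytes:
    """Stretch the puzzle solution into a keystream with SHA-256 in counter mode."""
    key_bytes = key_int.to_bytes((key_int.bit_length() + 7) // 8 or 1, "big")
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_bytes + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def create_puzzle(record: bytes, t: int) -> dict:
    """Seal `record` so that opening it requires t sequential squarings mod N.

    The sealer knows PHI, so it computes the solution key a^(2^t) mod N
    cheaply via the exponent 2^t mod PHI instead of doing the t squarings.
    """
    while True:
        a = secrets.randbelow(N - 2) + 2
        if gcd(a, N) == 1:  # Euler's theorem needs a base coprime to N
            break
    key = pow(a, pow(2, t, PHI), N)
    sealed = _xor(record, _keystream(key, len(record)))
    return {"n": N, "a": a, "t": t, "ciphertext": sealed}


def sequential_key(puzzle: dict) -> int:
    """Derive the key the slow way: t squarings, one after another.

    Without PHI no shortcut is known, so the delay is enforced by the
    squaring chain itself rather than by any trusted party.
    """
    x = puzzle["a"]
    for _ in range(puzzle["t"]):
        x = x * x % puzzle["n"]
    return x


def solve_puzzle(puzzle: dict) -> bytes:
    """Open a sealed record by paying the full sequential cost."""
    ct = puzzle["ciphertext"]
    return _xor(ct, _keystream(sequential_key(puzzle), len(ct)))


if __name__ == "__main__":
    # Constructed sample detection record; the auditor sees it only after the delay.
    record = b"2019-11-15T10:02:11Z match sig=DEMO-0001 src=10.0.0.7 dst=10.0.0.9"
    puzzle = create_puzzle(record, t=20000)
    print(solve_puzzle(puzzle))
```

The sealer's shortcut and the solver's chain agree exactly because both compute a^(2^t) mod N; only the sealer can take the shortcut. Two caveats matter in practice: t must be calibrated against the fastest available sequential squaring hardware, since that is what sets the real-time delay, and a puzzle of this kind requires the sealer to compute the solution up front for every record, which is the limitation that time-lock encryption schemes (as opposed to puzzles) set out to remove.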

Published in: CYSARM'19: Proceedings of the 1st ACM Workshop on Cyber-Security Arms Race, November 2019, 59 pages. ISBN 9781450368407. DOI: 10.1145/3338511.

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

  1. secure pattern matching
  2. time-lock encryption
  3. zero-day vulnerability

Qualifiers

  • Research-article

Conference: CCS '19
