AI-driven Security

[On-going Project] (Semi-) Automated Evolving IDS Loop

We design and implement a framework for an ever-evolving network intrusion detection system based on both signature and anomaly based detection mechanisms. Not only focusing on detection, the framework aims to make an intrusion detection system evolving based on observed events to improve its accuracy.

I am looking for graduated students/postdocs on this project.

 – Role: implementing the framework with Python and conducting experiments.
 – The program will include the weekly discussion on the project and the weekly internal lecture (online/offline) about computer networks and security by Prof. Hyunwoo Lee.
 – You will learn what intrusion detection systems are, how they detect anomalies, and what challenges the systems should address.

[On-going Project] AI Model Security Evaluation Framework

We design and implement a framework to evaluate AI models against adversarial events. We will study adversarial attacks targeting AI models and develop a framework to evaluate the models against known attacks and generate samples to make the models resilient to the attacks.

I am looking for graduated students/postdocs on this project.

 – Role: reading the papers, listing the known adversarial ML attacks, and implementing the framework based on Python. You will be one of the coauthors of the paper if you contribute to this project.
 – The program will include the weekly discussion on the project and the weekly internal lecture (online/offline) about computer networks and security by Prof. Hyunwoo Lee. 
 – You will learn adversarial machine learning techniques, Python programming skills to implement the system.

[On-going Project] A Framework to Create Labeled Dataset for IoT Security

We design and implement a framework to automatically generate labeled dataset for IoT security. As threat patterns evolve over time and are diversified and complicated with multiple steps, it is challenging to get suitable labeled datasets in a short time to avoid such attacks in a timely manner. To address the issue, we are developing the framework. Furthermore, research communities will benefit from our framework since the framework can provide sufficient number of datasets to design and implement useful detection systems.

I am looking for graduated students/postdocs on this project.

– Role: reading the whitepapers about the APT attacks, implementing the framework, and generating the datasets
– The program will include the weekly discussion on the project and the weekly internal lecture (online/offline) about computer networks and security by Prof. Hyunwoo Lee.
– You will learn how attackers perform attacks in multisteps, what the framework is, and what the challenges are for the machine learning techniques.

AppSniffer: Towards Robust Mobile App Fingerprinting Against VPN

App fingerprinting is a useful data analysis technique for network administrators, marketing agencies, and security analysts. Although there have been many app fingerprinting techniques, it is challenging to identify mobile apps if they are running over vitual private networks (VPNs) as VPNs changes patterns of networking packets that mobile apps generate and thus, none of them successfully identifies mobile apps over VPNs. To overcome such a shortcoming, we propose a framework, dubbed AppSniffer, to identify mobile apps running over VPN, using AI techniques. It uses a two-stage classification process for mobile app fingerprinting. In the first stage, AppSniffer distinguishes VPN traffic from normal traffic; in the second stage, it uses the optimal model for each traffic type. Specifically, we proposes a stacked ensemble model using Light Gradient Boosting Machine (LightGBM) and a FastAI library-based neural network model to identify applications’ traffic when a VPN is used.  This work is collaborative work with KENTECH, SKKU, and Purdue, and is published at WWW ’23 [Paper].

IoTEDef: An Infection-Identifying and Self-Evolving System for IoT Early Defense from Multi-Step Attacks

IoTEDef is an IDS to do early detection before an attacker acquires a foothold. It models a multi-step attack based on a cyber kill-chain framework. It improves an early detector based on observations of later attack events. To understand the context of the multi-step attack, it leverages the attention mechanism that is widely used in the NLP techniques. This research is collaborated with Purdue University and CISCO Research.

This work is published at ESORICS ’22 [Paper].

Verifying Security Properties of Systems

[On-going Project] Security Analysis of Energy Systems

We aims to verify security of protocols used in energy systems based on specifications such as IEC 61850, IEC 62351, or IEEE 1547.3. To analyze the security of the systems, we leverage the formal method (e.g., modeling the system by finite state machines and verifying security properties on their execution).

I am looking for graduated students/postdocs on this project.
 – Role: reading the specifications and understanding how the energy systems work. You will be one of the coauthors of the paper if you contribute to this project.
 – The program will include the weekly discussion on the project and the weekly internal lecture (online/offline) about computer networks and security by Prof. Hyunwoo Lee. 
 – You will learn computer networks, protocols, security concepts, energy systems, and formal verification.

VWAnalyzer: A Systematic Security Analysis Framework for the Voice over WiFi Protocol

Voice over WiFi (VoWiFi or WiFi-calling) is a voice service provided by mobile carriers to improve coverage. It leverages the Internet to make and receive calls. We verify the security properties of VoWiFi following the framework, VWAnalyzer, which we design and implement. We find three denial-of-service attacks.

This work is published at ASIACCS ’22 [Paper].

Analyzing Spatial Differences in the TLS Security of Delegated Web Services

To provide fast delivery, web services use content delivery networks (CDNs) where the security configurations of distributed servers may vary spatially depending on the managing entities or locations. We design an attack called the TELEPORT attack that leverages this hole in the TLS security of delegated web services. We analyze the impact of the attack in the real-world and implement the attack.

This work is published at ASIACCS ’21 [Paper].

TLS 1.3 in Practice: How TLS 1.3 Contributes to the Internet

Transport Layer Security (TLS) is the most widely used security protocol in the Internet. We analyze whether TLS 1.3, the latest version of TLS, is well deployed or not in terms of adoption, security, performance, and implementation. To this end, we adopt temporal, spatial, and platform based methodology. We analyze 687M TLS connections collected for 837 days and 3M TLS connections collected from eight different regions.

This work is published at WWW ’21 [Paper].

Design of New Security Protocols

[On-going Project] Addressing Challenges of Applying TLS in the Edge Computing

Edge computing is a promising platform that aims to provide fast processing and response for users. It is a large distributed infrastructure to locate serving machines close to users. However, it increases attack surfaces especially for edge devices which are usually considered devices with lower capabilities compared with common servers. This makes applying TLS to the edge computing platform challenging. We are extending the TLS protocol addressing such challenges.

I am looking for graduated students/postdocs on this project.
 – Role: proof-reading the source codes written in C with some assignments and setting up the testbed for the experiments. You will be one of the coauthors of the paper if you contribute to this project.
– The program will include the weekly discussion on the project and the weekly internal lecture (online/offline) about computer networks and security by Prof. Hyunwoo Lee.
– You will learn C programming with computer system concepts like caching, CPU security, and threading, and setting up the testbed with understanding computer networking concepts.

ZTLS: A DNS-based Approach to Zero Round Trip in TLS handshake

Establishing secure connections fast to end-users is crucial to online services. However, fetching the intended data securely requires a client to establish a TLS session with a server, which introduces latency due to a DNS lookup, a TCP handshake, and one round trip time (RTT) to negotiate a session key. To reduce such overheads, we propose ZTLS that eliminates the 1-RTT latency for the TLS handshake by leveraging the DNS. In ZTLS, a server distributes TLS handshake-related data (i.e., Diffie-Hellman elements), dubbed Z-data, as DNS records in advance. Then, a ZTLS client fetches Z-data during DNS lookups and derive a session key. With the session key, the client can send encrypted data along with the TLS handshake, achieving 0-RTT. This technique is one of the building blocks to secure energy systems with marginal overheads in communications. The work is collaborative work with KENTECH and SNU, and is published at WWW ’23 [Paper].

mqTLS: Toward Secure MQTT Communication with an Untrusted Broker

The publisher-subscriber (pub/sub) paradigm is one of the promising communication models to meet the requirements such as interoperability and support of heterogeneity for the Internet-of-Things (IoT). Message Queueing Telemetry Transport (MQTT), one of the protocols based on the pub/sub model, is widely used in practice with public brokers. However such brokers are intrinsically a man-in-the-middle between clients; thus, a broker can read and alter all the messages delivered from publishers to subscribers. We design and implement mqTLS, an MQTT-aware secure communication protocol among publishers, subscribers, and brokers. We define security semantics for the pub/sub model and apply this concept to the new protocol.

This work is published at ICTC ’19 [Paper].

maTLS: How to Make TLS middlebox-aware?

Middleboxes are widely deployed in order to enhance security and performance in networking. As communication over TLS becomes increasingly common, however, the end-to-end channel model of TLS undermines the efficacy of middleboxes. We design and implement the middlebox-aware TLS protocol (maTLS) that authenticates middleboxes, verifies the security parameters of segments, and audits the middleboxes’ write operations during the protocol execution. We also prove the security model of maTLS by using TAMARIN.

This work is published at NDSS ’19 [Paper].