Monday, December 6, 2004
2:30 PM - 3:30 PM
3331 CS
|
John Kelsey
Certicom
Compression and Information Leakage of Plaintext
Fast Software Encryption 2002
URL: http://www.springerlink.com/link.asp?id=aflnql1jf23a5766
Cryptosystems like AES and triple-DES are designed
to encrypt a sequence of input bytes (the plaintext)
into a sequence of output bytes (the ciphertext) in
such a way that the output carries no information
about that plaintext except its length. In recent
years, concerns have been raised about
"side-channel" attacks on various
cryptosystems-attacks that make use of some kind of
leaked information about the cryptographic
operations (e.g., power consumption or timing) to
defeat them. In this paper, we describe a somewhat
different kind of side-channel provided by data
compression algorithms, yielding information about
their inputs by the size of their outputs. The
existence of some information about a compressor's
input in the size of its output is obvious; here, we
discuss ways to use this apparently very small leak
of information in surprisingly powerful ways.
|
Monday, December 13, 2004
2:30 PM - 3:30 PM
3331 CS
|
Sumeet Singh
Cristian Estan
George Varghese
Stefan Savage
Sumeet Singh, Cristian Estan, George Varghese, Stefan Savage
UCSD
Automated Worm Fingerprinting
OSDI'04
URL: http://www.cs.ucsd.edu/~savage/papers/OSDI04.pdf
Network worms are a clear and growing threat to the
security of today's Internet-connected hosts and
networks. The combination of the Internet's
unrestricted connectivity and widespread software
homogeneity allows network pathogens to exploit
tremendous parallelism in their propagation. In
fact, modern worms can spread so quickly, and so
widely, that no human-mediated reaction can hope to
contain an outbreak.
In this paper, we propose an automated approach for
quickly detecting previously unknown worms and
viruses based on two key behavioral
characteristics—a common exploit sequence together
with a range of unique sources generating infections
and destinations being targeted. More importantly,
our approach—called "content sifting"—automatically
generates precise signatures that can then be used
to filter or moderate the spread of the worm
elsewhere in the network.
Using a combination of existing and novel algorithms
we have developed a scalable content sifting
implementation with low memory and CPU
requirements. Over months of active use at UCSD, our
Earlybird prototype system has automatically
detected and generated signatures for all pathogens
known to be active on our network as well as for
several new worms and viruses which were unknown at
the time our system identified them. Our initial
experience suggests that, for a wide range of
network pathogens, it may be practical to construct
fully automated defenses—even against so-called
"zero-day" epidemics.
|
