58 results found
Al Wahaibi S, Foley M, Maffeis S, 2023, SQIRL: Grey-box detection of SQL injection vulnerabilities using reinforcement learning, USENIX Security, Publisher: USENIX Security, Pages: 6097-6114
Web security scanners are used to discover SQL injectionvulnerabilities in deployed web applications. Scanners tendto use static rules to cover the most common injection cases,missing diversity in their payloads, leading to a high volumeof requests and false negatives. Moreover, scanners oftenrely on the presence of error messages or other significantfeedback on the target web pages, as a result of additionalinsecure programming practices by web developers.In this paper we develop SQIRL, a novel approach to detecting SQL injection vulnerabilities based on deep reinforcementlearning, using multiple worker agents and grey-box feedback.Each worker intelligently fuzzes the input fields discoveredby an automated crawling component. This approach generates a more varied set of payloads than existing scanners,leading to the discovery of more vulnerabilities. Moreover,SQIRL attempts fewer payloads, because they are generatedin a targeted fashion.SQIRL finds all vulnerabilities in our microbenchmark forSQL injection, with substantially fewer requests than mostof the state-of-the-art scanners compared with. It also significantly outperforms other scanners on a set of 14 productiongrade web applications, discovering 33 vulnerabilities, withzero false positives. We have responsibly disclosed 22 novelvulnerabilities found by SQIRL, grouped in 6 CVEs.
Foley M, Maffeis S, 2023, HAXSS: Hierarchical reinforcement learning for XSS payload generation, IEEE TrustCom 2022, Publisher: IEEE, Pages: 147-158
Web application vulnerabilities are an ongoing problem that current black-box techniques and scanners do not entirely solve, suffering in particular from a lack of payload diversity that prevents them from capturing the long tail of vulnerabilities caused by uncommon sanitisation mistakes.In order to increase the diversity of payloads that can be automatically generated in a black-box fashion, we develop a hierarchical reinforcement learning approach where agents focus separately on the tasks of escaping the current context, and evading sanitisation. We implement this in an end-to-end prototype we call HAXSS. We compare our approach against a number of state-of-the-art black-box scanners on a new micro-benchmark for XSS payload generation, and on a macro-benchmark of established vulnerableweb applications. HAXSS outperforms the other scanners on both benchmarks, identifying 131 vulnerabilities (a 20% improvement over the closest scanner), reporting 0 false positives. Finally, we demonstrate that our approach is practically useful, as HAXSS re-discovers 4 existing CVEs and discovers 5 new CVEs in 3 production-grade web applications.
Alageel A, Maffeis S, 2022, EARLYCROW: Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries, 25th International Conference, ISC 2022, Publisher: Springer International Publishing, Pages: 290-316
Advanced Persistent Threats (APTs) are among the most sophisticated threats facing critical organizations worldwide. APTs employ specific tactics, techniques, and procedures (TTPs) which make them difficult to detect in comparison to frequent and aggressive attacks. In fact, current network intrusion detection systems struggle to detect APTs communications, allowing such threats to persist unnoticed on victims' machines for months or even years.
Rabheru R, Hanif H, Maffeis S, 2022, A Hybrid Graph Neural Network Approach for Detecting PHP Vulnerabilities, 5th IEEE Conference on Dependable and Secure Computing (IEEE DSC), Publisher: IEEE
Hanif H, Maffeis S, 2022, VulBERTa: Simplified Source Code Pre-Training for Vulnerability Detection, IEEE International Conference on Fuzzy Systems (FUZZ-IEEE) / IEEE World Congress on Computational Intelligence (IEEE WCCI) / International Joint Conference on Neural Networks (IJCNN) / IEEE Congress on Evolutionary Computation (IEEE CEC), Publisher: IEEE, ISSN: 2161-4393
Rabheru R, Hanif H, Maffeis S, 2021, DeepTective: Detection of PHP vulnerabilities using hybrid graph neural networks, Pages: 1687-1690
This paper presents DeepTective, a deep learning-based approach to detect vulnerabilities in PHP source code. DeepTective implements a novel hybrid technique that combines Gated Recurrent Units and Graph Convolutional Networks to detect SQLi, XSS and OSCI vulnerabilities leveraging both syntactic and semantic information. Experimental results show that our model outperformed related solutions on both synthetic and realistic datasets, and was able to discover 4 novel vulnerabilities in established WordPress plugins.
Alageel A, Maffeis S, 2021, Hawk-Eye: holistic detection of APT command and control domains, SAC '21: The 36th ACM/SIGAPP Symposium on Applied Computing, Publisher: ACM, Pages: 1664-1673
The high complexity and low volume of APT attacks has lead to limited insight into their behavior and to a scarcity of data, hindering research on effective detection techniques. In this paper we present a comprehensive study of the usage of domains in the context of the Command and Control (C&C) infrastructure of APTs, covering 63 APT campaigns spanning the last 13 years. We discuss the APT threat model, focusing in particular on evasion techniques, and collect an extensive dataset for studying APT C&C domains.Based on the gained insight, we propose a number of novel features to detect APTs, leveraging both semantic properties of the domains themselves and structural properties of their DNS infrastructure. We build Hawk-Eye, a system to classify domain names extracted from PCAP files, and use it to evaluate the performance of the various features we studied, and compare them to malicious domain detection features from the literature. We find that a holistic approach combining selected orthogonal features achieves the best performance, with an F1-score of 98.53% and a FPR of 0.35%.
Zizzo G, Hankin C, Maffeis S, et al., 2020, Adversarial attacks on time-series intrusion detection for industrial control systems, The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Publisher: Institute of Electrical and Electronics Engineers
Neural networks are increasingly used for intrusiondetection on industrial control systems (ICS). With neuralnetworks being vulnerable to adversarial examples, attackerswho wish to cause damage to an ICS can attempt to hidetheir attacks from detection by using adversarial exampletechniques. In this work we address the domain specificchallenges of constructing such attacks against autoregressivebased intrusion detection systems (IDS) in a ICS setting.We model an attacker that can compromise a subset ofsensors in a ICS which has a LSTM based IDS. The attackermanipulates the data sent to the IDS, and seeks to hide thepresence of real cyber-physical attacks occurring in the ICS.We evaluate our adversarial attack methodology on theSecure Water Treatment system when examining solely continuous data, and on data containing a mixture of discrete andcontinuous variables. In the continuous data domain our attacksuccessfully hides the cyber-physical attacks requiring 2.87 outof 12 monitored sensors to be compromised on average. Withboth discrete and continuous data our attack required, onaverage, 3.74 out of 26 monitored sensors to be compromised.
Zizzo G, Hankin C, Maffeis S, et al., 2019, Adversarial machine learning beyond the image domain, the 56th Annual Design Automation Conference 2019, Publisher: ACM Press
Machine learning systems have had enormous success in a wide range of fields from computer vision, natural language processing, and anomaly detection. However, such systems are vulnerable to attackers who can cause deliberate misclassification by introducing small perturbations. With machine learning systems being proposed for cyber attack detection such attackers are cause for serious concern. Despite this the vast majority of adversarial machine learning security research is focused on the image domain. This work gives a brief overview of adversarial machine learning and machine learning used in cyber attack detection and suggests key differences between the traditional image domain of adversarial machine learning and the cyber domain. Finally we show an adversarial machine learning attack on an industrial control system.
Barrere Cambrun M, Hankin C, Barboni A, et al., 2019, CPS-MT: a real-time cyber-physical system monitoring tool for security Research, 24th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA2018), Publisher: IEEE
Monitoring systems are essential to understand and control the behaviour of systems and networks. Cyber-physical systems (CPS) are particularly delicate under that perspective since they involve real-time constraints and physical phenomena that are not usually considered in common IT solutions. Therefore, there is a need for publicly available monitoring tools able to contemplate these aspects. In this poster/demo, we present our initiative, called CPS-MT, towards a versatile, real-time CPS monitoring tool, with a particular focus on security research. We first present its architecture and main components, followed by a MiniCPS-based case study. We also describe a performance analysis and preliminary results. During the demo, we will discuss CPS-MT’s capabilities and limitations for security applications.
Zizzo G, Hankin C, Maffeis S, et al., 2019, Deep Latent Defence., CoRR, Vol: abs/1910.03916
Zizzo G, Hankin C, Maffeis S, et al., 2019, Intrusion Detection for Industrial Control Systems: Evaluation Analysis and Adversarial Attacks., CoRR, Vol: abs/1911.04278
Arceri V, Maffeis S, 2016, Abstract domains for type juggling, Numerical and Symbolic Abstract Domains (NSAD), Publisher: Elsevier, ISSN: 1571-0661
Bella G, Maffeis S, 2016, Special track on computer security: editorial message, SAC 20116, Publisher: ACM, Pages: 2031-2032
Hothersall-Thomas C, Maffeis S, Novakovic C, 2015, BrowserAudit: Automated testing of browser security features, New York, NY, 2015 International Symposium on Software Testing and Analysis, Publisher: Association for Computing Machinery, Pages: 37-47
The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.
Bella G, Maffeis S, 2015, 2015 Special Track on Computer Security, Pages: 2125-2126
Bansal C, Bhargavan K, Delignat-Lavaud A, et al., 2014, Discovering concrete attacks on website authorization by formal analysis, Journal of Computer Security, Vol: 22, Pages: 601-657
Filaretti D, Maffeis S, 2014, An Executable Formal Semantics of PHP, European Conference on Object-Oriented Programming (ECOOP'14), Pages: 120-145
Bansal C, Bhargavan K, Delignat-Lavaud A, et al., 2013, Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage, Conference on Principles of Security and Trust (POST'13), Pages: 126-146
Bhargavan K, Delignat-Lavaud A, Maffeis S, 2013, Language-based defenses against untrusted browser origins, 22nd Usenix Security Symposium, Pages: 653-670
Maffeis S, Rezk T, 2012, PLAS'12 - Proceedings of Programming Languages and Analysis for Security: Preface, PLAS'12 - Proceedings of Programming Languages and Analysis for Security
Bansal C, Bhargavan K, Maffeis S, 2012, Discovering Concrete Attacks on Website Authorization by Formal Analysis, 25th Computer Security Foundations Symposium, Pages: 247-262, ISSN: 1940-1434
Maffeis S, Mitchell JC, Taly A, 2010, Object Capabilities and Isolation of Untrusted Web Applications, Symposium on Security and Privacy, Publisher: IEEE COMPUTER SOC, Pages: 125-140, ISSN: 1081-6011
Maffeis S, Mitchell JC, Taly A, 2010, Object capabilities and isolation of untrusted web applications, Departmental Technical Report: 10/6, Publisher: Department of Computing, Imperial College London, 10/6
This data is extracted from the Web of Science and reproduced under a licence from Thomson Reuters. You may not copy or re-distribute this data in whole or in part without the written consent of the Science business of Thomson Reuters.