Reading Group

Note: The "Reading Group" has been suspended since Fall 2022, and may be resumed sometime in the future. Please stay tuned.

Introduction

  • The "Reading Group for Networking, Systems, and Security" is a bi-weekly meeting series for all relevant and interested faculty and research students in the Department of Computer Science at the University of Oregon. All other audience members are also welcome.
  • In each meeting, we will have a student give a presentation on one of the following items and lead the discussion: (1) the student's own research, if sufficiently mature; (2) a paper from a top conference; (3) a tutorial on a system, tool, algorithm, or theory; (4) a survey of an area or topic. To make the best use of time, regarding "(2)", "(3)" and "(4)", the presenter may consider choosing papers that relate to one's own research and those that one presumably would read anyway. In the future, we also plan to have talks from our faculty members or external speakers.
  • Each meeting should not be longer than 1 hour, including Q & A.
  • Location and time (for Spring 2022): Zoom, 4-5 PM on Tuesday.

Schedule

Date Speaker Title Abstract
05/31/2022 [Cancelled]
05/17/2022 Sabira Khanam Shorna Paper Review: Compromised or Attacker-Owned: A Large Scale Classification and Study of Hosting Domains of Malicious URLs
The mitigation action against a malicious website may differ greatly depending on how that site is hosted. If it is hosted under a private apex domain, where all its subdomains and pages are under the apex domain owner’s direct control, we could block at the apex domain level. If it is hosted under a public apex domain though (e.g., a web hosting service provider), it would be more appropriate to block at the subdomain level. Further, for the former case, the private apex domain may be legitimate but compromised, or maybe attacker-generated, which, again, would warrant different mitigation actions: attacker-owned apex domains could be blocked permanently, while only temporarily for compromised ones. In this paper, we study over eight hundred million Virus-Total (VT) URL scans from Aug. 1, 2019 to Nov. 18, 2019 and build the first content agnostic machine learning models to distinguish between the above-mentioned different types of apex domains hosting malicious websites. Specifically, we first build a highly accurate model to distinguish between public and private apex domains. Then we build additional models to further distinguish compromised domains from attacker-owned ones. Utilizing our trained models, we conduct a large-scale study of the host domains of malicious websites. We observe that even though public apex domains are less than 1% of the apexes hosting malicious websites, they amount to a whopping 46.5% of malicious web pages seen in VT URL feeds during our study period. 19.5% of these public malicious websites are compromised. Out of the remaining websites (53.5%), which are hosted on private apexes, we observe that attackers mostly compromise benign websites (65.6%) to launch their attacks, whereas only 34.4% of malicious websites are hosted on domains registered by attackers. Overall, we observe the concerning trend that the majority (81.7%) of malicious websites are hosted under apex domains that attackers do not own.
05/03/2022 Jiaming Yuan Paper Review: Forward and Backward Private Conjunctive Searchable Symmetric Encryption
I will introduce the paper "Forward and Backward Private Conjunctive Searchable Symmetric Encryption," published at NDSS 2021. The paper proposed searchable symmetric encryption (SSE) for dynamic updates and conjunctive keyword search. It achieves forward and backward privacy. Forward privacy makes it hard for the server to correlate an update operation with previously executed search operations. Backward privacy limits the amount of information learned by the server about documents that have already been deleted from the database.
04/19/2022 Anthony Dario Paper Review: Optimal Admission Control Mechanism Design for Time-Sensitive Services in Edge Computing
Edge computing is a promising solution for reducing service latency by provisioning time-sensitive services directly from the network edge. However, upon workload peaks at the resource-limited edge, an edge service has to queue service requests, incurring high waiting time. Such quality of service (QoS) degradation ruins the reputation and reduces the long-term revenue of the service provider. To address this issue, we propose an admission control mechanism for time-sensitive edge services. Specifically, we allow the service provider to offer admission advice to arriving requests regarding whether to join for service or balk to seek alternatives. Our goal is twofold: maximizing revenue of the service provider and ensuring QoS if the provided admission advice is followed. To this end, we propose a threshold structure that estimates the highest length of the request queue. Leveraging such a threshold structure, we propose O2A, a mechanism to balance the trade-off between increasing revenue from accepting more requests and guaranteeing QoS by advising requests to balk. Rigorous analysis shows that O2A achieves the goal and that the provided admission advice is optimal for end-users to follow. We further validate O2A through trace-driven simulations with both synthetic and real-world service request traces.
04/05/2022 [Cancelled]
03/09/2022 Chris Misa Hunting for DDoS Sources among the Prefix Trees
Despite wide-ranging efforts in the research community, defending against DDoS attacks from an enterprise or ISP perspective is still an open, challenging question. While recent work has demonstrated that programmable switch hardware provides a cost-effective method for defending against such attacks, the proposed systems rely on statistical methods that introduce non-negligible false positives and operate essentially as black boxes, impenetrable to runtime introspection. In this work we argue that DDoS defense systems should instead focus on the traffic monitoring capabilities of programmable switch hardware to execute more precise deployment of mitigation mechanisms. In particular, we leverage the observation that attack sources are not uniformly distributed across IP address space to develop an iterative, prefix-based method for identifying attack sources. Our initial evaluation shows that our method can reduce false-positive rates by up to two orders of magnitude while still mitigating 99% of attack traffic.
02/23/2022 [Cancelled]
02/09/2022 Sanidhay Arora Decentralized Finance Security and Flash Loans
Decentralized Finance (DeFi) is a blockchain-powered peer-to-peer financial system. Two years ago the total value locked in DeFi systems was approximately $700M; now, as of February 2022, it stands at around $200B. This presentation aims to delineate the DeFi ecosystem along the following axes: its primitives, its operational protocol types, and its security. Next, it draws a distinction between technical security and economic security, which is largely unexplored, thereby synthesizing insights from computer science, economics, and finance. Then, it discusses some open research challenges and basic fundamentals of Automated Market Maker based Decentralized Exchanges (AMM-based DEXs). Finally, it seeks to explain what flash loans are and the security aspects concerning flash loans in DeFi, especially AMM-DEXs.
01/26/2022 Jared Hall DRAEC: A Real-Time Edge Computing Framework for Enforcing Operational Policy in CPS-IoT Systems
As Cyber Physical-Internet of Things Systems (CPS-IoT Systems) continue to advance, we have noticed an expansion of the variety of entity types deployed in these systems. With this expansion, the complexity of handling vastly different communication protocols, processes, and data within the system in a timely manner has become a significant challenge. This expansion is especially pertinent for CPS-IoT control systems that leverage this data to manage a user’s physical environment (e.g., smart home or smart factory) autonomously since these data sources possess far more characteristics than the scalar data acquired by traditional CPS-IoT entities, which leads to an increase in processing time. One potential method of quickly processing this data is to push essential computation concerning the Transitional State Change (TSC) feedback loop from the cloud to the edge of the system. In this paper, we propose DRAEC, a novel edge computing framework that uses agent-based Artificial Intelligence (AI) and Complex-Event Processing (CEP) to significantly decrease the latency of the TSC feedback loop and subsequently increase the system’s scalability. This increase in performance is achieved by using a CEP system to synthesize discrete events from CPS-IoT entity telemetry, which our novel Dynamic Reactive Agent then uses to quickly generate and enforce controls on a user’s physical environment via a user-defined operational policy. We then present supporting results, showing that our novel edge computing framework enables a CPS-IoT control system to outperform a cloud-centric variant by 20-43x (depending on the connection type) when comparing the latency of the TSC feedback loop; it also enables support of significantly larger scale (10-100x) systems while maintaining the same level of service as the cloud-centric version.
01/12/2022 Chris Misa Dynamic Scheduling of Approximate Telemetry Queries
Network telemetry systems provide critical visibility into the state of networks. While significant progress has been made by leveraging programmable switch hardware to scale these systems to high and time-varying traffic workloads, less attention has been paid towards efficiently utilizing limited hardware resources in the face of dynamics such as the composition of traffic as well as the number and types of queries running at a given point in time. Both these dynamics have implications on resource requirements and query accuracy. In this talk, we argue that this dynamics problem motivates reframing telemetry systems as resource schedulers---a significant departure from state-of-the-art. More concretely, rather than statically partition queries across hardware and software platforms, telemetry systems ought to decide on their own and at runtime when and for how long to execute the set of active queries on the data plane. We describe our work towards this goal on a system called DynATOS. DynATOS is a hardware prototype built around a reconfigurable approach to ASIC programming which leverages a novel approximation and scheduling algorithm to expose accuracy and latency tradeoffs with respect to query execution to reduce hardware resource usage. We show that our approach is more robust than state-of-the-art methods to traffic dynamics and can execute dynamic workloads comprised of multiple concurrent and sequential queries of varied complexities on a single switch while meeting per-query accuracy and latency goals.
12/01/2021 Matthew Hall ALP WOLF: API for Link-Flood Protection with Optical Layer Functions
Distributed denial-of-service (DDoS) attacks are a clear and present threat to both today's and future network infrastructures. Attacks are constantly growing in sophistication with new threats emerging and likely amplified with other technology trends (e.g., amplification, IoT botnets, 5G connectivity). While great progress has been made in devising many types of mitigation strategies, they are found wanting in light of advanced large-scale attacks and our ability to minimize the impact of the attacks on legitimate services. In this work, we explore a new opportunity for bolstering our DDoS defense arsenal by leveraging recent advances in programmable optics. We envision an optics-enabled In-network defense for extreme Terabit DDoS attacks (ONSET). Our approach seeks to isolate and steer attack traffic by dynamic reconfiguration of (backup) wavelengths. This physical isolation of attack traffic enables finer-grained handling of suspicious flows and offers better performance for legitimate traffic in the face of large-scale attacks. In this position paper, we demonstrate the preliminary promise of this vision and identify several open problems at the intersection of security, optical, and systems communities.
11/17/2021 Zhangxiang Hu Zero-Knowledge Proof and Its Applications
Zero-Knowledge Proof (ZKP) is a cryptographic primitive that allows one party (prover) to prove to another party (verifier) that a certain statement is true without revealing or leaking any useful information. For example, in a 3-coloring problem, given a graph G, Alice can convince Bob that she knows an assignment of colors for each vertex in G such that no two adjacent vertices have the same color. During the proof, Alice leaks no information about the color assignment to Bob. ZKP is used in many privacy-related areas such as networking security, privacy-preserving machine learning, cloud computing, blockchain, etc. In this talk, I will explain what ZKP is and show how to construct ZKPs for different problems. In addition, I will introduce a special variant in ZKP: the Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (ZK-SNARK) where a verifier can check if a computation (e.g., evaluation of a polynomial) is correct without actually computing it. ZK-SNARK is widely adopted in blockchain for users to check the validity of transactions without learning anything about the details of transactions. In our ongoing research, ZK-SNARK is considered a potential solution to achieve privacy in decentralized exchanges (DEX) with automated market makers (AMM).
11/03/2021 Lumin Shi The Catch-22 Attack: A New DDoS Paradigm
We introduce the Catch-22 attack, a link-flooding attack that imposes a DDoS mitigation dilemma on multiple attacked networks simultaneously — either enduring the attack or bearing undesirable side effects in attack mitigation. In this work, we survey the DDoS mitigation solutions in practice, examine their operational requirements, capability, and implications. Based on the survey result, we developed three mitigation models and evaluated the Catch-22 attack against them. This novel attack is composed of practical attack techniques. In this attack, adversaries leverage different service providers (e.g., cloud providers, residential proxy providers, DDoS-for-hire markets) as vehicles for assembling botnets. They attack multiple networks simultaneously to maximize the amount of strain on DDoS defense systems and the collateral damage incurred by defending networks, thereby wreaking havoc on wide swaths of the Internet. We show that the Catch-22 attack can cause significant collateral damage over a wide range of services to many attacked networks. Fundamentally, the Catch-22 attack is a lens to examine the design issues of the DDoS defense systems today. We quantitatively show the damage the Catch-22 attack can cause to networks with different mitigation profiles. To the best of our knowledge, no existing work has yet to present a solution for such an attack, let alone study it.
10/20/2021 Yebo Feng CJ-Sniffer: Content-Agnostic Detection of Cryptojacking in Network Traffic
With the continuous appreciation of cryptocurrency, cryptojacking, the act by which computing resources are stolen to mine cryptocurrencies, is becoming more rampant. In this talk, we introduce CryptoJacking-Sniffer (CJ-Sniffer), an easily deployable, privacy-aware approach to protecting all the devices within a network against cryptojacking. Compared with existing approaches that suffer from privacy concerns or high overhead, CJ-Sniffer only needs to access anonymized, content-agnostic metadata of network traffic from the gateway of the network to efficiently detect cryptojacking activities. After leveraging a preset statistical model to locate all cryptocurrency mining traffic, CJ-Sniffer extracts variation vectors from packet intervals and utilizes a long short-term memory (LSTM) network to further identify cryptojacking traffic. CJ-Sniffer is the first to distinguish cryptojacking traffic from normal cryptocurrency mining traffic, making it possible to only filter cryptojacking traffic, rather than blindly filtering all cryptocurrency mining traffic as is common practice.