DC-Area Anonymity, Privacy, and Security Seminar
Fall 2016 Seminar
Friday, October 21st, 2016
1:00 p.m. - 4:30 p.m.
Location: Science and Engineering Hall (SEH), B1270 (floor B1)
The George Washington University
(800 22nd St. NW; Washington, DC)
Host: Poorvi Vora
1:00 p.m. - 1:25 p.m.
Speaker: Arjun Bhagoji (Princeton University)
Title: Dimensionality reduction as a defense against evasion attacks on machine learning classifiers [slides]
Abstract: Machine learning (ML) systems are ubiquitous in today's world, but their security properties are not well understood. A wide array of attacks against these systems has been proposed in the literature over the last few years. Evasion attacks are an important category of attacks where an adversary aims to induce the misclassification of an input by making some modifications to it. Evasion attacks have been demonstrated against a variety of common ML classifiers such as Support Vector Machines, Deep Neural Networks, Convolutional Neural Networks, etc. However, in spite of the relative abundance of attacks and the crucial role ML classifiers play in various sensitive applications, few defenses have been proposed against these attacks. In light of this, we propose and demonstrate the effectiveness of dimensionality reduction of data as a defense mechanism against common attacks in the literature. We demonstrate that reducing the dimension of data using techniques such as PCA significantly reduces adversarial success rates. Our defense is effective against a variety of attacks for several types of ML classifiers and can be used with minimal modification for any ML classifier. We show that there is no significant utility loss with our defense mechanism, and that it can even lead to utility gain in certain cases. Our empirical evaluation covers multiple datasets, ML classifiers, dimensionality reduction algorithms and attack strategies. We present a range of defenses for various adversarial threat models along with an analysis of their security, utility and performance tradeoffs. We also investigate the robustness of our defense against a novel attack optimized for it.
1:25 p.m. - 1:50 p.m.
Speaker: Aylin Caliskan-Islam (Princeton University)
Title: When Coding Style Survives Compilation: De-anonymizing Programmers from Executable Binaries [slides]
Abstract: The ability to identify authors of computer programs based on their coding style is a direct threat to the privacy and anonymity of programmers. While recent work found that source code can be attributed to authors with high accuracy, attribution of executable binaries appears to be much more difficult. Many potentially distinguishing features present in source code, e.g. variable names, are removed in the compilation process, and compiler optimization may alter the structure of a program, further obscuring features that are known to be useful in determining authorship. We examine executable binary authorship attribution from the standpoint of machine learning, using a novel set of features that include ones obtained by decompiling the executable binary to source code. We show that many syntactical features present in source code do in fact survive compilation and can be recovered from decompiled executable binaries. This allows us to use a powerful set of techniques from the domain of source code authorship attribution along with stylistic representations embedded in assembly, resulting in high-accuracy de-anonymization of a large set of programmers.
We demonstrate our evaluation on data from the Google Code Jam, obtaining attribution accuracy of up to 96% with 100 and 83% with 600 candidate programmers. For the first time, we demonstrate that our approach is robust to basic obfuscations, a range of compiler optimization settings, and binaries that have been stripped of their symbol tables. We perform programmer de-anonymization using both obfuscated binaries and real-world code found "in the wild" in single-author GitHub repositories and the recently leaked Nulled.IO hacker forum.
1:50 p.m. - 2:20 p.m.
2:20 p.m. - 2:45 p.m.
Speaker: Rob Jansen (U.S. Naval Research Laboratory)
Title: Safely Measuring Tor [slides] [paper]
Abstract: Tor is a popular network for anonymous communication. The usage and operation of Tor is not well-understood, however, because its privacy goals make common measurement approaches ineffective or risky. We present PrivCount, a system for measuring the Tor network designed with user privacy as a primary goal. PrivCount securely aggregates measurements across Tor relays and over time to produce differentially private outputs. PrivCount improves on prior approaches by enabling flexible exploration of many diverse kinds of Tor measurements while maintaining accuracy and privacy for each. We use PrivCount to perform a measurement study of Tor of sufficient breadth and depth to inform accurate models of Tor users and traffic. Our results indicate that Tor has 710,000 users connected but only 550,000 active at a given time, that Web traffic now constitutes 91% of data bytes on Tor, and that the strictness of relays' connection policies significantly affects the type of application data they forward.
2:45 p.m. - 3:10 p.m.
Speaker: Jason Suagee (National Institute of Standards and Technology)
Title: The Dual Query Algorithm in Practice: A report on experimental results using an implementation in Python [slides]
3:10 p.m. - 3:40 p.m.
3:40 p.m. - 4:05 p.m.
Speaker: Xiao Wang (University of Maryland, College Park)
Title: Faster Two-Party Computation Secure Against Malicious Adversaries in the Single-Execution Setting [slides] [paper]
Abstract: We propose a new protocol for two-party computation, secure against malicious adversaries, that is significantly faster than prior work in the single-execution (i.e., non-amortized) setting. In particular, our protocol requires only O(ρ) public key operations and ρ garbled circuits, where ρ is the statistical security parameter, whereas previous work with the same number of garbled circuits required either O(ρn) public-key operations (where n is the input/output length) or another execution of a separate malicious two-party protocol.
We implement our protocol to evaluate its performance. Our prototype is able to securely compute AES in only 65ms over a local-area network using a single thread without any pre-computation, only 3× slower than a semi-honest execution of the same functionality, and 22× faster than the best prior work in the single-execution setting. On a local-area network, our protocol requires around 20μs to process each input/output bit and around 4μs to process each AND gate, along with a fixed cost of around 23ms to compute the base oblivious transfers.
4:05 p.m. - 4:30 p.m.
Speaker: Daniel S. Roche (U.S. Naval Academy)
Title: POPE: Partial Order Preserving Encoding [slides]
Abstract: A standard technique for improving database access times is to compute and store a sorted index of some column. But if the database contents are encrypted, this sorting is impossible. The goal of Order-Preserving Encryption/Encoding (OPE) schemes is to reveal the plaintext order to the database server, thus allowing fast range queries, without revealing the full data contents. Unfortunately, a number of recent attacks on OPE have shown that revealing the order actually reveals even more information about the underlying data in many situations. Our new construction is called Partial OPE (POPE) because it only reveals a partial order of the underlying plaintexts, at least in the common use case where many insertions are followed by a relatively small number of queries. We show that this allows us to achieve better security and privacy, as well as better performance, than previous OPE schemes. This is joint work with Daniel Apon, Seung Geol Choi, and Arkady Yerukhimovich.
Directions: There are two building entrances on 22nd St. close to Eye and H Streets, respectively. See a university map here.
Transportation
By Car: There is visitor parking in the building at $23 maximum for the day. The parking entrance is on H St, between 22nd and 23rd, on the left if approaching from 23rd. For details, see here.
By Metro: The workshop is 2 blocks from the Foggy Bottom Metro Station, which is on the Blue and Orange Metro lines. The Metro Station has only one exit, on 23rd and Eye (I) Streets. Note that the Orange line will be slow (every 24 minutes only) between the Vienna and West Falls Church stops due to SafeTrack.
By City Bus (WMATA): See the city bus trip planner, the city bus system map, and the city bus stops near the Foggy Bottom Metro.