Shouhuai Xu | University of Colorado at Colorado Springs
Papers by Shouhuai Xu
Secure group communications are a mechanism facilitating protected transmission of messages from a sender to multiple receivers, and many emerging applications in both wired and wireless networks need the support of such a mechanism. There have been many secure group communication schemes in wired networks, which can be directly adopted in, or appropriately adapted to, wireless networks such as mobile ad hoc networks (MANETs) and sensor networks. In this paper we show that the popular group communication schemes that we have examined are vulnerable to the following attack: An outside adversary who compromises a certain legitimate group member could obtain all past and present group keys (and thus all the messages protected by them); this is in sharp contrast to the widely-accepted belief that such an adversary can only obtain the present group key (and thus the messages protected by it). In order to understand and deal with the attack, we formalize two security models for stateful and stateless group communication schemes. We show that some practical methods can make a subclass of existing group communication schemes immune to the attack.
The recently proposed cybersecurity dynamics approach aims to understand cybersecurity from a holistic perspective by modeling the evolution of the global cybersecurity state. These models describe the interactions between the various kinds of cyber attacks and the various kinds of cyber defenses that take place in complex networks. In this paper, we study a particular kind of cybersecurity dynamics caused by the interactions between two classes of attacks (called push-based attacks and pull-based attacks) and two classes of defenses (called preventive and reactive defenses). The dynamics was previously shown to be globally stable in a special regime of the parameter universe of a model with node-independent and edge-independent parameters, but little is known beyond this regime. In this paper, we prove that the dynamics is globally stable in the entire parameter universe of a more general model with node-dependent and edge-dependent parameters. This means that the dynamics always converges to a unique equilibrium. We also prove that the dynamics converges exponentially to the equilibrium except for a particular parameter regime, in which the dynamics converges polynomially. Since it is often difficult to compute the equilibrium, we propose bounds of the equilibrium and numerically show that these bounds are tighter than those proposed in the literature.
A class of the preventive and reactive cyber defense dynamics has recently been proven to be globally convergent, meaning that the dynamics always converges to a unique equilibrium whose location only depends on the values of the model parameters (but not the initial state of the dynamics). In this paper, we unify the aforementioned class of preventive and reactive cyber defense dynamics models and the closely related class of N-intertwined epidemic models into a single framework. We prove that the unified dynamics is still globally convergent under some mild conditions, which are naturally satisfied by the two specific classes of dynamics models mentioned above and are inevitable when analyzing a more general framework. We also characterize the convergence speed of the unified dynamics. As a corollary, we obtain that the N-intertwined epidemic model and its extension are globally convergent, together with a full characterization on their convergence speed, which is only partially addressed in the literature.
Voice Control Systems (VCSs) offer a convenient interface for issuing voice commands to smart devices. However, VCS security has yet to be adequately understood and addressed as evidenced by the presence of two classes of attacks: (i) inaudible attacks, which can be waged when the attacker and the victim are in proximity to each other; and (ii) audible attacks, which can be waged remotely by embedding attack signals into audios. In this paper, we introduce a new class of attacks, dubbed near-ultrasound inaudible trojan (NUIT). NUIT attacks achieve the best of the two classes of attacks mentioned above: they are inaudible and can be waged remotely. Moreover, NUIT attacks can achieve end-to-end unnoticeability, which is important but has not been paid due attention in the literature. Another feature of NUIT attacks is that they exploit victim speakers to attack victim microphones and their associated VCSs, meaning the attacker does not need to use any special speaker. We demonstrate the feasibility of NUIT attacks and propose an effective defense against them.
Our homes are increasingly employing various kinds of Internet of Things (IoT) devices, leading to the notion of smart homes. While this trend brings convenience to our daily life, it also introduces cyber risks. To mitigate such risks, the demand for smart home cyber insurance has been growing rapidly. However, there are no studies on analyzing the competency of smart home cyber insurance policies offered by cyber insurance vendors (i.e., insurers), where 'competency' means the insurer is profitable and smart home owners are not overly charged with premiums and/or deductibles. In this paper, we propose a novel framework for pricing smart home cyber insurance, which can be adopted by insurers in practice. Our case studies show, among other things, that insurers are overcharging smart home owners in terms of premiums and deductibles.
Malicious emails (including phishing, spam, and scam) are significant attacks. Despite numerous defenses to counter them, they remain effective because our understanding of their psychological properties is superficial. This motivates us to investigate the psychological sophistication, or sophistication for short, of malicious emails. For this purpose, we propose an innovative framework of two pillars: Psychological Techniques (PTechs) and Psychological Tactics (PTacs). We propose metrics and grading rules for human experts to assess the sophistication of malicious emails through PTechs and PTacs. To demonstrate the usefulness of the framework, we conduct a case study based on 200 malicious emails assessed by four independent graders.
Machine Learning (ML) techniques can facilitate the automation of malicious software (malware for short) detection, but suffer from evasion attacks. Many studies counter such attacks in heuristic manners, lacking theoretical guarantees and defense effectiveness. In this article, we propose a new adversarial training framework, termed Principled Adversarial Malware Detection (PAD), which offers convergence guarantees for robust optimization methods. PAD lays on a learnable convex measurement that quantifies distribution-wise discrete perturbations to protect malware detectors from adversaries, whereby for smooth detectors, adversarial training can be performed with theoretical treatments. To promote defense effectiveness, we propose a new mixture of attacks to instantiate PAD to enhance deep neural network-based measurements and malware detectors. Experimental results on two Android malware datasets demonstrate: (i) the proposed method significantly outperforms the state-of-the-art defenses; (ii) it can harden ML-based malware detection against 27 evasion attacks with detection accuracies greater than 83.45%, at the price of suffering an accuracy decrease smaller than 2.16% in the absence of attacks; (iii) it matches or outperforms many anti-malware scanners in VirusTotal against realistic adversarial malware.
Cyber ranges mimic real-world cyber environments and are in high demand. Before building their own cyber ranges, organizations need to deeply understand what construction supplies are available to them. A fundamental supply is the cyber range architecture, which prompts an important research question: Which cyber range architecture is most appropriate for an organization's requirements? To answer this question, we propose an innovative framework to specify cyber range requirements, characterize cyber range architectures (based on our analysis of 45 cyber range architectures), and match cyber range architectures to cyber range requirements.
Cybersecurity of space systems is an emerging topic, but there is no single dataset that documents cyber attacks against space systems that have occurred in the past. These incidents are often scattered in media reports while missing many details, which we dub the missing-data problem. Nevertheless, even "low-quality" datasets containing such reports would be extremely valuable because of the dearth of space cybersecurity data and the sensitivity of space systems which are often restricted from disclosure by governments. This prompts a research question: How can we characterize real-world cyber attacks against space systems? In this paper, we address the problem by proposing a framework, including metrics, while also addressing the missing-data problem, by "extrapolating" the missing data in a principled fashion. To show the usefulness of the framework, we extract data for 72 cyber attacks against space systems and show how to extrapolate this "low-quality" dataset to derive 4,076 attack technique kill chains. Our findings include: cyber attacks against space systems are getting increasingly sophisticated; and, successful protection against on-path and social engineering attacks could have prevented 80% of the attacks.
IEEE T-IFS, 2021
Data breach is a major cybersecurity problem that has caused huge financial losses and compromised many individuals' privacy (e.g., social security numbers). This calls for deeper understanding about the data breach risk. Despite the substantial amount of attention that has been directed toward the issue, many fundamental problems are yet to be investigated. In this paper, we initiate the study of modeling and predicting risk in enterprise-level data breaches. This problem is challenging because of the sparsity of breaches experienced by individual enterprises over time, which immediately disqualifies standard statistical models because there are not enough data to train such models. As a first step towards tackling the problem, we propose an innovative statistical framework to leverage the dependence between multiple time series. In order to validate the framework, we apply it to a dataset of enterprise-level breach incidents. Experimental results show its effectiveness in modeling and predicting enterprise-level breach incidents.
The importance of security metrics can hardly be overstated. Despite the attention that has been paid by the academia, government and industry in the past decades, this important problem stubbornly remains open. In this survey, we present a survey of knowledge on security metrics. The survey is centered on a novel taxonomy, which classifies security metrics into four categories: metrics for measuring the system vulnerabilities, metrics for measuring the defenses, metrics for measuring the threats, and metrics for measuring the situations. The insight underlying the taxonomy is that situations (or outcomes of cyber attack-defense interactions) are caused by certain threats (or attacks) against systems that have certain vulnerabilities (including human factors) and employ certain defenses. In addition to systematically reviewing the security metrics that have been proposed in the literature, we discuss the gaps between the state of the art and the ultimate goals.