Student Projects Completed in 2017-2018

Spring 2018

  • Students: Chengyu Li, Mengdi Yang

    Faculty Mentor: Lanier Watkins

    Abstract: In our paper, we list several most advanced Machine Vision tracking algorithms currently in use and maybe used in autonomous mode of DJI Phantom 4 and Mavic. Based on this assumption, we design and perform experiments to testify their existence. According to the results, we propose two passive attacks that cause the autonomous mode malfunctioning. In our paper, we also use Software Defined Radio to monitor the hopping frequency and its variation.

  • Student: Weicheng Zhang

    Faculty Mentors: Tim Leschke

    Abstract: Spam has always been irritating and overwhelming since the first day it occurred, and people has been trying to build spam filters to get rid of spams. So building such an effective and precise spam filter can be really important and meaningful. Nowadays, however, most spam filters are based on traditional methods like statistical models or keywor­­d filtering functions. These models ignore the text meaning and words’ relations in the context, and only take the occurrence of certain words into count, which will not perform well under circumstances where words in the spam show strong connections. With deep learning models getting popular, we are able to build a spam filter based on these new models and solve such problem. Moreover, using highly effective information retrieval methods for noise reduction will further improve the performance of our spam filter. In this paper, I first introduce two deep learning models for spam filtering, LSTM and CNN, which are used to accomplish the text classification task. Then, I introduce the noise reduction module based on an information retrieval tool called Elasticsearch, which helps us reduce the false positive rate of our classifier. Then, I compare the results of different approaches, and discuss why the two deep learning models with noise reduction perform 10% better than baseline model, and under what circumstances they are suitable. Finally, I discuss some possible future works that will further improve the performance of the spam filter. As the conclusion of this work, spam filter through deep learning and information retrieval outperforms traditional models, and may be the trend in the future.

  • Student: Jingchi Zhang

    Faculty Mentor: Xiangyang Li

    Abstract: Cross Site Scripting (XSS) web attacks present of the top security risks to enterprise systems. Multiple research studies and commercial solutions try to provide detection capabilities against XSS. However, most of them focus on only payloads in the first request stage of these attack. This work proposes a new XSS attack analysis approach that integrates evidences from different stages of an XSS attack instance. It correlates request and response traces in an effort to improve the performance of characterizing and detecting XSS attacks. Two Gaussian Mixture models (GMM), trained by payloads of XSS and normal web transactions respectively, analyze word embeddings in web transactions using the Word2vec technique. It is further improved by integrating these two GMM models in detection. Our experiments have used two databases of real web transaction instances. The results have shown that this approach is promising.

  • Students: Joseph Kosturko, Eric Schlieber, Sean Futch

    Faculty Mentor: Seth Nielson

    Abstract: The proliferation of additive manufacturing devices such as 3D-printers and chemical Continuous Flow Reactors (CFR) have commoditized the creation of complex physical and liquid products. CFR machines are computer-controlled pumps and mixers designed to synthesize industrial and medical chemical compounds.  Similar to many new digital products, CFRs often lack standard forms of access control and are vulnerable to physical and network-based attacks. This paper reviews the common attack vectors and vulnerabilities associated with Supervisory Control and Data Acquisition (SCADA) systems and uses these lessons to inform an initial analysis and security test of the Cole-Parmer MasterFlex CFR. Using standard penetration testing techniques, we show that the MasterFlex CFR is susceptible to multiple types of remote and local attack including query flooding, malformed ping attacks, and firmware retrieval via an “Evil Maid Attack”. We demonstrate that this lack of access control permits even trivial attacks, such as a buffer overflow or malformed ping, to have a catastrophic effect upon the CFR. The consequences of these attacks can include complete remote control of the device or a denial of access for authorized users. These attacks are trivial to perform and can potentially harm the device, nearby operators, or the users of manufactured products via cyber-physical attack. We believe that these findings in the Cole-Parmer Masterflex are indicative of similar vulnerabilities in other CFR models.

  • Student: Rian Saaty

    Faculty Mentor: Matt Green

    Abstract: The project is a secure, convenient, and affordable approach for a two-factor login authentication, which can be easily implemented in any website without relying on third parties and without paying a lot of money to buy certain devices. Currently, the most common way of using two-factor login authentication is the idea of “something you know,” which can be either a password or a pin number, combined with “something you have,” which can be either a text message, security token device, or a changing number from any authentication app such as Google Authenticator. However, some of these methods are either unsecure, expensive, or can be inconvenient in case users lost access to their devices by any way. The third common factor that is also used but rarely due to its expense, “something you are” deals with biometrics authentication. This authentication factor can be very expensive to implement in insensitive websites because it requires users to own very expensive devices to authenticate themselves. Even with that in mind, some biometrics authentication factors have been fooled before. Additionally, some users will not be comfortable sharing their biometrics information unnecessarily with websites. In this paper, however, I will be explaining my approach to use biometrics in an affordable way in an authentication process that can be implemented easily in any website, which guarantees the authentication of users based on two different authentication mechanisms, their password (something users know) and their unique typing speed, a behavioral biometric measurement (something users do).

Fall 2017 Student Projects

  • Student: Apoorv Krishak

    Faculty Mentor: Xiangyang Li, Song Luo

    External Mentor: Amin Hassanzadeh (Accenture)

    Abstract: NETSAT is a toolkit for Network Security Analysis which provides a framework for collecting network information and generating comprehensive attack graphs in a network. The tool does so by using a Host Profiling Module (HPM) which basically works as a host-based vulnerability scanner and runs a service over the network hosts and provides information about them to a central server. The central server enriches this information creating vulnerability profiles for the hosts using information from public security databases – CVE, NVD, CVSS. The outputs of the HPM are converted into inputs for MulVAL which generates comprehensive attack graphs for the given scenario. MulVAL (Multi-host, Multi-stage Vulnerability Analysis Language) is an open source tool developed at Kansas State University for modeling the complete threat scenario in a network in the form of attack graphs. The toolkit currently focuses on Unix-based systems and provides:

    1. Host profiles: JSON objects with program, network and configuration details of a host
    2. Host vulnerability profiles: JSON objects with detailed vulnerability information about a host
    3. Tool for converting these profiles into an open-specification – OVAL compliant MulVAL inputs which enable the modeling of a comprehensive threat scenario in the form of attack graphs
  • Students: Aurin Chakravarty, Chanyang Shin, Prerit Chandok

    Faculty Mentors: Seth Nielson, Timothy Leschke

    Abstract: Pivoting from our survey paper that was accepted at an IEEE conference earlier this year, this capstone explores forensic and privacy considerations of wearable and home automation devices. These two devices, along with the larger Internet of Things ecosystem meld the cyber realm with the physical. While cyber focused forensics and privacy concerns have been a focus amongst academic and private researchers, there is much less attention to how IoT devices can impact physical crimes. In order to showcase some of the ways a digital forensics investigator can leverage IoT devices to obtain cyber-physical evidence, we devise a fictional scenario involving a crime a digital forensics investigators journey in solving this crime through examining various IoT data. For each method that our investigator use, we support its feasibility by conducting an experiment of our own, recreating the kind of data and derived evidence. We find the using logs and data generated by typical IoT and wearable devices reveal physical information such as user location, previous whereabouts, and other forensically useful information that may assist investigators achieve breakthrough on a case. In the course of our experimentation, we develop a user friendly python script that aids with location triangulation using 802.11x wifi signals.

  • Students: Qiqing Huang, Likitha Satish, Bayan Al Muhander

    Faculty Mentor: Xiangyang Li

    External Mentor: Jay Chen (Accenture)

    Abstract: Web application attacks were and are still being classified on the top application security risks. There are several studies as well as commercial solutions that provide XSS vulnerability detection platforms. However, most of them were employing their techniques to detect the first stage of such an attack. In fact, an XSS attack usually incurs a request and response sequence of multi-stage web transactions between attacker, victim and web-server, in order to succeed. In this paper, we are presenting an approach for integrating the evidences of an XSS attack from more than one stage, correlating such request/response evidences from these stages together to improve the accuracy of detecting XSS attacks. Correlation of such information is supported by the capability provided by the BlockChain technique. Specifically, we built up Hidden Markov Model models using the bag of words technique in representing web requests/responses for XSS and normal web transactions respectively, and integrate their scores in detection. In experimentation we set up a testbed to generate and collect realistic XSS and normal web traffic using real datasets from web traffic and vulnerability databases. The approach has shown a good detection rate and proves the possibility to correlate multi-stages attack.

  • Students: Yuandi Xia, Jinglun Liu, Bowei Zhang

    Faculty Mentor: Song Luo

    Abstract: The paper uses the dataset of Comprehensive, Multi-Source Cyber-Security Events from Los Alamos national laboratory, in the paper the authors provide both the supervised learning method and the unsupervised learning method to detect the bad behavior, also known as the red team data. The paper introduces the theory of the self-organizing map, a type of artificial neural network, and the procedure to build the self-organizing map to do the unsupervised learning to detect the abnormal authentication events. As the performance of self-organizing map model is not ideal for the cluster, the paper also uses the supervised learning algorithm, including the logistic regression model and the decision tree model, to train the dataset and compare their performances with the performance of self-organizing map. According to the result of the experiment, the performance of supervised learning algorithms is much better than the self-organizing map algorithm, and the performance of logistic regression model is better than the decision tree model. Besides, the paper covers all the steps to do a machine learning model from data preparation, feature selection to building and train the learning model and evaluation of the model performance.

  • Students: Chenning Zhang, Yuwei Zhang

    Faculty Mentor: Song Luo

    External Mentor: Bayan Bruss (Capital One)

    Abstract: Recently, there is such an increase in reported incidents of security breaches that compromises the user’s personal data. This implies that current models of collecting and controlling massive amount of personal data by the third parties have evident leaks. Also, the trend of Bitcoin has gradually demonstrated that storing data with a decentralized network is trustful and stable in financial field. In this paper, we propose a distributed network system with the application of blockchain that stores the user’s personal data with also an RSA encryption/ decryption which ensures that the user will get control of his or her own access policies of personal data that doesn’t need a breachable mechanism from a third party. The method we propose in this paper is not all like the Bitcoin, the user’s personal data does not have to be financial. The transactions between application and user carry not only data, but also encrypted messages, and signatures which based on the RSA key exchange policy. The permissions of accessing user’s personal data is defined by the user his or her own in the policy. This solution allows distributed auditability, which prevents a malicious third party from playing the man-in-the-middle attack. Finally, we discuss some possible future works which extent to blockchain that could harness the way of protecting personal data to becoming trustful for the society in the future.

  • Students: Guangyi Cao, Yunlong Guo

    Faculty Mentor: Joel Coffman

    Abstract: This project based on an open sourced GitHub project is called PyKMIP1 which supports secure key management service over the network. The Key Management Interoperability Protocol (KMIP) supplies a good platform for key management through a client/server communication protocol for the storage and maintenance of secret objects such as keys. Because of its interoperability, it enables deploying a key management infrastructure to manage keys. To reach a higher level of security, we focus on the key management part and try to find some ways to make it more secure. After assessing Trusted Platform Module (TPM) security against online attacks and offline attacks, we believe that TPM is a good fit for this purpose. We can use a TPM to help us encrypt and decrypt our keys. Therefore we need to integrate the TPM with PyKMIP. To fulfill the key management, we also add two functions, encryption and decryption by using tpm-tools2 into the open-source PyKMIP project exploiting the TPM security features. Analysis and testing results reveal that PyKMIP using a TPM for secure key storage can improve its security.

  • Students: Haoruo Zhang, Digvijay Singh

    Faculty Mentor: Xiangyang Li

    Abstract: Behavioral biometrics  systems establish one  user’s identity based on patterns recognition carried out on behavioral characteristics manifested through HCI. Such systems are expected to help assist the process of identification and authentication with high accuracy, being least intrusion and at low cost. However, user behaviors can vary significantly with different hardware platforms, software environment, and application- specific contexts. There has been a lack of research on behavioral biometrics under the context of a specific application. Specially it is hard to collect user data in real world settings to assess how well behavioral biometrics can discriminate users. This work aims to strengthen authentication based on user groups by analyzing user behavioral biometrics on an open-source webmail application. The data are collected form a large user experiment conducted on Amazon Mechanical Turks. Off-line and online analytic schemes are proposed for analysis of their applicability. Experimental results suggest that the user group identity can be efficiently and accurately inferred from users’ operational integration with the system, with accuracy rates of 84.80% and 74.70%, respectively as of identity attribution and authentication.

  • Students: James Schaffter, Matthew Alpert

    Faculty Mentor: Lanier Watkins

    Abstract: Wireless smart meters provide additional functionality and convenience when compared to traditional analog meters. Millions of these devices have been integrated into smart grids across the United States. This rapid integration comes at a cost, as leveraged vulnerabilities within these devices and their implementations would prove disastrous.

    In this capstone, vulnerabilities are discovered in a testbed consisting of devices used by the energy sector in the field. Discovered vulnerabilities are subjected research and exploit in a safe environment, thus demonstrating their impact on security and privacy. Based on the findings of vulnerability exploitation, a large-scale attack scenario is theorized. A framework for assessing smart grid devices is then proposed. The proposed framework advocates for a whole system approach to assessing the security of smart grid devices.

  • Student: Joshua Ciocco

    Faculty Mentor: Lanier Watkins

    Abstract: The small unmanned aerial systems (sUAS) market has grown into a multi-billion dollar industry and is expected to increase in size in the coming years despite security concerns. Many of these devices continue to possess vulnerabilities that can be exploited, thus increasing the likelihood of damage or injury. In this paper, we present an exploit that results in a denial of service (DOS) campaign against three Wi-fi enabled sUASes, including Parrot Bebop 2, 3DR Solo, and DJI Phantom 3 Standard. Furthermore, our experiments demonstrate that the exploit successfully circumvents the WPA2 security protocol, which is implemented in each of these devices as a countermeasure for previously discovered vulnerabilities. Our findings illustrate that vulnerabilities exist in the communication protocol for at least several sUASes. We also offer some solutions that possibly mitigate these vulnerabilities in hopes of helping vendors make their devices safer and more secure to

    operate in the future.

  • Student: Kirk Sabnani

    Faculty Mentor: Anton Dahbura, Matthew Green

    External Mentor: Krishan Sabnani (Alcatel-Lucent)

    Abstract: Signal, a protocol implemented as both a standalone app available on iOS, Android, and desktop devices, as well as by various third-parties, including WhatsApp, Facebook, and Google, provides end-to-end encryption for instant messaging by incorporating a number of novel security features. Notwithstanding its implementation by various third parties, Signal has been under-analyzed, with a first public security analysis of it only completed in 2016 by researchers from University of Oxford, Queensland University of Technology, and McMaster University. With that in mind, users should be confident that these applications, in fact, provide secure messaging using the protocol as advertised, yet conformance to the protocol specification has not been done; meaning that trust in implementations is primarily based on good faith. This work builds on the first public security analysis completed in 2016, as well as previous successful work done on conformance testing non-cryptographic protocols for telecommunications applications, to apply conformance test sequences to a cryptographic protocol, in this case, Signal, specifically Open Whisper Systems’ implementation, in order to determine whether it behaves as the agreed specification would. It is important to note that this is not a check for correctness of the protocol as an encryption standard rather that an implementation conforms to the agreed specification.

  • Student: Ningyuan Bao, Mengying Hu

    Faculty Mentor: Seth Nielson

    Abstract: The Internet of Things (IoT) is getting its popularity in these years, while it is hard to find a simple, but powerful simulator to test the security of various IoT protocols. In this capstone project, we design and implement a traffic IoT simulator, which is further migrated to a virtual network environment to for security experiments. We have done comprehensive tests to analyze the performance of the simulator system, and the results are promising.

  • Students: Purushottam A. Kulkarni, Ritvik Sachdev, Praveen Malhan

    Faculty Mentor: Seth Nielson

    External Mentor: Jonathan Petit (OnBoard)

    Abstract: With the increasing automation of Unmanned Aerial Vehicles (UAVs) it has

    become necessary to secure the protocols used for the communication and automated control of the same. This project aims at implementing an automated Airborne Collision Avoidance System (ACAS) to avoid collisions in real-time using Automatic Dependent Surveillance – Broadcast (ADS-B) messages. In addition to this, we demonstrate the insecurity of traditional ADS-B against common attacks such as packet forging, replay, message modification and Man-in-the-Middle (MITM) attacks. To protect against this, we make use of the AerolinkTM Library to provide the functionality of message authentication and integrity checking through short-term cryptographic signing of the messages to protect against all of the aforementioned attacks. Finally we present our results in the form of a video demo as well as the documented results of targeted fuzzing at the protocol level for ADS-B Based ACAS-Secure.

  • Students: Venkatesh Gopal, Shikha Fadnavis

    Faculty Mentor: Joel Coffman

    Abstract: Key management is one of the biggest problems in cryptography. Traditionally, organizations stored cryptographic keys using file-based storage, which is considered to be insecure due to the lack of sufficient authentication. To overcome the issue of insecure key storage, the industry moved towards using Trusted Platforms Modules (TPMs) and Hardware Security Modules (HSMs) for storing cryptographic keys. However, simply storing keys on TPMs and HSMs doesn’t ensure security and high availability if the secure hardware module fails due to network outages, lack of sufficient resources, etc. Major cloud offerings from vendors such as OpenStack and Amazon provide high-availability key management solutions but their cost may be prohibitively high for small- and mid-scale organizations. In this paper, we propose a solution through the use of a distributed object store and TPMs to ensure secure storage of keys, high availability of sensitive data, ease of deployment, and convenient retrieval through custom metadata.

  • Students: Shirish Singh, Rohit Kumar

    Faculty Mentor: Xiangyang Li

    External Mentor: Devu Manikantan Shila (UTRC)

    Abstract: In the last couple of years, the prime focus of computing has shifted from personalcomputers to smartphones and tablets. Increasing storage space and computing power of smartphones enhance the storage and processing capacity of these portable devices. These advancements in smartphones have also paved the path towards a new age of application development. As a result, Google’s Play Store and other popular Application Stores now contain millions of freely available Android applications (Apps). The Play Store alone hosts about 2 million applications and over 65 billion downloads as of 2016. To install and use these applications on the devices, the users give them the permission to access the services (provided by the smartphone’s hardware, such as the GPS, Camera, Sensors, etc.) and the data (Phone Book, Messages, etc.) residing on their device. Many applications use third-party libraries to augment the features of the application. However, sometimes these libraries exhibit malicious behavior, which can go undetected because of the difficulties faced during the analysis of such libraries. Attributing to this reason, the security and privacy of the users’ are hampered. This paper discusses a novel technique of malware detection and classification using based on the libraries used by the applications. We employ static analysis to gather the file based artifacts of the applications. These artifacts are then used to train a machine learning model for detection and classification. We collected 4809 benign and 3278 malicious application, across all API levels, which exhibit usage of third-party libraries to train our models. The experiments performed on the data demonstrate the effectiveness of the proposed method for real-time application.

  • Students: Shuaichen Wu, Xiaoyi Rao, Qianrui Qiu

    Faculty Mentor: Timothy Leschke

    Abstract: The widespread of spam emails has extremely compromised email users, influenced the operation order of email service, and damaged the Internet security and social stability. This paper did research on the methods of email filter in text classification. The spam email filtering algorithm based on machine learning improves the solution efficiency of spam email problem. This paper focuses on the accuracy of email filter algorithms and the prediction on unclassified emails. There are four main algorithms that are used in this paper, including Naïve Bayes algorithm, Decision Tree, KNN algorithm, and Logistic Regression. This paper first did data preparation to make all features (words) of the email text show in the matrix. Then we calculated the accuracy of these four algorithms on spam email filter and discussed their results.

  • Students: Vedasagar Karthykeyan, Xiaohang Yu, Zuo Wang

    Faculty Mentor: Seth Nielson, Lanier Watkins

    External Mentor: Mark Munoz (APL)

    Abstract: The AIS data is really massive and consists of huge number of unvalidated cyber threat indicators and defensive measures. These indicators are really helpful for protecting against similar attacks but will not eliminate more sophisticated attacks. Thus it is necessary to come up with models and algorithms that can automatically predict the maliciousness of new indicators and suggest measures accordingly. The main objective of this project shall be to clean and prune the massive AIS data and extract the most useful features that can predict the maliciousness of the indicators. Then we shall be using Machine Learning models and Artificial Intelligence algorithms to the dataset to validate the data and help narrow down the AIS to a 1% that an analyst can use and trust.

  • Students: Chao Lei, Wenjun Li

    Faculty Mentor: Seth Nielson

    Abstract: Nowadays, botnets have become one of the major attacks on current Internet due to their enormous benefits. Meanwhile, honeypots have been deployed in many network security defense systems. Since honeypots are set to attract botnet compromises and become spies in revealing botnet membership and botnet controller behaviors, they are widely used by system defenders in botnet defense. Therefore, attackers constructing and maintaining botnets will be forced to find ways to detect and avoid honeypot traps. In our research, we implement a “two-stage reconnaissance worm” mentioned in Ping’s research [1], which can considerably improve the efficiency of spreading and accuracy of the P2P worm, proved its efficiency, and we also explore a new honeypot detection fighting technology.

  • Students: Yong Wu, Zheng Qu, Ran Liu

    Faculty Mentor: Timothy Leschke

    Abstract: After AlexNet[29] was proposed in 2012, Deep Neural Networks (DNNs) classifiers have been widely implemented in many industries, such as autonomous driving, mobile check deposit, etc. However, almost all well-trained machine learning classifiers have been recently found to be vulnerable to adversarial examples, which may cause classifiers to misclassify with high confidence, especially the models with linearity. The adversarial examples, which looks almost the same as the original ones, are indistinguishable to the human eyes. In this project, we explain how the general adversarial attack works, especially on the state-of-the-art classifier with convolutional neural networks like ResNet, as well as what damages it can bring to the classifiers. We proposed a “gradient ascent with noise” approach to craft adversarial sample, experimented the approach with ImageNet sub dataset, achieving decent accuracy with small perturbation rate.

  • Students: Yunchao Liu, Yue Guan

    Faculty Mentor: Song Luo

    Abstract: With the increasing trend on cyber-attacks, malicious software including virus, worms, Trojans etc. is one of the main security issues that happens on computer systems. It is often combined with different attack methods and leverage vulnerabilities after getting access to the system. However, there is a huge amount of malicious software and it renders the normal security defenses in different ways. In addition, malware events are various and obfuscated at static status. It could be better if we can get the signatures with dynamic binary analysis during runtime. In this paper, we will find a way to prototype several classic malwares and test for a best automatic classification algorithm according to the prediction accuracy. We facilitate machine learning technique to deploy the algorithm. Nowadays, machine learning is a booming field. It applies in a variety industry such as business, science, etc. to help us solving problems. We demonstrate some popular machine learning algorithms including Bayes naive Gaussian, Random Forest, Neural Network, and k-Nearest Neighbors to help us identifying novel classes of malwares. In addition, we compare the accuracy of those algorithms and choose one which has better performance to achieve our goal.

  • Students: Zehuan Li, Shanshan Yang, Liangjia Fu

    Faculty Mentor: Seth Nielson

    External Mentor: Mark Munoz (APL)

    Abstract: In cybersecurity world,  there  are  two ways  against  cybersecurity  attacks, namely, cyber security techniques and security-related data. Obviously, security- related data plays a critical role in the protection of cyber security. The AIS, provided by DHS, serves as a security-related information collector, providing timely exchange of cyber security threat among federal departments and other non-federal entities. The initiative of AIS is to reveal more cyber-attack source, while those revealers do not wish to expose any details about their own vulnerabilities. However, it is possible that hackers may apply reverse-engineering on those data and expose those vulnerabilities. Thus, in this capstone project, we are seeking to identify the flaws inside the AIS data.

  • Students: Joshua Bailey, Meng Xie, Zihan Lin

    Faculty Mentor: Lanier Watkins

    External Mentor: Michael Ayenson (APL)

    Abstract: The area of automated penetration testing has been a topic that has gained

    increased publicity over last few years. There is not a single definition to automated penetration testing, however most researchers would define it as a process where a penetration tester uses tools to fi exploitable faults in a piece of software. As our literature review confirms, automated penetration testing is done from a more defensive or preventative role. This research takes the offensive to automated penetration testing. We utilize Q-Learning to find the optimal path to find a given target. This is done using a discovery module to fi scout the network and report it. The Q- Learning module will take the report and use Q-Learning to find the best possible path.

  • Students: Yuqian Huang, Zijiang Yang

    Faculty Mentor: Timothy Leschke

    Abstract: The increase in number of attacks, especially novel attacks, makes the anomaly-based intrusion detection system more efficient than the signature-based intrusion detection in practice. In this paper, we will introduce five supervised machine learning algorithms to improve the performance of anomaly detection. The algorithms are Decision Tree, Random Forest, Naive Bayes, neural network and Support Virtual Machine. The dataset we use is UNSW-NB15 dataset.

JHU Information Security Institute