PIRAT biweekly seminars

Contact: Pierre-François Gimenez


~~ Summer break ~~

Thursday September 19th 2024 – 2PM

Racim Boussa (IETR): TBA

Abstract: TBA

Thursday October 3rd 2024 – 2PM

Yufei Han (Inria): TBA

Abstract: TBA

Thursday October 10th 2024 – 2PM

Ballarini Paolo (CentraleSupélec): TBA

Abstract: TBA

Thursday October 24th 2024 – 2PM

Pierre-François Gimenez (CentraleSupélec): TBA

Abstract: TBA

Thursday November 7th 2024 – 2PM

Cédric Herzog (CodeClarity): TBA

Abstract: TBA


Past seminars

Wednesday July 10th 2024 – 11AM

Davide Balzarotti (EURECOM): Malware Research: History, Milestones, and Open Questions

Abstract: Researchers have worked on the analysis, detection, and classification of malicious software since the first early viruses in the 1980s. After more than 40 years of academic research and thousands of papers published on this topic, what have we learned about malware? Which problems and questions have attracted the interest of researchers? And for which of those did we find some answers so far? In this talk, I will go through some of these past achievements (shamelessly using some of my research as an example) and discuss past findings as well as open questions for the future.

Monday June 24th 2024 – 2PM

Natan Talon (Hackuity): Lessons learned from BreizhCTF

Abstract: What you need to know when you want to combine business with pleasure to retrieve data.

Tuesday June 18th 2024 – 2PM

Patrik Goldschmidt (KInIT): Common Pitfalls of (Cybersecurity) Machine Learning Research. Pragmatic Model Evaluation

Abstract: Tons of research in machine learning and its applications in security is performed nowadays. However, despite being interesting academically, most never receive attention from practitioners. This phenomenon happens primarily due to the disconnection of academia from industry, such as research papers neglecting operational details or not sharing enough information. Practitioners are thus unable to gauge the practical usability of the research despite achieving state-of-the-art results on public datasets. This seminar, led by a visiting Ph.D. student from KInIT, Slovakia, Patrik Goldschmidt, will merge and present the knowledge from three papers from top-tier cybersecurity conferences discussing this issue. The unique knowledge fusion of three related papers will first outline ten common biases and pitfalls present in contemporary ML-based cybersecurity research. Afterward, we will talk about an approach to perform a pragmatic assessment of ML methods in a statistically significant manner without bias. Presented examples and case studies will focus on cybersecurity, but the problems and recommendations are relevant to many more domains. Therefore, the talk aims to provide valuable insights for researchers and practitioners across a broad spectrum of domains and will shed new light on assessments and evaluations of ML methods.

Thursday June 13th 2024 – 2PM

Julien Piet (University of California, Berkeley): Network Detection of Interactive SSH Impostors Using Deep Learning

Abstract: Impostors who have stolen a user’s SSH login credentials can inflict significant harm to the systems to which the user has remote access. We consider the problem of identifying such imposters when they conduct interactive SSH logins by detecting discrepancies in the timing and sizes of the client-side data packets, which generally reflect the typing dynamics of the person sending keystrokes over the connection.

Wednesday June 5th 2024 – 11AM

Manuel Poisson (Amossys): CVE representation to build attack positions graphs

Abstract: In cybersecurity, CVEs (Common Vulnerabilities and Exposures) are publicly disclosed hardware or software vulnerabilities. These vulnerabilities are documented and listed in the NVD database maintained by the NIST. Knowledge of the CVEs impacting an information system provides a measure of its level of security. Our work points out that these vulnerabilities should be described in greater detail to understand how they could be chained together in a complete attack scenario. We present the first proposal for the CAPG (CVE representation to build Attack Positions Graphs) format, which is a method for representing a CVE vulnerability, a corresponding exploit, and associated attack positions.

Thursday May 23rd 2024 – 2PM

Yufei Han (Inria): Defending Jailbreak Prompts via In-Context Adversarial Game

Abstract: Large Language Models (LLMs) demonstrate remarkable capabilities across diverse applications. However, concerns regarding their security, particularly the vulnerability to jailbreak attacks, persist. Drawing inspiration from adversarial training in deep learning and LLM agent learning processes, we introduce the In-Context Adversarial Game (ICAG) for defending against jailbreaks without the need for fine-tuning. ICAG leverages agent learning to conduct an adversarial game, aiming to dynamically extend knowledge to defend against jailbreaks. Unlike traditional methods that rely on static datasets, ICAG employs an iterative process to enhance both the defense and attack agents. This continuous improvement process strengthens defenses against newly generated jailbreak prompts. Our empirical studies affirm ICAG’s efficacy, where LLMs safeguarded by ICAG exhibit significantly reduced jailbreak success rates across various attack scenarios. Moreover, ICAG demonstrates remarkable transferability to other LLMs, indicating its potential as a versatile defense mechanism.

Thursday April 25th 2024 – 2PM

Solayman Ayoubi (Télécom SudParis): Data-driven Evaluation of Intrusion Detectors: a Methodological Framework

Abstract: Intrusion detection systems are an important domain in cybersecurity research. Countless solutions have been proposed, continuously improving upon one another. Yet, despite the introduction of distinct approaches, including machine-learning methods, the evaluation methodology has barely evolved. Prior evaluation approaches lack formalization and disregard ML best practices. We address this challenge by implementing an evaluation framework to ensure completeness, reliability, and reproducibility. This framework emphasizes the relationship between evaluation choices and data selection, requiring the generation of purpose-specific datasets.

Friday April 19th 2024 – 2PM

Lucas Aubard: Some fragmented packet characteristics on MAWI traces

Abstract: The presentation will focus on the work I did during my 3-month internship at the National Institute of Informatics (NII). The first half of the talk will focus on IPv4 fragmentation. The second half will be some feedback regarding the mobility exchange experience. IPv4 fragmentation is used whenever the original datagram size is higher than the Maximum Transmit Unit between the two communicating hosts. It has been some years now that this mechanism has been considered “harmful” because of possible attacks (e.g., DoS, NIDS evasion) or resource overhead. We conducted a longitudinal study of MAWI traces, for 2 days per month from 2006 to 2023, to 1) verify if IPv4 fragmentation is observed in the wild and 2) try to understand in which circumstances this fragmentation may occur. Note that the presented results will be preliminary results.

Wednesday April 17th 2024 – 2PM

Daniel De Almeida Braga (IRISA): Microarchitectural side-channels and their impact on cryptographic implementations

Abstract: In the rapidly evolving field of cybersecurity, the robustness of cryptographic implementations against side-channel attacks represents a critical challenge. This talk delves into the research on microarchitectural side-channels, presenting sophisticated attacks that underscore the vulnerability of cryptographic protocols to such threats. First, I will present attacks against WPA3, leaking enough information on the Wi-Fi password to recover it. In particular, one of the attacks exploits a previously undocumented prefetcher behavior, which highlights the complex interplay between hardware design and software security. Next, I explain how we ported a well-known CPU side-channel attack to GPUs, demonstrating the feasibility of executing the Prime+Probe technique via a web browser. This attack enables us to implement a keylogger, an AES key recovery attack and a native-to-browser covert channel, entirely from JavaScript, in a drive-by manner.

Wednesday April 10th 2024 – 2PM

Thomas Rokicki (IRISA): Side Channels in Web Browsers: Applications to Security and Privacy

Abstract: Side channel attacks exploit the side effects of sensitive computation to leak secrets. Their implementation in web browsers represents a considerable increase in threat surface, but comes with challenges due to the restrictive environment and the constant browser updates. This presentation introduces a longitudinal analysis of browser-based side channels, as well as a focus on port-contention side channels and how we can use them in the JavaScript sandbox.

Thursday March 28th 2024 – 2PM

Cristoffer Leite (Eindhoven University of Technology): From Cyber Threat Intelligence to Incident Response and Back

Abstract: The presentation will focus on specific aspects of the research conducted during my PhD. First, I will talk about characterising attackers’ behaviour and how to map this to the information provided by a Network Intrusion Detection System. Then, I will present our approaches for improving the use and creation of Cyber Threat Intelligence for incident response by applying those maps.

Thursday March 21st 2024 – 2PM

Lénaïg Cornanguer (CISPA): Timed automata learning from observational data

Abstract: I will present my work on modelling systems from observational data, carried out during my PhD. As a model of the system, we will use the formalism of timed automata, a state-based machine where the evolution depends on the occurrence of events over time. A first part will be devoted to learning timed automata from event logs with the TAG algorithm. Then, we will see how timed automata can be used for anomaly detection given streaming discrete or continuous data.

Thursday March 14th 2024 – 2PM

Tristan Benoît (Loria): Program similarity through the lens of spectral analysis

Abstract: Machine-learning-based approaches applied to binary function similarity have gained popularity in recent years. In this seminar, I will present our work on similarities between programs, which can be useful for reverse engineering, program classification, malware genealogy and plagiarism detection. We carry out an evaluation of program clone search methods and propose a similarity method based on spectral graph theory. In addition to being fast, it is particularly stable when the compiler or architecture changes.

Thursday March 7th 2024 – 2PM

Romain Cayre (EURECOM): OASIS: a framework for embedded intrusion detection in Bluetooth Low Energy controllers

Abstract: In recent years, Bluetooth Low Energy (BLE) has established itself as one of the central protocols of the Internet of Things. Many of its characteristics (mobility, low energy consumption, wide deployment) make it an attractive protocol for connected devices. Alongside this growth, many critical vulnerabilities affecting BLE have been made public in recent years, some of them tied to the design of the protocol itself. Because these vulnerabilities cannot be fixed without affecting the specification, suitable intrusion detection systems (IDS) need to be developed to detect and prevent these new threats. However, many technical difficulties hinder the development of such systems. Monitoring the protocol with probes is indeed complex, costly and limited, because of the use of peer-to-peer communications and the presence of many complex and dynamic mechanisms such as frequency-hopping algorithms. These constraints significantly affect existing approaches: they lack flexibility, have a limited scope and incur high deployment costs. In this presentation, we will present an alternative approach to intrusion detection that aims to overcome these limits by embedding the intrusion detection system directly within BLE controllers, at the lowest level accessible from software. We will show that this embedded approach allows more advanced analysis and instrumentation of the protocol and paves the way for new defensive applications. We will present OASIS, a generic framework that aims to facilitate the injection of detection heuristics into proprietary BLE controllers without affecting the normal operation of the protocol stack. We will describe the choices that guided its design (modularity, genericity, accessibility), as well as its implementation in five controllers from various manufacturers embedding heterogeneous protocol stacks. We will show the relevance of this approach for detecting low-level BLE attacks by describing the design and evaluation of five detection modules covering various complex attacks such as KNOB, GATTacker or BTLEJack. We will also detail our analysis of the impact of deploying such an IDS on controller performance, in particular in terms of energy consumption, execution time and memory. Finally, we will discuss the new directions opened by this work for intrusion prevention or the coordinated detection of complex attacks.

Thursday February 22nd 2024 – 2PM

Pierre-François Gimenez (CentraleSupélec): Security automation (research project)

Abstract: In this presentation, I will present my research project within the PIRAT team, which concerns security automation. I will present my goal and the three main steps to reach it.

Thursday February 8th 2024 – 2PM

Julien Piet (University of California, Berkeley): GGFAST: Automating Generation of Flexible Network Traffic Classifiers

Abstract: When employing supervised machine learning to analyze network traffic, the heart of the task often lies in developing effective features for the ML to leverage. We develop GGFAST, a unified, automated framework that can build powerful classifiers for specific network traffic analysis tasks, built on interpretable features. The framework uses only packet sizes, directionality, and sequencing, facilitating analysis in a payload-agnostic fashion that remains applicable in the presence of encryption. GGFAST analyzes labeled network data to identify n-grams (“snippets”) in a network flow’s sequence-of-message-lengths that are strongly indicative of given categories of activity. The framework then produces a classifier that, given new (unlabeled) network data, identifies the activity to associate with each flow by assessing the presence (or absence) of snippets relevant to the different categories. We demonstrate the power of our framework by building—without any case-specific tuning—highly accurate analyzers for multiple types of network analysis problems. These span traffic classification (L7 protocol identification), finding DNS-over-HTTPS in TLS flows, and identifying specific RDP and SSH authentication methods. Finally, we demonstrate how, given ciphersuite specifics, we can transform a GGFAST analyzer developed for a given type of traffic to automatically detect instances of that activity when tunneled within SSH or TLS.

Bio: Julien Piet is a 3rd year Ph.D. student in the EECS department at UC Berkeley, advised by Professors Vern Paxson and David Wagner. He is currently focused on developing new methods to measure network activity and detect specific behaviors.

Thursday February 1st 2024 – 2PM

Francesco Marchiori (University of Padova): ACTing DUMB: What Can We Learn From Attackers?

Abstract: In the ever-evolving cybersecurity landscape, adversaries continually adapt and employ deceptive strategies to breach defenses. In particular, thanks to the recent advancements in Artificial Intelligence (AI), the cybersecurity research community has started to investigate its integration into diverse contexts for bolstering defense mechanisms and identifying vulnerabilities that adversaries could exploit. But what can we learn from these attacks, and most importantly, how can we improve our defenses? In this talk, we will approach the problem from both sides. First, we will analyze the role of transferability in Adversarial Machine Learning (AML), discovering how attackers might intentionally use more simple techniques to have greater evasion capabilities. Furthermore, thanks to the “DUMB” framework, we show how to evaluate the transferability of AML attacks in different conditions. Second, we will explore how Cyber Threat Intelligence (CTI) can improve defense mechanisms and how practitioners can benefit from it. To tackle the automatic generation of CTI, we present our Natural Language Generation system “AGIR” (“to act” in Italian) and show how it can improve defense mechanisms by providing timely and contextually relevant intelligence reports.

Bio: Francesco Marchiori is a PhD student in Brain, Mind and Computer Science (BMCS) at the University of Padova with a Master’s degree in Cybersecurity. There, he is part of the Security and Privacy (SPRITZ) research group, under the supervision of Prof. Mauro Conti.

Thursday January 17th 2024 – 2PM

Eleonora Losiouk (University of Padova): The Android Virtualization Technique: a Double-Edged Sword for Developing Attacks and Defences

Abstract: Android virtualization enables an app to create a virtual environment, in which other apps can run. Originally designed to overcome the limitations of mobile apps dimensions, nowadays this technique is becoming more and more attractive for developing novel Android malware and defence mechanisms. During this talk, I will illustrate different use cases that refer to malicious and legitimate usages of the Android virtualization technique.

Bio: Eleonora Losiouk is an Assistant Professor from the University of Padua, Italy. She obtained a PhD in Bioengineering and Bioinformatics in 2018 from the University of Pavia, Italy. At the end of the PhD, she moved to Padua and started working on Android security. She visited EPFL in 2017 and Berkeley in 2021/2022. Besides publishing papers in top venues, Eleonora is the recipient of several awards among which: the 2020 CONCORDIA Award for Early Career Women Researcher in 2020; a Fulbright Fellowship for visiting Berkeley in 2020; a Seal of Excellence for her EU Marie Curie Global Fellowship project proposal in 2021; a Google Research Scholar Program in 2022.
