Skip to search formSkip to main contentSkip to account menu

The Tangled Web of Password Reuse

This paper investigates for the first time how an attacker can leverage a known password from one site to more easily guess that user's password at other sites and develops the first cross-site password-guessing algorithm, able to guess 30% of transformed passwords within 100 attempts.
View via Publisher (opens in a new tab)

CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition

Novel techniques are developed that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of background noise, while not being detected by a human listener.
View PDF on arXiv (opens in a new tab)

Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow

It is found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search, suggesting the scope of the problem seems industry-wide.
View on IEEE (opens in a new tab)

Effective and Efficient Malware Detection at the End Host

A novel malware detection approach is proposed that is both effective and efficient, and thus, can be used to replace or complement traditional antivirus software at the end host.
View Paper (opens in a new tab)

Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

This work presents Soundcomber, a Trojan with few and innocuous permissions, that can extract a small amount of targeted private information from the audio sensor of the phone, and performs efficient, stealthy local extraction, thereby greatly reducing the communication cost for delivering stolen data.
View Paper (opens in a new tab)

Leaky Cauldron on the Dark Land: Understanding Memory Side-Channel Hazards in SGX

The research identifies 8 potential attack vectors of Intel SGX, and highlights the common misunderstandings about SGX memory side channels, demonstrating that high frequent AEXs can be avoided when recovering EdDSA secret key through a new page channel and fine-grained monitoring of enclave programs can be done through combining both cache and cross-enclave DRAM channels.
View on ACM (opens in a new tab)

Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence

By correlating the IOCs mined from the articles published over a 13-year span, this study sheds new light on the links across hundreds of seemingly unrelated attack instances, particularly their shared infrastructure resources, as well as the impacts of such open-source threat intelligence on security protection and evolution of attack strategies.
View on ACM (opens in a new tab)

Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

This study shows that the overall security quality of SSO deployments seems worrisome, and hopes that the SSO community conducts a study similar to the authors', but in a larger scale, to better understand to what extent SSO is insecurely deployed and how to respond to the situation.
View on IEEE (opens in a new tab)

Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale

This study shows that the technique can vet an app within 10 seconds at a low false detection rate and outperformed all 54 scanners in VirusTotal in terms of detection coverage, capturing over a hundred thousand malicious apps, including over 20 likely zero-day malware and those installed millions of times.
View Paper (opens in a new tab)

SmartAuth: User-Centered Authorization for the Internet of Things

The technique, called SmartAuth, automatically collects security-relevant information from an IoT app’s description, code and annotations, and generates an authorization user interface to bridge the gap between the functionalities explained to the user and the operations the app actually performs.
View Paper (opens in a new tab)
...
By clicking accept or continuing to use the site, you agree to the terms outlined in our Privacy Policy (opens in a new tab), Terms of Service (opens in a new tab), and Dataset License (opens in a new tab)