Melicher_cmu_0041E_10418.pdf (2.35 MB)
Modeling Security Weaknesses to Enable Practical Run-time Defenses
Security weaknesses are sometimes caused by patterns in human behaviors. However, it can be difficult to identify such patterns in a practical, yet accurate way. In order to fix security weaknesses, it is crucial to identify them. Useful systems to identify security weaknesses must be accurate enough to guide users’ decisions, but also be lightweight enough to produce results in a reasonable time frame. In
this thesis, we show how machine-learning techniques allow us to detect security weaknesses that result from patterns in human behavior faster and more efficiently
than current approaches, enabling new, practical run-time defenses. We present two applications to support this thesis. First, we use neural networks to identify users’ weak passwords and show how to make this approach practical for fully client-side password feedback. One problem
with current password feedback is that users can get either quick but often incorrect feedback by using heuristics or accurate but slow feedback by simulating adversarial
guessing. In contrast, we found that our approach to password guessing is both more accurate and more compact in implementation than previous ones, which enables us to more practically estimate resistance to password-guessing attacks in real time
on client machines. Second, we use deep learning models to identify client-side cross-site scripting
vulnerabilities in JavaScript code. We collected JavaScript functions from hundreds of thousands of web pages and using a taint-tracking-enabled browser labeled them
according to whether they were vulnerable to cross-site scripting. We trained deep neural networks to classify source code as safe or as potentially vulnerable. We
demonstrate how our models can be used as a lightweight building block to selectively enable other defenses, e.g., taint tracking.
this thesis, we show how machine-learning techniques allow us to detect security weaknesses that result from patterns in human behavior faster and more efficiently
than current approaches, enabling new, practical run-time defenses. We present two applications to support this thesis. First, we use neural networks to identify users’ weak passwords and show how to make this approach practical for fully client-side password feedback. One problem
with current password feedback is that users can get either quick but often incorrect feedback by using heuristics or accurate but slow feedback by simulating adversarial
guessing. In contrast, we found that our approach to password guessing is both more accurate and more compact in implementation than previous ones, which enables us to more practically estimate resistance to password-guessing attacks in real time
on client machines. Second, we use deep learning models to identify client-side cross-site scripting
vulnerabilities in JavaScript code. We collected JavaScript functions from hundreds of thousands of web pages and using a taint-tracking-enabled browser labeled them
according to whether they were vulnerable to cross-site scripting. We trained deep neural networks to classify source code as safe or as potentially vulnerable. We
demonstrate how our models can be used as a lightweight building block to selectively enable other defenses, e.g., taint tracking.
History
Date
2019-07-17Degree Type
- Dissertation
Department
- Electrical and Computer Engineering
Degree Name
- Doctor of Philosophy (PhD)