Android Malware Detection via Graphlet Sampling

In this paper, we extend the work done in Android Malware Detection via Graphlet Sampling (CNS 2016). Specifically, we analyze our system, App topologiCal signature through graphleT Sampling (ACTS), in terms of its performance against sampling space size, graph size bias, and sample bias, among other metrics.

IM 2019

On Multi-Point, In-Network Filtering of Distributed Denial-of-Service Traffic

In this paper, we model the existing two main categories of in-network DDoS defense algorithms (PushBack, SourceEnd) and propose a new type of algorithm (StrategicPoints). In particular, we compare their effectiveness in minimizing the amount of DDoS traffic that the victim receives, their impact on reducing the DDoS traffic on the entire Internet, and their resiliency against intelligent adversaries and dynamic attacks. We detail how the comparison results vary according to parameters and provide our insights on the pros and cons of these three categories of in-network DDoS defense solutions.

SecureComm 2018

Securing the Smart Home via a Two-Mode Security Framework

We present TWINKLE, a framework for smart home environments that considers the unique properties of IoT networks. TWINKLE utilizes a two-mode adaptive security model that allows an IoT device to be in regular mode for most of the time which incurs a low resource consumption rate and only when suspicious behavior is detected, switch to vigilant mode which potentially incurs a higher overhead. Our evaluations show that TWINKLE is not only friendly to resource-constrained devices, but can also successfully detect and prevent the two types of attacks, with a significantly lower overhead and detection latency than the existing systems.

ICCCN 2018

FR-WARD: Fast Retransmit as a Wary but Ample Response to Distributed Denial-of-Service Attacks from the Internet of Things

We present FR-WARD, a system that defends against DDoS attacks launched from an IoT network. FR-WARD operates close to potential attack sources at the gateway of an IoT network and drops packets to throttle any DDoS traffic that attempts to leave the IoT network. However, in order to properly react to traffic too difficult to categorically label as good or bad, FR-WARD employs a novel response based on the fast retransmit and flow control mechanisms of the Transmission Control Protocol (TCP) which minimizes the energy consumption and network latency of benign IoT devices within the policed network.

IoT S&P 2017

POSTER: Source-End DDoS Defense in IoT Environments

This paper is the poster version of FR-WARD: Fast Retransmit as a Wary but Ample Response to Distributed Denial-of-Service Attacks from the Internet of Things (ICCCN 2018). This poster paper introduced the world to FR-WARD.

CNS 2016

ACTS: Extracting Android App Topological Signature Through Graphlet Sampling

In this paper, we propose a novel topological signature of Android apps based on the function call graphs (FCGs) extracted from their Android App PacKages (APKs). Specifically, by leveraging recent advances in graphlet sampling, the proposed method fully captures the invocator-invocatee relationship at local neighborhoods in an FCG without exponentially inflating the state space. Using real benign app and malware samples, we demonstrate that our method, ACTS (App topologiCal signature through graphleT Sampling), can detect malware and identify malware families robustly and efficiently. More importantly, we demonstrate that, without augmenting the FCG with any semantic features such as bytecode-based vertex typing, local topological information captured by ACTS alone can achieve a high malware detection accuracy. Since ACTS only uses structural features, which are orthogonal to semantic features, it is expected that combining them would give a greater improvement in malware detection accuracy than combining non-orthogonal semantic features.