Shishir Nagaraja
Strathclyde Computer Security Group site
Vacancies
PhD Studentships
Apply by 05 June 2019
A fully funded PhD position is available in the area of Network Security and Privacy starting in October 2018. The PhD topic is fairly flexible however applicants interested in working at the intersection of software engineering, control theory, network security, or communications theory are particularly welcome.
Students should be skilled programmers with an interest (or expertise) in the foundations of: statistics, distributed systems, and networks.
Eligibility and process: Any UK or EU resident is eligible to apply. UK/EU citizenship is not required. The studentship is for 3.5 years, and includes tuition fees and a competitive stipend.
Applicants should send complete applications including two academic references, research proposal, transcripts, and degree certificates via the Post Graduate Application Portal by 05 June 2019. Appointment will be made on a rolling basis.
Research Interests
My research interest is network security and privacy. These extend into various other areas such as software-defined networks, botnets, social networks, adhoc networks, the economics of information security, and usable security.
Google scholar page
Publications
Ryan Shah and I wrote a paper on service-denial attacks on IoT systems and mitigation using SDN controller apps published at ICDCN 2018 (Workshop).
Ryan Shah and I wrote a paper on
service-denial attacks at scale on self-driving
vehicles . Driverless vehicles are expected to form the foundation
of future connected transport infrastructure. A key weakness of
connected vehicles is their vulnerability to physical-proximity
attacks such as sensor saturation attacks. We show that currently
attackers have the upper hand in most cases and are able to carry out
crippling denial-of-service attacks on entire fleets, by leveraging
the inherent deficiencies of road networks identified by techniques
from graph analysis. Experimental results on ten cities using
real-world courier traces shows that most cities will require upgraded
infrastructure to defend driverless vehicles against denial-of-service
attacks. This work reveals the hidden costs underlying future
connected transport networks. Original quipment designers and
operators of driverless vehicles should take note that entire sections
of roadways may need to be redesigned for robustness against
attacks.
Jonathan Weekes and I wrote a paper describing practical denial-of-service attacks on SDN switches.
Along with Arnab Biswas and Dipak Ghosal, I wrote a paper in ACM Surveys 2017 summarising the state-of-the-art and open challenges in timing side channels. The paper can be found here.
Joe Gardiner and I wrote a survey paper on the pitfalls of applying machine learning in building security defences published in ACM Surveys 2017.
S. Nagaraja, Botyacc: unified P2P botnet detection using
behavioural analysis and graph analysis, in the Proceedings of the
European Symposium on Research in Computer Security (ESORICS),
2014. Paper This paper unifies behavioural
analysis and graph analysis approaches to detect malware C&C
traffic. Behavioural analysis deals with the statistics of traffic
i.e how endpoints communicate. Graph analysis
considers who talks to whom without considering how. In this
work, we propose a new technique that integrates and extends both
these approaches. What Botyacc is different from the logical
equivalent of taking the intersection of the output of the independent
application of graph analysis and behaviour analysis. For a given IP
connectivity graph, Botyacc uses a diffusion process defined on the
graph topology to construct a feedback loop into conventional
behavioural analysis. A second feedback loop from the output of
behavioural analysis is input to the diffusion process.
J. Gardiner and S. Nagaraja, Blindspot: Indistinguishable Anonymous Communications, 2014. Pre-print paper
J. Gardiner, M. Cova, and S. Nagaraja, Command and Control: Understanding, Denying, and Detecting, 2014. [Tech Report, Checklist, Attack-Infographic, Defence-Infographic]
J. Gardiner and S. Nagaraja, On the reliability of network measurement techniques, in the Proceedings of the Security Protocols Workshop (SPW), 2014. Paper
R. Khurana and S. Nagaraja, Challenges in leveraging vibration-based covert channels for information-theft, in the Proceedings of the Security Protocols Workshop (SPW), 2013. Paper
Photographer anonymity published at WPES 2011 (slides)
Photographer anonymity is a new problem in anonymity and
privacy that I recently defined. The problem is as follows: Alice is a
citizen journalist who's gained entry into a secret conference of
politicians and donors of illegal election money. Alice wants to do a
sting operation to expose the nexus. However the event security detail
ensure that no cameras or recording devices are allowed in the meeting
area. They have also installed CCTVs but as usual there's no one
actively monitoring the footage, but it is being recorded. Given this
threat model, how does Alice expose the collusion between politicians
and illegal donors?
Naive defence: Alice carries a hidden camera device to capture
images which are then published. Attack: attacker analyses the
published images to see where the photographer was standing, then
consults the CCTV footage to identify Alice, who then faces a risk to
personal safety.
Better defence: Alice captures a number of images of the subject from
different angles (a,b,c) and combines them together to form a new
image that appears to have been taken from a randomly chosen angle. Upon
consulting the CCTV the attackers' assessment of the potential
photographer will be wrong. Does this work? We have a few initial
pictures in the slides above, and a full paper on an anonymity framework
and metrics will follow soon.
See press coverage in the
Guardian and New Scientist.
Stegobot: a covert social network botnet
accepted at
the Information
Hiding 2011 (slides).
Stegobot is a proof of concept new-generation botnet where
bots communicate over unobservable communication channels. It is
designed to spread via social-malware attacks and steal information
from its victims. Unlike conventional botnets, Stegobot traffic does
not introduce new communication endpoints between bots. Command and
control information as well as stolen sensitive information are
relayed using steganographic techniques piggybacking over the image
sharing behavior of users in a social network. Hence stolen
information travels along the edges of the victims' social
network. The current implementation is based on a simple routing
algorithm called restricted flooding. The tuning of the
steganographic channels is a key security parameter. It works
surprisingly well in real world experimental deployments; even when
tuned very conservatively (against detection) it is capable of
channeling sensitive payloads of close to 100MB to the botmaster.
See press coverage in the
New
Scientist,
MSNBC, Times of India,
and a
few others.
P3CA: Private Anomaly Detection across ISP Networks
accepted at the
11th Privacy Enhancing Technologies Symposium (PETS 2011).
P3CA is an ongoing project where we are trying to balance
privacy requirements of ISPs with their desire to cooperatively
detect malicious traffic. Often the trail of attack traffic is
distributed across ISPs such that a single ISP might not be able to
perform the job of classifying malicious traffic effectively. This
is because a single small ISP analyzing local traffic trends, would
not have enough information about the 'normal' subspace to make
confident classification decisions. However multiple collaborating
small ISPs can come together to share traffic information and
determine common global trends that helps them to clearly delineate
'normal' traffic from malicious
traffic. A poster on this
project appeared at
NSDI
(the 7th USENIX Symposium on Networked Systems Design and
Implementation).
Botgrep: Finding P2P Bots with Structured Graph Analysis
accepted at
the USENIX Security
2010 Symposium.
This is a paper on botnet detection that I co-authored
with Prateek Mittal, Chi-Yao Hong, Matt Caesar and Nikita Borisov.
Starting with the Storm botnet a few years ago, a number of new
botnets have moved away from a centralized command and control
(C&C) design to a P2P design. This lets them carry out
sophisticated coordination activities whilst being resilient to
the loss of infected machines. However the use of structured P2P
design can also be used to defend against botnets. We show that
this increase is resilience also leads to a loss of stealth. This
allows one to localize a majority of botnet traffic with low false
positive rate.
The impact of unlinkability on adversarial community detection: effects
and countermeasures
accepted at
the Privacy Enhancing
Technologies Symposium(PETS) 2010.
This is a paper on community detection and anonymity
where I consider the threat model of a mobile adversary. The
adversary gathers information by spying on victims' address books
whilst being limited by the number of people she can
simultaneously spy on. The attackers goal is to carry out
community detection i.e. detect clusters of users that are more
densely connected among themselves than with the rest of the
network. For an attacker faced with the task of analyzing hundreds
of terabytes of traffic, this would be an important pre-analysis
exercise in order to concentrate traffic analysis efforts on a
subset of data rather than grappling with the entire mass of data
at once. I show that such attacks are devastatingly effective even
when the victims are communicating using an anonymous
communications network such as Tor. Finally I propose and analyze
community hiding techniques that allow a privacy conscious
community of users to induce unacceptably high rates of error in
in the adversary's detection efforts.
Social Malware Surveillance of the Tibetan Movement
( Slides )
This is a paper on social-malware surveillance that I
co-authored with
Ross
Anderson. We introduce the term social malware to refer to
malware attacks where the dispersion mechanism involves
masquerading as an entity in the close proximity of the intended
target's social network. The attacks are devastatingly effective
and in this report. The implications are significant, for the
corporate world, for governments, for non-governmental
organisations and for individuals too. Developing low cost
measures for resisting these attacks is a serious information
security challenge.
The economics of community hiding presented at
the Workshop on the
Economics of Information Security 2008
A paper on the economics of surveillance and
counter-surveillance, that examines the extent of network
topology information an attacker must gather, in order to uncover
the existence of communities within a network. Our results
support the assertion that while the privacy of the general public
is easily compromised with a small surveillance budget, a covert
group that makes a small investment in counter-surveillance can
escape detection even when the adversary has a very high
surveillance budget covering a majority of the population. Hence,
government initiatives on detecting terrorist networks with large
scale privacy invasion of the public are doomed to failure.
Anonymity in the
wild: Mixes on unstructured networks
( slides )
at PET 2007
Current anonymous communication systems suffer from a vital
incentive design failure. How you design a robust mix network
where the mix operator has incentives to keep her mixes running
in the face of direct adversarial challenges in the form of cease
and desist. Previous approaches have incorporated the property of
plausible deniability in order to design compulsion resistant
systems. We take an alternate approach of having "friends mix
traffic for friends", whose main advantage is that the incentive
model is very well understood by the public. This paper
establishes the theoretical anonymity bounds of various low
latency mix network topologies with expander graph topology as a
baseline to compare with. We established the feasibility and
detail the challenges thrown up by a mix deployment on the
Live-Journal network of friendship ties.
Incentives and
Information Security in
Algorithmic Game Theory, N. Nisan, T. Roughgarden, E. Tardos,
and V. Vazirani (editors), ISBN-13: 9780521872829, Cambridge
University Press, 2007.
Along with Ross Anderson, Tyler Moore and Andy Ozment, I
co-authored a book chapter that surveys several live research
challenges in the economics of information security. We discuss
the persistent problem of misaligned incentives, how network
topology has a significant impact on emerging user incentives,
auctions as a way of measuring security risk, and finally,
asymmetric information and the capacity for hidden action.
the topology of covert conflict
(slides) published
at Workshop on the
Economics of Information Security 2006
In this paper we illustrate how network structure can influence
the evolution of user incentives in the context of security
economics. This work shows several rounds of interplay between
attack and defence strategies, between an attacker out to
minimize the value of the network by reducing the average
shortest path length or the size of the biggest connected
component and defenders fighting back by reorganizing themselves
to maximize the same parameters. Also available
as
Technical Report 637 .
On a dynamic topology of
covert groups presented this year
at
Sunbelt XXVII , a social networks conference.
Suppose you are designing a covert network that is hidden in a
large social network, with incomplete knowledge of the host
network's topology. What should your covert group's topology
look like? This paper discusses the interplay of attack and
defense in the context of detection and hiding of covert groups
in large networks. The global passive adversary uses a series of
high level traffic analysis measures in the form of graph
partitioning algorithms while the covert group must rewire/add a
small number of edges. We analyze a number of strategies of
hiding covert networks and offer suggestions on how to protect
your secret group from the eyes of the "global passive
adversary".
New Strategies for Revocation in Ad-Hoc Networks
won the best paper award at ESAS 2007.
This
paper discusses decentralized strategies for removing misbehaving
nodes in adhoc-networks. It turns out that reelection turns out
to be a better strategy than blackballing. We then propose a more
radical strategy, namely suicide where both the alleged
misbehavior and the behavior detector die, which we find to be
even more efficient.
Privacy amplification with social networks
( slides ) at
SPW 2007
Often, users in a network wishing to communicate, share a weak
secret. We propose protocols for privacy amplification based on
exploiting the topological properties of the social network
connecting the users. After presenting an initial scheme based on
random walks, we propose a number of modifications that exploit
the presence of communities in such networks to make our
protocols efficient with practical bounds. This paper is
currently undergoing substantial revision currently, a new
version should be available soon.
Evaluation Framework of Location Privacy of Wireless Mobile Systems
with Arbitrary Beam Pattern
was published in
Communication Networks and Services Research Conference (CNSR
2007).
In this paper, we counter location privacy compromise by
proposing a low level countermeasure that we call adaptive
beam-forming, to prevent position location of transmitters in
mobile wireless systems. We propose a new antenna design, discuss
its radio characteristics and perform a high level security
analysis to measure the privacy enhancing features as compared to
previous antenna designs.
Time-sync independent Kerberos Authentication Protocol
is a standards draft of a time synchronization independent
kerberos protocol suite. This was originally written for Novell's directory services in order
to provide alternate access to the proprietary nonce based
challenge response protocol, however I left the company soon
after to pursue my PhD and don't know what actually happened to
it.
An Algorithm to cluster directory users into user communities
based on similarity in access is a patent on a
dynamic clustering technique I proposed with Ravi Kiran UVS, a
former colleague at Novell . The
basic idea is that you can group one or more interesting
objects in a directory server based on corresponding access
patterns with regard to other objects, instead of an
administrator coming along and performing complex manual
configuration and often getting it wrong. This leads to a
storage cache management system that massively improves access
times on remote filtered replica servers while reducing administrator
effort.
Security and Policy Integrity in multilateral authorization
systems
was a patent
issued in November 2006, is a system for implementing
multilateral authorization using quorums. First, stakeholders of
a directory object split a quorum private key, the shares of
which for each stakeholder in all access sets is determined. The
shares of the private key held by the stakeholders in any one
access set add up to a number directly related to the private
key. One or more secret keys of the stakeholders are further
determined for each access set. One or more polynomials for the
access sets are then generated by using the shares of the private
key and the secret keys of the object's stakeholders.
Method and System for Amassed Authorization and
An adaptive method and system for user empowered management
based on Dynamic Quorums are still pending with the US patent
office.
Teaching
Spring 2012 -- 2017 -- Network Security
Spring 2014 -- 2017 -- Security and Risk
Fall 2011 -- Introduction to Programming
Spring 2011 --
CSE549 Privacy Enhancing Technologies
Fall 2010 --
CSE539 Distributed Systems Security
CSE595 Topics in Computer Security
Spring 2010 -- ECE428
(at UIUC) Distributed Systems
Service
Program committee member
for PETS 2010,
PETS 2011,
HotWisec2011, ISPEC 2012, EuroPKI 2012, and PET Award 2013 .
External reviewer
for ACM CCS 2009,2010,
2011 ,
IEEE
S&P 2010, ACM Usenix
Security 2010 ,
PET 2004.
Students
Joseph Gardiner (PhD)
Jonathan Weekes (PhD)
The following MSc and Bachelors (dissertation) students have graduated:
|
|
|
|
Jonathan Weekes (VM migration for DDoS resistance) |
Joel Barnham-Noyce (Securing acoustic table-top networks) |
Maryam Abdalnazari (Empirical evaluation of SybilLimit and SybilInfer) |
Maksims Luferovs (SDN controller security for OVS) |
Mandeep Ola (Camera anonymity) |
Abdal Mohammad (Botnet detection via acoustic analysis) |
Joseph Gardiner (Covert channels based on text) |
Daniel Botterill (Traffic anomaly detection) |
Giannis Tziakouris (Malware detection using file system anomalies) |
Madhvi Gupta (Botnet detection using traffic geometry) |
Rushil Khurana (Acoustic covert channels) |
Rohit Kishore (Private clock-skew analysis |
Previous Work
I obtained my B.E. majoring in computer science from Bangalore
University in 1999. I started in the infosec industry in 1997,
implmenting the SET protocol at Zillion Infotech. In 1999, I joined
the network security group at Novell Research at Bangalore, and worked
there until 2004 in various secure distributed computing projects
including leading on the kerberos and NICI projects.