What's buzzing in the security space? Insights from ACM CCS Conference 2018

Our security research team attended the ACM Conference on Computer and Communication Security (CCS) recently. Here, the team summarize their most important insights from the event. The CCS is one of the top tier annual security conference. It attracts information security researchers from both industrial and academia positions as well as practitioners, developers, and users from all over the world, to explore innovation ideas and results.

Opening of ACM CCS 2018
Mengyuan Zhang

Experienced Researcher, Security

Eva Fogelström

Research Director, Security


Many diverse topics were discussed at CCS, not only in traditional security domains such as web security and vulnerability detection, but also in SDN and IoT security. We noted that research work is starting to tackle security in NFV and authentication in 5G.

It’s important to point out that security is more than technology. In a conference like this the topics range from legal and regulatory issues, ethics, and user behavior to advanced mathematics and computer science. This also opens up opportunities for more interdisciplinary research and cross-domain competence building. Cooperation between academia and industrials, which is more and more frequently seen in conferences, brings about new research models and boosts the research work in a direction of more practical and direct use cases.

Cross-domain synergies

Our first highlight is that new research directions combine multiple domains. As a result, the knowledge sharing between the domains will boost security in both areas. Commonly, security mitigation methods from one domain could be applied into other domains to improve security.

One example: researchers found connections between adversarial machine learning (where the learning process itself may be manipulated or reconstructed by adversaries) and digital watermarking (used to verify authenticity of data). Knowledge and methods of attacks are similar in these two contexts, meaning that exchange of information between the two domains may boost the advance of both areas. The original work, “Forgotten siblings: unifying attacks on machine learning and digital watermarking”, was published in Euro S&P 2018 and brought up in a CCS keynote.

Dynamic defense

Moving target defense (MTD) is a dynamic defense methodology that provides an unpredictable attack surface by reconfiguring the network environment over time. Thus, any information that an attacker gathers from the previous configuration of the system will eventually become obsolete.

Considered a promising solution for cybersecurity in recent years, this methodology is widely combined with  software diversity, cloud security and SDN security. However, quantifying the effects of MTD remains an open research topic, and researchers now adapt diverse security metrics to quantify the security of the cloud before and after deploying MTD, as for example in the paper “Comprehensive security assessment of combined MTD techniques for the cloud”. Although there are working groups on security metrics, the efficiency of security metrics and differentiation of security metrics among multiple platforms should still be studied and evaluated.

Advancing the view on privacy

Since GDPR came into effect in May, privacy-related topics receive significant attention. The keynote “Achieving meaningful privacy in digital systems” was on meaningful privacy, addressing the actual societal concerns. It was pointed out that privacy should not simply be considered as secrecy, data minimization, data leakage or no collection of data.

Rather, privacy should be considered in the context of information flows, typically within the following parameters: data subject, sender, recipient, information type, and transmission principle.

In Ericsson Research, we have done work on privacy together with partners in a collaboration project with Concordia University. At the CCS, we presented a method to preserve both privacy and utility in network traces, in the context of verifying security compliance for a cloud environment, and received positive feedback.

The main idea of our solution, multi-view, is to generate multiple anonymized and sufficiently indistinguishable views of the original network traces for analysts. Only one of the views will then yield true analysis results, privately retrieved by the data owner. The experimental evaluation using network traces provided by a major ISP shows information leaks less than 1% of the information leaked by state-of-art solutions.

Continued interest in SDN and IoT

As another highlight, we note that beside traditional web and mobile security, software-defined networks (SDN) and IoT continue to be in focus for security research.

Researchers focus on building robust and easy-to-manage SDN and IoT environments by proposing solutions in diagnosing network security issues, or security monitoring of virtual applications. We see a trend shifting from theoretical work to proof-of-concepts. Runtime overhead, efficiency and scalability of the solutions are becoming important factors.

Let us give you some examples from CCS: FronGuard, presented in the paper “Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era”, a solution which provides flow-level forensics and diagnosis functions in SDN networks, is implemented on Floodlight controller and diagnosed several real-life control plane attacks, such as loss of LLDP packets, link fabrication, and host location hijacking.

Another solution, PROVSDN, see paper “Cross-App Poisoning in Software-Defined Networking”, has been proposed to mitigate and monitor a cross-app poisoning (CAP) attack. That’s where an application with lower privilege can compromise applications with proper privileges to take actions on behalf of the attacking application, by using data provenance to track the information flow. Researchers built the cross-app information flow graph from 64 applications in the experiment to evaluate their proposed solution.

Interestingly, the same type of technique could often be used for both good and bad purposes. For example, for malicious use, researchers discovered a novel physical side channel, a voltage side channel, which leaks the benign tenants’ power usage information at runtime. It helps attackers precisely time their power attacks. Nevertheless, for misbehavior detection, another group of researchers proposed to generate fingerprints from the encrypted packet sequences that were sniffed from the side channel to monitor smart home applications.

The corresponding paper, “HoMonit: monitoring smart home apps from encrypted traffic”, argues the harmlessness of this type of side channel due to two reasons: first, only encrypted traffics have been used in experiments; and second, it is not easy to setup sniffing equipment within certain distance range of a victim’s home.

Machine learning is a powerful tool

Hot topics such as machine learning, blockchain, smart contracts, TLS and Tor  continuously inspire new research. For example, machine learning is widely used for fingerprinting websites to detect deanonymization attacks on Tor. DeepCorr provides 96% of the accuracy compared to 4% by the state-of-the-art system of RAPTOR by leveraging an advanced deep learning architecture to tailor with Tor’s complex network. Deep Fingerprinting, a new website fingerprinting attack, combines a deep learning model called convolutional neural networks to achieve 98% accuracy on Tor traffic without defenses compared to 90% accuracy by other attacks.

More about CCS

This year, 887 papers were submitted to CCS and 134 of them were accepted. The figure below shows topics presented in the conference.

ACM CCS 2018 topics

If you are interested in learning more detailed information, please visit the CCS website.

The Ericsson blog

In a world that is increasingly complex, we are on a quest for easy. At the Ericsson blog, we provide insight, news and opinion to help make complex ideas on technology, business and innovation simple. If you want to hear from us directly, please head over to our contact page.

Contact us