Lee, Wenke

Associated Organization(s)
Organizational Unit
ArchiveSpace Name Record

Publication Search Results

Now showing 1 - 10 of 14
  • Item
    Cybersecurity Demo Day 2018 Introduction
    (Georgia Institute of Technology, 2018-04-12) Lee, Wenke
    Vetted and coached to enter the marketplace, students presented ideas for commercialization before venture capitalists, industry leaders, and the public at the Institute for Information Security & Privacy's Cybersecurity Demo Day Finale. This year's prize pool included generous support from partners of the Institute for Information Security & Privacy, Create-X Startup LAUNCH, the National Science Foundation Innovation Corps (I-Corps) program at VentureLab, ATDC, and Speakeasy.
  • Item
    Mimesis Aegis: A Mimicry Privacy Shield
    (Georgia Institute of Technology, 2014-07) Lau, Billy ; Chung, Simon ; Song, Chengyu ; Jang, Yeongjin ; Lee, Wenke ; Boldyreva, Alexandra
    Users are increasingly storing, accessing, and exchanging data through public cloud services such as those provided by Google, Facebook, Apple, and Microsoft. Although users may want to have faith in cloud providers to provide good security protection, the Snowden expos´e is the latest reminder of the reality we live in: the confidentiality of any data in public clouds can be violated, and consequently, while the providers may not be “doing evil”, we can not and should not trust them with data confidentiality. To better protect the privacy of user data stored on the cloud, in this paper we propose a privacy-preserving system called Mimesis Aegis (M-Aegis) that is suitable for mobile platforms. M-Aegis is a new approach to user data privacy that not only provides isolation but also preserves user experience, through the creation of a conceptual layer called Layer 7.5 (L-7.5), which is interposed between the application (Layer 7) and the user (Layer 8). This approach allows M-Aegis to implement a true endto- end encryption of user data with three goals in mind: 1) complete data and logic isolation from untrusted entities; 2) the preservation of original user experience with target apps; and 3) applicable to a large number of apps and resilient to updates.
  • Item
    Leveraging Forensic Tools for Virtual Machine Introspection
    (Georgia Institute of Technology, 2011) Dolan-Gavitt, Brendan ; Payne, Bryan ; Lee, Wenke
    Virtual machine introspection (VMI) has formed the basis of a number of novel approaches to security in recent years. Although the isolation provided by a virtualized environment provides improved security, software that makes use of VMI must overcome the semantic gap, reconstructing high-level state information from low-level data sources such as physical memory. The digital forensics community has likewise grappled with semantic gap problems in the field of forensic memory analysis (FMA), which seeks to extract forensically relevant information from dumps of physical memory. In this paper, we will show that work done by the forensic community is directly applicable to the VMI problem, and that by providing an interface between the two worlds, the difficulty of developing new virtualization security solutions can be significantly reduced.
  • Item
    I Own, I Provide, I Decide: Generalized User-Centric Access Control Framework for Web Applications
    (Georgia Institute of Technology, 2010) Singh, Kapil ; Erete, Ikpeme ; Lee, Wenke
    With the rapid growth of Web 2.0 technologies, users are contributing more and more content on the Internet, in the form of user profiles, blogs, reviews, etc. With this increased sharing comes a pressing need for access control policies and mechanisms to protect the users’ privacy. Access control has remained largely centralized and under the control of the web applications hosted on their servers. Moreover, most web applications either provide no or very primitive and limited access control. We argue that the owner of any piece of data on the web should be able to decide how to control access to this data. This argument should hold not only for the web applications contributing data, but also for the contributing users. In other words, users should be able to choose their own access control models to control the sharing of their data independent of the underlying applications of their data. In this work, we present a novel framework, called xAccess, for providing generic access control that empowers users to control how they want their data to be accessed. Such a control could be in the form of user-defined access categories, or in the form of new access control models built on top of our framework. On one hand, xAccess enables individual users to use a single unified access control across multiple web applications; and on the other hand, it allows an application to support different access control models deployed by its users with a single model abstraction. We demonstrate the viability of our design by means of a platform prototype. The usability of the platform is further evaluated by developing sample applications using the xAccess APIs. Our results show that our model incurs minimum overhead in enforcing the generic access control and requires negligible changes to the application code for deployment.
  • Item
    Evaluating Bluetooth as a Medium for Botnet Command and Control
    (Georgia Institute of Technology, 2009) Jain, Nehil ; Lee, Wenke ; Sangal, Samrit ; Singh, Kapil ; Traynor, Patrick
    Malware targeting mobile phones is being studied with increasing interest by the research community. While such attention has previously focused on viruses and worms, many of which use near-field communications in order to propagate, none have investigated whether more complex malware such as botnets can effectively operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.
  • Item
    Rotalumè: A Tool for Automatic Reverse Engineering of Malware Emulators
    (Georgia Institute of Technology, 2009) Sharif, Monirul I. ; Lanzi, Andrea ; Giffin, Jonathon ; Lee, Wenke
    Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalumè and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalumè accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.
  • Item
    CAREER: adaptive intrusion detection systems
    (Georgia Institute of Technology, 2008-10-31) Lee, Wenke
  • Item
    Emerging Cyber Threats Report for 2009
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Amster, Dave ; Barrett, Michael ; Cross, Tom ; Heron, George ; Jackson, Don ; King, Jeff ; Lee, Wenke ; Naraine, Ryan ; Ollmann, Gunter ; Ramsey, Jon ; Schmidt, Howard A. ; Traynor, Patrick
    On October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats and countermeasures affecting the digital world. At the conclusion of the event, GTISC released this Emerging Cyber Threats Report—outlining the top five information security threats and challengesfacing both consumer and business users in 2009. This year’s summit participants include security experts from the public sector, private enterprise and academia, reinforcing GTISC’s collaborative approach to addressing information security technology and policy challenges. "As one of the leading academic research centers focused on information security, GTISC believes strongly that a proactive and collaborative approach to understanding emerging threats will help us develop more effective information security technologies and strategies," said Mustaque Ahamad, director of GTISC. "The annual GTISC Security Summit on Emerging Cyber Security Threats and our annual Emerging Cyber Threats Report seek to give us a better understanding of the cyber security challenges we will face in the years ahead." GTISC research and advance interviews with key information security experts from government, industry and academia uncovered five specific trends and some profound questions that will drive threats and countermeasures in 2009 and beyond, including: Malware, Botnets, Cyber warfare, Threats to VoIP and mobile devices, and The evolving cyber crime economy. In an effort to inform the broader community about current and future risks, this report will describe each emerging threat, existing or potential countermeasures, and how the threat may evolve in the coming year. In addition, our experts will offer their opinion on the role that Internet security education and regulation may play in further preventing the spread of cyber crime.
  • Item
    The 2008 GTISC Security Summit - Emerging Cyber Security Threats
    (Georgia Institute of Technology, 2008-10-15) Ahamad, Mustaque ; Goodman, Seymour E. ; Rouland, Christopher Jay ; Elder, Robert J., Jr. ; Kwon, Mischel ; Lee, Wenke ; Moore, Morris ; Noonan, Thomas E. ; Ramsey, Jon ; Ransome, James ; Thompson, Heath
    Welcome address by Mustaque Ahamad, Director, Georgia Tech Information Security Center, Professor, College of Computing. Opening remarks by Sy Goodman, Professor and Co-Director, Center for International Strategy, Technology, and Policy ; Chris Rouland, Adjunct Lecturer College of Computing. Introduction by Tom Noonan, former chairman, president and chief executive officer of Internet Security Systems, Inc. Keynote address: Global Operations and Mission Assurance in a Contested Cyber Environment by Lt. General Robert J. Elder, Jr., Commander Eighth Air Force, Barksdale Air Force Base. Panel Discussions: Moderator: Thomas E. Noonan, Entrepreneur ; Mischel Kwon, Director, United States Computer Emergency Readiness Team; National Cyber Security Division, U.S. Department of Homeland Security ; Wenke Lee, Associate Professor, Georgia Tech Information Security Center ; Morris Moore, Vice President of Security Technology, Motorola's Applied Research and Technology Center ; Jon Ramsey, Chief Technology Officer, SecureWorks ; Jim Ransome, Senior Director, Secure Unified Wireless and Mobility Solutions Corporate Security Programs and Global Government Solutions, Cisco ; Heath Thompson, Director, Product Development, IBM/Internet Security Systems
  • Item
    Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic
    (Georgia Institute of Technology, 2005) Kolesnikov, Oleg ; Lee, Wenke
    Normal traffic can provide worms with a very good source of information to camouflage themselves. In this paper, we explore the concept of polymorphic worms that mutate based on normal traffic. We assume that a worm has already penetrated a system and is trying to hide its presence and propagation attempts from an IDS.We focus on stealthy worms that cannot be reliably detected by increases in traffic because of their low propagation factor.We first give an example of a simple polymorphic worm. Such worms can evade a signature-based IDS but not necessarily an anomaly-based IDS. We then show that it is feasible for an advanced polymorphic worm to gather a normal traffic profile and use it to evade an anomaly-based IDS.We tested the advanced worm implementation with three anomaly IDS approaches: NETAD, PAYL and Service-specific IDS. None of the three IDS approaches were able to detect the worm reliably. We found that the mutated worm can also evade other detection methods, such as the Abstract Payload Execution. The goal of this paper is to advance the science of IDS by analyzing techniques polymorphic worms can use to hide themselves. While future work is needed to present a complete solution, our analysis can be used in designing possible defenses. By showing that polymorphic worms are a practical threat, we hope to stimulate further research to improve existing IDS.