Papers by Sotiris Ioannidis
Over the last several years, popular applications such as Microsoft Internet Explorer and Netscap... more Over the last several years, popular applications such as Microsoft Internet Explorer and Netscape Navigator have become prime targets of attacks. These applications are targeted because their function is to process unauthenticated network data that often carry active content. The processing is done either by helper applications, or by the web browser itself. In both cases the software is often too complex to be bug free. To make matters worse, the underlying operating system can do very little to protect the users against such attacks since the software is running with the user's privileges.
On Using Reliable Network RAM in Networks of Workstations
Scalable Computing: Practice and Experience, 1999
Abstract File systems and databases usually make several synchronous disk write accesses in order... more Abstract File systems and databases usually make several synchronous disk write accesses in order to make sure that the disk always has a consistent view of their data, and that data can be recovered in the case of a system crash. Since synchronous disk operations are slow, some systems choose to employ asynchronous disk write operations, at the cost of low reliability: in case of a system crash all data that have not yet been written to disk are lost. In this paper we describe a software-based approach into using the network memory in a ...

Lecture Notes in Computer Science, 2001
The main focus of active networking research so far has been at the infrastructure level, facing ... more The main focus of active networking research so far has been at the infrastructure level, facing the challenges of designing suitable node operating system structures and the study of different programming models. This has left exploration of the actual utility of active networks to rather simple applications that have yet to exploit the full potential of the programmable network. In this paper we present an application-driven study of active networks, identifying unique and practical applications that make full use of the active infrastructure. We explore a class of applications in network monitoring that indicate a clear need for programmability as offered by active networking technology. We have built several monitoring applications on an active substrate that is synthesized from off-the-shelf components. We demonstrate the flexibility provided while showing that for certain application workloads such a system can efficiently operate at modern backbone network speeds. Our performance study also leads to design considerations for scaling up the infrastructure to future network speeds.
Information Security Conference/Information Security Workshop, 2006
Cooperative defensive systems communicate and cooperate in their response to worm attacks, but de... more Cooperative defensive systems communicate and cooperate in their response to worm attacks, but determine the presence of a worm attack solely on local information. Distributed worm detection and im- munization systems track suspicious behavior at multiple cooperating nodes to determine whether a worm attack is in progress. Earlier work has shown that cooperative systems can respond quickly to day-zero worms,
Lecture Notes in Computer Science, 2002
Packet monitoring arguably needs the flexibility of open architectures and active networking. In ... more Packet monitoring arguably needs the flexibility of open architectures and active networking. In earlier work we have implemented FLAME, an open monitoring system, that balanced flexibility and safety while attempting to achieve high performance by combining the use of a type-safe language, lightweight run-time checks, and fine-grained policy restrictions. We seek to understand the range of applications, workloads, and traffic, for which a safe, open, traffic monitoring architecture is practical. To that end, we investigated a number of applications built on top of FLAME. We use measurement data and analysis to predict the workload at which our system cannot keep up with incoming traffic. We report on our experience with these applications, and make several observations on the current state of open architecture applications.
Proceedings of the 7th ACM conference on Computer and Communications Security, 2000

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014
In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two... more In an effort to hinder attackers from compromising user accounts, Facebook launched a form of two-factor authentication called social authentication (SA), where users are required to identify photos of their friends to complete a log-in attempt. Recent research, however, demonstrated that attackers can bypass the mechanism by employing face recognition software. Here we demonstrate an alternative attack that employs image comparison techniques to identify the SA photos within an offline collection of the users' photos. In this paper, we revisit the concept of SA and design a system with a novel photo selection and transformation process, which generates challenges that are robust against these attacks. The intuition behind our photo selection is to use photos that fail software-based face recognition, while remaining recognizable to humans who are familiar with the depicted people. The photo transformation process creates challenges in the form of photo collages, where faces are transformed so as to render image matching techniques ineffective. We experimentally confirm the robustness of our approach against three template matching algorithms that solve 0.4% of the challenges, while requiring four orders of magnitude more processing effort.. Furthermore, when the transformations are applied, face detection software fails to detect even a single face. Our user studies confirm that users are able to identify their friends in over 99% of the photos

The 11th IEEE International Conference on Networks, 2003. ICON2003.
Viruses and worms are one of the most common causes of security problems in computer systems toda... more Viruses and worms are one of the most common causes of security problems in computer systems today. Users attempt to protect machines from such attacks by using antivirus programs and firewalls, with a mixed record of success at best. One of the main problems with these solutions is that they rely on manual configurations and human intervention, and may fail to react in time to defend against an attack. We present a cooperative immunization system that helps defend against these types of attacks. The nodes in our system cooperate and inform each other of ongoing attacks and the actions necessary to defend. To evaluate our proposal, we discuss a simple virus model and evaluate our system using simulation. Our measurements show that our algorithm is more effective against viruses and more robust against malicious participants in the immunization system.

2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops), 2011
Social networking is one of the most popular Internet activities, with millions of users from aro... more Social networking is one of the most popular Internet activities, with millions of users from around the world. The time spent on sites like Facebook or LinkedIn is constantly increasing at an impressive rate. At the same time, users populate their online profile with a plethora of information that aims at providing a complete and accurate representation of themselves. Attackers may duplicate a user's online presence in the same or across different social networks and, therefore, fool other users into forming trusting social relations with the fake profile. By abusing that implicit trust transferred from the concept of relations in the physical world, they can launch phishing attacks, harvest sensitive user information, or cause unfavorable repercussions to the legitimate profile's owner. In this paper we propose a methodology for detecting social network profile cloning. We present the architectural design and implementation details of a prototype system that can be employed by users to investigate whether they have fallen victims to such an attack. Our experimental results from the use of this prototype system prove its efficiency and also demonstrate its simplicity in terms of deployment by everyday users. Finally, we present the findings from a short study in terms of profile information exposed by social network users.

IFIP Advances in Information and Communication Technology, 2014
In the fight against tax evaders and other cheats, governments seek to gather more information ab... more In the fight against tax evaders and other cheats, governments seek to gather more information about their citizens. In this paper we claim that this increased transparency, combined with ineptitude, or corruption, can lead to widespread violations of privacy, ultimately harming law-abiding individuals while helping those engaged in criminal activities such as stalking, identity theft and so on. In this paper we survey a number of data sources administrerd by the Greek state, offered as web services, to investigate whether they can lead to leakage of sensitive information. Our study shows that we were able to download significant portions of the data stored in some of these data sources (scraping). Moreover, for those datasources that were not ammenable to scraping we looked at ways of extracting information for specific individuals that we had identified by looking at other data sources. The vulnerabilities we have discovered enable the collection of personal data and, thus, open the way for a variety of impersonation attacks, identity theft, confidence trickster attacks and so on. We believe that the lack of a big picture which was caused by the piecemeal development of these datasources hides the true extent of the threat. Hence, by looking at all these data sources together, we outline a number of mitigation strategies that can alleviate some of the most obvious attack strategies. Finally, we look at measures that can be taken in the longer term to safeguard the privacy of the citizens.

NOMS 2002. IEEE/IFIP Network Operations and Management Symposium. ' Management Solutions for the New Communications World'(Cat. No.02CH37327)
Network monitoring is a vital part of modern network infrastructure management. Existing techniqu... more Network monitoring is a vital part of modern network infrastructure management. Existing techniques either present a restricted view of network behavior and state, or do not efficiently scale to higher network speeds and heavier monitoring workloads. We present a novel architecture for programmable packet-level network monitoring that addresses these shortcomings. Our approach allows users to customize the monitoring function at the lowest possible level of abstraction to suit a wide range of monitoring needs: we use operating system mechanisms that result in a programming environment providing a high degree of flexibility, retaining fine-grained control over security, and minimizing the associated performance overheads. We present an implementation of this architecture as well as a set of experimental applications.

IEEE Network, 2010
he popularity of online social networks (OSNs) is ever increasing. The online communities created... more he popularity of online social networks (OSNs) is ever increasing. The online communities created by OSNs are a fast growing phenomenon on the web empowered by new modes of social interaction among people from around the globe. OSNs are useful for keeping in touch with friends, forming new contacts, research collaboration, information sharing, political campaigns [2, 3], and so on. Some OSNs are used for professional contacts, such as LinkedIn and XING [5], where a user can discover business connections, while others, such as Facebook [6], MySpace and Orkut [8], are friendship-focused and primarily used for communication, photo and video sharing, and entertainment. The massive adoption of OSNs by Internet users provides us with a unique opportunity to study possible exploits that may turn them into antisocial networks, that is, platforms for malicious and illegal activities like distributed denial of service (DDoS) attacks, malware propagation, spamming, privacy violations, and disk compromise, to name a few. OSNs have some intrinsic properties that make them ideal for exploitation by an adversary: • A very large and highly distributed user base • Clusters of users sharing the same social interests, developing trust relationships, and seeking access to the same resources • Platform openness for deploying malicious applications that lure users to install them All these characteristics give adversaries the opportunity to massively manipulate Internet users and force them to perform antisocial acts against the rest of the Internet without their knowledge. Apart from controlling social network users and driving them to launch attacks against third parties, an adversary can also harm the users themselves. In this article we explore these properties, develop real exploits, and analyze their impact. Facebook, one of the leading social networks, offers a framework for software developers to create lightweight applications. These application are able to run inside the social network and interact with its resources (users and users' data). In this section we present technical details for the construction of Facebook applications. A user who wants to build a Facebook application must simply add the Developer Application [9] to her account. The application can be implemented in any development environment the user prefers. Facebook and third-party application developers have created a large number of client libraries in several development environments. Facebook officially supports PHP, JavaScript, Connect for iPhone, and Flash/ActionScript client libraries. Facebook does not provide official support for the following client libraries:

Computer Networks, 2006
Increases in scale, complexity, dependency and security for networks have motivated increased aut... more Increases in scale, complexity, dependency and security for networks have motivated increased automation of activities such as network monitoring. We have employed technology derived from active networking research to develop a series of network monitoring systems, but unlike most previous work, made application needs the priority over infrastructure properties. This choice has produced the following results: (1) the techniques for general infrastructure are both applicable and portable to specific applications such as network monitoring; (2) tradeoffs can benefit our applications while preserving considerable flexibility; and (3) careful engineering allows applications with open architectures to perform competitively with custom-built static implementations. These results are demonstrated via measurements of the Lightweight Active Measurement Environment (LAME), its successor, Flexible LAME (FLAME), and their application to monitoring for performance and security.
ACM Computing Surveys, 2008
The Internet enables global sharing of data across organizational boundaries. Distributed file sy... more The Internet enables global sharing of data across organizational boundaries. Distributed file systems facilitate data sharing in the form of remote file access. However, traditional access control mechanisms used in distributed file systems are intended for machines under common administrative control, and rely on maintaining a centralized database of user identities. They fail to scale to a large user base distributed across multiple organizations. We provide a survey of decentralized access control mechanisms in distributed file systems intended for large scale, in both administrative domains and users. We identify essential properties of such access control mechanisms. We analyze both popular production and experimental distributed file systems in the context of our survey.
Scalable Security Policy Mechanisms
ABSTRACT The design principle of restricting local autonomy only where necessary for global robus... more ABSTRACT The design principle of restricting local autonomy only where necessary for global robustness has led to a scalable Internet. Unfortunately, this scalability and capacity for distributed control has not been achieved in the mechanisms for specifying and enforcing security policies.

Lecture Notes in Computer Science, 2009
The expressive power of regular expressions has been often exploited in network intrusion detecti... more The expressive power of regular expressions has been often exploited in network intrusion detection systems, virus scanners, and spam filtering applications. However, the flexible pattern matching functionality of regular expressions in these systems comes with significant overheads in terms of both memory and CPU cycles, since every byte of the inspected input needs to be processed and compared against a large set of regular expressions. In this paper we present the design, implementation and evaluation of a regular expression matching engine running on graphics processing units (GPUs). The significant spare computational power and data parallelism capabilities of modern GPUs permits the efficient matching of multiple inputs at the same time against a large set of regular expressions. Our evaluation shows that regular expression matching on graphics hardware can result to a 48 times speedup over traditional CPU implementations and up to 16 Gbit/s in processing throughput. We demonstrate the feasibility of GPU regular expression matching by implementing it in the popular Snort intrusion detection system, which results to a 60% increase in the packet processing throughput.
Uploads
Papers by Sotiris Ioannidis