Even Turing Should Sometimes Not Be Able To Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services
Stephan Wiefling (1), Nils Gruschka (2), Luigi Lo Iacono (1)
(1) TH Köln – University of Applied Sciences
(2) University of Oslo
Stephan Wiefling, Nils Gruschka, Luigi Lo Iacono | Aalborg, Denmark | NordSec 2019

Motivation
- Algorithms impact our society
- Technical aspects are hidden behind user interfaces
- Data availability is needed for reliable research
- Most online services are black boxes
- Lack of transparency hinders research
- Reverse engineering is needed

Reverse engineering is complicated…
- No unique path to conduct such an analysis
- Services implement countermeasures
→ Camouflage measures are needed

HOSIT: Humanoid Online Service Inspection Tool

Overview
1. Tool
2. Proof of Concept
3. Conclusion

Inspection Tool
- Simulates human-like browsing behavior on online services
- All actions have to be predefined by the researchers (HOSIT does not act on its own)
- Reliable and reproducible research
- Based on the Puppeteer API

Architecture (diagram): Conductor → Study (Training Procedures, Inspection Procedures, Virtual Identities) → API → HOSIT Framework (Human User Imitation, Log) → Inspected Service

Virtual Identities
- Define properties
  - Typing and clicking behavior
  - Interests
  - …

Training Procedures
- New accounts are considered suspicious
- Need to create valid behavior first
- Takes time
- Define activities to be performed on the online service and on other online services (tracking)
- Executed multiple times
- Let the service learn "normal" behavior
- Get tracked on other websites by the service
- Desired result: get labeled as a "normal" user

Inspection Procedures
- Create unusual behavior at the online service
- Analyze the service's reaction to the unusual behavior

HOSIT Framework
- Executes the actions
- Adds human-imitating behavior to function calls
  - Based on the properties of the virtual identity
- Logs all actions with screenshots
  - Reproducibility

Why do we need another browser automation tool?

Click Behavior (figure: Puppeteer 0.13.0 vs. HOSIT)*
* Komandur et al.: Relation between mouse button click duration and muscle contraction time. In: EMBC '08 (Aug 2008)

Typing Speed (figure: Puppeteer 0.13.0 vs. HOSIT)
- Puppeteer 0.13.0: constant delay t between keystrokes
- HOSIT: randomized variations*
* Drury, C.G., Hoffmann, E.R.: A model for movement time on data-entry keyboards. Ergonomics 35(2) (Feb 1992)
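A detection-side reading of the typing-speed slide, as an added example that is not code from HOSIT or Puppeteer: a fixed per-keystroke delay leaves inter-key intervals with almost no spread, which a service can measure from client-side key-down timestamps. The timestamps and the threshold below are constructed assumptions.

```javascript
// Added example (not from the slides): flag keystroke sequences whose
// inter-key intervals are too regular to be human. Sample data is constructed.

// Inter-key intervals (ms) from a list of key-down timestamps (ms).
function intervals(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) out.push(timestamps[i] - timestamps[i - 1]);
  return out;
}

function mean(xs) {
  return xs.reduce((a, b) => a + b, 0) / xs.length;
}

// Coefficient of variation: standard deviation relative to the mean, so the
// check does not depend on how fast the typist is, only on how regular.
function coefficientOfVariation(xs) {
  const m = mean(xs);
  const variance = mean(xs.map((x) => (x - m) ** 2));
  return Math.sqrt(variance) / m;
}

// A constant delay (Puppeteer's fixed `delay` option) gives a CV near 0;
// human typing spreads widely. The 0.15 cut-off is an assumed threshold.
function classifyTyping(timestamps, minCv = 0.15) {
  const iv = intervals(timestamps);
  if (iv.length < 5) return { verdict: "insufficient_data", cv: NaN };
  const cv = coefficientOfVariation(iv);
  return { verdict: cv < minCv ? "automated_constant_delay" : "human_like", cv };
}

// Constructed samples: 12 key-downs exactly 100 ms apart, and 12 with
// human-like jitter between roughly 60 ms and 220 ms.
const CONSTANT_DELAY = Array.from({ length: 12 }, (_, i) => 1000 + i * 100);
const VARIABLE_DELAY = [1000, 1130, 1190, 1370, 1440, 1620, 1700, 1905, 1980, 2200, 2290, 2480];
```

A client that randomizes its delays, as the slide says HOSIT does, passes this check, so interval regularity is only a first-order signal and should be combined with other features.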
Bot Detection Protection (figure: Puppeteer 0.13.0 vs. HOSIT)

Browsing Behavior Changes (figure: Persona A vs. Persona B)

More Functions
- Common workflows integrated
  - Search query generator
  - CAPTCHA solving
  - Scrolling
  - Select tabs

Example Script
- Opens a search engine
- Clicks on image search
- Types a random search query covered in the media
- Scrolls to the bottom of the results
- Video recorded on October 22nd, 2019

Overview
1. Tool
2. Proof of Concept
3. Conclusion

Proof of Concept
- Study on Risk-based Authentication*
- Required human-like behavior from clients
* Wiefling et al.: Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. In: IFIP SEC '19 (Jun 2019)

Risk-based Authentication (diagram): login features (IP address, user agent, ...) + username and password → risk estimation → risk: low / medium / high

Example 1: IP: Aalborg, DK; Chrome; Windows 10; ...
- "Same device as always" → risk estimation: low risk

Example 2: IP: Berlin, DE; Chrome; Android 8.1; ...
- "There's something different here" → risk estimation: medium risk → additional authentication
- Proof for additional authentication

Example 3: IP: New York, US (known spam IP address); PhantomJS; Linux; ...
- "Very likely a hacker" → risk estimation: high risk
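The three login cases above, worked through as an added example that is not code from the slides or the cited RBA study: a minimal risk scorer that compares a login's features with the account's history and maps the score to low, medium or high. The feature weights, thresholds, spam-IP list and the resulting action per level are constructed assumptions.

```javascript
// Added example (not from the slides): minimal risk-based authentication
// scoring. Weights, thresholds and sample values are constructed assumptions.

const KNOWN_SPAM_IPS = new Set(["203.0.113.7"]); // constructed, TEST-NET-3 range
const HEADLESS_UA_MARKERS = ["PhantomJS", "HeadlessChrome"]; // assumed indicators

// Summarise the account's previous successful logins into what is "normal".
function buildProfile(history) {
  const profile = { countries: new Set(), browsers: new Set(), os: new Set() };
  for (const h of history) {
    profile.countries.add(h.country);
    profile.browsers.add(h.browser);
    profile.os.add(h.os);
  }
  return profile;
}

// Score one login attempt against the profile and map the score to a level.
function estimateRisk(profile, login) {
  const reasons = [];
  let score = 0;
  const add = (points, why) => { score += points; reasons.push(why); };
  if (!profile.countries.has(login.country)) add(2, "unknown country");
  if (!profile.os.has(login.os)) add(1, "unknown operating system");
  if (!profile.browsers.has(login.browser)) add(1, "unknown browser");
  if (KNOWN_SPAM_IPS.has(login.ip)) add(3, "known spam IP address");
  if (HEADLESS_UA_MARKERS.some((m) => login.userAgent.includes(m))) {
    add(3, "headless/automation user agent");
  }
  // Thresholds are an assumption; deployments tune them on real login data.
  const level = score === 0 ? "low" : score <= 3 ? "medium" : "high";
  // Assumed policy: low -> allow, medium -> step-up authentication, high -> deny.
  const action = { low: "allow", medium: "additional_authentication", high: "deny" }[level];
  return { level, score, reasons, action };
}

// Constructed sample data mirroring the three slides (Aalborg, Berlin, New York).
const PROFILE = buildProfile([
  { country: "DK", browser: "Chrome", os: "Windows 10", ip: "198.51.100.10" },
]);
const LOGINS = {
  sameDevice: { country: "DK", browser: "Chrome", os: "Windows 10", ip: "198.51.100.10",
    userAgent: "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" },
  newDevice: { country: "DE", browser: "Chrome", os: "Android 8.1", ip: "198.51.100.77",
    userAgent: "Mozilla/5.0 (Linux; Android 8.1) Chrome/78.0" },
  suspicious: { country: "US", browser: "PhantomJS", os: "Linux", ip: "203.0.113.7",
    userAgent: "Mozilla/5.0 (X11; Linux) PhantomJS/2.1.1" },
};
```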