CyLab Student Seminar
- Robert Mehrabian Collaborative Innovation Center
- WILLIAM MELICHER
- Ph.D. Student
- Department of Electrical and Computer Engineering
- Carnegie Mellon University
Modeling Security Weaknesses to Enable Practical Runtime Defenses
Security weaknesses are often caused by patterns in human behaviors. However, it can be difficult to identify such patterns in a practical, yet accurate way. In order to fix security weaknesses, it is crucial to identify and detect them. Useful systems to model security weaknesses must be accurate enough to guide users' decisions, but also be lightweight enough to produce results in a reasonable time frame. In this thesis, we show how machine learning techniques allow us to detect security weaknesses that result from patterns in human behavior faster and more efficiently than current approaches, enabling new, practical run-time defenses. We present two applications to support this thesis.
First, we use neural networks to identify users' weak passwords and show how to make such models practical for fully client-side password feedback. One problem with current password feedback is that users can get either quick but substantially incorrect feedback by using heuristics that have little relation to password strength, or accurate but slow feedback by simulating adversarial guessing using large models. In contrast, we found that our models of password guessing are both more accurate and smaller than previous ones, which enables us to more practically estimate resistance to password-guessing attacks in real time on client machines.
William Melicher is a PhD candidate at Carnegie Mellon University, where he is advised by Lujo Bauer. William has broad interests in security and privacy research, and has worked on projects on usable security, online privacy, security applications of machine learning, and web security. He has received several awards, including two best paper awards for work on passwords, at USENIX Security and CHI, and the IEEE Cybersecurity Award for Practice. During his doctoral work, William spent two summers working at Google on the identity and privacy teams.
This is a practice talk for William's PhD thesis defense.