research
research (publications) by categories in reversed chronological order. generated by jekyll-scholar.
2024
- A Tip for IOTA Privacy: IOTA Light Node Deanonymization via Tip Selection. Hojung Lee, Suhyeon Lee, and Seungjoo Kim. In ICBC 2024 - IEEE International Conference on Blockchain and Cryptocurrency, 2024
IOTA is a distributed ledger technology that uses a Directed Acyclic Graph (DAG) structure called the Tangle. It is known for its efficiency and is widely used in the Internet of Things (IoT) environment. Tangle can be configured by utilizing the tip selection process. Due to performance issues with light nodes, full nodes are being asked to perform the tip selections of light nodes. However, in this paper, we demonstrate that tip selection can be exploited to compromise users’ privacy. An adversary full node can associate a transaction with the identity of a light node by comparing the light node’s request with its ledger. We show that these types of attacks are not only viable in the current IOTA environment but also in IOTA 2.0 and the privacy improvement being studied. We also provide solutions to mitigate these attacks and propose ways to enhance anonymity in the IOTA network while maintaining efficiency and scalability.
2023
- Hiding in the Crowd: Ransomware Protection by Adopting Camouflage and Hiding Strategy With the Link File. Soohan Lee, Suhyeon Lee, Jiwon Park, and 2 more authors. IEEE Access, 2023
Ransomware is a growing threat and is building ecosystems in the form of ransomware as a service (RaaS). While there have been diverse efforts to detect and mitigate such threats, techniques to bypass such countermeasures have advanced considerably. Since detecting all evolving threats has become challenging, there is a growing interest in developing proactive countermeasures that can minimize the damage even in environments where ransomware has already been executed. In this study, we gained insights from an attacker’s perspective by analyzing ransomware such as LockBit and derived a generic counterstrategy against features that are common in ransomware attacks. Our proposed method protects critical files from existing ransomware by applying a hiding strategy that poses a challenge to attackers in finding the target files. We also present best practices for implementing the strategy using the link file while considering both security and usability, and we improve the method through the addition of a linker and encrypted database to reduce the attack surface. By using real-world ransomware samples, our experiments show that the proposed method successfully protects valuable files against ransomware in a cost-effective manner.
- Rethinking selfish mining under pooled mining. Suhyeon Lee and Seungjoo Kim. ICT Express, 2023
Bitcoin’s core security requires honest participants to control at least 51% of the total hash power. However, it has been shown that several techniques can exploit the fair mining in the Bitcoin network. This study focuses on selfish mining, which is based on the idea of “keeping blocks secret.” Herein, we analyze selfish mining regarding competition between mining pools. We emphasize that mining-related information is shared between mining pools and participants. Based on shared information about selfish mining, we have developed an effective and practical counter strategy.
- Shorting attack: Predatory, destructive short selling on Proof-of-Stake cryptocurrencies. Suhyeon Lee and Seungjoo Kim. Concurrency and Computation: Practice and Experience, 2023
Bitcoin introduced blockchain, which is a transparent and decentralized way of recording lists of digital currency transactions. Bitcoin’s blockchain uses Proof-of-Work as a Sybil control mechanism. However, PoW wastes energy since it uses hash computing competitions to find a block. Hence, various alternative mechanisms have been proposed. Among them, Proof-of-Stake, which is based on the deposit, has been spotlighted. As opposed to Proof-of-Work, Proof-of-Stake requires nodes to have a certain amount of tokens (stake) in order to qualify to validate blocks. The “one-sentence philosophy” of proof of stake is not “security comes from burning energy,” but rather “security comes from putting up economic value-at-loss.” In this article, contrary to popular belief, we point out that this value-at-loss can be hedged by short selling or other financial products. We propose a “shorting attack,” which makes a profit by massive short selling and sabotage of a Proof-of-Stake-based cryptocurrency. The shorting attack implies that the security of a Proof-of-Stake-based cryptocurrency can be made vulnerable by a low stake ratio.
2022
- Block Double-Submission Attack: Block Withholding Can Be Self-Destructive. Suhyeon Lee, Donghwan Lee, and Seungjoo Kim. In AFT 2022 - ACM Conference on Advances in Financial Technologies, 2022
Proof-of-Work (PoW) is a Sybil control mechanism adopted in blockchain-based cryptocurrencies. It prevents the attempt of malicious actors to manipulate distributed ledgers. Bitcoin has successfully suppressed double-spending by accepting the longest PoW chain. Nevertheless, PoW encountered several major security issues surrounding mining competition. One of them is a Block WithHolding (BWH) attack that can exploit a widespread and cooperative environment called a mining pool. This attack takes advantage of untrustworthy relationships between mining pools and participating agents. Moreover, detecting or responding to attacks is challenging due to the nature of mining pools. In this paper, however, we suggest that BWH attacks also have a comparable trust problem. Because a BWH attacker cannot have complete control over BWH agents, they can betray the belonging mining pool and seek further benefits by trading with victims. We prove that this betrayal is not only valid in all attack parameters but also provides double benefits; finally, it is the best strategy for BWH agents. Furthermore, our study implies that BWH attacks may encounter self-destruction of their own revenue, contrary to their intention.
- Do You Really Need to Disguise Normal Servers as Honeypots? Suhyeon Lee, Kwangsoo Cho, and Seungjoo Kim. In MILCOM 2022 - IEEE Military Communications Conference, Nov 2022
A honeypot, which is a kind of deception strategy, has been widely used for at least 20 years to mitigate cyber threats. Decision-makers have believed that honeypot strategies are intuitive and effective, since honeypots have successfully protected systems from Denial-of-Service (DoS) attacks to Advanced Persistent Threats (APT) in real-world cases. Nonetheless, there is a lack of research on the appropriate level of honeypot technique application to choose in real-world operations. We examine and contrast three attack-defense games with respect to honeypot detection techniques in this paper. In particular, we design and contrast two stages of honeypot technology one by one, starting with a game without deception. We demonstrate that the return for a defender using honeypots is higher than for a defender without them, although the defender may not always benefit financially from using more honeypot deception strategies. In particular, disguising regular servers as honeypots does not provide defenders with a better reward. Furthermore, we take into consideration that fake honeypots can make maintaining normal nodes more costly. Our research offers a theoretical foundation for the real-world operator’s decision on honeypot deception tactics and the required number of honeypot nodes.
- Blockchain as a Cyber Defense: Opportunities, Applications, and Challenges. Suhyeon Lee and Seungjoo Kim. IEEE Access, 2022
Targets of cyber crime are not exclusive to the private sector. Successful cyber attacks on nation-states have proved that cyber threats can jeopardize significant national interests. In response, nation-states have begun to handle cyber threats at the national defense level, which is titled ‘cyber defense.’ The cyber defense sector is related to national security and therefore requires robust security technology. Contrary to normal systems, blockchain provides strong security properties without a centralized control entity, and as such its application in the cyber defense field is under the spotlight. In this paper, we present opportunities blockchain provides for cyber defense, research and national projects, and limitations. We constructed a survey of government documents, interviews, related news, technical reports, and research papers from 2016 to 2021. As a result, our research contributes to reducing the gap in blockchain for cyber defense by systematically conducting research and analysis. In our research, we found that not only research but also government-led plans are actively promoting blockchain, which demonstrates that blockchain will play a remarkable role in cyber defense. This paper concludes with suggestions for future research in aspects of the blockchain technology, evaluation, and survey.
2020
- Proof-of-Stake at Stake: Predatory, Destructive Attack on PoS Cryptocurrencies. Suhyeon Lee and Seungjoo Kim. In ACM Mobicom 2020 Workshop - Cryblock, 2020
There have been several 51% attacks on Proof-of-Work (PoW) blockchains recently, including Verge and GameCredits, but the most noteworthy has been the attack that saw hackers make off with up to $18 million after a successful double-spend was executed on the Bitcoin Gold network. For this reason, the Proof-of-Stake (PoS) algorithm, which already has advantages of energy efficiency and throughput, is attracting attention as an alternative to the PoW algorithm. With a PoS, the attacker needs to obtain 51% of the cryptocurrency to carry out a 51% attack. But unlike PoW, the attacker in a PoS system is highly discouraged from launching a 51% attack because he would have to risk losing his entire stake amount to do so. Moreover, even if a 51% attack succeeds, the value of PoS-based cryptocurrency will fall, and the attacker with the most stake will eventually lose the most. In this paper, we propose a predatory, destructive attack on PoS cryptocurrencies. The attacker destroys the PoS cryptocurrency system. Then, using the significant depreciation of cryptocurrency, our method can make a profit from a 51% attack on the PoS cryptocurrencies using the traditional stock market’s short selling (or shorting) concept. Our findings are an example to show that the conventional myth that "a destructive attack that destroys the blockchain ecosystem totally will not occur because it is fundamentally unprofitable to the attacker itself" may be wrong.
2019
- Ransomware protection using the moving target defense perspective. Suhyeon Lee, Huy Kang Kim, and Kyounggon Kim. Computers & Electrical Engineering, 2019
Ransomware has become the most dangerous threat today because of its unique and destructive characteristics. Ransomware encrypts the victim’s important files and then requires money to decrypt them. Ransomware has become among the most preferred measures for cybercriminals to earn money. Moreover, the technology for producing ransomware continues to evolve; as a result, it has become more difficult to defend against. In this study, we analyze major ransomware including WannaCry and propose a method to protect valuable files from existing ransomware. To this end, the moving target defense method is applied by randomly changing the file extensions that ransomware attempts to encrypt. We show that our proposed method can successfully protect files from ransomware. Finally, we show that the proposed method can be reasonably used without performance degradation.
- Countering Block Withholding Attack Efficiently. Suhyeon Lee and Seungjoo Kim. In IEEE INFOCOM 2019 Workshop - Cryblock, Apr 2019
Bitcoin, a well-known cryptocurrency, selected Proof-of-Work (PoW) for its security. The PoW mechanism incentivizes participants and deters attacks on the network. So far, Bitcoin’s PoW has been adopted in many cryptocurrencies. Researchers found, however, some vulnerabilities in PoW such as selfish mining, block withholding attack, and so on. In particular, after Rosenfeld suggested the block withholding attack and Eyal made this attack practical, many variants and countermeasures have been proposed. However, most of the countermeasures require many changes to the mining algorithm itself, which makes them impractical. In this paper, we propose a new countermeasure to prevent the block withholding attack effectively. Mining pools can adopt our method without changing their mining environment.