Spam Filter Challenge

Adaptation of Adversaries [1]

  • The adversaries are motivated to transform the test data to reduce the learner’s effectiveness. 
  • Spam filter designers
    • Attempt to learn good filters by training their algorithms on Spam (and legitimate) email messages received in the recent past. 
  • Spammers
    • Are motivated to reverse-engineer existing Spam filters and use this knowledge to generate messages which are different enough from the (inferred) training data to circumvent the filters. 


  • Increase the robustness of the learning algorithm to generic training/test data differences via standard methods such as regularization or minimization of worst-case loss [1]
    • However, these techniques do not account for the adversarial nature of the training/test set discrepancies and may be overly conservative.
  • Predictive analytics to anticipate and counter the adversaries [1]
    • For example, predictions can be made using extrapolation or game-theoretic considerations, and can be employed to transform training instances so that they become similar to (future) test data and therefore provide a more appropriate basis for learning.
  • Time-varying posture to increase uncertainty [1]
    • Pros
      • This approach is flexible, scalable, easy to implement, and hard to reverse-engineer.


[1] Moving Target Defense for Adaptive Adversaries, by Richard Colbaugh and Kristin Glass, in ISI 2013.

Covert Channel Tutorial

High-speed Covert Channel Attacks in the Cloud

  • The challenges in conducting covert channel attacks
    • scheduling uncertainty
    • address uncertainty
    • cache physical limitations
      • Different VMs may not share cache
      • This can be overcome through the way the system implements atomic operations
        • i.e., the memory bus will be locked when a cache is being locked.
  • Memory-bus based covert channel attacks

User Mode and Kernel Mode

Mode Bit

  • A bit, called the mode bit, is added to the hardware of the computer to indicate the current mode.
    • 0: kernel mode
      • When a task is executed on behalf of the operating system
    • 1: user mode
      • When a task is executed on behalf of the user


  • Whenever a trap or interrupt occurs, the hardware switches from user mode to kernel mode
    • i.e., change mode bit to 0
  • When a user application requests a service from the operating system (via a system call)
    • It must transition from user to kernel mode to fulfill the request
  • Privileged Instructions
    • The hardware allows privileged instructions to be executed only in kernel mode.
    • The instruction to switch to kernel mode is an example of a privileged instruction. Other examples include I/O control, timer management, and interrupt management.
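
What these rules look like from user space, as an added example that is not part of the original notes: a child process that executes a privileged instruction is stopped by the hardware trap and killed by the kernel (SIGSEGV on x86-64 Linux), while a system call completes normally. It assumes Linux on x86-64 or AArch64 with GCC or Clang; the function names are made up for this example.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* A privileged instruction, issued while the CPU is in user mode. */
static void privileged_instruction(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("hlt");            /* halting the CPU is kernel-mode only */
#elif defined(__aarch64__)
    unsigned long v;                    /* reading a kernel-only system register */
    __asm__ volatile("mrs %0, sctlr_el1" : "=r"(v));
    (void)v;
#else
#error "add a privileged instruction for this architecture"
#endif
}

/* The sanctioned path: the system call traps into the kernel, the kernel
   does the work in kernel mode, then control returns to user mode. */
static void system_call(void) {
    (void)getppid();
}

/* Run fn in a child process (assumed helper for this example).
   Returns 0 if the child exited normally, the number of the signal that
   killed it otherwise, or -1 if fork/waitpid failed. */
int run_in_user_mode(void (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                     /* child: try the operation */
        fn();
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    printf("system call:            signal %d\n",
           run_in_user_mode(system_call));
    printf("privileged instruction: signal %d\n",
           run_in_user_mode(privileged_instruction));
    return 0;
}
```

The trap fires before the instruction has any effect, so the fault is confined to the offending process and the rest of the system keeps running.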

Virtual Memory


  • It allows the execution of a process that is not completely in memory, so it enables users to run programs that are larger than actual physical memory.
  • In addition, it abstracts main memory into a larger, uniform array of storage, separating logical memory as viewed by the user from physical memory. This arrangement frees programmers from concern over memory-storage limitations.


Device Controller

  • A device controller is in charge of the devices. 
  • It maintains 
    • some local buffer
    • and a set of special purpose registers
  • It is responsible for moving the data between the peripheral devices that it controls and its local buffer storage.

Device Driver

  • The operating system has a device driver for each device controller
  • This device driver understands the device controller and presents a uniform interface to the device to the rest of the operating system

Interrupt-Driven I/O

  • Procedure
    • The device driver loads the appropriate registers within the device controller.
    • The device controller, in turn, examines the contents of these registers to determine what action to take.
    • The controller starts the transfer of the data from the device to its local buffer.
    • Once the transfer of data is complete, the device controller informs the device driver via an interrupt that it has finished its operation.
    • The device driver then returns control to the operating system, possibly returning the data or a pointer to the data if the operation was a read.
  • Drawback
    • High overhead when used for bulk data movement such as disk I/O.
    • To solve this problem, direct memory access (DMA) is used.

Direct Memory Access (DMA)

  • After setting up buffers, pointers, and counters for the I/O device, the device controller transfers an entire block of data directly to or from its own buffer storage to the memory, with no intervention by the CPU.



The occurrence of an event is usually signaled by an interrupt from either the hardware or the software.

  • Hardware
    • Hardware may trigger an interrupt at any time by sending a signal to the CPU, usually by way of the system bus.
  • Software (called Trap)
    • Software may trigger an interrupt by executing a special operation called a system call.
    • A trap could be, e.g., a division by zero or an invalid memory access

Return Address

  • Before the interrupt
    • Before the interrupt is serviced, the return address is stored on the system stack.
  • After the interrupt
    • After the interrupt is serviced, the saved return address is loaded into the program counter, and the interrupted computation resumes as though the interrupt had not occurred.



When a computer starts running, i.e., when it is powered up or rebooted, it needs to have an initial program to run.

This initial program, or bootstrap program, tends to be simple. Typically, it is stored in read-only memory (ROM) or electrically erasable programmable read-only memory (EEPROM), known by the general term firmware, within the computer hardware.

Computer Storage Unit


A bit is the basic unit of computer storage. It can contain one of two values, zero or one.


A byte is 8 bits, and on most computers it is the smallest convenient chunk of storage. 
  • For example, most computers don’t have an instruction to move a bit but do have one to move a byte


A word is generally made up of one or more bytes. 
  • For example, a computer may have instructions to move 64-bit (8-byte) words.


Kilobyte (KB)

  • 1024 Bytes


Megabyte (MB)

  • (1024)^2 Bytes
    • Usually rounded off to 1 million bytes


Gigabyte (GB)

  • (1024)^3 Bytes
    • Usually rounded off to 1 billion bytes