Electrical & Computer Engineering
Permanent URI for this communityhttp://hdl.handle.net/1903/2234
Browse
86 results
Search Results
Item Hardware Assisted Solutions for Automobile Security(2019) Wang, Qian; Qu, Gang; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)In the past couple of decades, many in-vehicle features have been invented and deployed in order to make modern vehicles which not only safer and more reliable but also connected, smarter, and intelligent. Meanwhile, vehicular ad-hoc networks (VANETs) are proposed to provide communications between vehicles and road-side stations as the foundation of the intelligent transportation system to provide efficient and safe transportation. To support these updated functions, a large amount of electronic equipment has been integrated into the car system. Although these add-on functions around vehicles offer great help in driving assistance, they inevitably introduced new security vulnerabilities that threaten the safety of the on-board drivers, passengers and pedestrians. This has been demonstrated by many well-documented attacks either on the in-vehicle bus system or on the wireless vehicular network communications. In this dissertation, we design and implement several hardware-oriented solutions to the arousing security issues on vehicles. More specifically, we focus on three important and representative problems: (1) how to secure the in-vehicle Controller Area Network (CAN), (2) how to secure the communication between vehicle and outside, and (3) how to establish trust on VANETs. Current approaches based on cryptographic algorithms to secure CAN bus violate the strict timing and limited resource constraints for CAN communications. We thus emphasize on the alternate solution of intrusion detection system (IDS) in this dissertation. We explore monitoring the changes of CAN message content or the physical delay of its transmission to detect on the CAN bus. We first propose a new entropy-based IDS following the observation that all the known CAN message injection attacks need to alter the CAN identifier bit. Thus, analyzing the entropy changes of such bits can be an effective way to detect those attacks. Next, we develop a delay-based IDS to protect the CAN network by identifying the location of the compromised Electronic Control Unit (ECU) from the transmission delay difference to two terminals connected to the CAN bus. We demonstrate that both approaches can protect the integrity of the messages on CAN bus leading to a further improve the security and safety of autonomous vehicles. In the second part of this dissertation, we consider Plug-and-Secure, an industrial practice on key management for automotive CAN networks. It has been proven to be information theoretically secure. However, we discover side-channel attacks based on the physical properties of the CAN bus that can leak almost the entire secret key bits. We analyze the fundamental characteristics that lead to such attacks and propose techniques to minimize information leakage at the hardware level. Next, we extend our study from in-vehicle secure CAN communication to the communication between vehicle and outside world. We take the example of the popular GPS spoofing attack and show how we can use the rich information from CAN bus to build a cross-validation system to detect such attacks. Our approach is based on the belief that the local driving data from the in-vehicle network can be authenticated and thus trusted by secure CAN networks mechanisms. Such data can be used to cross-validate the GPS signals from the satellite which are vulnerable to spoofing attacks. We conduct driving tests on real roads to show that our proposed approach can defend both GPS spoofing attacks and location-based attacks on the VANETs. Finally, we propose a blockchain based Anonymous Reputation System (BARS) to establish a privacy-preserving trust model for VANETs. The certificate and revocation transparency is implemented efficiently with the proofs of presence and absence based on the extended blockchain technology. To prevent the broadcast of forged messages, a reputation evaluation algorithm is presented relying on both direct historical interactions of that vehicle and indirect opinions from the other vehicles. This dissertation features solutions to vehicle security problems based on hardware or physical characteristics, instead of cryptographic algorithms. We believe that given the critical timing requirement on vehicular systems and their very limited resource (such as the bandwidth on CAN bus), this will be a very promising direction to secure vehicles and vehicular network.Item Extending The Applicability of Non-Malleable Codes(2019) Kulkarni, Mukul; Dachman-Soled, Dana; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)Modern cryptographic systems provide provable security guarantees as long as secret keys of the system remain confidential. However, if adversary learns some bits of information about the secret keys the security of the system can be breached. Side-channel attacks (like power analysis, timing analysis etc.) are one of the most effective tools employed by the adversaries to learn information pertaining to cryptographic secret keys. An adversary can also tamper with secret keys (say flip some bits) and observe the modified behavior of the cryptosystem, thereby leaking information about the secret keys. Dziembowski et al. (JACM 2018) defined the notion of non-malleable codes, a tool to protect memory against tampering. Non-malleable codes ensure that, when a codeword (generated by encoding an underlying message) is modified by some tampering function in a given tampering class, if the decoding of tampered codeword is incorrect then the decoded message is independent of the original message. In this dissertation, we focus on improving different aspects of non-malleable codes. Specifically, (1) we extend the class of tampering functions and present explicit constructions as well as general frameworks for constructing non-malleable codes. While most prior work considered ``compartmentalized" tampering functions, which modify parts of the codeword independently, we consider classes of tampering functions which can tamper with the entire codeword but are restricted in computational complexity. The tampering classes studied in this work include complexity classes $\mathsf{NC}^0$, and $\mathsf{AC}^0$. Also, earlier works focused on constructing non-malleable codes from scratch for different tampering classes, in this work we present a general framework for constructing non-malleable codes based on average-case hard problems for specific tampering families, and we instantiate our framework for various tampering classes including $\mathsf{AC}^0$. (2) The locality of code is the number of codeword blocks required to be accessed in order to decode/update a single block in the underlying message. We improve efficiency and usability by studying the optimal locality of non-malleable codes. We show that locally decodable and updatable non-malleable codes cannot have constant locality. We also give a matching upper bound that improves the locality of previous constructions. (3) We investigate a stronger variant of non-malleable codes called continuous non-malleable codes, which are known to be impossible to construct without computational assumptions. We show that setup assumptions such as common reference string (CRS) are also necessary to construct this stronger primitive. We present construction of continuous non-malleable codes in CRS model from weaker computational assumptions than assumptions used in prior work.Item Scalable and Accurate Memory System Simulation(2019) Li, Shang; Jacob, Bruce; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)Memory systems today possess more complexity than ever. On one hand, main memory technology has a much more diverse portfolio. Other than the mainstream DDR DRAMs, a variety of DRAM protocols have been proliferating in certain domains. Non-Volatile Memory(NVM) also finally has commodity main memory products, introducing more heterogeneity to the main memory media. On the other hand, the scale of computer systems, from personal computers, server computers, to high performance computing systems, has been growing in response to increasing computing demand. Memory systems have to be able to keep scaling to avoid bottlenecking the whole system. However, current memory simulation works cannot accurately or efficiently model these developments, making it hard for researchers and developers to evaluate or to optimize designs for memory systems. In this study, we attack these issues from multiple angles. First, we develop a fast and validated cycle accurate main memory simulator that can accurately model almost all existing DRAM protocols and some NVM protocols, and it can be easily extended to support upcoming protocols as well. We showcase this simulator by conducting a thorough characterization over existing DRAM protocols and provide insights on memory system designs. Secondly, to efficiently simulate the increasingly paralleled memory systems, we propose a lax synchronization model that allows efficient parallel DRAM simulation. We build the first ever practical parallel DRAM simulator that can speedup the simulation by up to a factor of three with single digit percentage loss in accuracy comparing to cycle accurate simulations. We also developed mitigation schemes to further improve the accuracy with no additional performance cost. Moreover, we discuss the limitation of cycle accurate models, and explore the possibility of alternative modeling of DRAM. We propose a novel approach that converts DRAM timing simulation into a classification problem. By doing so we can make predictions on DRAM latency for each memory request upon first sight, which makes it compatible for scalable architecture simulation frameworks. We developed prototypes based on various machine learning models and they demonstrate excellent performance and accuracy results that makes them a promising alternative to cycle accurate models. Finally, for large scale memory systems where data movement is often the performance limiting factor, we propose a set of interconnect topologies and implement them in a parallel discrete event simulation framework. We evaluate the proposed topologies through simulation and prove that their scalability and performance exceeds existing topologies with increasing system size or workloads.Item HIGH PERFORMANCE AGENT-BASED MODELS WITH REAL-TIME IN SITU VISUALIZATION OF INFLAMMATORY AND HEALING RESPONSES IN INJURED VOCAL FOLDS(2019) Seekhao, Nuttiiya; JaJa, Joseph; Li-Jessen, Nicole Y. K.; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)The introduction of clusters of multi-core and many-core processors has played a major role in recent advances in tackling a wide range of new challenging applications and in enabling new frontiers in BigData. However, as the computing power increases, the programming complexity to take optimal advantage of the machine's resources has significantly increased. High-performance computing (HPC) techniques are crucial in realizing the full potential of parallel computing. This research is an interdisciplinary effort focusing on two major directions. The first involves the introduction of HPC techniques to substantially improve the performance of complex biological agent-based models (ABM) simulations, more specifically simulations that are related to the inflammatory and healing responses of vocal folds at the physiological scale in mammals. The second direction involves improvements and extensions of the existing state-of-the-art vocal fold repair models. These improvements and extensions include comprehensive visualization of large data sets generated by the model and a significant increase in user-simulation interactivity. We developed a highly-interactive remote simulation and visualization framework for vocal fold (VF) agent-based modeling (ABM). The 3D VF ABM was verified through comparisons with empirical vocal fold data. Representative trends of biomarker predictions in surgically injured vocal folds were observed. The physiologically representative human VF ABM consisted of more than 15 million mobile biological cells. The model maintained and generated 1.7 billion signaling and extracellular matrix (ECM) protein data points in each iteration. The VF ABM employed HPC techniques to optimize its performance by concurrently utilizing the power of multi-core CPU and multiple GPUs. The optimization techniques included the minimization of data transfer between the CPU host and the rendering GPU. These transfer minimization techniques also reduced transfers between peer GPUs in multi-GPU setups. The data transfer minimization techniques were executed with a scheduling scheme that aims to achieve load balancing, maximum overlap of computation and communication, and a high degree of interactivity. This scheduling scheme achieved optimal interactivity by hyper-tasking the available GPUs (GHT). In comparison to the original serial implementation on a popular ABM framework, NetLogo, these schemes have shown substantial performance improvements of 400x and 800x for the 2D and 3D model, respectively. Furthermore, the combination of data footprint and data transfer reduction techniques with GHT achieved high-interactivity visualization with an average framerate of 42.8 fps. This performance enabled the users to perform real-time data exploration on large simulated outputs and steer the course of their simulation as needed.Item DIAGNOSING AND IMPROVING THE PERFORMANCE OF INTERNET ANYCAST(2019) Li, Zhihao; Spring, Neil; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)IP anycast is widely used in Internet infrastructure, including many of the root and top-level DNS servers, major open DNS resolvers, and content delivery networks (CDNs). Increasing popularity of anycast in DNS resolvers involves it in most activities of Internet users. As a result, the performance of anycast deployments is critical to all the Internet users. What makes IP anycast such an attractive option for these globally replicated services are the desired properties that anycast would appear to achieve: reduced overall access latency for clients, improved scalability by distributing traffic across servers, and enhanced resilience to DDoS attacks. These desired properties, however, are not guaranteed. In anycast, a packet is directed to certain anycast site through inter-domain routing, which can fail to pick a route with better performance in terms of latency or load balance. Prior work has studied anycast deployments and painted a mixed picture of anycast performance: many clients of anycast are not served by their nearby anycast servers and experience large latency overheads; anycast sometimes does not balance load across sites effectively; the catchment of an anycast site is mostly stable, but it is very sensitive to routing changes. Although it was observed over a decade ago that anycast deployments can be inefficient, there exist surprisingly few explanations on the causes or solutions. In addition, most prior work evaluated only one or several deployments with measurement snapshots. I extended previous studies by large-scale and longitudinal measurements towards distinct anycast deployments, which can provide more complete insights on identifying performance bottlenecks and providing potential improvements. More importantly, I develop novel measurement techniques to identify the major causes for inefficiency in anycast, and propose a fix to it. In this dissertation, I defend the following thesis: Performance-unawareness of BGP routing leads to larger path inflation in anycast than in unicast; and with current topology and protocol support, a policy that selects routes based on geographic information could significantly reduce anycast inflation. In the first part of the dissertation, I use longitudinal measurements collected from a large Internet measurement platform towards distinct anycast deployments to quantitatively demonstrate the inefficiency in performance of anycast. I measured most root DNS servers, popular open DNS resolvers, and one of the major CDNs. With the passive and active measurements across multiple years, I illustrate that anycast performs poorly for most deployments that I measured: anycast is neither effective at directing queries to nearby sites, nor does it distribute traffic in a balanced manner. Furthermore, this longitudinal study over distinct anycast deployments shows that the performance has little correlation with number of sites. In the second part of the dissertation, I focus on identifying the root causes for the performance deficits in anycast. I develop novel measurement techniques to compare AS-level routes from client to multiple anycast sites. These techniques allow me to reaffirm that the major cause of the inefficiency in anycast is the performance- unawareness of inter-domain routing. With measurements from two anycast deployments, I illustrate how much latency inflation among clients can be attributed to the policy-based performance-unaware decisions made by BGP routing. In addition, I design BGP control plane experiments to directly reveal relative preference among routes, and how much such preference affects anycast performance. The newly discovered relative preferences shed light on improving state-of-art models of inter-domain routing for researchers. In the last part of the dissertation, I describe an incrementally deployable fix to the inefficiency of IP anycast. Prior work has proposed a particular deployment scheme for anycast to improve its performance: anycast servers should be deployed such that they all share the same upstream provider. However, this solution would require re-negotiating services that are not working under such a deployment. Moreover, to put the entire anycast service behind a single upstream provider introduces a single point of failure. In the last chapter, I show that a static hint with embedded geographic information in BGP announcements fixes most of the inefficiency in anycast. I evaluate the improvements from such static hints in BGP route selection mechanisms through simulation with real network traces. The simulation results show that the fix is promising: in the anycast deployments I evaluated, the fix reduces latency inflation for almost all clients, and reduces latency by 50ms for 23% to 33% of the clients. I further conduct control plane experiments to evaluate the effectiveness of the static hints in BGP announcements with real-world anycast deployments. This dissertation provides broad and longitudinal performance evaluation of distinct anycast deployments for different services, and identifies an at-fault weakness of BGP routing which is particularly amplified in anycast, i.e., route selection is based on policies and is unaware of performance. While applying the model of BGP routing to diagnose anycast, anycast itself serves as a magnifying glass to reveal new insights on the route selection process of the BGP in general. This work can help refine the model of route selection process that can be applied to various BGP- related studies. Finally, this dissertation provides suggestions to the community on improving anycast performance, which thus improves performance and reliability for many critical Internet infrastructure and ultimately benefits global Internet users.Item HIGH EFFICIENCY CIS SOLAR CELLS BY A SIMPLE TWO-STEP SELENIZATION PROCESS AND WAVEGUIDE BRAGG GRATINGS IN INTEGRATED PHOTONICS(2019) Zhang, Yang; Dagenais, Mario; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)Part I: High Efficiency CIS Solar Cells with Simple Fabrication Method CIS has a very high optical absorption coefficient, which makes it able to absorb more than 90% of the incident photons with energies higher than 1.04 eV within 1-2 µm thickness. Because of the high absorption coefficient and low bandgap, high quality CIS solar cells can have a very high short circuit current compared with other thin film material or other type of solar cells. We offer a very simple two-step process based on annealing stacked elemental layers under selenium vapor within a graphite box, followed by a potassium fluoride postdeposition treatment, which is a low-cost and highly manufacturable approach. We are able to reproducibly achieve above 12% conversion efficiency, with the champion cell exhibiting near-record 14.7% efficiency. Our results indicate that perhaps the CIS system is less sensitive to elaborate processing steps and details than previously thought. This simple approach offers a very useful experimental platform from which to study a variety of thin film PV research topics, including the possibility of producing tandem solar cell by also using perovskite. Part II: Waveguides Bragg Gratings in Integrated Photonics Integrated photonics on silicon-based material combines two great inventions of the last century: silicon technology and photonic technology. It is paving the way for a monolithically integrated optoelectronic platform on a single chip. Being a prevailing research topic in the past decade, it has seen tremendous progress with the successful development of high-performance components. Among all integrated photonics platforms, the silicon nitride planar waveguide platform provides benefits like low optical losses, transparency over a wide wavelength range (400-2350 nm), compatibility with CMOS and wafer-scale foundry processes, and high-power handling capabilities. In this part, waveguides Bragg gratings are investigated to improve the performance of several integrated photonics components. An 83-dB rejection ratio pump filter using a periodic waveguide Bragg grating with an efficient z-shape waveguide design to suppress the TM mode and avoid scattered modes is demonstrated. Fabry-Perot cavity enhanced four-wave mixing devices are optimized based on a numerical model developed with an ABCD matrix method and four-wave mixing in a Fabry-Perot cavity that uses grating is demonstrated experimentally. Finally, to reduce the pixel size and power consumption of optical phased array for virtual reality applications, complex waveguide Bragg gratings are generated via both Layer Peeling/Adding algorithm and genetic algorithm to support slow-light modes over certain bandwidth.Item GREMLIN++ & BITGRAPH: IMPLEMENTING THE GREMLIN TRAVERSAL LANGUAGE AND A GPU-ACCELERATED GRAPH COMPUTING FRAMEWORK IN C++(2019) Barghi, Alexander; Franklin, Manoj; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)This thesis consists of two major components, Gremlin++ and BitGraph. Gremlin++ is a C++ implementation of the Gremlin graph traversal language designed for interfacing with C++ graph processing backends. BitGraph is a graph backend written in C++ designed to outperform Java-based competitors, such as JanusGraph and Neo4j . It also offers GPU acceleration through OpenCL . Designing the two components of this thesis was a major undertaking that involved implementing the semantics of Gremlin in C++, and then writing the computing framework to execute Gremlin’s traversal steps in BitGraph, along with runtime optimizations and backend-specific steps. There were many important and novel design decisions made along the way, including some which yielded both advantages and disadvantages over Java-Gremlin. BitGraph was also compared to several major backends, including TinkerGraph, JanusGraph, and Neo4j. In this comparison, BitGraph offered the fastest overall runtime, primarily due to data ingest speedup.Item Improving Existing Static and Dynamic Malware Detection Techniques with Instruction-level Behavior(2019) Kim, Danny; Barua, Rajeev; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)My Ph.D. focuses on detecting malware by leveraging the information obtained at an instruction-level. Instruction-level information is obtained by looking at the instructions or disassembly that make up an executable. My initial work focused on using a dynamic binary instrumentation (DBI) tool. A DBI tool enables the study of instruction-level behavior while the malware is executing, which I show proves to be valuable in detecting malware. To expand on my work with dynamic instruction-level information, I integrated it with machine learning to increase the scalability and robustness of my detection tool. To further increase the scalability of the dynamic detection of malware, I created a two stage static-dynamic malware detection scheme aimed at achieving the accuracy of a fully-dynamic detection scheme without the high computational resources and time required. Lastly, I show the improvement of static analysis-based detection of malware by automatically generated machine learning features based on opcode sequences with the help of convolutional neural networks. The first part of my research focused on obfuscated malware. Obfuscation is the process in which malware tries to hide itself from static analysis and trick disassemblers. I found that by using a DBI tool, I was able to not only detect obfuscation, but detect the differences in how it occurred in malware versus goodware. Through dynamic program-level analysis, I was able to detect specific obfuscations and use the varying methods in which it was used by programs to differentiate malware and goodware. I found that by using the mere presence of obfuscation as a method of detecting malware, I was able to detect previously undetected malware. I then focused on using my knowledge of dynamic program-level features to build a highly accurate machine learning-based malware detection tool. Machine learning is useful in malware detection because it can process a large amount of data to determine meaningful relationships to distinguish malware from benign programs. Through the integration of machine learning, I was able to expand my obfuscation detection schemes to address a broader class of malware, which ultimately led to a malware detection tool that can detect 98.45% of malware with a 1% false positive rate. Understanding the pitfalls of dynamic analysis of malware, I focused on creating a more efficient method of detecting malware. Malware detection comes in three methods: static analysis, dynamic analysis, and hybrids. Static analysis is fast and effective for detecting previously seen malware where as dynamic analysis can be more accurate and robust against zero-day or polymorphic malware, but at the cost of a high computational load. Most modern defenses today use a hybrid approach, which uses both static and dynamic analysis, but are suboptimal. I created a two-phase malware detection tool that approaches the accuracy of the dynamic-only system with only a small fraction of its computational cost, while maintaining a real-time malware detection timeliness similar to a static-only system, thus achieving the best of both approaches. Lastly, my Ph.D. focused on reducing the need for manual feature generation by utilizing Convolutional Neural Networks (CNNs) to automatically generate feature vectors from raw input data. My work shows that using a raw sequence of opcode sequences from static disassembly with a CNN model can automatically produce feature vectors that are useful for detecting malware. Because this process is automated, it presents as a scalable method of consistently producing useful features without human intervention or labor that can be used to detect malware.Item Data-centric Performance Measurement and Mapping for Highly Parallel Programming Models(2018) Zhang, Hui; Hollingsworth, Jeffrey K.; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)Modern supercomputers have complex features: many hardware threads, deep memory hierarchies, and many co-processors/accelerators. Productively and effectively designing programs to utilize those hardware features is crucial in gaining the best performance. There are several highly parallel programming models in active development that allow programmers to write efficient code on those architectures. Performance profiling is a very important technique in the development to achieve the best performance. In this dissertation, I proposed a new performance measurement and mapping technique that can associate performance data with program variables instead of code blocks. To validate the applicability of my data-centric profiling idea, I designed and implemented a profiler for PGAS and CUDA. For PGAS, I developed ChplBlamer, for both single-node and multi-node Chapel programs. My tool also provides new features such as data-centric inter-node load imbalance identification. For CUDA, I developed CUDABlamer for GPU-accelerated applications. CUDABlamer also attributes performance data to program variables, which is a feature that was not found in any previous CUDA profilers. Directed by the insights from the tools, I optimized several widely-studied benchmarks and significantly improved program performance by a factor of up to 4x for Chapel and 47x for CUDA kernels.Item UNDERSTAND, DETECT, AND BLOCK MALWARE DISTRIBUTION FROM A GLOBAL VIEWPOINT(2018) Kwon, Bum Jun; Dumitraş, Tudor; Electrical Engineering; Digital Repository at the University of Maryland; University of Maryland (College Park, Md.)Malware still is a vital security threat. Adversaries continue to distribute various types of malicious programs to victims around the world. In this study, we try to understand the strategies the miscreants take to distribute malware, develop systems to detect malware delivery and explore the benefit of a transparent platform for blocking malware distribution in advance. At the first part of the study, to understand the malware distribution, we conduct several measurements. We initiate the study by investigating the dynamics of malware delivery. We share several findings including the downloaders responsible for the malware delivery and the high ratio of signed malicious downloaders. We further look into the problem of signed malware. To successfully distribute malware, the attacker exploits weaknesses in the code-signing PKI, which falls into three categories: inadequate client-side protections, publisher-side key mismanagement, and CA-side verification failures. We propose an algorithm to identify malware that exploits those weaknesses and to classify to the corresponding weakness. Using the algorithm, We conduct a systematic study of the weaknesses of code-signing PKI on a large scale. Then, we move to the problem of revocation. Certificate revocation is the primary defense against the abuse in code-signing PKI. We identify the effective revocation process, which includes the discovery of compromised certificates, the revocation date setting, and the dissemination of revocation information; moreover, we systematically measure the problems in the revocation process and new threats introduced by these problems. For the next part, we explore two different approaches to detect the malware distribution. We study the executable files known as downloader Trojans or droppers, which are the core of the malware delivery techniques. The malware delivery networks instruct these downloaders across the Internet to access a set of DNS domain address to retrieve payloads. We first focus on the downloaded by relationship between a downloader and a payload recorded by different sensors and introduce the downloader graph abstraction. The downloader graph captures the download activities across end hosts and exposes large parts of the malware download activity, which may otherwise remain undetected, by connecting the dots. By combining telemetry from anti-virus and intrusion-prevention systems, we perform a large-scale analysis on 19 million downloader graphs from 5 million real hosts. The analysis revealed several strong indicators of malicious activity, such as the slow growth rate and the high diameter. Moreover, we observed that, besides the local indicators, taking into account the global properties boost the performance in distinguishing between malicious and benign download activity. For example, the file prevalence (i.e., the number of hosts a file appears on) and download patterns (e.g., number of files downloaded per domain) are different from malicious to benign download activities. Next, we target the silent delivery campaigns, which is the critical method for quickly delivering malware or potentially unwanted programs (PUPs) to a large number of hosts at scale. Such large-scale attacks require coordination activities among multiple hosts involved in malicious activity. We developed Beewolf, a system for detecting silent delivery campaigns from Internet-wide records of download events. We exploit the behavior of downloaders involved in campaigns for this system: they operate in lockstep to retrieve payloads. We utilize Beewolf to identify these locksteps in an unsupervised and deterministic fashion at scale. Moreover, the lockstep detection exposes the indirect relationships among the downloaders. We investigate the indirect relationships and present novel findings such as the overlap between the malware and PUP ecosystem. The two different studies revealed the problems caused by the opaque software distribution ecosystem and the importance of the global properties in detecting malware distribution. To address both of these findings, we propose a transparent platform for software distribution called Download Transparency. Transparency guarantees openness and accountability of the data, however, itself does not provide any security guarantees. Although there exists an anecdotal example showing the benefit of transparency, it is still not clear how beneficial it is to security. In the last part of this work, we explore the benefit of transparency in the domain of downloads. To measure the performance, we designed the participants and the policies they might take when utilizing the platform. We then simulate different policies with five years of download events and measure the block performance. The results suggest that the Download Transparency can help to block a significant part of the malware distribution before the community can flag it as malicious.