Security and Privacy in Communication Networks: 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part II (Noseong Park)
Noseong Park · Kun Sun ·
Sara Foresti · Kevin Butler ·
Nitesh Saxena (Eds.)
Lecture Notes of the Institute
for Computer Sciences, Social Informatics
and Telecommunications Engineering 336
Editors
Noseong Park, Yonsei University, Seoul, Korea (Republic of)
Kun Sun, George Mason University, Fairfax, VA, USA
Sara Foresti, Dipartimento di Informatica, Universita degli Studi, Milan, Milano, Italy
Kevin Butler, University of Florida, Gainesville, FL, USA
Nitesh Saxena, Division of Nephrology, University of Alabama, Birmingham, AL, USA
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
We are delighted to introduce the proceedings of the 16th EAI International Conference
on Security and Privacy in Communication Networks (SecureComm 2020). This
conference has brought together researchers, developers, and practitioners from around
the world who are leveraging and developing security and privacy technology for a safe
and robust system or network.
These proceedings contain 60 papers, which were selected from 120 submissions
(an acceptance rate of 50%) from universities, national laboratories, and the private
sector from across the USA as well as other countries in Europe and Asia. All the
submissions went through an extensive review process by internationally-recognized
experts in cybersecurity.
Any successful conference requires the contributions of different stakeholder groups
and individuals, who have selflessly volunteered their time and energy in disseminating
the call for papers, submitting their research findings, participating in the peer reviews
and discussions, etc. First and foremost, we would like to offer our gratitude to the
entire Organizing Committee for guiding the entire process of the conference. We are
also deeply grateful to all the Technical Program Committee members for their time
and effort in reading, commenting, debating, and finally selecting the papers. We also
thank all the external reviewers for assisting the Technical Program Committee in their
particular areas of expertise as well as all the authors, participants, and session chairs
for their valuable contributions. Support from the Steering Committee and EAI staff
members was also crucial in ensuring the success of the conference. It was a great
privilege to work with such a large group of dedicated and talented individuals.
We hope that you found the discussions and interactions at SecureComm 2020,
which was held online, enjoyable and that the proceedings will stimulate further
research.
Steering Committee
Imrich Chlamtac University of Trento, Italy
Guofei Gu Texas A&M University, USA
Peng Liu Penn State University, USA
Sencun Zhu Penn State University, USA
Organizing Committee
General Co-chairs
Kun Sun George Mason University, USA
Sara Foresti Università degli Studi di Milano, Italy
Local Chair
Hemant Purohit George Mason University, USA
Workshops Chair
Qi Li Tsinghua University, China
Publications Chair
Noseong Park Yonsei University, South Korea
Web Chair
Pengbin Feng George Mason University, USA
Panels Chair
Massimiliano Albanese George Mason University, USA
Tutorials Chair
Fabio Scotti Università degli Studi di Milano, Italy
POQ: A Consensus Protocol for Private Blockchains Using Intel SGX
Golam Dastoger Bashar, Alejandro Anzola Avila, and Gaby G. Dagher
A Machine Learning Based Smartphone App for GPS Spoofing Detection
Javier Campos, Kristen Johnson, Jonathan Neeley, Staci Roesch,
Farha Jahan, Quamar Niyaz, and Khair Al Shamaileh
The Bitcoin Hunter: Detecting Bitcoin Traffic over Encrypted Channels
Fatemeh Rezaei, Shahrzad Naseri, Ittay Eyal, and Amir Houmansadr
Ruming Tang (1,2), Cheng Huang (3), Yanti Zhou (4), Haoxian Wu (3), Xianglin Lu (1,2),
Yongqian Sun (5), Qi Li (1,2, corresponding author), Jinjin Li (4), Weiyao Huang (4),
Siyuan Sun (4), and Dan Pei (1,2)
(1) Tsinghua University, Beijing, China
trm14@mails.tsinghua.edu.cn, {peidan,qli01}@tsinghua.edu.cn
(2) Beijing National Research Center for Information Science and Technology
(BNRist), Beijing, China
everl@bupt.edu.cn
(3) BizSeer Technologies Co., Ltd., Beijing, China
huangcheng@bizseer.com, MOVIEGEORGE@pku.edu.cn
(4) Bank of Communications, Shanghai, China
{zhouyt,lijj,huangweiyao,sunsiyuan}@bankcomm.com
(5) Nankai University, Tianjin, China
sunyongqian@nankai.edu.cn
© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
Published by Springer Nature Switzerland AG 2020. All Rights Reserved
N. Park et al. (Eds.): SecureComm 2020, LNICST 336, pp. 1–21, 2020.
https://doi.org/10.1007/978-3-030-63095-9_1
1 Introduction
As a core infrastructure on the Internet, the Domain Name System (DNS)
is commonly used in all kinds of Internet applications to translate
easy-to-recognize domain names into IP addresses. Unfortunately, the DNS system
suffers from known vulnerabilities, such as DDoS [27], spoofing [24] and other
exploits [8,30,36]. To defend against these attacks, approaches such as [10,18,24]
have been proposed. Unlike those traditional attacks, which target the DNS system
itself, DNS covert communication is leveraged to transmit messages across the
boundary between an enterprise’s LAN (i.e., office network and datacenter) and
the Internet, through DNS messages in a stealthy and unauthorized manner.
However, the defense against DNS covert communication in enterprises is still
not well-studied, and is the focus of this paper.
Fig. 1. Examples of (a) normal DNS lookups, (b) DNS-based data exfiltration, and (c)
DNS-based C&C.
In enterprises, security tools are commonly deployed to closely monitor the
traffic between the enterprise’s LAN and the Internet to detect serious security
attacks such as data exfiltration (which transmits valuable internal data to the
Internet), command-and-control (C&C) of internal hosts by external attackers,
and so on. However, data exfiltration and C&C that use covert communication
over DNS traffic [7,8,22,23,28] are still hard to detect.
Figure 1 shows examples of normal DNS lookup and DNS covert communication.
In the normal DNS lookup in Fig. 1(a), a normal host queries its local
DNS server about google.com, and the local DNS server then iteratively queries
the DNS root server and the .com top-level domain server (both are omitted in the
figure) and relays the response (which indicates the corresponding IP address is
172.217.164.100) from the authoritative name server for google.com to the host.
Figure 1(b) shows an example of real point of sale (POS) malware, in which POS
malware exfiltrated credit card information in the domain names of the DNS
queries [20]. Such exfiltration incidents (e.g., MULTIGRAIN [20], UDPoS [28])
caused many losses to the users and providers. The compromised host encodes the
stolen credit card information as subdomains in the domain name to be queried,
and when the query arrives at the authoritative name server controlled by the
attacker, the attacker can then easily decode the credit card information from
the queried domain name. Figure 1(c) shows an example of DNS C&C [22] where
a malware-infected host talks to and receives commands from its C&C server by
sending a DNS query message to, and receiving the corresponding DNS response from,
the compromised authoritative name server, which is the C&C server. In this
example, the seemingly random domain name queried (rohgoruhgsorhugih.nl)
is actually dynamically generated by Domain-Generation-Algorithms (DGAs)
and automatically synchronized between the compromised host and the C&C
server [9,13,29,30,35,36].
Therefore, new detection methods are needed to detect these DNS covert
communications, because traditional security tools based on blacklists, rules,
and signatures cannot enumerate or capture the dynamically changing subdomain
names in the DNS covert communications exemplified in Fig. 1(b) and (c).
Our intuitive idea in detecting DNS covert communication is to apply
machine learning (ML) to capture a suspicious domain based on its features
(see the feature list in Table 2, e.g., the length of the domain). Although this
idea is promising, previous ML-based approaches along this direction have not
yet been deployed in real-world enterprises, to the best of our knowledge,
due to the following three challenges.
First, the performance of different ML algorithms might differ across
enterprises because the DNS traffic data distribution might be different.
Furthermore, among the machine learning algorithms used in previous works,
supervised models perform better and are preferred for some kinds of known threat
types, while unsupervised models are preferred for some unknown but rare
threats. Thus, the algorithms used in the detection system should be generic and
flexible (as opposed to being fixed). Second, different DNS covert communication
threats might have different patterns, and previous machine-learning-based
approaches, to the best of our knowledge, have so far focused only on specific types
of such attacks, e.g., [7,8] only detect data exfiltration, and [30] only detects
DGA domains. However, enterprises in the real world are interested in detecting
various attacks, and are thus reluctant to deploy the aforementioned piecemeal
approaches that can detect only one type of DNS covert communication. Third,
a practical ML-based detection system needs feedback mechanisms to
add labeled data for re-training in the supervised approaches and/or tune
the parameters in the unsupervised approaches, and should also fully utilize (as
opposed to replacing) traditional DNS security tools such as the domain blacklist.
To tackle the above challenges, in this paper we propose a practical, flexible
and end-to-end ML-based framework, called D²C² (Detecting DNS Covert
Communication), to effectively detect various DNS covert communications in
enterprises by leveraging supervised and unsupervised classifiers trained by var-
2 Background
A DNS log contains several important fields: NAME (the queried domain name),
TYPE (A for IPv4 address, CNAME for canonical names, TXT for text records,
and so on), and RDATA (the resource) [21]. For example, the query in Fig. 1(a)
contains the queried name (www.google.com), class (IN) and type (A). The response
log contains the response: RCODE (Response Code), TTL (Time to Live) and
the answer, and the corresponding query. The answer is the IPv4 address(es) for
the queried name. RCODE indicates the condition of the answer: NOERROR
(in this example) means a normal answer, and NXDomain indicates that the
queried name does not exist.
Although DNS is a fundamental system that many services rely on, some
enterprise operators treat DNS as a “set and forget” infrastructure, and do not
update it from time to time with the latest security mechanisms [17]. For
example, DNSSEC [12] is one security extension of DNS proposed early, but its
adoption was quite slow until recently [10,15]. Some operators may be interested in
the availability of DNS only when DNS servers go wrong.
Figure 2 shows some typical exploits against DNS [17]. Attacks against the DNS
infrastructure itself (i.e., DDoS and spoofing) are much easier to notice
because they lead to failures or errors in DNS servers. DDoS (Distributed
Denial of Service) attacks compromise the availability of DNS, and spoofing (to
redirect users to attackers) leads to wrong or unreachable destinations. Besides
these, some attackers take advantage of the lack of monitoring on DNS traffic,
and choose DNS as a channel for covert communication (in bold in Fig. 2), which
is more difficult to notice.
name directly tells where the host is looking for, and it also can be used to carry
messages. Besides the domain name in the NAME field, the RDATA field in the
response also provides a good payload for attackers. RDATA fields in TYPE CNAME
or TXT packets allow more characters to be sent, which means larger “bandwidth” for
attackers [17,23]. However, TYPE A (and AAAA) logs account for the vast
majority of all DNS logs (see data trace statistics in Sect. 5); therefore, in this
paper we consider anomalies in domain names as our primary threats
to be detected.
In this paper, we only focus on domains that are related to covert communi-
cation threats (mainly data exfiltration and C&C threats). However, not all mali-
cious domains are related to covert communication. Some malicious domains are
disguised for phishing, e.g., Domain Shadowing (hijack normal domains and cre-
ate new subdomains to redirect users [19]) and Typo-Squatting (register domain
names which are similar to popular websites and leverage typos of users [34]),
which are not considered as covert communication.
Fig. 3. The framework overview of D²C². Figure (a) shows the overview of three stages
in D²C². Figure (b) shows the detailed workflow of the Threats Detection module.
Dashed lines denote malicious samples detected and dotted lines denote benign ones.
extract features from domain names and other registration information and use
X-Means algorithm to detect AGDs related to Fast-flux [36].
Summary: Each of the aforementioned prior studies focuses on just one specific
type of anomalous domain names. However, in enterprises, operators have to
face threats of all kinds, and thus would need a lot of effort to assemble and tune the
above “piecemeal” solutions. Therefore, we hope to design a generic framework
that is directly deployable, detecting multiple types of covert communication
threats with high flexibility.
3 Framework Overview
In this section, we present the core idea for our design and the overview of D²C².
when new APIs deployed), the re-training or model tuning can be done
individually, without the need to adjust the overall system workflow. Such updates
can be triggered periodically or manually based on the feedback. As a result,
the workflow of D²C² stays the same, making it easy to deploy in practice.
Meanwhile, our detection models are very flexible for modification to achieve
better performance in real-world detection.
Manual investigation is necessary for a security system to confirm,
analyze and mitigate reported threats. We hope that D²C² is able to learn
from these manual investigations. Thus we design D²C² as a human-in-the-loop
(HITL) system with feedback from security engineers. All investigation results can
be further utilized for threshold adjusting, model tuning or re-training.
3.2 Overview
types of threats using Threats Detection module. The threats detection mod-
ule contains multiple chosen classifiers (detectors), each of which focuses on one
or more specific types of threats. Detectors can be modified according to the
change of data. Results combined from all detectors will be aggregated and then
sent for further investigation.
A more detailed architecture of Threats Detection is shown in Fig. 3(b), with
three detectors in series. Put simply, a sample detected as malicious by one detector
will be stored, and a benign sample will be moved to the next detector. After
all detectors are done, the results will be aggregated and sent to the investigation
module. For each detector, different models can be applied based on their
performance in practice. Table 1 lists the algorithms we used for these detectors
during deployment. The detector workflow will be described in Sect. 4.
Investigation Stage: The investigation stage is divided into three modules:
Whitelist, Manual Investigation and Visualization. When the detection results
are received, the Whitelist module is used to flag certain samples before they
reach the operators. This is because some queries are generated by certain trusted
applications (usually security products from different vendors) whose behavior
is similar to that of the attackers, e.g., sending data through the DNS channel,
which may result in unnecessary alerts. Similar to the blacklist module, the
whitelist is created and updated based on enterprise operators. The remaining
results are further reported to the Manual Investigation module, where operators
and security engineers are involved. Operators and security engineers check the
detection results. The false alerts are used as feedback to our detectors, which
may trigger alterations of thresholds, feature weights or even re-training of the
machine learning algorithms. True threats confirmed are reported and visualized
for analysis and display in the Visualization module.
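The detection and investigation workflow described above, as an added example that is not the authors' code: detectors run in series, a whitelist filters alerts from trusted applications, and an operator-confirmed false alert adjusts a threshold. Threshold rules stand in for the trained classifiers of Table 1; only the domain length is a feature named on the page, and the other features, thresholds, detector names and sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter
from dataclasses import dataclass

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def extract_features(name):
    """Lexical features of a queried name (assumed feature set).
    The last two labels are treated as the registered domain; a real
    deployment would consult the Public Suffix List instead."""
    labels = name.lower().rstrip(".").split(".")
    sub = labels[:-2]
    return {
        "name_len": len(".".join(labels)),
        "sub_len": len(".".join(sub)),
        "sub_entropy": max((entropy(label) for label in sub), default=0.0),
        "sld_len": len(labels[-2]) if len(labels) >= 2 else 0,
    }

@dataclass
class Detector:
    """Threshold rule standing in for a trained classifier (assumption)."""
    threat: str
    feature: str
    threshold: float

    def is_malicious(self, feats):
        return feats[self.feature] > self.threshold

class Pipeline:
    def __init__(self, detectors, whitelist=()):
        self.detectors = list(detectors)
        self.whitelist = set(whitelist)  # registered domains of trusted applications

    @staticmethod
    def registered(name):
        return ".".join(name.lower().rstrip(".").split(".")[-2:])

    def detect(self, names):
        """Detectors in series: a hit is stored, a miss moves to the next detector."""
        alerts = []
        for name in names:
            feats = extract_features(name)
            for det in self.detectors:
                if det.is_malicious(feats):
                    alerts.append((name, det.threat))
                    break
        return alerts

    def investigate(self, alerts):
        """Whitelist module: drop alerts from trusted applications before operators see them."""
        return [(n, t) for n, t in alerts if self.registered(n) not in self.whitelist]

    def feedback_false_alert(self, name, threat):
        """Operator-confirmed false alert: raise that detector's threshold to the sample's value."""
        feats = extract_features(name)
        for det in self.detectors:
            if det.threat == threat:
                det.threshold = max(det.threshold, feats[det.feature])

# Constructed sample queries; the example.* names are placeholders.
SAMPLE = [
    "www.google.com",
    "rohgoruhgsorhugih.nl",                                  # DGA-style name quoted on the page
    "3f9a1c7be2d40586a7c1f09b2e6d4a83.t.example.net",        # constructed encoded payload
    "7b0e4c2d9a1f8365c4e2b7d0a9f16e38.lookup.example.org",   # constructed trusted security product
    "international-conference-registration.example.com",     # constructed benign long subdomain
]

def run_demo():
    pipeline = Pipeline(
        [Detector("long-subdomain", "sub_len", 30),
         Detector("encoded-label", "sub_entropy", 3.8),
         Detector("dga", "sld_len", 15)],
        whitelist={"example.org"},
    )
    before = pipeline.investigate(pipeline.detect(SAMPLE))
    # The operator marks the benign long name as a false alert.
    pipeline.feedback_false_alert(SAMPLE[4], "long-subdomain")
    after = pipeline.investigate(pipeline.detect(SAMPLE))
    return before, after

if __name__ == "__main__":
    for stage, alerts in zip(("before feedback", "after feedback"), run_demo()):
        print(stage, alerts)
```

After the feedback, the encoded query is no longer caught by the length rule and falls through to the next detector in the series, which still flags it.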
In this section, we first present the features we extract from domain names.
Then we explain the detailed implementation workflow of threat detectors and
alternative algorithms used in these detectors.
1   Poor cocoanut (U. S. A.)            0 10 120175 20 18 55 50 270
2   Medium cocoanut (U. S. A.)          0 30 350260 25 25 65 65 370
3   Good cocoanut (U. S. A.)            0 60 620310 27 30 75 70 420
4   Same as No. 2 but wet (U. S. A.)    12 18 320330 35 16 35 95
5   No. 2 impregnated (U. S. A.)        0 35 400700 70 400 70 190 510
6   Wood (French)                       0 2.5 25 75 9 0 1 20
7   Wood (British)                      0 6 70 90 18 4 5 30
8   Peach stone (British)               0 16 190135 30 25 65 60
9   Treated wood (German)               0 42 230105 20 20 22 25
10  No. 9 impregnated (German)          30 9 90320 16 1110 120
Soda-Lime
Charcoal is not a satisfactory all-round absorbent because it has too little capacity
for certain highly volatile acid gases, such as phosgene and hydrocyanic acid, and
because oxidizing agents are needed for certain gases. To overcome these
deficiencies the use of an alkali oxidizing agent in combination with the charcoal has
been found advisable. The material actually used for this purpose has been granules of
soda-lime containing sodium permanganate. Its principal function may be said to be to
act as a reservoir of large capacity for the permanent fixation of the more volatile acid
and oxidizable gases.
The development of a satisfactory soda-lime was a difficult problem. The principal
requirements follow: Its activity is not of vital importance, as the charcoal is able to take
up gas with extreme rapidity and then later give it off more slowly to the soda-lime.
Absorptive capacity is of the greatest importance, since the soda-lime is relied upon to
hold in chemical combination a very large amount of toxic gas. Both chemical stability
and mechanical strength are difficult to attain. The latter had never been solved until
the war made some solution absolutely imperative.
Testing of Absorbents[31]
Absorbents should be tested for moisture, hardness, uniformity of
sample and efficiency against various gases.
Moisture is simply determined by drying for two hours at 150°.
The loss in weight is called moisture.
The hardness or resistance to abrasion is determined by shaking
a 50-gram sample with steel ball bearings for 30 minutes on a Ro-
tap shaking machine. The material is then screened and the
hardness number is determined by multiplying the weight of
absorbent remaining on the screen by two.
The efficiency of an absorbent against various gases depends
upon a variety of factors. Because of this, it is necessary to select
standard conditions for the test. These were chosen as follows:
The absorbent under test is filled into a sample tube of specified
diameter (2 cm.) to a depth of 10 cm. by the standard method for
filling tubes, and a standard concentration (usually 1,000 or 10,000
p.p.m. by volume) of the gas in air of definite (50 per cent) humidity
is passed through the absorbent at a rate of 500 cc. per sq. cm. per
min. The concentration of the entering gas is determined by analysis.
The length of time is noted from the instant the gas-air mixture is
started through the absorbent to the time the gas or some toxic or
irritating reaction product of the gas begins to come through the
absorbent, as determined by some qualitative test. Quantitative
samples of the outflowing gas are then taken at known intervals and
from the amount of gas found in the sample the per cent efficiency of
the absorbent at the corresponding time is calculated.
Canisters
After an absorbent has been developed to a given point, and is
considered of sufficient value to be used in a canister, the materials
are assembled as described in Chapter XII. While the final test is the
actual use of the canister, machine tests have been devised which
give valuable information regarding the value of the absorbent in the
canister and the method of filling.
Man Tests
The final test of the canister is always carried out by means of the
so-called “man test.” Special man-test laboratories were built at
Washington, Philadelphia and Long Island. These are so constructed
that, if necessary, a man may enter the chamber containing the gas
and thus test the efficiency of the completed gas mask. In most
cases, however, the canister is placed inside or outside the gas-
chamber and the men breathe through the canister, detecting the
break point by throat and lung irritation.
The following brief description of the man test laboratory at the
American University will give a good idea of the plan and procedure.[32]
The man test laboratory is a one-story building, 56 ft. in length
and 25 ft. in width. The main part is occupied by three gas
chambers, laboratory tables, and various devices for putting up and
controlling gas concentrations in the chambers. A small part at one
end is used as an office and storeroom.
Good ventilation is of great importance in a laboratory of this
nature. This is secured by means of a 6 ft. fan connected to suitable
ducts. The fan is mounted on a heavy framework outside and at one
end of the building. The fan is driven at a speed of about 250 r.p.m.
by a 10 h.p. motor. The main duct is 33 in. square, extending to all
parts of the building. A connection is also made to a small hood used
when making chemical analyses.
The gases, fumes, etc., drawn out by the fan, are forced up and
out of a stack 30 in. in diameter, extending upward 55 ft. above the
ground level.
The main features of each of the three gas chambers are
identical. Auxiliary pieces of apparatus are used with each chamber,
the type of apparatus being determined by the characteristics of the
gas employed.
Fig. 76.—Man Test Laboratory,
American University.
Each chamber is 10 ft. long, 8 ft. wide and 8½ ft. high, having,
therefore, a capacity of 680 cu. ft. or 19,257 liters. The floor is
concrete, and the walls and ceiling are constructed on a framework
of 2 × 4 in. scantling, finished on the outside with wainscoting and on
the inside with two layers of Upson board (laid with the joints lapped)
covered with a ½ in. layer of special cement plaster laid upon
expanded metal lath. The interior finish is completed by two coats of
acid-proof white paint. The single entrance to the chamber is from
outside the laboratory, and is closed by two doors, with a 36 × 40 in.
lock between them. These doors are solid, of 3-ply construction, 2½
in. thick, with refrigerator handles, which may be operated from
either inside or outside the chamber. The door jambs are lined with ³/₁₆ in.
heavy rubber tubing to secure a tight seal.
At the end of the chamber opposite the doors, a pane of ¼ in.
wire plate glass, 36 × 48 in., is set into the wall, and additional
illumination may be secured by 2 headlights, 12 in. square, set into
the ceiling of the chamber and of the air-lock, respectively, and
provided with 200 watt Mazda lamps and Holophane reflectors.
Openings into the chamber, five in number, are spaced across this
end beneath the window and 9 in. above the table top.
Fans are installed for keeping the concentration uniform.
Field Tests
It will be observed that all of the above tests are concerned only
with the efficiency of the absorbent and its packing in the canister.
No attempt was made to determine the comfort and general “feel” of
the mask. For this purpose field tests were devised, covering periods
from two to five hours. The first test was a five-hour continuous
wearing test. It was assumed that any mask which could be worn for
five hours without developing any marked features of discomfort
could, if the occasion demanded it, be worn for a much longer period
of time. A typical test follows:
8:00 to 8:30     Instruction and adjustment of gas mask. Gas-chamber tests
8:30 to 9:30     Games involving mental and physical activity
9:30 to 11:30    Cross-country hike with suitable periods of rest
11:30 to 12:00   Tests of vision
12:00 to 12:30   Games to test mental condition of subjects
12:30 to 1:00    Gas-chamber fit test
Fig. 79.—Hemispherical Vision Chart.
Protective Clothing
Protective clothing was an additional feature of the general
program of protection. As far as factory protection is concerned, the
use of protective garments was more or less of a temporary
expedient and they were abandoned as fast as automatic machinery
and standard practice made their use less necessary. It is likewise a
question regarding their value at the front. It is very certain that the
garments developed needed to be made lighter and more
comfortable to be of much value to the fighting unit.
The first development of protective clothing was along the lines of
factory protection. The large number of casualties in connection with
the manufacture of mustard gas made it imperative that the workmen
be protected not only from splashes of the liquid mustard gas, but
also from its vapors. The first suit developed provided protection to
the entire body. The ordinary clothing materials and even rubberized
fabrics offered little protection but it was found that certain oilcloths
were practically impermeable to mustard gas. The suit was a single
garment, buttoning in the back, with no openings in the front, no
pockets and with tie-strings at wrists and ankles. The head was
protected by means of an aluminium helmet, supported by means of
a head band resting on the head like a cap and slung from the inside
of the helmet; this permitted slight head motions independent of the
helmet. In order to provide cooling and ventilating and pure air
breathing, the suit was inflated by pumping a considerable volume of
air into the suit through a flexible hose long enough to permit
considerable freedom of movement.