Research Interests:
Research Interests:
Research Interests:
Research Interests:
Data is a most valuable part of most of nowadays system. A lot of hackers and criminals are trying to steal this data all the time. Due to that data should also be the best protected part of every company's systems. We would like our... more
Data is a most valuable part of most of nowadays system. A lot of hackers and criminals are trying to steal this data all the time. Due to that data should also be the best protected part of every company's systems. We would like our systems to be impenetrable, but that is not possible. If we want to protect the data, in case our system is compromised, we need to use encryption. This article describes traditional ways of database encryption, modern concept of securing data and some possible concepts how to secure the data using encryption. All of these approaches are discussed from high-level point of view to show their impact on security of entire system.
Research Interests:
This paper examines optimization possibilities of SelfInitialization Quadratic Sieve (SIQS), which is enhanced version of Quadratic Sieve factorization method. SIQS is considered the second fastest factorization method at all and the... more
This paper examines optimization possibilities of SelfInitialization Quadratic Sieve (SIQS), which is enhanced version of Quadratic Sieve factorization method. SIQS is considered the second fastest factorization method at all and the fastest one for numbers shorter than 100 decimal digits, respectively. Although, SIQS is the fastest method up to 100 decimal digits, it cannot be effectively utilized to work in polynomial time. Therefore, it is desirable to look for options how to speed up the method as much as possible. Two feasible ways of achieving it are code optimization and parallelism. Both of them are utilized in this paper. The goal of this paper is to show how it is possible to take advantage of parallelism in SIQS as well as reach a large speedup thanks to detailed source code analysis with optimization. Our implementation process consists of two phases. In the first phase, the complete serial algorithm is implemented in the simplest way which does not consider any requirem...
Research Interests:
Research Interests:
Research Interests:
Research Interests:
Internet of Things (IoT) devices have become ubiquitous, with applications in many domains, including industry, transportation, and healthcare; these devices also have many household applications. The proliferation of IoT devices has... more
Internet of Things (IoT) devices have become ubiquitous, with applications in many domains, including industry, transportation, and healthcare; these devices also have many household applications. The proliferation of IoT devices has raised security and privacy concerns, however many manufacturers neglect these aspects, focusing solely on the core functionality of their products due to the short time to market and the need to reduce product costs. Consequently, vulnerable IoT devices are left unpatched, allowing attackers to exploit them for various purposes, which include compromising the device users’ privacy or recruiting the devices to an IoT botnet. We present a practical and effective host-based anomaly detection system for IoT devices (HADES-IoT) as a novel last line of defense. HADES-IoT has proactive detection capabilities that enable the execution of any malicious process to be stopped before it even starts. HADES-IoT provides tamper-proof protection and can be deployed on a wide range of Linux-based IoT devices. HADES-IoT’s main advantage is its low overhead, making it suitable for Linux-based IoT devices where state-of-the-art security solutions are infeasible due to their high-performance demands. We deployed HADES-IoT on seven IoT devices, where it demonstrated 100% effectiveness in the detection of IoT malware, including VPNFilter, IoT Reaper, and Mirai malware, while requiring only 5.5% (on average) of the available memory and consuming just negligible CPU resources.
Research Interests:
In this paper, we present three datasets that have been built from network traffic traces using ASNM (Advanced Security Network Metrics) features, designed in our previous work. The first dataset was built using a state-of-the-art dataset... more
In this paper, we present three datasets that have been built from network traffic traces using ASNM (Advanced Security Network Metrics) features, designed in our previous work. The first dataset was built using a state-of-the-art dataset CDX 2009 that was collected during a cyber defense exercise, while the remaining two datasets were collected by us in 2015 and 2018 using publicly available network services containing buffer overflow and other high severity vulnerabilities. These two datasets contain several adversarial obfuscation techniques that were applied onto malicious as well as legitimate traffic samples during “the execution” of their TCP network connections. Adversarial obfuscation techniques were used for evading machine learning-based network intrusion detection classifiers. We show that the performance of such classifiers can be improved when partially augmenting their training data by samples obtained from obfuscation techniques. In detail, we utilized tunneling obfuscation in HTTP(S) protocol and non-payload-based obfuscations modifying various properties of network traffic by, e.g., TCP segmentation, re-transmissions, corrupting and reordering of packets, etc. To the best of our knowledge, this is the first collection of network traffic data that contains adversarial techniques and is intended for non-payload-based network intrusion detection and adversarial classification. Provided datasets enable testing of the evasion resistance of arbitrary machine learning-based classifiers.
Research Interests:
Research Interests:
This repository contains a large dataset for the research of domain generation algorithms (DGAs) and machine learning. At the time of writing the dataset contains more than 90m of domains and more than 100 families. The dataset consists... more
This repository contains a large dataset for the research of domain generation algorithms (DGAs) and machine learning. At the time of writing the dataset contains more than 90m of domains and more than 100 families. The dataset consists of SLDs from DGAs and their extracted features. The main sources for the DGAs are the following: DGArchive The DGA feed from Network Security Research Lab at 360 The OSINT feeds for DGA from Bambenek Consulting When the samples were sparse, we used the reversed code to create new ones. Johannes Bader Github repo Moreover, it has SLDs from three adversarial DGAs (referred to deception, deception2 and khaos) DGAs and SLDs from the top 1m Alexa domains.
With the recent rise of cryptocurrencies, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users, their software, or their providers, which have resulted in significant financial losses.... more
With the recent rise of cryptocurrencies, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users, their software, or their providers, which have resulted in significant financial losses. To remedy these issues, many wallet solutions have been proposed to store users' crypto-tokens. However, these solutions lack either essential security features, or usability, or do not allow users to express their spending rules. In this paper, we propose a smart-contract cryptocurrency wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of three components (i.e., an authenticator, a client, and a smart contract) and provides 2-factor authentication performed in two stages of interaction with the blockchain. Our framework utilizes one-time passwords (OTPs) aggregated by a Merkle tree that is distributed across the components in such a way that for...
Research Interests:
Tor is a low-latency free anonymization network based on onion routing. In Tor, directory servers maintain a list of all nodes. It is, however, possible for a powerful adversary (e.g., law enforcement agencies) to seize or compromise... more
Tor is a low-latency free anonymization network based on onion routing. In Tor, directory servers maintain a list of all nodes. It is, however, possible for a powerful adversary (e.g., law enforcement agencies) to seize or compromise enough directory servers and thus forge that list. Therefore, clients that obtained such a forged list of nodes can be effectively deanonymized. As a countermeasure, we propose to utilize a permissioned blockchain with a single voting committee that is privately “elected” by a verifiable random function (VRF). Since the blockchain provides us with integrity guarantees by design, we increase trust in the directory servers by decentralizing management of Tor nodes present in the shared list. We apply skiplist as an optimization reducing a validation overhead of newly joined nodes and clients. The proposed approach has only a small performance impact on the existing Tor infrastructure.
Research Interests:
Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by... more
Masqueraders are users who take control of a machine and perform malicious activities such as data exfiltration or system misuse on behalf of legitimate users. In the literature, there are various approaches for detecting masqueraders by modeling legitimate users' behavior during their daily tasks and automatically determine whether they are doing something suspicious. Usually, these techniques model user behavior using features extracted from various sources, such as file system, network activities, system calls, etc. In this work, we propose a one-class anomaly detection approach that measures similarities between a history of a user and events recorded in a timewindow of the user's session which is to be classified. The idea behind our solution is the application of a graph partitioning technique on weighted oriented graphs generated from such event sequences, while considering that strongly connected nodes have to belong into the same cluster. First, a history of vertex clusters is build per each user and then this history is compared to a new input by using a similarity function, which leads either to the acceptance or rejection of a new input. This makes our approach substantially different from existing general graph-based approaches that consider graphs as a single entity. The approach can be applied for different kinds of homogeneous event sequences, however successful application of the approach will be demonstrated on file system access events only. The linear time complexity of the approach was demonstrated in the experiments and the performance evaluation was done using two state-of-the-art datasets - WUIL and TWOS - both of them containing file system access logs of legitimate users and masquerade attackers; for WUIL dataset we achieved an average per-user AUC of 0.94, a TPR over 95%, and a FPR less than 10%, while for TWOS dataset we achieved an average per-user AUC of 0.851, a TPR over 91% and a FPR around 11%.
Research Interests:
With the recent rise of cryptocurrencies' popularity, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users and providers, which have resulted in significant financial losses. To remedy... more
With the recent rise of cryptocurrencies' popularity, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users and providers, which have resulted in significant financial losses. To remedy these issues, several wallet solutions have been proposed. However, these solutions often lack either essential security features, usability, or do not allow users to customize their spending rules.
In this paper, we propose SmartOTPs, a smart-contract wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of four components (i.e., an authenticator, a client, a hardware wallet, and a smart contract), and it provides 2-factor authentication (2FA) performed in two stages of interaction with the blockchain. To the best of our knowledge, our framework is the first one that utilizes one-time passwords (OTPs) in the setting of the public blockchain. In SmartOTPs, the OTPs are aggregated by a Merkle tree and hash chains whereby for each authentication only a short OTP (e.g., 16B-long) is transferred from the authenticator to the client. Such a novel setting enables us to make a fully air-gapped authenticator by utilizing small QR codes or a few mnemonic words, while additionally offering resilience against quantum cryptanalysis. We have made a proof-of-concept based on the Ethereum platform. Our cost analysis shows that the average cost of a transfer operation is comparable to existing 2FA solutions using smart contracts with multi-signatures.
In this paper, we propose SmartOTPs, a smart-contract wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of four components (i.e., an authenticator, a client, a hardware wallet, and a smart contract), and it provides 2-factor authentication (2FA) performed in two stages of interaction with the blockchain. To the best of our knowledge, our framework is the first one that utilizes one-time passwords (OTPs) in the setting of the public blockchain. In SmartOTPs, the OTPs are aggregated by a Merkle tree and hash chains whereby for each authentication only a short OTP (e.g., 16B-long) is transferred from the authenticator to the client. Such a novel setting enables us to make a fully air-gapped authenticator by utilizing small QR codes or a few mnemonic words, while additionally offering resilience against quantum cryptanalysis. We have made a proof-of-concept based on the Ethereum platform. Our cost analysis shows that the average cost of a transfer operation is comparable to existing 2FA solutions using smart contracts with multi-signatures.
Research Interests:
Buffer overflow (BO) attacks are one of the most dangerous threats in the area of network security. Methods for detection of BO attacks basically use two approaches: signature matching against packets’ payload versus analysis of packets’... more
Buffer overflow (BO) attacks are one of the most dangerous threats in the area of network security. Methods for detection of BO attacks basically use two approaches: signature matching against packets’ payload versus analysis of packets’ headers with the behavioral analysis of the connection’s flow. The second approach is intended for detection of BO attacks regardless of packets’ content which can be ciphered. In this paper, we propose a technique based on Network Behavioral Anomaly Detection (NBAD) aimed at connectionless network traffic. A similar approach has already been used in related works, but focused on connection-oriented traffic. All principles of connection-oriented NBAD cannot be applied in connectionless anomaly detection. There is designed a set of features describing the behavior of connectionless BO attacks and the tool implemented for their offline extraction from network traffic dumps. Next, we describe experiments performed in the virtual network environment utilizing SIP and TFTP network services exploitation and further data mining experiments employing supervised machine learning (ML) and Naive Bayes classifier. The exploitation of services is performed using network traffic modifications with intention to simulate real network conditions. The experimental results show the proposed approach is capable of distinguishing BO attacks from regular network traffic with high precision and class recall.
Research Interests:
Cryptocurrencies have become very popular in recent years. Thousands of new cryptocurrencies have emerged, proposing new and novel techniques that improve on Bitcoin's core innovation of the blockchain data structure and consensus... more
Cryptocurrencies have become very popular in recent years. Thousands of new cryptocurrencies have emerged, proposing new and novel techniques that improve on Bitcoin's core innovation of the blockchain data structure and consensus mechanism. However, cryptocurrencies are a major target for cyber-attacks, as they can be sold on exchanges anonymously and most cryptocurrencies have their codebases publicly available. One particular issue is the prevalence of code clones in cryptocurrencies, which may amplify security threats. If a vulnerability is found in one cryptocurrency, it might be propagated into other cloned cryptocurrencies. In this work, we propose a systematic remedy to this problem, called COINWATCH (CW). Given a reported vulnerability at the input, CW uses the code evolution analysis and a clone detection technique for the indication of cryptocurrencies that might be vulnerable. We applied CW on 1094 cryptocurrencies using 4 CVEs and obtained 786 true vulnerabilities present in 384 projects, which were confirmed with developers and successfully reported as CVE extensions.
Research Interests:
Elections are commonly repeated over longer and fixed intervals of time, ranging from months to years. This results in limitations on governance since elected candidates or policies are difficult to remove before the next election even... more
Elections are commonly repeated over longer and fixed intervals of time, ranging from months to years. This results in limitations on governance since elected candidates or policies are difficult to remove before the next election even though they might be deemed detrimental to the majority of participants. When new information is available, participants may decide (through a public deliberation) to make amendments to their choice but have no opportunity to change their vote before the next elections. Another issue is the peak-end effect where voters’ judgment is based on how they felt a short time before the elections, instead of judging the whole period of the governance. Finally, there exist a few issues related to centralized e-voting, such as censorship and tampering with the results and data. To address these issues, we propose Always on Voting (AoV) — a repetitive blockchain-based voting framework that allows participants to continuously vote and change elected candidates or ...
Research Interests:
The impact of a successfully performed intrusion can be very crucial. There exists a lot of space which needs research in order to improve detection capabilities of various types of intrusions. Therefore, many researchers and developers... more
The impact of a successfully performed intrusion can be very crucial. There exists a lot of space which needs research in order to improve detection capabilities of various types of intrusions. Therefore, many researchers and developers are encouraged to design new methods and approaches for detection of known and unknown (zero-day) network attacks. These facts are the most important reasons why Anomaly Detection Systems (ADS) intended for intrusion detection arose. Network ADS (further ADS) approaches attack detection by utilizing packets’ headers and communication behavior, not the content of the packets. Thus, basic principles of ADS open possibilities of an attacker to evade ADS detection by obfuscation techniques.
Research Interests:
Research Interests:
Voting is a means to agree on a collective decision based on available choices (e.g., candidates), where participants (voters) agree to abide by their outcome. To improve trust in voting, decentralized solutions based on a blockchain can... more
Voting is a means to agree on a collective decision based on available choices (e.g., candidates), where participants (voters) agree to abide by their outcome. To improve trust in voting, decentralized solutions based on a blockchain can be employed. A blockchain ensures that all entities in the voting system have the same view of the actions made by others due to the immutable log. Existing blockchain-based boardroom voting implementation called Open Voting Network (OVN) supports only two candidates. We present a blockchain-based approach for decentralized 1-out-of-k voting and provide a cost-optimized implementation using Ethereum. We resolve the problem of stalling participants by a fault recovery protocol. Finally, we compare our implementation with OVN and show that our work decreases the costs for voters by 13.5% in terms of gas consumption.
Research Interests:
Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit... more
Insider threats are one of today's most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. Despite several scientific works published in this domain, we argue that the field can benefit from the proposed structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research, while leveraging existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include: 1) Incidents and datasets, 2) Analysis of attackers, 3) Simulations, and 4) Defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents, which is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers' efforts in the domain of insider threat, because it provides: a) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, b) an updated overview on publicly available datasets that can be used to test new detection solutions against other works, c) references of existing case studies and frameworks modeling insiders' behaviors for the purpose of reviewing defense solutions or extending their coverage, and d) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.
Research Interests:
In this paper we present open research questions and options for data analysis of our previously designed dataset called TWOS: The Wolf of SUTD. In specified research questions, we illustrate the potential use of the TWOS dataset in... more
In this paper we present open research questions and options for data analysis of our previously designed dataset called TWOS: The Wolf of SUTD. In specified research questions, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which does not limit only to malicious insider threat detection but are also related to authorship verification and identification, continuous authentication, and sentiment analysis. For the purpose of investigating the research questions, we present several state-of-the-art features applicable to collected data sources, and thus we provide researchers with a guidance how to start with data analysis. The TWOS dataset was collected during a gamified competition that was devised in order to obtain realistic instances of malicious insider threat. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior,...
Research Interests:
Bitcoin is the most successful cryptocurrency so far. This is mainly due to its novel consensus algorithm, which is based on proof-of-work combined with a cryptographically-protected data structure and a rewarding scheme that incentivizes... more
Bitcoin is the most successful cryptocurrency so far. This is mainly due to its novel consensus algorithm, which is based on proof-of-work combined with a cryptographically-protected data structure and a rewarding scheme that incentivizes nodes to participate. However, despite its unprecedented success Bitcoin suffers from many inefficiencies. For instance, Bitcoin's consensus mechanism has been proved to be incentive-incompatible, its high reward variance causes centralization, and its hardcoded deflation raises questions about its long-term sustainability. In this work, we revise the Bitcoin consensus mechanism by proposing StrongChain, a scheme that introduces transparency and incentivizes participants to collaborate rather than to compete. The core design of our protocol is to reflect and utilize the computing power aggregated on the blockchain which is invisible and "wasted" in Bitcoin today. Introducing relatively easy, although important changes to Bitcoin's...
Research Interests:
Distributed ledger systems (i.e., blockchains) have received a lot of attention recently. They promise to enable mutually untrusted participants to execute transactions, while providing the immutability of the transaction history and... more
Distributed ledger systems (i.e., blockchains) have received a lot of attention recently. They promise to enable mutually untrusted participants to execute transactions, while providing the immutability of the transaction history and censorship resistance. Although decentralized ledgers may become a disruptive innovation, as of today, they suffer from scalability, privacy, or governance issues. Therefore, they are inapplicable for many important use cases, where interestingly, centralized ledger systems quietly gain adoption and find new use cases. Unfortunately, centralized ledgers have also several drawbacks, like a lack of efficient verifiability or a higher risk of censorship and equivocation. In this paper, we present Aquareum, a novel framework for centralized ledgers removing their main limitations. By combining a trusted execution environment with a public blockchain platform, Aquareum provides publicly verifiable, non-equivocating, censorship-evident, private, and high-perf...
Research Interests:
In this paper, we discuss privacy issues in modern networks for Internet of Things. We focus on anonymization of both devices and users in the context of both IP and non-IP networks. We take a closer look on two current non-IP... more
In this paper, we discuss privacy issues in modern networks for Internet of Things. We focus on anonymization of both devices and users in the context of both IP and non-IP networks. We take a closer look on two current non-IP technologies -- LoRaWan and ZigBee. Those represent two distinct groups of Internet of Things (IoT) networks -- Low Power WANs covering large areas and providing connectivity as a service, and Wireless PANs following traditional scheme with a local network interconnecting IoT devices. For both IP and non-IP networks we analyze possible approaches to preserve privacy of connected devices and identify open problems for future investigation. We propose strategies for ensuring privacy for IoT devices in IP, LPWAN and PAN networks based on their specific features and analyze possible problems of suggested strategies.
Research Interests:
In response to the bottleneck of processing throughput inherent to single chain PoW blockchains, several proposals have substituted a single chain for Directed Acyclic Graphs (DAGs). In this work, we investigate two notable DAGoriented... more
In response to the bottleneck of processing throughput inherent to single chain PoW blockchains, several proposals have substituted a single chain for Directed Acyclic Graphs (DAGs). In this work, we investigate two notable DAGoriented designs. We focus on PHANTOM (and its optimization GHOSTDAG), which proposes a custom transaction selection strategy that enables to increase the throughput of the network. However, the related work lacks a thorough investigation of corner cases that deviate from the protocol in terms of transaction selection strategy. Therefore, we build a custom simulator that extends open source simulation tools to support multiple chains and enables us to investigate such corner cases. Our experiments show that malicious actors who diverge from the proposed transaction selection strategy make more profit as compared to honest miners. Moreover, they have a detrimental effect on the processing throughput of the PHANTOM (and GHOSTDAG) due to same transactions being i...
Research Interests:
Research Interests:
Research Interests:
Research Interests:
Research Interests:
Research Interests: Computer Science, Artificial Intelligence, Machine Learning, Intrusion Detection Systems, Network Intrusion Detection & Prevention, and 7 moreAdversarial Classification, Decision Tree, Intrusion Detection System, Exploit, Obfuscation, Naive Bayes Classifier, and Anomaly based network intrusion detection
Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose structural taxonomy and novel categorization of research that... more
Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose structural taxonomy and novel categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers’ efforts in the domain o...
Research Interests:
ABSTRACT This paper examines the detection properties of obfuscated network buffer overflow attacks by selected IDS and NBA. The obfuscation was performed by tunneling the malicious traffic in HTTP and HTTPS protocols with the intention... more
ABSTRACT This paper examines the detection properties of obfuscated network buffer overflow attacks by selected IDS and NBA. The obfuscation was performed by tunneling the malicious traffic in HTTP and HTTPS protocols with the intention of simulating the usual legitimate characteristics of the HTTP traffic's flow. The buffer overflow vulnerabilities of four services were used: Samba, BadBlue, Apache, DCOM RPC. Exploitation was performed in a virtual network environment by using scenarios simulating real traffic's conditions as well as legitimate traffic simulations which were performed. Captured data were examined by SNORT and by ASNM network features of the AIPS representing statistically and behaviorally based NBA. The achieved results show an obfuscated attacks transparency for SNORT detection and low detection performance of the AIPS trained by direct attacks and legitimate traffic only in contrast with high classification accuracy of the AIPS trained with an inclusion of obfuscated attacks. Data mining analysis was performed by using both bi-nominal and poly-nominal classifications, resulting into better performance of poly-nominal classification. At the summary, we emphasize the necessity of training the statistically and behaviorally based NBAs with divergent obfuscation techniques to strengthen their detection capabilities.
Research Interests:
Research Interests:
Research Interests:
ABSTRACT This paper presents an automated detection method based on classification of network traffic using predefined set of network metrics. We proposed the set of metrics with focus on behavior of buffer overflow attacks and their... more
ABSTRACT This paper presents an automated detection method based on classification of network traffic using predefined set of network metrics. We proposed the set of metrics with focus on behavior of buffer overflow attacks and their sufficient description without the need of deep packet inspection. In this paper we describe two laboratory experiments of automated detection of buffer overflow attacks on vulnerable network services and their description by proposed set of network metrics. We present the principles of several chosen network metrics and their application on experimental attacks according to their nature in comparison to valid communication.
Research Interests:
In this chapter we propose a method for the extraction of data from network flow and a contextual separation of partial connections, using a set of network metrics that create a signature defining the connection behavior. We begin with... more
In this chapter we propose a method for the extraction of data from network flow and a contextual separation of partial connections, using a set of network metrics that create a signature defining the connection behavior. We begin with defining the input dataset of captured communication and the process of extracting metrics from separated connections. Then we define the set of metrics included in the final behavioral signature. The second part of the chapter describes experiments performed with a state-of-the-art set of network metrics, with comparison to our proposed experimental set. The chapter concludes with the results of our experiments.
Research Interests:
Research Interests:
Bitcoin is the most successful cryptocurrency so far. This is mainly due to its novel consensus algorithm, which is based on proof-of-work combined with a cryptographically-protected data structure and a rewarding scheme that... more
Bitcoin is the most successful cryptocurrency so far. This is mainly due to its novel consensus algorithm, which is based on proof-of-work combined with a cryptographically-protected data structure and a rewarding scheme that incen-tivizes nodes to participate. However, despite its unprecedented success Bitcoin suffers from many inefficiencies. For instance, Bitcoin's consensus mechanism has been proved to be incentive-incompatible, its high reward variance causes centralization, and its hardcoded deflation raises questions about its long-term sustainability. In this work, we revise the Bitcoin consensus mechanism by proposing StrongChain, a scheme that introduces transparency and incentivizes participants to collaborate rather than to compete. The core design of our protocol is to reflect and utilize the computing power aggregated on the blockchain which is invisible and "wasted" in Bitcoin today. Introducing relatively easy, although important changes to Bitcoin's design enables us to improve many crucial aspects of Bitcoin-like cryptocurrencies making it more secure, efficient , and profitable for participants. We thoroughly analyze our approach and we present an implementation of StrongChain. The obtained results confirm its efficiency, security , and deployability.
Research Interests:
Internet of Things (IoT) devices have become ubiquitous and spread across many application domains including the industry, transportation , healthcare, and households. However, the proliferation of the IoT devices has raised the concerns... more
Internet of Things (IoT) devices have become ubiquitous and spread across many application domains including the industry, transportation , healthcare, and households. However, the proliferation of the IoT devices has raised the concerns about their security-many manufacturers focus only on the core functionality of their products due to short time to market and low cost pressures, while neglecting security aspects. Moreover, it does not exist any established or standardized method for measuring and ensuring the security of IoT devices. Consequently, vulnerabilities are left untreated, allowing attackers to exploit IoT devices for various purposes, such as compromising privacy, recruiting devices into a botnet, or misusing devices to perform cryptocurrency mining. In this paper, we present a practical Host-based Anomaly DEtection System for IoT (HADES-IoT) that represents the last line of defense. HADES-IoT has proactive detection capabilities, provides tamper-proof resistance, and it can be deployed on a wide range of Linux-based IoT devices. The main advantage of HADES-IoT is its low performance overhead, which makes it suitable for the IoT domain, where state-of-the-art approaches cannot be applied due to their high-performance demands. We deployed HADES-IoT on seven IoT devices and demonstrated 100% effectiveness in the detection of current IoT malware such as VPNFilter and IoTReaper; while on average, requiring only 5.5% of available memory and causing only a low CPU load.
Research Interests:
Machine-learning based intrusion detection classifiers are able to detect unknown attacks, but at the same time they may be susceptible to evasion by obfuscation techniques. An adversary intruder which possesses a crucial knowledge about... more
Machine-learning based intrusion detection classifiers are able to detect unknown attacks, but at the same time they may be susceptible to evasion by obfuscation techniques. An adversary intruder which possesses a crucial knowledge about a protection system can easily bypass the detection module. The main objective of our work is to improve the performance capabilities of intrusion detection classifiers against such adversaries. To this end, we firstly propose several obfuscation techniques of remote attacks that are based on the modification of various properties of network connections; then we conduct a set of comprehensive experiments to evaluate the effectiveness of intrusion detection classifiers against obfuscated attacks. We instantiate our approach by means of a tool, based on NetEm and Metasploit, which implements our obfuscation operators on any TCP communication. This allows us to generate modified network traffic for machine learning experiments employing features for assessing network statistics and behavior of TCP connections. We perform evaluation on five classifiers: Gaussian Naïve Bayes, Gaussian Naïve Bayes with kernel density estimation, Logistic Regression, Decision Tree, and Support Vector Machines. Our experiments confirm the assumption that it is possible to evade the intrusion detection capability of all classifiers trained without prior knowledge about obfuscated attacks, causing an exacerbation of the TPR ranging from 7.8% to 66.8%. Further, when widening the training knowledge of the classifiers by a subset of obfuscated attacks, we achieve a significant improvement of the TPR by 4.21%-73.3%, while the FPR is deteriorated only slightly (0.1%-1.48%). Finally, we test the capability of an obfuscations-aware classifier to detect unknown obfuscated attacks, where we achieve over 90% detection rate on average for most of the obfuscations.
Research Interests:
The adoption of decentralized, tamper-proof ledger systems is paving the way for new applications and opportunities in different contexts. While most research aims to improve their scalability, privacy, and governance issues,... more
The adoption of decentralized, tamper-proof ledger systems is paving the way for new applications and opportunities in different contexts. While most research aims to improve their scalability, privacy, and governance issues, interoperability has received less attention. Executing transactions across various blockchains is notably instrumental in unlocking the potential of novel applications, particularly in the financial sector, where their potential would otherwise be significantly diminished. Therefore, interoperable ledgers are crucial to ensure the expansion and further adoption of such a technology in various contexts. In this paper, we present a protocol that uses a combination of trusted execution environment (TEE) and blockchains to enable interoperability over independent semi-centralized CBDC ledgers, guaranteeing the atomicity of inter-bank transfers. Our interoperability protocol uses a custom adaptation of atomic swap protocol and is executed by any pair of CBDC instances to realize a oneway transfer. It ensures features such as atomicity, verifiability, correctness, censorship resistance, and privacy while offering high scalability in terms of the number of CBDC instances. Our approach enables to possible deployment scenarios that can be combined: (1) CBDC instances represent central banks of multiple countries, and (2) CBDC instances represent the set of retail banks and a paramount central bank of a single country. We provide a detailed description of our protocol as well as an extensive analysis of its benefits, features, and security. In this WIP paper, we made a proof-of-concept implementation and made a partial evaluation, while the more extensive evaluation will be made in our future work.
Research Interests:
Cryptocurrencies have become very popular in recent years. Thousands of new cryptocurrencies have emerged, proposing new and novel techniques that improve on Bitcoin's core innovation of the blockchain data structure and consensus... more
Cryptocurrencies have become very popular in recent years. Thousands of new cryptocurrencies have emerged, proposing new and novel techniques that improve on Bitcoin's core innovation of the blockchain data structure and consensus mechanism. However, cryptocurrencies are a major target for cyber-attacks, as they can be sold on exchanges anonymously and most cryptocurrencies have their codebases publicly available. One particular issue is the prevalence of code clones in cryptocur-rencies, which may amplify security threats. If a vulnerability is found in one cryptocurrency, it might be propagated into other cloned cryptocurrencies. In this work, we propose a systematic remedy to this problem, and we propose COINWATCH (CW). Given a reported vulnerability at the input, CW uses the code evolution analysis and a clone detection technique for indication of cryptocurrencies that might be vulnerable. We applied CW on 1094 cryptocurrencies using 4 CVEs and obtained 786 true vulnerabilities present in 384 projects, which were confirmed with developers and successfully reported as CVE extensions.
Research Interests:
Distributed ledger systems (i.e., blockchains) have received a lot of attention recently. They promise to enable mutually untrusted participants to execute transactions, while providing the immutability of the transaction history and... more
Distributed ledger systems (i.e., blockchains) have received a lot of attention recently. They promise to enable mutually untrusted participants to execute transactions, while providing the immutability of the transaction history and censorship resistance. Although decentralized ledgers may become a disruptive innovation, as of today, they suffer from scalability, privacy, or governance issues. Therefore , they are inapplicable for many important use cases, where interestingly, centralized ledger systems quietly gain adoption and find new use cases. Unfortunately, centralized ledgers have also several drawbacks, like a lack of efficient verifiability or a higher risk of censorship and equivocation. In this paper, we present Aquareum, a novel framework for centralized ledgers removing their main limitations. By combining a trusted execution environment with a public blockchain platform , Aquareum provides publicly verifiable, non-equivocating, censorship-evident, private, and high-performance ledgers. Aqua-reum ledgers are integrated with a Turing-complete virtual machine, allowing arbitrary transaction processing logics, including tokens or client-specified smart contracts. Aquareum is fully implemented and deployment-ready, even with currently existing technologies.
Research Interests:
Due to their specific features, such as decentralization and immutability, blockchains have become popular in recent years. Blockchains are full-stack distributed systems in terms of realization, where security is a critical factor for... more
Due to their specific features, such as decentralization and immutability, blockchains have become popular in recent years. Blockchains are full-stack distributed systems in terms of realization, where security is a critical factor for their success. However, despite increasing popularity and adoption, there is a lack of standardized models to study security threats related to blockchains in a similar fashion as was done, e.g., in the area of cloud computing [236], [384]. To fill this gap, the main focus of our work is to systematize the knowledge about security and privacy aspects of blockchains, and thus contribute to the standardization of this domain. To this end, we propose the security reference architecture for blockchains, which utilizes a stacked model (similar to the ISO/OSI) that demonstrates the nature and hierarchy of various security and privacy threats. The model contains four layers: (1) the network layer, (2) the consensus layer, (3) the replicated state machine layer, and (4) the application layer. At each of these layers, we identify known security threats, their origin as well as mitigation techniques or countermeasures. Although a similar model has already been used in previous work to serve as a general outline of the blockchain infrastructure, we adapt it for the purpose of studying security threats in this domain. Further, we propose a blockchain-specific version of the threat-risk assessment standard ISO/IEC 15408 by embedding the stacked model into this standard. Finally, following our stacked model and its categorization, we provide an extensive survey of blockchain-oriented and related research as well as its applications.
Research Interests:
In this paper, we present three datasets that have been built from network traffic traces using ASNM (Advanced Security Network Metrics) features, designed in our previous work. The first dataset was built using a state-of-the-art dataset... more
In this paper, we present three datasets that have been built from network traffic traces using ASNM (Advanced Security Network Metrics) features, designed in our previous work. The first dataset was built using a state-of-the-art dataset CDX 2009 that was collected during a cyber defense exercise, while the remaining two datasets were collected by us in 2015 and 2018 using publicly available network services containing buffer overflow and other high severity vulnerabilities. These two datasets contain several adversarial obfuscation techniques that were applied onto malicious as well as legitimate traffic samples during “the execution” of their TCP network connections. Adversarial obfuscation techniques were used for evading machine learning-based network intrusion detection classifiers. We show that the performance of such classifiers can be improved when partially augmenting their training data by samples obtained from obfuscation techniques. In detail, we utilized tunneling obfuscation in HTTP(S) protocol and non-payload-based obfuscations modifying various properties of network traffic by, e.g., TCP segmentation, re-transmissions, corrupting and reordering of packets, etc. To the best of our knowledge, this is the first collection of network traffic data that contains adversarial techniques and is intended for non-payload-based network intrusion detection and adversarial classification. Provided datasets enable testing of the evasion resistance of arbitrary machine learning-based classifiers.
Research Interests:
With the recent rise of cryptocurrencies, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users, their software, or their providers, which have resulted in significant financial losses.... more
With the recent rise of cryptocurrencies, the security and management of crypto-tokens have become critical. We have witnessed many attacks on users, their software, or their providers, which have resulted in significant financial losses. To remedy these issues, many wallet solutions have been proposed to store users' crypto-tokens. However, these solutions lack either essential security features, or usability, or do not allow users to express their spending rules. In this paper, we propose a smart-contract cryptocurrency wallet framework that gives a flexible, usable, and secure way of managing crypto-tokens in a self-sovereign fashion. The proposed framework consists of three components (i.e., an authenticator, a client, and a smart contract) and provides 2-factor authentication performed in two stages of interaction with the blockchain. Our framework utilizes one-time passwords (OTPs) aggregated by a Merkle tree that is distributed across the components in such a way that for every authentication only a single OTP is transferred from the authenticator to the client. Such a novel setting enables us to make a fully air-gapped authenticator with 16B-long OTPs, while offering resilience against quantum cryptanalysis. We implemented our approach basing on the Ethereum cryptocurrency and the Solidity language. We have performed a cost analysis of the implementation and showed that the average cost of a transfer operation is less than $0.15.
Research Interests:
Due to their interesting features, blockchains have become popular in recent years. They are full-stack systems where security is a critical factor for their success. The main focus of this work is to systematize knowledge about security... more
Due to their interesting features, blockchains have become popular in recent years. They are full-stack systems where security is a critical factor for their success. The main focus of this work is to systematize knowledge about security and privacy issues of blockchains. To this end, we propose a security reference architecture based on models that demonstrate the stacked hierarchy of various threats (similar to the ISO/OSI hierarchy) as well as threat-risk assessment using ISO/IEC 15408. In contrast to the previous surveys [39], [8], [139], [20], we focus on the categorization of security incidents based on their origins and using the proposed architecture we present existing prevention and mitigation techniques. The scope of our work mainly covers aspects related to decentralized nature of blockchains, while we mention common operational security issues and countermeasures only tangentially.