Your search keyword '"Emmanouil Vasilomanolakis"' showing total 34 results

1. Open for hire:attack trends and misconfiguration pitfalls of IoT devices

Author

Shreyas Srinivasa, Jens Myrup Pedersen, and Emmanouil Vasilomanolakis

Subjects

Password, IoT, Honeypot, Exploit, Computer science, computer.internet_protocol, Network telescope, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Denial-of-service attack, security, Computer security, computer.software_genre, IPv4, deception, Attack model, cyber-security, fingerprinting, Universal Plug and Play, computer, honeypot

Abstract

Mirai and its variants have demonstrated the ease and devastating effects of exploiting vulnerable Internet of Things (IoT) devices. In many cases, the exploitation vector is not sophisticated; rather, adversaries exploit misconfigured devices (e.g. unauthenticated protocol settings or weak/default passwords). Our work aims at unveiling the state of IoT devices along with an exploration of the current attack landscape. In this paper, we perform an Internet-level IPv4 scan to unveil 1.8 million misconfigured IoT devices that may be exploited to perform large-scale attacks. These results are filtered to exclude a total of 8,192 devices that we identify as honeypots during our scan. To study current attack trends, we deploy six state-of-art IoT honeypots for a period of 1 month. We gather a total of 200, 209 attacks and investigate how adversaries leverage misconfigured IoT devices. In particular, we study different attack types, including denial of service, multistage attacks and attacks from infected online hosts. Furthermore, we analyze data from a /8 network telescope covering a total of 81 billion requests towards IoT protocols (e.g. CoAP, UPnP). Combining knowledge from the aforementioned experiments, we identify 11, 118 IP addresses (that are part of the detected misconfigured IoT devices) that attacked our honeypot setup and the network telescope.

Published

2021

2. Using NetFlow to Measure the Impact of Deploying DNS-based Blacklists

Author

Martin Fejrskov, Emmanouil Vasilomanolakis, and Jens Myrup Pedersen

Subjects

Measure (data warehouse), Web server, Software_OPERATINGSYSTEMS, Computer science, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, computer.software_genre, Computer security, Blacklist, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, ComputingMethodologies_PATTERNRECOGNITION, Software deployment, Web traffic, Web page, NetFlow, Malware, computer

Abstract

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38–40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

Published

2021

3. Visualizing the Bitcoin’s OP_RETURN operator

Author

Johannes Mols and Emmanouil Vasilomanolakis

Subjects

blockchain, 021110 strategic, defence & security studies, Cryptocurrency, Computer science, OP_RETURN, 0211 other engineering and technologies, Botnet, 02 engineering and technology, Computer security, computer.software_genre, Asset (computer security), Qualitative analysis, Operator (computer programming), Distributed ledger, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Use case, distributed ledgers, computer, Bitcoin, visualization, Range (computer programming)

Abstract

Bitcoin is undoubtedly the most used distributed ledger technology nowadays. Bitcoin's OP_RETURN operator allows for saving arbitrary data on the blockchain. This comes as an extension of Bitcoin's core usage (i.e. cryptocurrency) and opens up a multitude of use cases. These range from benign applications (e.g. ownership of a digital/physical asset) to illegal/malicious scenarios (e.g. blockchain-based botnets). In this paper, we present a system that provides advanced analytic and visual capabilities with regard to the OP_RETURN operator. Furthermore, we showcase a quantitative and qualitative analysis of the OP_RETURN along with a number of interesting findings.

Published

2020

4. TRIDEnT:Towards a Decentralized Threat Indicator Marketplace

Author

Stéphane Le Roux, Steven Rowe, Emmanouil Vasilomanolakis, Max Mühlhäuser, and Nikolaos Alexopoulos

Subjects

Computer science, Vulnerability, Competitive relationship, 020207 software engineering, 02 engineering and technology, Trident, Computer security, computer.software_genre, Trust, Critical infrastructure, Threat indicator sharing, Collaborative security, Ethereum, Incentive, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, computer, Smart contracts

Abstract

Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (threat indicators) from multiple sources, defenders can detect attacks and take the appropriate measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable parties to exchange network threat indicators, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship, to selectively advertise, sell and acquire threat indicators in the form of (near) real-time peer-to-peer streams. To demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.

Published

2020

5. ethVote:Towards secure voting with distributed ledgers

Author

Emmanouil Vasilomanolakis and Johannes Mols

Subjects

Unit testing, business.industry, Computer science, Process (engineering), media_common.quotation_subject, Cryptography, Space (commercial competition), Computer security, computer.software_genre, Voting, Ledger, The Internet, State (computer science), business, computer, media_common

Abstract

The topic of performing safe and secure elections is a long-standing debate. Regardless, of the various attempts for electronic or Internet-based voting, the majority of countries still use paper ballots. Nevertheless, with major advancements occurring over the last years in both cryptography and distributed ledgers we believe that there is space now for re-investigating this area. In this paper, we propose ethVote an Internet voting system that makes use of the Ethereum blockchain, state of the art cryptographic mechanisms and a P2P-based front-end to ensure a secure voting process. In addition, we provide an open-source proof of concept implementation that features the majority of the needed components for securely using ethVote. Our proposal is tested both in terms of unit testing, requirement verification, and with regard to the feasibility to perform such an operation in a public distributed ledger.

Published

2020

6. Cyber-security research by ISPs:A NetFlow and DNS Anonymization Policy

Author

Martin Fejrskov, Emmanouil Vasilomanolakis, and Jens Myrup Pedersen

Subjects

Computer science, DNS, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Legislation, Computer security, computer.software_genre, privacy, Network activity, Data availability, anonymization, Internet service provider, cyber-security, NetFlow, ISP, State (computer science), computer, IPFIX

Abstract

Internet Service Providers (ISPs) have an economic and operational interest in detecting malicious network activity relating to their subscribers. However, it is unclear what kind of traffic data an ISP has available for cyber-security research, and under which legal conditions it can be used. This paper gives an overview of the challenges posed by legislation and of the data sources available to a European ISP. DNS and NetFlow logs are identified as relevant data sources and the state of the art in anonymization and fingerprinting techniques is discussed. Based on legislation, data availability and privacy considerations, a practically applicable anonymization policy is presented.

Published

2020

7. Assessing the Threat of Blockchain-based Botnets

Author

Nikolaos Alexopoulos, Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Emine Saracoglu

Subjects

blockchain, botnets, Cryptocurrency, Blockchain, Edge device, Computer science, Botnet, Computer security, computer.software_genre, Atomic broadcast, Control channel, Backup, Command and control, computer

Abstract

Time and time again the security community has faced novel threats that were previously never analyzed, sometimes with catastrophic results. To avoid this, proactive analysis of envisioned threats is of great importance. One such threat is blockchain-based botnets. Bitcoin, and blockchain-based decentralized cryptocurrencies in general, promise a fair and more transparent financial system. They do so by implementing an open and censorship-resistant atomic broadcast protocol that enables the maintenance of a global transaction ledger, known as a blockchain. In this paper, we consider how this broadcast protocol may be used for malicious behavior as a botnet command and control (C2) channel. Botmasters have been known to misuse broadcasting platforms, like social media, as C2 channels. However, these platforms lack the integral censorship-resistant property of decentralized cryptocurrencies. In this paper, we provide a comprehensive systematization of knowledge study on using blockchains as botnet C2 channels, generating a number of important insights. We set off by providing a critical analysis of the state of the art of blockchain-based botnets, along with an abstract model of such a system. We then examine the inherent limitations of the design, in an attempt to challenge the feasibility of such a botnet. With such limitations in mind, we move forward with an experimental analysis of the detectability of such botnets and discuss potential countermeasures. Contrary to previous work that proposed such botnets, we provide a broad overview of the associated risk and view the problem in relation to other existing botnet C2 channels. We conclude that despite its limitations, the blockchain, as a backup mechanism, practically renders attempts to suppress the control channel of a botnet futile. Thus, more focus should be put on detecting and disinfecting machines at the network edge (router) or even per-bot level.

Published

2019

8. Network entity characterization and attack prediction

Author

Emmanouil Vasilomanolakis, Václav Bartoš, Sheikh Mahbub Habib, and Martin Zadnik

Subjects

FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Relation (database), Computer Networks and Communications, Computer science, media_common.quotation_subject, Machine Learning (stat.ML), Attack prediction, 02 engineering and technology, Characterization (mathematics), Computer security, computer.software_genre, Machine Learning (cs.LG), Ranking (information retrieval), Computer Science - Networking and Internet Architecture, Alert prioritization, Statistics - Machine Learning, Machine learning, 0202 electrical engineering, electronic engineering, information engineering, media_common, Networking and Internet Architecture (cs.NI), Reputation database, 020206 networking & telecommunications, Network security, Alert sharing, Hardware and Architecture, 020201 artificial intelligence & image processing, State (computer science), Cryptography and Security (cs.CR), computer, Software, Reputation

Abstract

The devastating effects of cyber-attacks, highlight the need for novel attack detection and prevention techniques. Over the last years, considerable work has been done in the areas of attack detection as well as in collaborative defense. However, an analysis of the state of the art suggests that many challenges exist in prioritizing alert data and in studying the relation between a recently discovered attack and the probability of it occurring again. In this article, we propose a system that is intended for characterizing network entities and the likelihood that they will behave maliciously in the future. Our system, namely Network Entity Reputation Database System (NERDS), takes into account all the available information regarding a network entity (e. g. IP address) to calculate the probability that it will act maliciously. The latter part is achieved via the utilization of machine learning. Our experimental results show that it is indeed possible to precisely estimate the probability of future attacks from each entity using information about its previous malicious behavior and other characteristics. Ranking the entities by this probability has practical applications in alert prioritization, assembly of highly effective blacklists of a limited length and other use cases., 30 pages, 8 figures

Published

2019

9. Autonomously detecting sensors in fully distributed botnets

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Jan Wolf

Subjects

General Computer Science, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Botnet, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, P2P botnets, 0202 electrical engineering, electronic engineering, information engineering, Botnet monitoring, 020201 artificial intelligence & image processing, Computational trust, Fully distributed botnets, Sensor evasion, Law, computer

Abstract

Botnet attacks have devastating effects on public and private infrastructures. The botmasters controlling these networks aim to prevent takedown attempts by using highly resilient P2P overlays to commandeer their botnets, and even harden them with countermeasures against intelligence gathering attempts. In fact, recent research indicates that advanced countermeasures can hamper the ability to gather the necessary intelligence for taking down botnets. In this article, we take the perspective of the botmaster to eventually anticipate their behavior. That said, we present a novel mechanism, namely Trust Based Botnet Monitoring Countermeasure (TrustBotMC), that combines computational trust with specially crafted bot messages to detect the presence of monitoring activity. We study and evaluate different computational trust models, to create a local and autonomous mechanism that ensures the avoidance of common botnet tracking mechanisms, such as sensors. Furthermore, we show, via our experimental results, that our approach can reduce the gathered intelligence by at least 53% compared to techniques that have been seen in botnets to date. Finally, we investigate techniques for mitigating our approach.

Published

2019

10. On generating network traffic datasets with synthetic attacks for intrusion detection

Author

Aidmar Wainakh, Emmanouil Vasilomanolakis, Max Mühlhäuser, Simin Nadjm-Tehrani, and Carlos Garcia Cordero

Subjects

FOS: Computer and information sciences, Computer Science - Cryptography and Security, General Computer Science, Exploit, Computer science, Data_MISCELLANEOUS, attack injection, Botnet, 02 engineering and technology, Intrusion detection system, computer.software_genre, Field (computer science), Set (abstract data type), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Network intrusion detection, Safety, Risk, Reliability and Quality, synthetic dataset, datasets, 020206 networking & telecommunications, Replicate, Replication (computing), Intrusion detection systems, Data mining, computer, Cryptography and Security (cs.CR)

Abstract

Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In this field, however, finding suitable datasets is a challenge on to itself. Most publicly available datasets have negative qualities that limit their usefulness. In this article, we propose ID2T (Intrusion Detection Dataset Toolkit) to tackle this problem. ID2T facilitates the creation of labeled datasets by injecting synthetic attacks into background traffic. The injected synthetic attacks blend themselves with the background traffic by mimicking the background traffic's properties to eliminate any trace of ID2T's usage. This work has three core contribution areas. First, we present a comprehensive survey on intrusion detection datasets. In the survey, we propose a classification to group the negative qualities we found in the datasets. Second, the architecture of ID2T is revised, improved and expanded. The architectural changes enable ID2T to inject recent and advanced attacks such as the widespread EternalBlue exploit or botnet communication patterns. The toolkit's new functionality provides a set of tests, known as TIDED (Testing Intrusion Detection Datasets), that help identify potential defects in the background traffic into which attacks are injected. Third, we illustrate how ID2T is used in different use-case scenarios to evaluate the performance of anomaly and signature-based intrusion detection systems in a reproducible manner. ID2T is open source software and is made available to the community to expand its arsenal of attacks and capabilities., Comment: 31 pages

Published

2019

11. Don't steal my drone: Catching attackers with an unmanned aerial vehicle honeypot

Author

Dhanasekar Boopalan, Jörg Daubert, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects

Honeypot, Computer science, business.industry, ComputerApplications_COMPUTERSINOTHERSYSTEMS, Computer security, computer.software_genre, ComputingMethodologies_ARTIFICIALINTELLIGENCE, Drone, Raspberry pi, Software, ComputerSystemsOrganization_SPECIAL-PURPOSEANDAPPLICATION-BASEDSYSTEMS, business, Private information retrieval, computer

Abstract

The increased utilization of Unmanned Aerial Vehicles (UAVs) in both personal as well as commercial and public safety scenarios has also opened the door to adversaries. In more details, such malicious activities may include the hijacking of the UAV (and its cargo), the theft of private information stored in the device, etc. In this paper, we introduce the idea of a honeypot that is specifically designed for the protection of UAVs. The honeypot, which is also capable of running on small portable devices, e.g., a Raspberry Pi, emulates a number of UAV-specific and UAV-tailored protocols, making it possible to lure adversaries into attacking it. Our system can assist into detecting active attackers in a certain area as well as into shedding light into the adversaries' techniques for compromising UAVs.

Published

2018

12. HoneyDrone: A medium-interaction unmanned aerial vehicle honeypot

Author

Jörg Daubert, Emmanouil Vasilomanolakis, Max Mühlhäuser, and Dhanasekar Boopalan

Subjects

050210 logistics & transportation, Emulation, Honeypot, Computer science, media_common.quotation_subject, 05 social sciences, ComputerApplications_COMPUTERSINOTHERSYSTEMS, 020206 networking & telecommunications, 02 engineering and technology, Network interface, Computer security, computer.software_genre, Drone, Variety (cybernetics), 0502 economics and business, 0202 electrical engineering, electronic engineering, information engineering, Sophistication, computer, Private information retrieval, media_common

Abstract

Over the last years, we have experienced an increased utilization of Unmanned Aerial Vehicles (UAVs) not only in personal, but also commercial and public safety applications. Simultaneously, malicious activities have emerged too; from hijacking of UAVs (and their cargo), to the theft of private information stored in UAVs, attacks not only exist but seem to increase both in their numbers and their sophistication. In this paper, we propose HoneyDrone, the first honeypot that is specifically designed for the protection of UAVs. HoneyDrone emulates a number of UAV-specific and UAV-tailored protocols, making it possible to lure adversaries into attacking it. The honeypot is designed to run in portable low-cost devices, e.g., Raspberry Pis, which makes it possible to strategically deploy it in a variety of locations. Our system can assist in detecting active attackers in a certain area, as well as in shedding light into the adversaries' techniques for compromising UAVs. We evaluate HoneyDrone's performance and also examine a number of different realistic attack scenarios to show how the honeypot can cope with them.

Published

2018

13. Towards Blockchain-Based Collaborative Intrusion Detection Systems

Author

Nikolaos Alexopoulos, Natalia Reka Ivanko, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects

Computer science, Intersection (set theory), 02 engineering and technology, Intrusion detection system, Data science, Field (computer science), Task (project management), Work (electrical), 020204 information systems, Accountability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Architecture, Implementation

Abstract

In an attempt to cope with the increased number of cyber-attacks, research in Intrusion Detection System IDSs is moving towards more collaborative mechanisms. Collaborative IDSs (CIDSs) are such an approach; they combine the knowledge of a plethora of monitors to generate a holistic picture of the monitored network. Despite the research done in this field, CIDSs still face a number of fundamental challenges, especially regarding maintaining trust among the collaborating parties. Recent advances in distributed ledger technologies, e.g. various implementations of blockchain protocols, are a good fit to the problem of enhancing trust in collaborative environments. This paper touches the intersection of CIDSs and blockchains. Particularly, it introduces the idea of utilizing blockchain technologies as a mechanism for improving CIDSs. We argue that certain properties of blockchains can be of significant benefit for CIDSs; namely for the improvement of trust between monitors, and for providing accountability and consensus. For this, we study the related work and highlight the research gaps and challenges towards such a task. Finally, we propose a generic architecture for the incorporation of blockchains into the field of CIDSs and an analysis of the design decisions that need to be made to implement such an architecture.

Published

2018

14. Taxonomy and Survey of Collaborative Intrusion Detection

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Mathias Fischer, and Shankar Karuppayah

Subjects

General Computer Science, business.industry, Computer science, Network security, Information technology, Intrusion detection system, Computer security, computer.software_genre, Theoretical Computer Science, Component (UML), Scalability, Key (cryptography), Architecture, business, Massively parallel, computer

Abstract

The dependency of our society on networked computers has become frightening: In the economy, all-digital networks have turned from facilitators to drivers; as cyber-physical systems are coming of age, computer networks are now becoming the central nervous systems of our physical world—even of highly critical infrastructures such as the power grid. At the same time, the 24/7 availability and correct functioning of networked computers has become much more threatened: The number of sophisticated and highly tailored attacks on IT systems has significantly increased. Intrusion Detection Systems (IDSs) are a key component of the corresponding defense measures; they have been extensively studied and utilized in the past. Since conventional IDSs are not scalable to big company networks and beyond, nor to massively parallel attacks, Collaborative IDSs (CIDSs) have emerged. They consist of several monitoring components that collect and exchange data. Depending on the specific CIDS architecture, central or distributed analysis components mine the gathered data to identify attacks. Resulting alerts are correlated among multiple monitors in order to create a holistic view of the network monitored. This article first determines relevant requirements for CIDSs; it then differentiates distinct building blocks as a basis for introducing a CIDS design space and for discussing it with respect to requirements. Based on this design space, attacks that evade CIDSs and attacks on the availability of the CIDSs themselves are discussed. The entire framework of requirements, building blocks, and attacks as introduced is then used for a comprehensive analysis of the state of the art in collaborative intrusion detection, including a detailed survey and comparison of specific CIDS approaches.

Published

2015

15. Defending against Probe-Response Attacks

Author

Emmanouil Vasilomanolakis, Noorulla Sharief, and Max Mühlhäuser

Subjects

Class (computer programming), Shuffling, business.industry, Process (engineering), Computer science, media_common.quotation_subject, 020206 networking & telecommunications, Usability, 02 engineering and technology, Adversary, Computer security, computer.software_genre, Encryption, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, Sophistication, computer, media_common, Computer network

Abstract

With the increase in the sophistication of cyberattacks, collaborative defensive approaches such as Collaborative IDSs (CIDSs) have emerged. CIDSs utilize a multitude of heterogeneous monitors to create a holistic picture of the monitored network. Nowadays, a number of research institutes and companies deploy CIDSs that publish their alert data publicly, over the Internet. Such systems are important for researchers and security administrators as they provide a source of real-world alert data for experimentation. However, a class of attacks exist, called Probe-Response Attacks (PRAs), which can significantly reduce the benefits of a CIDS. In particular, such attacks allow an adversary to detect the network location of the monitors of a CIDS. In this paper, we first study the related work and analyze the various mitigation techniques for defending against PRAs. Subsequently, we propose a novel mitigation mechanism that improves the state of the art. Our method, namely the Shuffle-based PRA Mitigation (SPM), is based on the idea of shuffling the watermarks, so-called markers, which the adversary requires to successfully perform a PRA. By doing so the whole process of the attack is disrupted leading to a very small number of identified monitors. Our experimental results suggest that our proposed method significantly reduces the impact of a PRA whilst it does not introduce a trade-off for the usability of the data produced by the CIDS.

Published

2017

16. CHALLENGES AND AVAILABLE SOLUTIONS AGAINST ORGANIZED CYBER-CRIME AND TERRORIST NETWORKS

Author

Bernhard Jäger, Florian Huber, Emmanouil Vasilomanolakis, Andrea Tundis, Jörg Daubert, and Max Mühlhäuser

Subjects

Cybercrime, 021110 strategic, defence & security studies, Computer science, 020204 information systems, Terrorism, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, 02 engineering and technology, Organised crime, Cyber crime, Computer security, computer.software_genre, computer

Published

2017

17. On probe-response attacks in Collaborative Intrusion Detection Systems

Author

Emmanouil Vasilomanolakis, Carlos Garcia Cordero, Max Mühlhäuser, and Michael Stahn

Subjects

Class (computer programming), Computer science, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Computer security, computer.software_genre, System a, Critical infrastructure, Software deployment, 020204 information systems, Encoding (memory), 0202 electrical engineering, electronic engineering, information engineering, computer

Abstract

Cyber-attacks are steadily increasing in both their size and sophistication. To cope with this, Intrusion Detection Systems (IDSs) are considered mandatory for the protection of critical infrastructure. Furthermore, research is currently focusing on collaborative architectures for IDSs, creating a Collaborative IDS (CIDS). In such a system a number of IDS monitors work together towards creating a holistic picture of the monitored network. Nevertheless, a class of attacks exists, called probe-response, which can assist adversaries to detect the network position of CIDS monitors. This can significantly affect the advantages of a CIDS. In this paper, we introduce PREPARE, a framework for deploying probe-response attacks and also for studying methods for their mitigation. Moreover, we present significant improvements on both the effectiveness of probe-response attacks as well as on mitigation techniques for detecting them. We evaluate our approach via an extensive simulation and a real-world attack deployment that targets two CIDSs. Our results show that our framework can be practically utilized, that our proposals significantly improve probe-response attacks and, lastly, that the introduced detection and mitigation techniques are effective.

Published

2016

18. Detection and mitigation of monitor identification attacks in collaborative intrusion detection systems

Author

Emmanouil Vasilomanolakis and Max Mühlhäuser

Subjects

021110 strategic, defence & security studies, Identification (information), Computer Networks and Communications, Computer science, Real-time computing, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Computer Science Applications

Published

2018

19. BoobyTrap: On autonomously detecting and characterizing crawlers in P2P botnets

Author

Mathias Fischer, Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Steffen Haas

Subjects

Exploit, Computer science, business.industry, Botnet, 020206 networking & telecommunications, 02 engineering and technology, Cutwail botnet, Sality, Computer security, computer.software_genre, Rustock botnet, ZeroAccess botnet, Srizbi botnet, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business, Web crawler, computer, Computer network

Abstract

The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets, to take them down. For this, an extensive monitoring is a pre-requisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel antimonitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.

Published

2016

20. Towards the creation of synthetic, yet realistic, intrusion detection datasets

Author

Carlos Garcia Cordero, Emmanouil Vasilomanolakis, Nikolay Milanov, and Max Mühlhäuser

Subjects

business.industry, Quality assessment, Computer science, media_common.quotation_subject, User defined, 02 engineering and technology, Intrusion detection system, computer.software_genre, Field (computer science), Host-based intrusion detection system, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Quality (business), Data mining, business, Software architecture, computer, Graphical user interface, media_common

Abstract

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. With this in mind, the research community has been immersed in the field of IDSs over the past years more than before. Still, assessing and comparing performance between different systems and algorithms remains one of the biggest challenges in this research area. IDSs need to be evaluated and compared against high quality datasets; nevertheless, the existing ones have become outdated or lack many essential requirements. We present the Intrusion Detection Dataset Toolkit (ID2T), an approach for creating out-of-the-box labeled datasets that contain user defined attacks. In this paper, we discuss the essential requirements needed to create synthetic, yet realistic, datasets with user defined attacks. We also present typical problems found in synthetic datasets and propose a software architecture for building tools that can cope with the most typical problems. A publicly available prototype, is implemented and evaluated. The evaluation comprises a performance analysis and a quality assessment of the generated datasets. We show that our tool can handle large amounts of network traffic and that it can generate synthetic datasets without the problems or shortcomings we identified in other datasets.

Published

2016

21. Multi-stage attack detection and signature generation with ICS honeypots

Author

Shreyas Srinivasa, Carlos Garcia Cordero, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects

Emulation, Honeypot, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Industrial control system, Computer security, computer.software_genre, Critical infrastructure, Signature (logic), Multi stage, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, computer

Abstract

New attack surfaces are emerging with the rise of Industrial Control System (ICS) devices exposed on the Internet. ICS devices must be protected in a holistic and efficient manner; especially when these are supporting critical infrastructure. Taking this issue into account, cyber-security research is recently being focused on providing early detection and warning mechanisms for ICSs. In this paper we present a novel honeypot capable of detecting multi-stage attacks targeting ICS networks. Upon detecting a multi-stage attack, our honeypot can generate signatures so that misuse Intrusion Detection Systems (IDSs) can subsequently thwart attacks of the same type. Our experimental results indicate that our honeypot and the signatures it generates provide good detection accuracy and that the Bro IDS can successfully use the signatures to prevent future attacks.

Published

2016

22. SkipMon: A locality-aware Collaborative Intrusion Detection System

Author

Emmanouil Vasilomanolakis, Carlos Garcia Cordero, Max Mühlhäuser, Matthias Krugl, and Mathias Fischer

Subjects

Privacy preserving, business.industry, Computer science, Locality, Scalability, Intrusion detection system, Intrusion prevention system, business, Computer network

Abstract

Due to the increasing quantity and sophistication of cyber-attacks, Intrusion Detection Systems (IDSs) are nowadays considered mandatory security mechanisms for protecting critical networks. Research on cyber-security is moving from such isolated IDSs towards Collaborative IDSs (CIDSs) in order to protect large-scale networks. In CIDSs, a number of IDS sensors work together for creating a holistic picture of the monitored network. Our contribution in this paper is a novel distributed and scalable CIDS, called SkipMon. Our system supports, both, the idea of locality and privacy preserving communication by means of exchanging compact alert data. Furthermore, we propose a mechanism for interconnecting sensors that experience similar traffic patterns. The experimental results suggest that our CIDS, with our technique of connecting monitoring nodes that experience similar traffic, is scalable and offers a good accuracy rate compared to a centralized system with full knowledge of the participating sensors' data.

Published

2015

23. A honeypot-driven cyber incident monitor

Author

Shankar Karuppayah, Panayotis Kikiras, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects

Honeypot, Computer science, business.industry, media_common.quotation_subject, Perspective (graphical), Tracing, Computer security, computer.software_genre, Multiple sensors, Software deployment, Analytics, Data analysis, business, Sophistication, computer, media_common

Abstract

In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.

Published

2015

24. On the Security and Privacy of Internet of Things Architectures and Systems

Author

Emmanouil Vasilomanolakis, Vangelis Gazis, Manisha Luthra, Panayotis Kikiras, Jörg Daubert, and Alexander Wiesmaier

Subjects

Information privacy, Privacy by Design, business.industry, Privacy software, Computer science, Internet privacy, Multitude, Internet of Things, business, Construct (philosophy), Computer security, computer.software_genre, computer

Abstract

The Internet of Things (IoT) brings together a multitude of technologies, with a vision of creating an interconnected world. This will benefit both corporations as well as the end-users. However, a plethora of security and privacy challengesneed to be addressed for the IoT to be fully realized. In thispaper, we identify and discuss the properties that constitutethe uniqueness of the IoT in terms of the upcoming securityand privacy challenges. Furthermore, we construct requirementsinduced by the aforementioned properties. We survey the fourmost dominant IoT architectures and analyze their securityand privacy components with respect to the requirements. Ouranalysis shows a mediocre coverage of security and privacyrequirements. Finally, through our survey we identify a number ofresearch gaps that constitute the steps ahead for future research.

Published

2015

25. ID2T: A DIY dataset creation toolkit for Intrusion Detection Systems

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Carlos Garcia Cordero, David Hausheer, Nikolay Milanov, and Christian Koch

Subjects

Host-based intrusion detection system, Data visualization, business.industry, Computer science, User defined, Intrusion detection system, Data mining, business, computer.software_genre, computer

Abstract

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. These systems need to be evaluated against high quality datasets for correctly assessing their usefulness and comparing their performance. We present an Intrusion Detection Dataset Toolkit (ID2T) for the creation of labeled datasets containing user defined synthetic attacks. The architecture of the toolkit is provided for examination and the example of an injected attack, in real network traffic, is visualized and analyzed. We further discuss the ability of the toolkit of creating realistic synthetic attacks of high quality and low bias.

Published

2015

26. Probe-response attacks on collaborative intrusion detection systems: Effectiveness and countermeasures

Author

Carlos Garcia Cordero, Michael Stahn, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects

business.industry, Computer science, Network security, The Internet, Intrusion detection system, Adversary, business, Computer security, computer.software_genre, computer, Computer network

Abstract

Over the last years the number of cyber-attacks has been constantly increasing. Since isolated Intrusion Detection Systems (IDSs) cannot cope with the number and sophistication of attacks, collaboration among the defenders is required. Collaborative IDSs (CIDSs) work by exchanging alert traffic to construct a holistic view of the monitored network. However, an adversary can utilize probe-response attacks to successfully detect CIDS's monitoring sensors. We discuss the practicability of such attacks, suggest improvements, and also propose novel techniques to reduce the effects of such attacks. Moreover, we present preliminary results in the applicability of the attacks and hints on performing such attacks in a well known CIDS.

Published

2015

27. A survey of technologies for the internet of things

Author

Emmanouil Vasilomanolakis, Manuel Gortz, Marco F. Huber, Alexander Wiesmaier, Alessandro Leonardi, Vangelis Gazis, Kostas Mathioudakis, and Florian Zeiger

Subjects

World Wide Web, Web of Things, Order (exchange), business.industry, Analytics, Computer science, Interoperability, Internet of Things, business

Abstract

The number of smart things is growing exponentially. By 2020, tens of billions of things will be deployed worldwide, collecting a wealth of diverse data. Traditional computing models collect in-field data and then transmit it to a central data center where analytics are applied to it, but this is no longer a sustainable model. New approaches and new technologies are required to transform enormous amounts of collected data into meaningful information. Technology also will enable the interconnection around things in the IoT ecosystem but further research is required in the development, convergence and interoperability of the different IoT elements. In this paper, we provide a picture of the main technological components needed to enable the interconnection among things in order to realize IoT concepts and applications.

Published

2015

28. Community-Based Collaborative Intrusion Detection

Author

Carlos Garcia Cordero, Emmanouil Vasilomanolakis, Max Mühlhäuser, and Mathias Fischer

Subjects

Computer science, business.industry, Botnet, Intrusion detection system, Computer security, computer.software_genre, Partition (database), Information technology management, Overhead (computing), Anomaly detection, Isolation (database systems), Set (psychology), business, computer

Abstract

The IT infrastructure of today needs to be ready to defend against massive cyber-attacks which often originate from distributed attackers such as Botnets. Most Intrusion Detection Systems (IDSs), nonetheless, are still working in isolation and cannot effectively detect distributed attacks. Collaborative IDSs (CIDSs) have been proposed as a collaborative defense against the ever more sophisticated distributed attacks. However, collaboration by exchanging suspicious alarms among all interconnected sensors in CIDSs does not scale with the size of the IT infrastructure; hence, detection performance and communication overhead, required for collaboration, must be traded off. We propose to partition the set of considered sensors into subsets, or communities, as a lever for this trade off. The novelty of our approach is the application of ensemble based learning, a machine learning paradigm suitable for distributed intrusion detection. In our approach, community members exchange data features used to train models of normality, not bare alarms, thereby further reducing the communication overhead of our approach. Our experiments show that we can achieve detection rates close to those based on global information exchange with smaller subsets of collaborating sensors.

Published

2015

29. Security Perspectives for Collaborative Data Acquisition in the Internet of Things

Author

Carlos Garcia Cordero, Alexander Wiesmaier, Emmanouil Vasilomanolakis, Panayotis Kikiras, and Vangelis Gazis

Subjects

World Wide Web, Data acquisition, Computer science, business.industry, Data analysis, Context (language use), Layer (object-oriented design), Internet of Things, business, Data modeling

Abstract

The Internet of Things (IoT) is an increasingly important topic, bringing together many different fields of computer science. Nevertheless, beside the advantages (IoT) has to offer, many challenges exist, not at least in terms of security and privacy. In addition, the large number of heterogeneous devices in (IoT) produces a vast amount of data, and therefore efficient mechanisms are required that are capable of handling the data, analyze them and produce meaningful results. In this paper, we discuss the challenges that have to be addressed, when data analytics are applied in the context of the (IoT). For this, we propose a data acquisition architecture, named CoDA, that focuses on bringing together heterogeneous things to create distributed global data models. For each layer of the proposed architecture we discuss the upcoming challenges from the security perspective.

Published

2015

30. This network is infected

Author

Mathias Fischer, Lars Pandikow, Mihai Plasoianu, Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Wulf Pfeiffer

Subjects

Honeypot, Computer science, Wireless network, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Intrusion detection system, Computer security, computer.software_genre, Security awareness, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Trustworthiness, Malware, Android (operating system), computer, Mobile device

Abstract

In recent years, the number of sophisticated cyber attacks has increased rapidly. At the same time, people tend to utilize unknown, in terms of trustworthiness, wireless networks in their daily life. They connect to these networks, e.g., airports, without knowledge of whether they are safe or infected with actively propagating malware. In traditional networks, malicious behavior can be detected via Intrusion Detection Systems (IDSs). However, IDSs cannot be applied easily to mobile environments and to resource constrained devices. Another common defense mechanism is honeypots, i.e., systems that pretend to be an attractive target to attract malware and attackers. As a honeypot has no productive use, each attempt to access it can be interpreted as an attack. Hence, they can provide an early indication on malicious network environments. Since low interaction honeypots do not demand high CPU or memory requirements, they are suitable to resource constrained devices like smartphones or tablets.In this paper we present the idea of Honeypot-To-Go. We envision portable honeypots on mobile devices that aim on the fast detection of malicious networks and thus boost the security awareness of users. Moreover, to demonstrate the feasibility of this proposal we present our prototype HosTaGe, a low-interaction honeypot implemented for the Android OS. We present some initial results regarding the performance of this application as well as its ability to detect attacks in a realistic environment. To the best of our knowledge, HosTaGe is the first implementation of a generic low-interaction honeypot for mobile devices.

Published

2013

31. Did you really hack a nuclear power plant? An industrial control mobile honeypot

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, and Shreyas Srinivasa

Subjects

Honeypot, Computer science, business.industry, Control (management), Industrial control system, Computer security, computer.software_genre, law.invention, law, Server, Nuclear power plant, Malware, The Internet, Mobile telephony, business, computer, Computer network

Abstract

The emerge of sophisticated attackers and malware that target Industrial Control System (ICS) suggests that novel security mechanisms are required. Honeypots, can act as an additional line of defense, by providing early warnings for such attacks. We present a mobile ICS honeypot, that can be placed in various network positions to provide security administrators an on-the-go security status of their network. We discuss our system, its merits in comparison to other honeypots, and provide preliminary results towards a large-scale evaluation.

32. HosTaGe: a Mobile Honeypot for Collaborative Defense

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Mathias Fischer

Subjects

Honeypot, Computer science, Pseudoserver, Android (operating system), Computer security, computer.software_genre, computer, Mobile device

Abstract

The continuous growth of the number of cyber attacks along with the massive increase of mobile devices creates a highly heterogeneous landscape in terms of security challenges. We argue that in order for security researchers to cope with both the massive amount and the complexity of attacks, a more pro-active approach has to be taken into account. In addition, distributed attacks that are carried out by interconnected attackers require a collaborative defense. Diverging from traditional security defenses, honeypots are systems whose value lies on in being attacked and compromised. In this paper, we extend the idea of HosTaGe, i.e., a low interaction honeypot for mobile devices. Our system is specifically designed in a user-centric manner and runs out-of-the-box in the Android operating system. We present the design rational and discuss the different attack surfaces that HosTaGe is able to handle. The main contribution of this paper is the introduction of the collaborative capabilities of HosTaGe.

33. Next Generation P2P Botnets: Monitoring Under Adverse Conditions

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Shankar Karuppayah

Subjects

Intelligence gathering, Adverse conditions, Computer science, Botnet, 020206 networking & telecommunications, Denial-of-service attack, Context (language use), 02 engineering and technology, Computer security, computer.software_genre, Resistance monitoring, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Ransomware, Resilience (network), computer

Abstract

The effects of botnet attacks, over the years, have been devastating. From high volume Distributed Denial of Service (DDoS) attacks to ransomware attacks, it is evident that defensive measures need to be taken. Indeed, there has been a number of successful takedowns of botnets that exhibit a centralized architecture. However, this is not the case with distributed botnets that are more resilient and armed with countermeasures against monitoring. In this paper, we argue that monitoring countermeasures, applied by botmasters, will only become more sophisticated; to such an extent that monitoring, under these adverse conditions, may become infeasible. That said, we present the most detailed analysis, to date, of parameters that influence a P2P botnet’s resilience and monitoring resistance. Integral to our analysis, we introduce BotChurn (BC) a realistic and botnet-focused churn generator that can assist in the analysis of botnets. Our experimental results suggest that certain parameter combinations greatly limit intelligence gathering operations. Furthermore, our analysis highlights the need for extensive collaboration between defenders. For instance, we show that even the combined knowledge of 500 monitoring instances is insufficient to fully enumerate some of the examined botnets. In this context, we also raise the question of whether botnet monitoring will still be feasible in the near future.

34. Towards Trust-Aware Collaborative Intrusion Detection: Challenges and Solutions

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Rabee Sohail Malik, Sheikh Mahbub Habib, and Pavlos Milaszewicz

Subjects

Computer science, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Data science, Field (computer science), Identification (information), Work (electrical), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Trust management (information system), State (computer science), Computational trust, Set (psychology)

Abstract

Collaborative Intrusion Detection Systems (CIDSs) are an emerging field in cyber-security. In such an approach, multiple sensors collaborate by exchanging alert data with the goal of generating a complete picture of the monitored network. This can provide significant improvements in intrusion detection and especially in the identification of sophisticated attacks. However, the challenge of deciding to which extend a sensor can trust others, has not yet been holistically addressed in related work. In this paper, we firstly propose a set of requirements for reliable trust management in CIDSs. Afterwards, we carefully investigate the most dominant CIDS trust schemes. The main contribution of the paper is mapping the results of the analysis to the aforementioned requirements, along with a comparison of the state of the art. Furthermore, this paper identifies and discusses the research gaps and challenges with regard to trust and CIDSs.