Search

Your search keyword '"Emmanouil Vasilomanolakis"' showing total 100 results
Start Over Author "Emmanouil Vasilomanolakis"
100 results on '"Emmanouil Vasilomanolakis"'

53. Botnet Business Models, Takedown Attempts, and the Darkweb Market:A Survey

Author

Dimitrios Georgoulias, Jens Myrup Pedersen, Morten Falch, and Emmanouil Vasilomanolakis

Subjects
Additional Key Words and PhrasesCybercrime, botnets, General Computer Science, Cybercrime, SDG 16 - Peace, Justice and Strong Institutions, forum, marketplace, economics, Theoretical Computer Science, takedowns, attacks, darkweb, business models
Abstract

Botnets account for a substantial portion of cybercrime. Botmasters utilize darkweb marketplaces to promote and provide their services, which can vary from renting or buying a botnet (or parts of it) to hiring services (e.g., distributed denial of service attacks). At the same time, botnet takedown attempts have proven to be challenging, demanding a combination of technical and legal methods, and often requiring the collaboration of a plethora of entities with varying jurisdictions. In this article, we map the elements associated with the business aspect of botnets and utilize them to develop adaptations of two widely used business models. Furthermore, we analyze the 28 most notable botnet takedown operations carried out from 2008 to 2021, in regard to the methods employed, and illustrate the correlation between these methods and the segments of our adapted business models. Our analysis suggests that the botnet takedown methods have been mainly focused on the technical side, but not on the botnet economic components. We aim to shed light on new takedown vectors and incentivize takedown actors to expand their efforts to methods oriented more toward the business side of botnets, which could contribute toward eliminating some of the challenges that surround takedown operations.

Published
2023

54. Gotta catch ’em all: a Multistage Framework for honeypot fingerprinting

Author

Shreyas Srinivasa, Jens Myrup Pedersen, and Emmanouil Vasilomanolakis

Subjects
FOS: Computer and information sciences, Software_OPERATINGSYSTEMS, Computer Science - Cryptography and Security, Computer Networks and Communications, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Computer Science Applications, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, fingerprinting, Hardware and Architecture, Honeypot, Cryptography and Security (cs.CR), Safety Research, Software, Information Systems
Abstract

Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the last years a number of researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state of the art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present a number of interesting side-findings such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g. SSH servers with default password configurations and vulnerable versions). We ethically disclose our findings to network administrators about the default configuration and the honeypot developers about the gaps in implementation that lead to possible honeypot fingerprinting. Lastly, we discuss countermeasures against honeypot fingerprinting techniques.

Published
2023

57. Detecting DNS hijacking by using NetFlow data

Author

Jens Myrup Pedersen, Emmanouil Vasilomanolakis, and Martin Fejrskov

Subjects
hijacking, DNS, malware, NetFlow, IPFix
Abstract

DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

Published
2022

61. Deceptive directories and 'vulnerable' logs: a honeypot study of the LDAP and log4j attack landscape

Author

Jens Myrup Pedersen, Emmanouil Vasilomanolakis, and Shreyas Srinivasa

Subjects
LDAP attacks, Deception, LDAP, Honeypots
Abstract

The Lightweight Directory Access Protocol (LDAP) has been widely used to query directory services. It is mainly utilized for reading, writing, and searching directory services like the Active Directory. The vast adoption of LDAP for authentication has entailed several attack attempts like injection attacks and unauthorized access due to third-party key storage. Furthermore, recent vulnerabilities discovered in libraries like the Log4j can lead adversaries to obtain unauthorized information from the directory services through pivoting attacks. Moreover, the LDAP can be configured to operate on UDP, motivating adversaries to exploit it for Distributed Reflection Denial of Service attacks (DRDoS). This paper presents a study of attacks on the LDAP by deploying honeypots that simulate multiple profiles that support the LDAP service and correlating the attack datasets obtained from honeypots deployed by the Honeynet Project community. We observe a total of 39,388 malicious events targeting the honeypots and discover 273 unique attack sources performing pivot attacks in a period of one month.

Published
2022

62. A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks

Author

Jens Myrup Pedersen, Dimitrios Georgoulias, Emmanouil Vasilomanolakis, and Shreyas Srinivasa

Subjects
uncontrolled execution, online IDE
Abstract

Botnets are an ongoing threat to the cyber world and can be utilized to carry out DDoS attacks of high magnitude. From the botmaster's perspective, there is a constant need for deploying more effective botnets and discovering new ways to bolster their bot ranks. Integrated Development Environments (IDEs) have been essential for software developers to write and compile source code. The increasing need for remote work and collaborative workspaces have led to the IDE-as-a-service paradigm that offers online code editing and compilation with multiple language support. In this paper, we show that a multitude of online IDEs do not run control checks on the user code and can be therefore lever-aged by a botnet. We examine the concept of uncontrolled execution environments and present a proof of concept to show how uncontrolled online-IDEs can be weaponized to perform large-scale attacks by a botnet. Overall, we detect a total of 719 online-IDEs with uncontrolled execution environments and limited sandboxing. Lastly, as ethical disclosure, we inform the IDE developers and service providers of the vulnerabilities and propose countermeasures.

Published
2022

65. Interaction matters: a comprehensive analysis and a dataset of hybrid IoT/OT honeypots

Author

Jens Myrup Pedersen, Emmanouil Vasilomanolakis, and Shreyas Srinivasa

Subjects
deception, IoT, Interaction, SDG 16 - Peace, Justice and Strong Institutions, honeypots, SDG 9 - Industry, Innovation, and Infrastructure, Cyber Deception, operation technology
Abstract

The Internet of things (IoT) and critical infrastructure utilizing operational technology (OT) protocols are nowadays a common attack target and/or attack surface used to further propagate malicious actions. Deception techniques such as honeypots have been proposed for both IoT and OT but they either lack an extensive evaluation or are subject to fingerprinting attacks. In this paper, we extend and evaluate RIoTPot, a hybrid-interaction honeypot, by exposing it to attacks on the Internet and perform a longitudinal study with multiple evaluation parameters for three months. Furthermore, we publish the aforementioned study in the form of a dataset that is available to researchers upon request. We leverage RIoTPot's hybrid-interaction model to deploy it in three interaction variants with six protocols deployed on both cloud and self-hosted infrastructure to study and compare the attacks gathered. At a glance, we receive 10.87 million attack events originating from 22,518 unique IP addresses that involve brute-force, poisoning, multistage and other attacks. Moreover, we fingerprint the attacker IP addresses to identify the type of devices who participate in the attacks. Lastly, our results indicate that the honeypot interaction levels have an important role in attracting specific attacks and scanning probes.

Published
2022

69. Open for hire:attack trends and misconfiguration pitfalls of IoT devices

Author

Shreyas Srinivasa, Jens Myrup Pedersen, and Emmanouil Vasilomanolakis

Subjects
Password, IoT, Honeypot, Exploit, Computer science, computer.internet_protocol, Network telescope, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Denial-of-service attack, security, Computer security, computer.software_genre, IPv4, deception, Attack model, cyber-security, fingerprinting, Universal Plug and Play, computer, honeypot
Abstract

Mirai and its variants have demonstrated the ease and devastating effects of exploiting vulnerable Internet of Things (IoT) devices. In many cases, the exploitation vector is not sophisticated; rather, adversaries exploit misconfigured devices (e.g. unauthenticated protocol settings or weak/default passwords). Our work aims at unveiling the state of IoT devices along with an exploration of the current attack landscape. In this paper, we perform an Internet-level IPv4 scan to unveil 1.8 million misconfigured IoT devices that may be exploited to perform large-scale attacks. These results are filtered to exclude a total of 8,192 devices that we identify as honeypots during our scan. To study current attack trends, we deploy six state-of-art IoT honeypots for a period of 1 month. We gather a total of 200, 209 attacks and investigate how adversaries leverage misconfigured IoT devices. In particular, we study different attack types, including denial of service, multistage attacks and attacks from infected online hosts. Furthermore, we analyze data from a /8 network telescope covering a total of 81 billion requests towards IoT protocols (e.g. CoAP, UPnP). Combining knowledge from the aforementioned experiments, we identify 11, 118 IP addresses (that are part of the detected misconfigured IoT devices) that attacked our honeypot setup and the network telescope.

Published
2021

73. TRIDEnT:Towards a Decentralized Threat Indicator Marketplace

Author

Stéphane Le Roux, Steven Rowe, Emmanouil Vasilomanolakis, Max Mühlhäuser, and Nikolaos Alexopoulos

Subjects
Computer science, Vulnerability, Competitive relationship, 020207 software engineering, 02 engineering and technology, Trident, Computer security, computer.software_genre, Trust, Critical infrastructure, Threat indicator sharing, Collaborative security, Ethereum, Incentive, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, computer, Smart contracts
Abstract

Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (threat indicators) from multiple sources, defenders can detect attacks and take the appropriate measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable parties to exchange network threat indicators, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship, to selectively advertise, sell and acquire threat indicators in the form of (near) real-time peer-to-peer streams. To demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.

Published
2020

74. ethVote:Towards secure voting with distributed ledgers

Author

Emmanouil Vasilomanolakis and Johannes Mols

Subjects
Unit testing, business.industry, Computer science, Process (engineering), media_common.quotation_subject, Cryptography, Space (commercial competition), Computer security, computer.software_genre, Voting, Ledger, The Internet, State (computer science), business, computer, media_common
Abstract

The topic of performing safe and secure elections is a long-standing debate. Regardless, of the various attempts for electronic or Internet-based voting, the majority of countries still use paper ballots. Nevertheless, with major advancements occurring over the last years in both cryptography and distributed ledgers we believe that there is space now for re-investigating this area. In this paper, we propose ethVote an Internet voting system that makes use of the Ethereum blockchain, state of the art cryptographic mechanisms and a P2P-based front-end to ensure a secure voting process. In addition, we provide an open-source proof of concept implementation that features the majority of the needed components for securely using ethVote. Our proposal is tested both in terms of unit testing, requirement verification, and with regard to the feasibility to perform such an operation in a public distributed ledger.

Published
2020

75. Cyber-security research by ISPs:A NetFlow and DNS Anonymization Policy

Author

Martin Fejrskov, Emmanouil Vasilomanolakis, and Jens Myrup Pedersen

Subjects
Computer science, DNS, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Legislation, Computer security, computer.software_genre, privacy, Network activity, Data availability, anonymization, Internet service provider, cyber-security, NetFlow, ISP, State (computer science), computer, IPFIX
Abstract

Internet Service Providers (ISPs) have an economic and operational interest in detecting malicious network activity relating to their subscribers. However, it is unclear what kind of traffic data an ISP has available for cyber-security research, and under which legal conditions it can be used. This paper gives an overview of the challenges posed by legislation and of the data sources available to a European ISP. DNS and NetFlow logs are identified as relevant data sources and the state of the art in anonymization and fingerprinting techniques is discussed. Based on legislation, data availability and privacy considerations, a practically applicable anonymization policy is presented.

Published
2020

76. Assessing the Threat of Blockchain-based Botnets

Author

Nikolaos Alexopoulos, Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Emine Saracoglu

Subjects
blockchain, botnets, Cryptocurrency, Blockchain, Edge device, Computer science, Botnet, Computer security, computer.software_genre, Atomic broadcast, Control channel, Backup, Command and control, computer
Abstract

Time and time again the security community has faced novel threats that were previously never analyzed, sometimes with catastrophic results. To avoid this, proactive analysis of envisioned threats is of great importance. One such threat is blockchain-based botnets. Bitcoin, and blockchain-based decentralized cryptocurrencies in general, promise a fair and more transparent financial system. They do so by implementing an open and censorship-resistant atomic broadcast protocol that enables the maintenance of a global transaction ledger, known as a blockchain. In this paper, we consider how this broadcast protocol may be used for malicious behavior as a botnet command and control (C2) channel. Botmasters have been known to misuse broadcasting platforms, like social media, as C2 channels. However, these platforms lack the integral censorship-resistant property of decentralized cryptocurrencies. In this paper, we provide a comprehensive systematization of knowledge study on using blockchains as botnet C2 channels, generating a number of important insights. We set off by providing a critical analysis of the state of the art of blockchain-based botnets, along with an abstract model of such a system. We then examine the inherent limitations of the design, in an attempt to challenge the feasibility of such a botnet. With such limitations in mind, we move forward with an experimental analysis of the detectability of such botnets and discuss potential countermeasures. Contrary to previous work that proposed such botnets, we provide a broad overview of the associated risk and view the problem in relation to other existing botnet C2 channels. We conclude that despite its limitations, the blockchain, as a backup mechanism, practically renders attempts to suppress the control channel of a botnet futile. Thus, more focus should be put on detecting and disinfecting machines at the network edge (router) or even per-bot level.

Published
2019

77. Network entity characterization and attack prediction

Author

Emmanouil Vasilomanolakis, Václav Bartoš, Sheikh Mahbub Habib, and Martin Zadnik

Subjects
FOS: Computer and information sciences, Computer Science - Machine Learning, Computer Science - Cryptography and Security, Relation (database), Computer Networks and Communications, Computer science, media_common.quotation_subject, Machine Learning (stat.ML), Attack prediction, 02 engineering and technology, Characterization (mathematics), Computer security, computer.software_genre, Machine Learning (cs.LG), Ranking (information retrieval), Computer Science - Networking and Internet Architecture, Alert prioritization, Statistics - Machine Learning, Machine learning, 0202 electrical engineering, electronic engineering, information engineering, media_common, Networking and Internet Architecture (cs.NI), Reputation database, 020206 networking & telecommunications, Network security, Alert sharing, Hardware and Architecture, 020201 artificial intelligence & image processing, State (computer science), Cryptography and Security (cs.CR), computer, Software, Reputation
Abstract

The devastating effects of cyber-attacks, highlight the need for novel attack detection and prevention techniques. Over the last years, considerable work has been done in the areas of attack detection as well as in collaborative defense. However, an analysis of the state of the art suggests that many challenges exist in prioritizing alert data and in studying the relation between a recently discovered attack and the probability of it occurring again. In this article, we propose a system that is intended for characterizing network entities and the likelihood that they will behave maliciously in the future. Our system, namely Network Entity Reputation Database System (NERDS), takes into account all the available information regarding a network entity (e. g. IP address) to calculate the probability that it will act maliciously. The latter part is achieved via the utilization of machine learning. Our experimental results show that it is indeed possible to precisely estimate the probability of future attacks from each entity using information about its previous malicious behavior and other characteristics. Ranking the entities by this probability has practical applications in alert prioritization, assembly of highly effective blacklists of a limited length and other use cases., 30 pages, 8 figures

Published
2019

78. Autonomously detecting sensors in fully distributed botnets

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Jan Wolf

Subjects
General Computer Science, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Botnet, 020206 networking & telecommunications, 02 engineering and technology, Computer security, computer.software_genre, P2P botnets, 0202 electrical engineering, electronic engineering, information engineering, Botnet monitoring, 020201 artificial intelligence & image processing, Computational trust, Fully distributed botnets, Sensor evasion, Law, computer
Abstract

Botnet attacks have devastating effects on public and private infrastructures. The botmasters controlling these networks aim to prevent takedown attempts by using highly resilient P2P overlays to commandeer their botnets, and even harden them with countermeasures against intelligence gathering attempts. In fact, recent research indicates that advanced countermeasures can hamper the ability to gather the necessary intelligence for taking down botnets. In this article, we take the perspective of the botmaster to eventually anticipate their behavior. That said, we present a novel mechanism, namely Trust Based Botnet Monitoring Countermeasure (TrustBotMC), that combines computational trust with specially crafted bot messages to detect the presence of monitoring activity. We study and evaluate different computational trust models, to create a local and autonomous mechanism that ensures the avoidance of common botnet tracking mechanisms, such as sensors. Furthermore, we show, via our experimental results, that our approach can reduce the gathered intelligence by at least 53% compared to techniques that have been seen in botnets to date. Finally, we investigate techniques for mitigating our approach.

Published
2019

79. On generating network traffic datasets with synthetic attacks for intrusion detection

Author

Aidmar Wainakh, Emmanouil Vasilomanolakis, Max Mühlhäuser, Simin Nadjm-Tehrani, and Carlos Garcia Cordero

Subjects
FOS: Computer and information sciences, Computer Science - Cryptography and Security, General Computer Science, Exploit, Computer science, Data_MISCELLANEOUS, attack injection, Botnet, 02 engineering and technology, Intrusion detection system, computer.software_genre, Field (computer science), Set (abstract data type), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Network intrusion detection, Safety, Risk, Reliability and Quality, synthetic dataset, datasets, 020206 networking & telecommunications, Replicate, Replication (computing), Intrusion detection systems, Data mining, computer, Cryptography and Security (cs.CR)
Abstract

Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In this field, however, finding suitable datasets is a challenge on to itself. Most publicly available datasets have negative qualities that limit their usefulness. In this article, we propose ID2T (Intrusion Detection Dataset Toolkit) to tackle this problem. ID2T facilitates the creation of labeled datasets by injecting synthetic attacks into background traffic. The injected synthetic attacks blend themselves with the background traffic by mimicking the background traffic's properties to eliminate any trace of ID2T's usage. This work has three core contribution areas. First, we present a comprehensive survey on intrusion detection datasets. In the survey, we propose a classification to group the negative qualities we found in the datasets. Second, the architecture of ID2T is revised, improved and expanded. The architectural changes enable ID2T to inject recent and advanced attacks such as the widespread EternalBlue exploit or botnet communication patterns. The toolkit's new functionality provides a set of tests, known as TIDED (Testing Intrusion Detection Datasets), that help identify potential defects in the background traffic into which attacks are injected. Third, we illustrate how ID2T is used in different use-case scenarios to evaluate the performance of anomaly and signature-based intrusion detection systems in a reproducible manner. ID2T is open source software and is made available to the community to expand its arsenal of attacks and capabilities., Comment: 31 pages

Published
2019
Full Text
View/download PDF

80. Don't steal my drone: Catching attackers with an unmanned aerial vehicle honeypot

Author

Dhanasekar Boopalan, Jörg Daubert, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects
Honeypot, Computer science, business.industry, ComputerApplications_COMPUTERSINOTHERSYSTEMS, Computer security, computer.software_genre, ComputingMethodologies_ARTIFICIALINTELLIGENCE, Drone, Raspberry pi, Software, ComputerSystemsOrganization_SPECIAL-PURPOSEANDAPPLICATION-BASEDSYSTEMS, business, Private information retrieval, computer
Abstract

The increased utilization of Unmanned Aerial Vehicles (UAVs) in both personal as well as commercial and public safety scenarios has also opened the door to adversaries. In more details, such malicious activities may include the hijacking of the UAV (and its cargo), the theft of private information stored in the device, etc. In this paper, we introduce the idea of a honeypot that is specifically designed for the protection of UAVs. The honeypot, which is also capable of running on small portable devices, e.g., a Raspberry Pi, emulates a number of UAV-specific and UAV-tailored protocols, making it possible to lure adversaries into attacking it. Our system can assist into detecting active attackers in a certain area as well as into shedding light into the adversaries' techniques for compromising UAVs.

Published
2018

81. Towards Blockchain-Based Collaborative Intrusion Detection Systems

Author

Nikolaos Alexopoulos, Natalia Reka Ivanko, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects
Computer science, Intersection (set theory), 02 engineering and technology, Intrusion detection system, Data science, Field (computer science), Task (project management), Work (electrical), 020204 information systems, Accountability, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Architecture, Implementation
Abstract

In an attempt to cope with the increased number of cyber-attacks, research in Intrusion Detection System IDSs is moving towards more collaborative mechanisms. Collaborative IDSs (CIDSs) are such an approach; they combine the knowledge of a plethora of monitors to generate a holistic picture of the monitored network. Despite the research done in this field, CIDSs still face a number of fundamental challenges, especially regarding maintaining trust among the collaborating parties. Recent advances in distributed ledger technologies, e.g. various implementations of blockchain protocols, are a good fit to the problem of enhancing trust in collaborative environments. This paper touches the intersection of CIDSs and blockchains. Particularly, it introduces the idea of utilizing blockchain technologies as a mechanism for improving CIDSs. We argue that certain properties of blockchains can be of significant benefit for CIDSs; namely for the improvement of trust between monitors, and for providing accountability and consensus. For this, we study the related work and highlight the research gaps and challenges towards such a task. Finally, we propose a generic architecture for the incorporation of blockchains into the field of CIDSs and an analysis of the design decisions that need to be made to implement such an architecture.

Published
2018

82. CHALLENGES AND AVAILABLE SOLUTIONS AGAINST ORGANIZED CYBER-CRIME AND TERRORIST NETWORKS

Author

Bernhard Jäger, Florian Huber, Emmanouil Vasilomanolakis, Andrea Tundis, Jörg Daubert, and Max Mühlhäuser

Subjects
Cybercrime, 021110 strategic, defence & security studies, Computer science, 020204 information systems, Terrorism, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, 02 engineering and technology, Organised crime, Cyber crime, Computer security, computer.software_genre, computer
Published
2017
Full Text
View/download PDF

83. Detection and mitigation of monitor identification attacks in collaborative intrusion detection systems

Author

Emmanouil Vasilomanolakis and Max Mühlhäuser

Subjects
021110 strategic, defence & security studies, Identification (information), Computer Networks and Communications, Computer science, Real-time computing, 0211 other engineering and technologies, 0202 electrical engineering, electronic engineering, information engineering, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Computer Science Applications
Published
2018

84. BoobyTrap: On autonomously detecting and characterizing crawlers in P2P botnets

Author

Mathias Fischer, Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Steffen Haas

Subjects
Exploit, Computer science, business.industry, Botnet, 020206 networking & telecommunications, 02 engineering and technology, Cutwail botnet, Sality, Computer security, computer.software_genre, Rustock botnet, ZeroAccess botnet, Srizbi botnet, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, business, Web crawler, computer, Computer network
Abstract

The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets, to take them down. For this, an extensive monitoring is a pre-requisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel antimonitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.

Published
2016

85. Towards the creation of synthetic, yet realistic, intrusion detection datasets

Author

Carlos Garcia Cordero, Emmanouil Vasilomanolakis, Nikolay Milanov, and Max Mühlhäuser

Subjects
business.industry, Quality assessment, Computer science, media_common.quotation_subject, User defined, 02 engineering and technology, Intrusion detection system, computer.software_genre, Field (computer science), Host-based intrusion detection system, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Quality (business), Data mining, business, Software architecture, computer, Graphical user interface, media_common
Abstract

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. With this in mind, the research community has been immersed in the field of IDSs over the past years more than before. Still, assessing and comparing performance between different systems and algorithms remains one of the biggest challenges in this research area. IDSs need to be evaluated and compared against high quality datasets; nevertheless, the existing ones have become outdated or lack many essential requirements. We present the Intrusion Detection Dataset Toolkit (ID2T), an approach for creating out-of-the-box labeled datasets that contain user defined attacks. In this paper, we discuss the essential requirements needed to create synthetic, yet realistic, datasets with user defined attacks. We also present typical problems found in synthetic datasets and propose a software architecture for building tools that can cope with the most typical problems. A publicly available prototype, is implemented and evaluated. The evaluation comprises a performance analysis and a quality assessment of the generated datasets. We show that our tool can handle large amounts of network traffic and that it can generate synthetic datasets without the problems or shortcomings we identified in other datasets.

Published
2016

86. Multi-stage attack detection and signature generation with ICS honeypots

Author

Shreyas Srinivasa, Carlos Garcia Cordero, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects
Emulation, Honeypot, Computer science, business.industry, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Industrial control system, Computer security, computer.software_genre, Critical infrastructure, Signature (logic), Multi stage, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, The Internet, business, computer
Abstract

New attack surfaces are emerging with the rise of Industrial Control System (ICS) devices exposed on the Internet. ICS devices must be protected in a holistic and efficient manner; especially when these are supporting critical infrastructure. Taking this issue into account, cyber-security research is recently being focused on providing early detection and warning mechanisms for ICSs. In this paper we present a novel honeypot capable of detecting multi-stage attacks targeting ICS networks. Upon detecting a multi-stage attack, our honeypot can generate signatures so that misuse Intrusion Detection Systems (IDSs) can subsequently thwart attacks of the same type. Our experimental results indicate that our honeypot and the signatures it generates provide good detection accuracy and that the Bro IDS can successfully use the signatures to prevent future attacks.

Published
2016

87. A honeypot-driven cyber incident monitor

Author

Shankar Karuppayah, Panayotis Kikiras, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects
Honeypot, Computer science, business.industry, media_common.quotation_subject, Perspective (graphical), Tracing, Computer security, computer.software_genre, Multiple sensors, Software deployment, Analytics, Data analysis, business, Sophistication, computer, media_common
Abstract

In recent years, the amount and the sophistication of cyber attacks has increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed across all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rational perspective as well as from the analysis of data gathered during a five month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.

Published
2015

88. ID2T: A DIY dataset creation toolkit for Intrusion Detection Systems

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Carlos Garcia Cordero, David Hausheer, Nikolay Milanov, and Christian Koch

Subjects
Host-based intrusion detection system, Data visualization, business.industry, Computer science, User defined, Intrusion detection system, Data mining, business, computer.software_genre, computer
Abstract

Intrusion Detection Systems (IDSs) are an important defense tool against the sophisticated and ever-growing network attacks. These systems need to be evaluated against high quality datasets for correctly assessing their usefulness and comparing their performance. We present an Intrusion Detection Dataset Toolkit (ID2T) for the creation of labeled datasets containing user defined synthetic attacks. The architecture of the toolkit is provided for examination and the example of an injected attack, in real network traffic, is visualized and analyzed. We further discuss the ability of the toolkit of creating realistic synthetic attacks of high quality and low bias.

Published
2015

89. Probe-response attacks on collaborative intrusion detection systems: Effectiveness and countermeasures

Author

Carlos Garcia Cordero, Michael Stahn, Emmanouil Vasilomanolakis, and Max Mühlhäuser

Subjects
business.industry, Computer science, Network security, The Internet, Intrusion detection system, Adversary, business, Computer security, computer.software_genre, computer, Computer network
Abstract

Over the last years the number of cyber-attacks has been constantly increasing. Since isolated Intrusion Detection Systems (IDSs) cannot cope with the number and sophistication of attacks, collaboration among the defenders is required. Collaborative IDSs (CIDSs) work by exchanging alert traffic to construct a holistic view of the monitored network. However, an adversary can utilize probe-response attacks to successfully detect CIDS's monitoring sensors. We discuss the practicability of such attacks, suggest improvements, and also propose novel techniques to reduce the effects of such attacks. Moreover, we present preliminary results in the applicability of the attacks and hints on performing such attacks in a well known CIDS.

Published
2015

90. A survey of technologies for the internet of things

Author

Emmanouil Vasilomanolakis, Manuel Gortz, Marco F. Huber, Alexander Wiesmaier, Alessandro Leonardi, Vangelis Gazis, Kostas Mathioudakis, and Florian Zeiger

Subjects
World Wide Web, Web of Things, Order (exchange), business.industry, Analytics, Computer science, Interoperability, Internet of Things, business
Abstract

The number of smart things is growing exponentially. By 2020, tens of billions of things will be deployed worldwide, collecting a wealth of diverse data. Traditional computing models collect in-field data and then transmit it to a central data center where analytics are applied to it, but this is no longer a sustainable model. New approaches and new technologies are required to transform enormous amounts of collected data into meaningful information. Technology also will enable the interconnection around things in the IoT ecosystem but further research is required in the development, convergence and interoperability of the different IoT elements. In this paper, we provide a picture of the main technological components needed to enable the interconnection among things in order to realize IoT concepts and applications.

Published
2015

91. Security Perspectives for Collaborative Data Acquisition in the Internet of Things

Author

Carlos Garcia Cordero, Alexander Wiesmaier, Emmanouil Vasilomanolakis, Panayotis Kikiras, and Vangelis Gazis

Subjects
World Wide Web, Data acquisition, Computer science, business.industry, Data analysis, Context (language use), Layer (object-oriented design), Internet of Things, business, Data modeling
Abstract

The Internet of Things (IoT) is an increasingly important topic, bringing together many different fields of computer science. Nevertheless, beside the advantages (IoT) has to offer, many challenges exist, not at least in terms of security and privacy. In addition, the large number of heterogeneous devices in (IoT) produces a vast amount of data, and therefore efficient mechanisms are required that are capable of handling the data, analyze them and produce meaningful results. In this paper, we discuss the challenges that have to be addressed, when data analytics are applied in the context of the (IoT). For this, we propose a data acquisition architecture, named CoDA, that focuses on bringing together heterogeneous things to create distributed global data models. For each layer of the proposed architecture we discuss the upcoming challenges from the security perspective.

Published
2015

92. This network is infected

Author

Mathias Fischer, Lars Pandikow, Mihai Plasoianu, Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Wulf Pfeiffer

Subjects
Honeypot, Computer science, Wireless network, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Intrusion detection system, Computer security, computer.software_genre, Security awareness, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Trustworthiness, Malware, Android (operating system), computer, Mobile device
Abstract

In recent years, the number of sophisticated cyber attacks has increased rapidly. At the same time, people tend to utilize unknown, in terms of trustworthiness, wireless networks in their daily life. They connect to these networks, e.g., airports, without knowledge of whether they are safe or infected with actively propagating malware. In traditional networks, malicious behavior can be detected via Intrusion Detection Systems (IDSs). However, IDSs cannot be applied easily to mobile environments and to resource constrained devices. Another common defense mechanism is honeypots, i.e., systems that pretend to be an attractive target to attract malware and attackers. As a honeypot has no productive use, each attempt to access it can be interpreted as an attack. Hence, they can provide an early indication on malicious network environments. Since low interaction honeypots do not demand high CPU or memory requirements, they are suitable to resource constrained devices like smartphones or tablets.In this paper we present the idea of Honeypot-To-Go. We envision portable honeypots on mobile devices that aim on the fast detection of malicious networks and thus boost the security awareness of users. Moreover, to demonstrate the feasibility of this proposal we present our prototype HosTaGe, a low-interaction honeypot implemented for the Android OS. We present some initial results regarding the performance of this application as well as its ability to detect attacks in a realistic environment. To the best of our knowledge, HosTaGe is the first implementation of a generic low-interaction honeypot for mobile devices.

Published
2013

93. Did you really hack a nuclear power plant? An industrial control mobile honeypot

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, and Shreyas Srinivasa

Subjects
Honeypot, Computer science, business.industry, Control (management), Industrial control system, Computer security, computer.software_genre, law.invention, law, Server, Nuclear power plant, Malware, The Internet, Mobile telephony, business, computer, Computer network
Abstract

The emerge of sophisticated attackers and malware that target Industrial Control System (ICS) suggests that novel security mechanisms are required. Honeypots, can act as an additional line of defense, by providing early warnings for such attacks. We present a mobile ICS honeypot, that can be placed in various network positions to provide security administrators an on-the-go security status of their network. We discuss our system, its merits in comparison to other honeypots, and provide preliminary results towards a large-scale evaluation.

95. HosTaGe: a Mobile Honeypot for Collaborative Defense

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Shankar Karuppayah, and Mathias Fischer

Subjects
Honeypot, Computer science, Pseudoserver, Android (operating system), Computer security, computer.software_genre, computer, Mobile device
Abstract

The continuous growth of the number of cyber attacks along with the massive increase of mobile devices creates a highly heterogeneous landscape in terms of security challenges. We argue that in order for security researchers to cope with both the massive amount and the complexity of attacks, a more pro-active approach has to be taken into account. In addition, distributed attacks that are carried out by interconnected attackers require a collaborative defense. Diverging from traditional security defenses, honeypots are systems whose value lies on in being attacked and compromised. In this paper, we extend the idea of HosTaGe, i.e., a low interaction honeypot for mobile devices. Our system is specifically designed in a user-centric manner and runs out-of-the-box in the Android operating system. We present the design rational and discuss the different attack surfaces that HosTaGe is able to handle. The main contribution of this paper is the introduction of the collaborative capabilities of HosTaGe.

97. Next Generation P2P Botnets: Monitoring Under Adverse Conditions

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Leon Böck, and Shankar Karuppayah

Subjects
Intelligence gathering, Adverse conditions, Computer science, Botnet, 020206 networking & telecommunications, Denial-of-service attack, Context (language use), 02 engineering and technology, Computer security, computer.software_genre, Resistance monitoring, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Ransomware, Resilience (network), computer
Abstract

The effects of botnet attacks, over the years, have been devastating. From high volume Distributed Denial of Service (DDoS) attacks to ransomware attacks, it is evident that defensive measures need to be taken. Indeed, there has been a number of successful takedowns of botnets that exhibit a centralized architecture. However, this is not the case with distributed botnets that are more resilient and armed with countermeasures against monitoring. In this paper, we argue that monitoring countermeasures, applied by botmasters, will only become more sophisticated; to such an extent that monitoring, under these adverse conditions, may become infeasible. That said, we present the most detailed analysis, to date, of parameters that influence a P2P botnet’s resilience and monitoring resistance. Integral to our analysis, we introduce BotChurn (BC) a realistic and botnet-focused churn generator that can assist in the analysis of botnets. Our experimental results suggest that certain parameter combinations greatly limit intelligence gathering operations. Furthermore, our analysis highlights the need for extensive collaboration between defenders. For instance, we show that even the combined knowledge of 500 monitoring instances is insufficient to fully enumerate some of the examined botnets. In this context, we also raise the question of whether botnet monitoring will still be feasible in the near future.

Full Text
View/download PDF

99. Towards Trust-Aware Collaborative Intrusion Detection: Challenges and Solutions

Author

Emmanouil Vasilomanolakis, Max Mühlhäuser, Rabee Sohail Malik, Sheikh Mahbub Habib, and Pavlos Milaszewicz

Subjects
Computer science, 020206 networking & telecommunications, 02 engineering and technology, Intrusion detection system, Data science, Field (computer science), Identification (information), Work (electrical), 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Trust management (information system), State (computer science), Computational trust, Set (psychology)
Abstract

Collaborative Intrusion Detection Systems (CIDSs) are an emerging field in cyber-security. In such an approach, multiple sensors collaborate by exchanging alert data with the goal of generating a complete picture of the monitored network. This can provide significant improvements in intrusion detection and especially in the identification of sophisticated attacks. However, the challenge of deciding to which extend a sensor can trust others, has not yet been holistically addressed in related work. In this paper, we firstly propose a set of requirements for reliable trust management in CIDSs. Afterwards, we carefully investigate the most dominant CIDS trust schemes. The main contribution of the paper is mapping the results of the analysis to the aforementioned requirements, along with a comparison of the state of the art. Furthermore, this paper identifies and discusses the research gaps and challenges with regard to trust and CIDSs.

Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results