Sukmana, M.I.H., Petzolt, M., Torkura, K.A., Graupner, H., Cheng, F., Meinel, C.: Secure and Scalable Multi-Company Management in Enterprise Cloud Storage Broker System. Presented at the (2019).
Najafi, P., Mühle, A., Pünter, W., Cheng, F., Meinel, C.: MalRank: A Measure of Maliciousness in SIEM-based Knowledge Graphs. Proceedings of the 35th Annual Computer Security Applications Conference. pp. 417–429. ACM (2019).
In this paper, we formulate threat detection in SIEM environments as a large-scale graph inference problem. We introduce a SIEM-based knowledge graph which models global associations among entities observed in proxy and DNS logs, enriched with related open-source intelligence (OSINT) and cyber threat intelligence (CTI). Next, we propose MalRank, a graph-based inference algorithm designed to infer a node maliciousness score based on its associations to other entities present in the knowledge graph, e.g., shared IP ranges or name servers. After a series of experiments on real-world data captured from a global enterprise's SIEM (spanning over 3 TB of disk space), we show that MalRank maintains a high detection rate (AUC = 96%), outperforming its predecessor, Belief Propagation, both in terms of accuracy and efficiency. Furthermore, we show that this approach is effective in identifying previously unknown malicious entities such as malicious domain names and IP addresses. The system proposed in this research can be implemented in conjunction with an organization's SIEM, providing a maliciousness score for all observed entities, hence aiding SOC investigations.
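The abstract describes inferring a maliciousness score from an entity's neighbourhood in a SIEM-derived graph. As an added illustration (my own code, not the paper's, and not MalRank's scoring rule, which this page does not reproduce), the Python below builds a small knowledge graph from constructed DNS and name-server associations, seeds it with two CTI labels, and propagates scores so that a domain sharing an IP address and a name server with a known-bad domain rises to the top of the review queue. Every entity name, address and seed label is made up, and the propagation is a generic label-propagation scheme chosen for the example.

```python
from collections import defaultdict

# Constructed sample associations (not real data) of the kind proxy/DNS logs and
# a passive-DNS feed yield: (relation, entity_a, entity_b).
#   "resolves" : domain resolved to this IP address (DNS A record)
#   "ns"       : domain is served by this authoritative name server
RECORDS = [
    ("resolves", "evil-update.example", "203.0.113.10"),
    ("resolves", "cdn-mirror.example", "203.0.113.10"),
    ("ns", "evil-update.example", "ns1.bulletproof.example"),
    ("ns", "cdn-mirror.example", "ns1.bulletproof.example"),
    ("resolves", "bank.example", "198.51.100.5"),
    ("ns", "bank.example", "ns1.bank.example"),
    ("resolves", "shop.example", "198.51.100.6"),
    ("ns", "shop.example", "ns1.bank.example"),
]

# Seeds from CTI/OSINT lookups (constructed): 1.0 = confirmed malicious, 0.0 = confirmed benign.
SEEDS = {"evil-update.example": 1.0, "bank.example": 0.0}


def build_graph(records):
    """Undirected knowledge graph: every entity is a node, every relation an edge."""
    adj = defaultdict(set)
    for _, a, b in records:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def propagate(adj, seeds, damping=0.5, iters=50):
    """Score propagation over shared infrastructure (generic label propagation,
    an assumption of this example rather than MalRank's rule).

    Unknown nodes start at 0.5 and are repeatedly blended with the mean score
    of their neighbours; seeded nodes are clamped to their CTI label so that
    ground truth anchors the inference instead of drifting with it.
    """
    scores = {n: 0.5 for n in adj}
    scores.update(seeds)
    for _ in range(iters):
        new = {}
        for n, nbrs in adj.items():
            if n in seeds:
                new[n] = seeds[n]
                continue
            mean = sum(scores[m] for m in nbrs) / len(nbrs)
            new[n] = damping * scores[n] + (1.0 - damping) * mean
        scores = new
    return scores


def rank_unknown(scores, seeds):
    """Unlabelled entities, most suspicious first: the SOC's review queue."""
    return sorted(((n, s) for n, s in scores.items() if n not in seeds),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    graph = build_graph(RECORDS)
    for entity, score in rank_unknown(propagate(graph, SEEDS), SEEDS):
        print(f"{score:.3f}  {entity}")
```

With these inputs the shared IP and name server pull cdn-mirror.example towards the malicious seed while shop.example, which only shares a name server with the benign bank, stays low; in a real deployment the relation types would carry different weights and the CTI seeds would be refreshed as feeds update.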
Grüner, A., Mühle, A., Meinel, C.: Using Probabilistic Attribute Aggregation for Increasing Trust in Attribute Assurance. Proceedings of the 2019 IEEE Symposium Series on Computational Intelligence in Cyber Security. IEEE, Xiamen, China (2019).
Identity management is an essential cornerstone of securing online services. Service provisioning relies on correct and valid attributes of a digital identity. Therefore, the identity provider is a trusted third party with a specific trust requirement towards a verified attribute supply. This trust demand implies a significant dependency on users and service providers. We propose a novel attribute aggregation method to reduce the reliance on one identity provider. Trust in an attribute is modelled as a combined assurance of several identity providers based on probability distributions. We formally describe the proposed aggregation model. The resulting trust model is implemented in a gateway that is used for authentication with self-sovereign identity solutions. Thereby, we devise a service-provider-specific web of trust that constitutes an intermediate approach bridging a global hierarchical model and a locally decentralized peer-to-peer scheme.
Graupner, H., Torkura, K.A., Sukmana, M.I.H., Meinel, C.: Secure Deduplication on Public Cloud Storage. Proceedings of the 2019 4th International Conference on Big Data and Computing. pp. 34–41. ACM (2019).
Podlesny, N.J., Kayem, A.V.D.M., Meinel, C.: Towards Identifying De-anonymisation Risks in Distributed Health Data Silos. International Conference on Database and Expert Systems Applications. pp. 33–43. Springer (2019).
Podlesny, N.J., Kayem, A.V.D.M., Meinel, C.: Identifying Data Exposure Across Distributed High-Dimensional Health Data Silos through Bayesian Networks Optimised by Multigrid and Manifold. 2019 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech). pp. 556–563. IEEE (2019).
Podlesny, N.J., Kayem, A.V.D.M., Meinel, C.: Attribute Compartmentation and Greedy UCC Discovery for High-Dimensional Data Anonymization. Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy. pp. 109–119. ACM (2019).
Podlesny, N.J., Kayem, A.V.D.M., Meinel, C., Jungmann, S.: How Data Anonymisation Techniques influence Disease Triage in Digital Health: A Study on Base Rate Neglect. Proceedings of the 9th International Conference on Digital Public Health. pp. 55–62. ACM (2019).
Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C.: SlingShot: Automated Threat Detection and Incident Response in Multi-Cloud Storage Systems. Proceedings of the 18th IEEE International Symposium on Network Computing and Applications (NCA 2019). IEEE (2019).
Seidel, F., Krentz, K.-F., Meinel, C.: Deep En-Route Filtering of Constrained Application Protocol (CoAP) Messages on 6LoWPAN Border Routers. Proceedings of the IEEE 5th World Forum on Internet of Things (WF-IoT). IEEE, Limerick, Ireland (2019).
Devices on the IoT are usually battery-powered and have limited resources. Hence, energy-efficient and lightweight protocols were designed for IoT devices, such as the popular CoAP. Yet, CoAP itself does not include any defenses against denial-of-sleep attacks, which are attacks that aim at depriving victim devices of entering low-power sleep modes. For example, a denial-of-sleep attack against an IoT device that runs a CoAP server is to send plenty of CoAP messages to it, thereby forcing the IoT device to expend energy for receiving and processing these CoAP messages. All current security solutions for CoAP, namely DTLS, IPsec, and OSCORE, fail to prevent such attacks. To fill this gap, Seitz et al. proposed a method for filtering out inauthentic and replayed CoAP messages "en-route" on 6LoWPAN border routers. In this paper, we expand on Seitz et al.'s proposal in two ways. First, we revise Seitz et al.'s software architecture so that 6LoWPAN border routers can not only check the authenticity and freshness of CoAP messages, but can also perform a wide range of further checks. Second, we propose a couple of such further checks, which, as compared to Seitz et al.'s original checks, more reliably protect IoT devices that run CoAP servers from remote denial-of-sleep attacks, as well as from remote exploits. We prototyped our solution and successfully tested its compatibility with Contiki-NG's CoAP implementation.
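As an added example of the kind of en-route checks the abstract describes (my own code, not the paper's prototype and not Contiki-NG's CoAP implementation), the Python below parses CoAP messages according to RFC 7252 and applies the format, replay, rate and resource-path checks a border router could run before forwarding a request into the 6LoWPAN. The authenticity check of Seitz et al. is left out because it needs the server's OSCORE or DTLS keys; the resource allowlist, the window sizes, the `Drop` reasons and the sample packets built by `build_request` are assumptions made for this demo.

```python
import struct
import time
from collections import defaultdict, deque

COAP_VERSION = 1
MAX_TOKEN_LEN = 8          # TKL 9..15 are reserved (RFC 7252 section 3)
URI_PATH = 11              # option number of Uri-Path
PAYLOAD_MARKER = 0xFF


class Drop(Exception):
    """A message failed a filter; str(exc) gives the reason."""


def _extend(nibble, data, pos):
    """Decode a 4-bit option delta/length field together with its extension bytes."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(data):
            raise Drop("truncated option header")
        return data[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(data):
            raise Drop("truncated option header")
        return struct.unpack("!H", data[pos:pos + 2])[0] + 269, pos + 2
    raise Drop("reserved option nibble")   # 15 is only legal inside the 0xFF marker


def parse_coap(datagram):
    """Parse header, token and options of one CoAP message (RFC 7252 section 3).
    Raises Drop on any format error the border router should refuse to forward."""
    if len(datagram) < 4:
        raise Drop("short header")
    b0, code, mid = struct.unpack("!BBH", datagram[:4])
    ver, typ, tkl = b0 >> 6, (b0 >> 4) & 0x3, b0 & 0xF
    if ver != COAP_VERSION:
        raise Drop("bad version")
    if tkl > MAX_TOKEN_LEN:
        raise Drop("reserved token length")
    if len(datagram) < 4 + tkl:
        raise Drop("truncated token")
    token, pos, number, options = datagram[4:4 + tkl], 4 + tkl, 0, []
    while pos < len(datagram) and datagram[pos] != PAYLOAD_MARKER:
        delta, length = datagram[pos] >> 4, datagram[pos] & 0xF
        delta, pos = _extend(delta, datagram, pos + 1)
        length, pos = _extend(length, datagram, pos)
        if pos + length > len(datagram):
            raise Drop("truncated option value")
        number += delta                     # option numbers are delta-encoded
        options.append((number, datagram[pos:pos + length]))
        pos += length
    payload = b""
    if pos < len(datagram):                 # 0xFF marker present
        payload = datagram[pos + 1:]
        if not payload:
            raise Drop("payload marker without payload")
    return {"type": typ, "code": code, "mid": mid, "token": token,
            "options": options, "payload": payload}


def build_request(mid, path_segments, token=b"", typ=0, code=1):
    """Encode a small CoAP request (CON GET by default). Constructed for the demo;
    assumes every Uri-Path segment is shorter than 13 bytes."""
    out = bytearray([(COAP_VERSION << 6) | (typ << 4) | len(token), code])
    out += struct.pack("!H", mid) + token
    prev = 0
    for seg in path_segments:
        seg = seg.encode()
        out.append(((URI_PATH - prev) << 4) | len(seg))
        out += seg
        prev = URI_PATH
    return bytes(out)


class EnRouteFilter:
    """Stateful checks a 6LoWPAN border router can run before forwarding a CoAP
    request to a constrained server: only requests pass, a Message ID may not
    repeat within a window, each source gets a request budget, and the Uri-Path
    must name a resource the server serves (allowlist is an assumption)."""

    def __init__(self, allowed_paths, max_per_window=5, window_s=10.0, mid_window=32):
        self.allowed = {tuple(p) for p in allowed_paths}
        self.max_per_window, self.window_s, self.mid_window = max_per_window, window_s, mid_window
        self.recent = defaultdict(deque)     # src -> timestamps of accepted requests
        self.seen_mids = defaultdict(deque)  # src -> recently accepted Message IDs

    def check(self, src, datagram, now=None):
        now = time.monotonic() if now is None else now
        msg = parse_coap(datagram)
        if msg["code"] >> 5 != 0 or msg["code"] == 0:
            raise Drop("not a request")      # responses and empty (ping) messages stay outside
        if msg["mid"] in self.seen_mids[src]:
            raise Drop("replayed message id")
        path = tuple(v.decode("utf-8", "replace") for n, v in msg["options"] if n == URI_PATH)
        if path not in self.allowed:
            raise Drop("unknown resource")
        stamps = self.recent[src]
        while stamps and now - stamps[0] > self.window_s:
            stamps.popleft()
        if len(stamps) >= self.max_per_window:
            raise Drop("rate limit")
        stamps.append(now)
        mids = self.seen_mids[src]
        mids.append(msg["mid"])
        if len(mids) > self.mid_window:
            mids.popleft()
        return msg
```

One caveat a practitioner will hit immediately: a CoAP client retransmits a lost CON request with the same Message ID, so a plain Message-ID window like the one above also suppresses legitimate retransmissions when the server's ACK was lost. The freshness check in the paper sits behind authentication for that reason; without the keys, the rate budget and the resource allowlist are the checks that do most of the work against floods of cheap, unauthenticated requests.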
Grüner, A., Mühle, A., Meinel, C.: An Integration Architecture to Enable Service Providers for Self-sovereign Identity. Proceedings of the 18th International Symposium on Network Computing and Applications. IEEE, Boston, MA (2019).
The self-sovereign identity management model emerged with the rise of blockchain technology. This paradigm focuses on user-centricity and strives to place the user in full control of the digital identity. Numerous implementations embrace the self-sovereign identity concept, leading to a fragmented landscape of solutions. At the same time, traditional identity and access management protocols are largely disregarded and facilities to issue verifiable claims as attributes are not available. Therefore, service providers barely adopt these solutions. We propose a component-based architecture for integrating self-sovereign identity solutions into web applications to foster their adoption by service providers. Furthermore, we outline a sample implementation as a gateway that enables uPort and Jolocom for authentication, via the OpenID Connect protocol, as well as the retrieval of email address attestations for these solutions.
Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C.: Security Chaos Engineering for Cloud Services. Proceedings of the 18th IEEE International Symposium on Network Computing and Applications (NCA 2019). IEEE (2019).
Sukmana, M.I.H., Torkura, K.A., Graupner, H., Chauhan, A., Cheng, F., Meinel, C.: Supporting Internet-Based Location for Location-Based Access Control in Enterprise Cloud Storage Solution. International Conference on Advanced Information Networking and Applications. pp. 1240–1253. Springer (2019).
Sukmana, M.I.H., Torkura, K.A., Graupner, H., Cheng, F., Meinel, C.: Unified Cloud Access Control Model for Cloud Storage Broker. 2019 International Conference on Information Networking (ICOIN). pp. 60–65. IEEE (2019).
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: A Comparative Analysis of Trust Requirements in Decentralized Identity Management. Proceedings of the 33rd International Conference on Advanced Information Networking and Applications. Springer, Matsue, Japan (2019).
Identity management is a fundamental component in securing online services. Isolated and centralized identity models have been applied within organizations. Moreover, identity federations connect digital identities across trust domain boundaries. These traditional models have been thoroughly studied with regard to trust requirements. The recently emerging blockchain technology enables a novel decentralized identity management model that targets user-centricity and eliminates the identity provider as a trusted third party. The result is a substantially different set of entities with mutual trust requirements. In this paper, we analyze decentralized identity management based on blockchain through defining topology patterns. These patterns depict schematically the decentralized setting and its main actors. We study trust requirements for the devised patterns and, finally, compare the result to traditional models. Our contribution enables a clear view of differences in trust requirements within the various models.
Bock, B., Matysik, J.-T., Krentz, K.-F., Meinel, C.: Link Layer Key Revocation and Rekeying for the Adaptive Key Establishment Scheme. Proceedings of the IEEE 5th World Forum on Internet of Things (WF-IoT). IEEE, Limerick, Ireland (2019).
While the IEEE 802.15.4 radio standard has many features that meet the requirements of Internet of things (IoT) applications, IEEE 802.15.4 leaves the whole issue of key management unstandardized. To address this gap, Krentz et al. proposed the Adaptive Key Establishment Scheme (AKES), which establishes session keys for use in IEEE 802.15.4 security. Yet, AKES does not cover all aspects of key management. In particular, AKES comprises no means for key revocation and rekeying. Moreover, existing protocols for key revocation and rekeying seem limited in various ways. In this paper, we hence propose a key revocation and rekeying protocol, which is designed to overcome various limitations of current protocols for key revocation and rekeying. For example, our protocol seems unique in that it routes around IEEE 802.15.4 nodes whose keys are being revoked. We successfully implemented and evaluated our protocol using the Contiki-NG operating system and aiocoap.
Tietz, C., Klieme, E., Behrendt, L., Böning, P., Marschke, L., Meinel, C.: Verification of Keyboard Acoustics Authentication on Laptops and Smartphones Using WebRTC. 2019 3rd Cyber Security in Networking Conference (CSNet). pp. 130–137 (2019).
Torkura, K.A., Sukmana, M.I.H., Kayem, A.V.D.M., Cheng, F., Meinel, C.: A Cyber Risk Based Moving Target Defense Mechanism for Microservice Architectures. 32nd IEEE International Symposium on Parallel and Distributed Processing with Applications. IEEE (2018).
Krentz, K.-F., Meinel, C., Graupner, H.: Denial-of-Sleep-Resilient Session Key Establishment for IEEE 802.15.4 Security: From Adaptive to Responsive. Proceedings of the International Conference on Embedded Wireless Systems and Networks (EWSN 2018). Junction, Madrid, Spain (2018).
Battery-powered and energy-harvesting IEEE 802.15.4 nodes are subject to so-called denial-of-sleep attacks. Such attacks generally aim at draining the energy of a victim device. In particular, session key establishment schemes for IEEE 802.15.4 security are susceptible to denial-of-sleep attacks since injected requests for session key establishment typically trigger energy-consuming processing and communication. Nevertheless, Krentz et al.'s Adaptive Key Establishment Scheme (AKES) for IEEE 802.15.4 security is deemed to be resilient to denial-of-sleep attacks thanks to its energy-efficient design and special defenses. However, thus far, AKES' resilience to denial-of-sleep attacks was presumably never evaluated. In this paper, we make two contributions. First, we evaluate AKES' resilience to denial-of-sleep attacks both theoretically and empirically. We particularly consider two kinds of denial-of-sleep attacks, namely HELLO flood attacks, as well as what we introduce in this paper as "yo-yo attacks". Our key finding is that AKES' denial-of-sleep defenses require trade-offs between denial-of-sleep resilience and the speed at which AKES adapts to topology changes. Second, to alleviate these trade-offs, we devise and evaluate new denial-of-sleep defenses. Indeed, our newly devised denial-of-sleep defenses turn out to significantly accelerate AKES' reaction to topology changes, without incurring much overhead or sacrificing security.
Torkura, K.A., Sukmana, M.I.H., Meinig, M., Kayem, A., Cheng, F., Graupner, H., Meinel, C.: Securing Cloud Storage Brokerage Systems through Threat Models. 32nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2018). IEEE (2018).
Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C.: CAVAS: Neutralizing Application and Container Security Vulnerabilities in the Cloud Native Era. 14th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2018). Springer (2018).
Torkura, K.A., Sukmana, M.I.H., Tim, S., Cheng, F., Graupner, H., Meinel, C.: CSBAuditor: Proactive Security Risk Analysis for Cloud Storage Broker Systems. Proceedings of the 17th IEEE International Symposium on Network Computing and Applications (NCA 2018). IEEE (2018).
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: Towards a Blockchain-based Identity Provider. Proceedings of the 12th International Conference on Emerging Security Information, Systems and Technologies. IARIA, Venice, Italy (2018).
The emerging technology blockchain is under way to revolutionize various fields. One significant domain to apply blockchain is identity management. In traditional identity management, a centralized identity provider, representing a trusted third party, supplies digital identities and their attributes. The identity provider controls and owns digital identities instead of the associated subjects and therefore, constitutes a single point of failure and compromise. To overcome the need for this trusted third party, blockchain enables the creation of a decentralized identity provider serving digital identities that are under full control of the associated subject. In this paper, we outline the design and implementation of a decentralized identity provider using an unpermissioned blockchain. Digital identities are partially stored on the blockchain and their attributes are modelled as verifiable claims, consisting of claims and attestations. In addition to that, the identity provider implements the OpenID Connect protocol to promote seamless integration into existing application landscapes. We provide a sample authentication workflow for a user at an online shop to show practical feasibility.
Sukmana, M.I.H., Torkura, K.A., Cheng, F., Meinel, C., Graupner, H.: Unified Logging System for Monitoring Multiple Cloud Storage Providers in Cloud Storage Broker. 2018 International Conference on Information Networking (ICOIN). pp. 44–49. IEEE (2018).
Grüner, A., Mühle, A., Gayvoronskaya, T., Meinel, C.: A Quantifiable Trust Model for Blockchain-Based Identity Management. Proceedings of the 2018 International Conference on Blockchain. IEEE, Halifax, Canada (2018).
Removing the need for a trusted third party, blockchain technology revolutionizes the field of identity management. Service providers rely on digital identities to securely identify, authenticate and authorize users to their services. Traditionally, these digital identities are offered by a central identity provider belonging to a specific organisation. Trust in the digital identity mainly originates from the identity provider's reputation, organizational functioning and contractual obligations. Blockchain technology enables the creation of decentralized identity management without a central identity provider as trusted third party. Therefore, the derivation of trust in digital identities within this paradigm requires a distinct approach. In this paper we propose a novel general quantifiable trust model and a specific implementation variant for blockchain-based identity management. Applying the model, trust is deduced in a decentralized manner from attestations of claims and applied to the associated digital identity. This concept replaces trust in a central identity provider with aggregated trust in attestation issuers, thus making self-sovereign identities fit for purpose. The calculated numerical trust metric serves as an independent basis for the definition of assurance levels to simplify and automate reasoning about trust by service providers without requiring a dedicated evaluation of a trusted third party.
Klieme, E., Tietz, C., Meinel, C.: Beware of SMOMBIES: Verification of Users Based on Activities While Walking. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications / 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). pp. 651-660 (2018).
Torkura, K.A., Sukmana, M.I.H., Tim, S., Cheng, F., Graupner, H., Meinel, C.: Defeating Malicious Intrusions in Multi-Cloud Storage Systems. Proceedings of the 6th HPI Cloud Symposium “Operating the Cloud” 2018. Hasso Plattner Institute, Potsdam, Germany (2018).
Torkura, K.A., Sukmana, M.I.H., Meinig, M., Graupner, H., Cheng, F., Meinel, C.: A Threat Modeling Approach for Cloud Storage Brokerage and File Sharing Systems. 16th IEEE/IFIP Network Operations and Management Symposium (NOMS 2018). IEEE/IFIP (2018).
Cloud storage brokerage systems abstract cloud storage complexities by mediating technical and business relationships between Cloud Service Providers (CSP) and cloud users, while providing value-added services, e.g. increased security, identity management and file sharing/syncing. However, Cloud Storage Brokers (CSB) face several security challenges, including enlarged attack surfaces due to the integration of disparate components, e.g. on-premise and cloud APIs/services. Therefore, appropriate security risk assessment methods are required to identify and evaluate these security issues and to examine the efficiency of countermeasures. A possible approach for satisfying these requirements is the employment of threat modeling concepts, which have been successfully applied in traditional paradigms. In this work, we employ threat models including attack trees, attack graphs and Data Flow Diagrams against a representative, real CSB and analyze these security threats and risks. We also propose a technique for combining Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS) base scores in probabilistic attack graphs in order to cater for configuration-based vulnerabilities, which are typically leveraged to compromise cloud storage systems. This effort is necessary since existing schemes do not provide sufficient security metrics, which are imperative for comprehensive risk assessments. We demonstrate the efficiency of our proposal by devising CCSS base scores for two common attacks against cloud storage: the Cloud Storage Enumeration Attack and the Cloud Storage Exploitation Attack. These metrics are then used in attack-graph-metric-based risk assessment. Therefore, our approach can be employed by CSBs and CSPs to improve cloud security.
Krentz, K.-F., Meinel, C., Graupner, H.: More Lightweight, yet Stronger 802.15.4 Security through an Intra-Layer Optimization. Proceedings of the 10th International Symposium on Foundations & Practice of Security (FPS 2017). Springer, Nancy, France (2017).
802.15.4 security protects against the replay, injection, and eavesdropping of 802.15.4 frames. A core concept of 802.15.4 security is the use of frame counters for both nonce generation and anti-replay protection. While being functional, frame counters (i) cause an increased energy consumption as they incur a per-frame overhead of 4 bytes and (ii) only provide sequential freshness. The Last Bits (LB) optimization does reduce the per-frame overhead of frame counters, yet at the cost of an increased RAM consumption and occasional energy- and time-consuming resynchronization actions. Alternatively, the time-slotted channel hopping (TSCH) media access control (MAC) protocol of 802.15.4 avoids the drawbacks of frame counters by replacing them with timeslot indices, but findings of Yang et al. question the security of TSCH in general. In this paper, we assume the use of ContikiMAC, which is a popular asynchronous MAC protocol for 802.15.4 networks. Under this assumption, we propose an Intra-Layer Optimization for 802.15.4 Security (ILOS), which intertwines 802.15.4 security and ContikiMAC. In effect, ILOS reduces the security-related per-frame overhead even more than the LB optimization and achieves strong freshness. Furthermore, unlike the LB optimization, ILOS neither incurs an increased RAM consumption nor requires resynchronization actions. Beyond that, ILOS integrates with and advances other security supplements to ContikiMAC. We implemented ILOS using OpenMotes and the Contiki operating system.
Krentz, K.-F., Meinel, C., Graupner, H.: Countering Three Denial-of-Sleep Attacks on ContikiMAC. Proceedings of the International Conference on Embedded Wireless Systems and Networks (EWSN 2017). Junction, Uppsala, Sweden (2017).
Seitz, K., Serth, S., Krentz, K.-F., Meinel, C.: Demo: Enabling En-Route Filtering for End-to-End Encrypted CoAP Messages. 15th ACM Conference on Embedded Networked Sensor Systems (SenSys 2017). ACM, Delft, The Netherlands (2017).
IoT devices are usually battery-powered and directly connected to the Internet. This makes them vulnerable to so-called path-based denial-of-service (PDoS) attacks. For example, in a PDoS attack an adversary sends multiple Constrained Application Protocol (CoAP) messages towards an IoT device, thereby causing each IoT device along the path to expend energy on forwarding these messages. Current end-to-end security solutions, such as DTLS or IPsec, fail to prevent such attacks since they only filter out inauthentic CoAP messages at their destination. This demonstration shows an approach that allows en-route filtering, where a trusted gateway has all necessary information to check the integrity of a message, decrypt it and, if necessary, drop it before forwarding it to the constrained mote. Our approach preserves the precious resources of IoT devices in the face of path-based denial-of-service attacks by remote attackers.
Krentz, K.-F., Meinel, C., Graupner, H.: Secure Self-Seeding with Power-Up SRAM States. Proceedings of the 22nd IEEE Symposium on Computers and Communications (ISCC 2017). IEEE, Heraklion, Greece (2017).
Generating seeds on Internet of Things (IoT) devices is challenging because these devices typically lack common entropy sources, such as user interaction or hard disks. A promising replacement is to use power-up static random-access memory (SRAM) states, which are partly random due to manufacturing deviations. Thus far, however, there seems to be no method for extracting close-to-uniformly distributed seeds from power-up SRAM states in an information-theoretically secure and practical manner. Moreover, the min-entropy of power-up SRAM states decreases with temperature, thereby rendering this entropy source vulnerable to so-called freezing attacks. In this paper, we make three main contributions. First, we propose a new method for extracting uniformly distributed seeds from power-up SRAM states. Unlike current methods, ours is information-theoretically secure, practical, and freezing-attack-resistant all at once. Second, we point out a trick that enables using power-up SRAM states not only for self-seeding at boot time, but also for reseeding at runtime. Third, we compare the energy consumption of seeding an IoT device with either radio noise or power-up SRAM states. While seeding with power-up SRAM states turned out to be more energy efficient, we argue for mixing both of these entropy sources.
Torkura, K.A., Sukmana, M.I.H., Cheng, F., Meinel, C.: Leveraging Cloud Native Design Patterns for Security-as-a-Service Applications. Proceedings of the 2nd IEEE International Conference on Smart Cloud (SmartCloud). IEEE (2017).
This paper discusses a new approach for designing and deploying Security-as-a-Service (SecaaS) applications using cloud native design patterns. Current SecaaS approaches do not efficiently handle the increasing threats to computer systems and applications. For example, requests for security assessments drastically increase after a high-risk security vulnerability is disclosed. In such scenarios, SecaaS applications are unable to dynamically scale to serve requests. A root cause of this challenge is the employment of architectures not specifically fitted to cloud environments. Cloud native design patterns resolve this challenge by enabling certain properties, e.g. massive scalability and resiliency, via the combination of microservice patterns and cloud-focused design patterns. However, adopting these patterns is a complex process, during which several security issues are introduced. In this work, we investigate these security issues, and we redesign and deploy a monolithic SecaaS application using cloud native design patterns while considering appropriate, layered security counter-measures, i.e. at the application and cloud networking layers. Our prototype implementation outperforms traditional, monolithic applications with an average Scanner Time of 6 minutes, without compromising security. Our approach can be employed for designing secure, scalable and performant SecaaS applications that effectively handle unexpected increases in security assessment requests.
Torkura, K.A., Sukmana, M.I.H., Meinel, C.: Integrating Continuous Security Assessments in Microservices and Cloud Native Applications. Proceedings of the 10th International Conference on Utility and Cloud Computing. pp. 171-180. ACM (2017).
Cloud Native Applications (CNA) consist of multiple collaborating microservice instances working together towards common goals. These microservices leverage the underlying cloud infrastructure to enable several properties such as scalability and resiliency. CNA are complex distributed applications, vulnerable to several security issues affecting microservices and traditional cloud-based applications. For example, each microservice instance could be developed with different technologies, e.g. programming languages and databases. This diversity of technologies increases the chances for security vulnerabilities in microservices. Moreover, the fast-paced development cycles of CNA increase the probability of insufficient security tests in the development pipelines and the consequent deployment of vulnerable microservices. Furthermore, cloud native environments are ephemeral: microservices are dynamically launched and de-registered, which creates a discoverability challenge for traditional security assessment techniques. Hence, security assessments in such environments require new approaches which are specifically adapted and integrated to CNA. In fact, such techniques have to be cloud native, i.e. well integrated into the cloud’s fabric. In this paper, we tackle the above-mentioned challenges through the introduction of a novel Security Control concept, the Security Gateway. To support the Security Gateway concept, two other concepts are proposed: the dynamic document store and security health endpoints. We have implemented these concepts using cloud native design patterns and integrated them into the CNA workflow. Our experimental evaluations validate the efficiency of our proposals: the time overhead due to the security gateway is minimal and the vulnerability detection rate surpasses that of traditional security assessment approaches. Our proposal can therefore be employed to secure CNA and microservice-based implementations.
Gawron, M., Cheng, F., Meinel, C.: Automatic Vulnerability Classification using Machine Learning. Proceedings of the 12th International Conference on Risks and Security of Internet and Systems (CRiSIS 2017). Springer (2017).
Sukmana, M.I.H., Torkura, K.A., Meinel, C., Graupner, H.: Redesign cloudRAID for flexible and secure enterprise file sharing over public cloud storage. Proceedings of the 10th International Conference on Security of Information and Networks. pp. 3-10. ACM (2017).
Seitz, K., Serth, S., Krentz, K.-F., Meinel, C.: Demo: Enabling En-Route Filtering for End-to-End Encrypted CoAP Messages. Proceedings of the 15th ACM Conference on Embedded Networked Sensor Systems (SenSys 2017). ACM Press, New York, NY, USA (2017).
Najafi, P., Sapegin, A., Cheng, F., Meinel, C.: Guilt-by-Association: Detecting Malicious Entities via Graph Mining. International Conference on Security and Privacy in Communication Systems. pp. 88-107. Springer (2017).
In this paper, we tackle the problem of detecting malicious domains and IP addresses using graph inference. In this regard, we mine proxy and DNS logs to construct an undirected graph in which vertices represent domain and IP address nodes, and the edges represent relationships describing an association between those nodes. More specifically, we investigate three main relationships: subdomainOf, referredTo, and resolvedTo. We show that by providing minimal ground truth information, it is possible to estimate the marginal probability of a domain or IP node being malicious based on its association with other malicious nodes. This is achieved by adopting belief propagation, i.e., an efficient and popular inference algorithm used in probabilistic graphical models. We have implemented our system in Apache Spark and evaluated it using one day of proxy and DNS logs collected from a global enterprise, spanning over 2 terabytes of disk space. In this regard, we show that our approach is not only efficient but also capable of achieving a high detection rate (96% TPR) with a reasonably low false positive rate (8% FPR). Furthermore, it is also capable of fixing errors in the ground truth as well as identifying previously unknown malicious domains and IP addresses. Our proposal can be adopted by enterprises to increase both the quality and the quantity of their threat intelligence and blacklists using only proxy and DNS logs.
Torkura, K., Meinel, C.: Towards Vulnerability Assessment as a Service in OpenStack Clouds. Proceedings of the 41st IEEE Conference on Local Computer Networks (LCN). IEEE, Dubai, UAE (2016).
Efforts towards improving security in cloud infrastructures recommend regulatory compliance approaches such as HIPAA and PCI DSS. Similarly, vulnerability assessments are imperative for fulfilling these regulatory compliance requirements. Nevertheless, conducting vulnerability assessments in cloud environments requires approaches different from those found in traditional computing. Factors such as multi-tenancy, elasticity, self-service and cloud-specific vulnerabilities must be considered. Furthermore, the Anything-as-a-Service model of the cloud stimulates security automation and user-intuitive services. In this paper, we tackle the challenge of efficient vulnerability assessments at the system level, in particular for core cloud applications. Within this scope, we focus on the use case of a cloud administrator. We believe the security of the underlying cloud software is crucial to the overall health of a cloud infrastructure since it is the foundation upon which other applications within the cloud function. We demonstrate our approach using OpenStack and through our experiments show that our prototype implementation is effective at identifying “OpenStack-native” vulnerabilities. We also automate the process of identifying insecure configurations in the cloud and initiate steps for deploying Vulnerability Assessment-as-a-Service in OpenStack.
Krentz, K.-F., Meinel, C., Schnjakin, M.: POTR: Practical On-the-fly Rejection of Injected and Replayed 802.15.4 Frames. Proceedings of the International Conference on Availability, Reliability and Security (ARES 2016). IEEE, Salzburg, Austria (2016).
Amirkhanyan, A., Meinel, C.: Analysis of the Value of Public Geotagged Data from Twitter from the Perspective of Providing Situational Awareness. Proceedings of the 15th IFIP Conference on e-Business, e-Services and e-Society (I3E2016) - Social Media: The Good, the Bad, and the Ugly. Springer, Swansea, Wales, UK (2016).
In the era of social networks, we have a huge amount of social geotagged data that reflect the real world. These data can be used to provide or to enhance situational and public safety awareness. This can be achieved through the analysis and visualization of geotagged data, which can help to better understand the surrounding situation and to detect local geo-spatial threats. One of the challenges on the way to reaching this goal is providing valuable statistics and advanced methods for filtering data. Therefore, in the scope of this paper, we collect a sufficient amount of public social geotagged data from Twitter, build different valuable statistics and analyze them. Also, we try to find valuable parameters and propose useful filters based on these parameters that can separate valuable data from data of no value and, in this way, support the analysis of geotagged data from the perspective of providing situational awareness.
Amirkhanyan, A., Meinel, C.: Visualization and Analysis of Public Social Geodata to Provide Situational Awareness. Proceedings of the 8th International Conference on Advanced Computational Intelligence (ICACI2016). IEEE, Chiang Mai, Thailand (2016).
Nowadays, social networks are an essential part of modern life. People post everything that happens to them and around them. The amount of data produced by social networks increases dramatically every year, and users more often post geo-tagged messages. This gives us more possibilities for the visualization and analysis of social data, since we can be interested not only in the content of a message but also in the location from where it was posted. We aim to use public social data from location-based social networks to improve situational awareness. In this paper, we show our approach to handling geodata from Twitter in real time and providing advanced methods for visualization, analysis, searching and statistics, in order to improve situational awareness.
Sukmana, M., Meinel, C.: e-Government and Security Evaluation Tools Comparison for Indonesian e-Government System. Proceedings of the 4th International Conference on Information and Network Security. pp. 96-103. ACM (2016).
Jaeger, D., Pelchen, C., Graupner, H., Cheng, F., Meinel, C.: Analysis of Publicly Leaked Credentials and the Long Story of Password (Re-)use. Proceedings of the 11th International Conference on Passwords (PASSWORDS2016). Springer, Bochum, Germany (2016).
Amirkhanyan, A., Cheng, F., Meinel, C.: Real-Time Clustering of Massive Geodata for Online Maps to Improve Visual Analysis. Proceedings of the 11th International Conference on Innovations in Information Technology (IIT2015). IEEE, Dubai, UAE (2015).
Nowadays, we have a lot of data produced by social media services, and more and more often these data contain location information, which opens a wide range of possibilities for analyzing them, since we can be interested not only in the content but also in the location where this content was produced. To analyze geo-spatial data well, we need to find the best approaches for geo clustering, and the best approach means real-time clustering of massive geodata with high accuracy. In this paper, we present a new approach to clustering geodata for online maps such as Google Maps, OpenStreetMap and others. Clustering geodata based on location improves their visual analysis and improves situational awareness. Our approach is a server-side online algorithm that does not need the entire dataset to start clustering. This approach also works in real time and could be used for clustering massive geodata for online maps in reasonable time. We implemented the proposed approach to prove the concept, and we also provide experiments and an evaluation of our approach.
Torkura, K.A., Cheng, F., Meinel, C.: A Proposed Framework For Proactive Vulnerability Assessments in Cloud Deployments. Proceedings of the 10th International Conference for Internet Technology and Secured Transactions (ICITST2015). IEEE (2015).
Vulnerability scanners are deployed in computer networks and software to identify security flaws and misconfigurations in a timely manner. However, cloud computing has introduced new attack vectors that require a commensurate change in vulnerability assessment strategies. To investigate the effectiveness of these scanners in cloud environments, we first conduct a quantitative security assessment of OpenStack's vulnerability lifecycle and discover severe risk levels resulting from prolonged patch release durations. More specifically, there are long time lags between OpenStack patch releases and the inclusion of the patch in vulnerability scanning engines. This scenario leaves sufficient time for malicious actions and the creation of exploits such as zero-days. Mitigating these concerns requires systems with current knowledge of events within the vulnerability lifecycle. However, current vulnerability scanners are designed to depend on information about publicly announced vulnerabilities, which mostly includes only vulnerability disclosure dates. Accordingly, we propose a framework that would mitigate these risks by gathering and correlating information from several security information sources, including exploit databases, malware signature repositories and Bug Tracking Systems. The information is thereafter used to automatically generate plugins armed with current information about zero-day exploits and unknown vulnerabilities. We have characterized two new security metrics to describe the discovered risks.
Sapegin, A., Gawron, M., Jaeger, D., Cheng, F., Meinel, C.: High-speed Security Analytics Powered by In-memory Machine Learning Engine. Proceedings of the 14th International Symposium on Parallel and Distributed Computing (ISPDC 2015). pp. 74-81. IEEE (2015).
Modern Security Information and Event Management systems should be capable of storing and processing a high volume of events or log messages in different formats and from different sources. This requirement often prevents such systems from using computationally heavy algorithms for security analysis. To deal with this issue, we built our system on an in-memory database with an integrated machine learning library, namely SAP HANA. Three approaches, i.e. (1) deep normalisation of log messages, (2) storing data in main memory and (3) running data analysis directly in the database, allow us to increase processing speed to such a degree that machine learning analysis of security events becomes possible nearly in real time. To prove our concepts, we measured the processing speed of the developed system on data generated using an Active Directory testbed and showed the efficiency of our approach for high-speed analysis of security events.
Ussath, M., Cheng, F., Meinel, C.: Concept for a Security Investigation Framework. Proceedings of the 7th IFIP International Conference on New Technologies, Mobility, and Security (NTMS'15) (2015).
Amirkhanyan, A., Sapegin, A., Cheng, F., Meinel, C.: Simulation User Behavior on A Security Testbed Using User Behavior States Graph. Proceedings of the 8th International Conference on Security of Information and Networks (SIN'15). pp. 217-223. ACM Press (2015).
For testing new methods of network security or new algorithms for security analytics, we need experimental environments as well as test data that are as similar as possible to real-world data. Therefore, researchers are always trying to find the best approaches and recommendations for creating and simulating testbeds, because automating testbed creation is a crucial goal for accelerating research progress. One way to generate data is to simulate user behavior on virtual machines, but the challenge is how to describe what we want to simulate. In this paper, we present a new approach to describing user behavior for the simulation tool. This approach meets the requirements of simplicity and extensibility, and it can be used to generate user behavior scenarios to be simulated on Windows-family virtual machines. The proposed approach is applied in our simulation tool, which we use to address the lack of data for research in network security and security analytics by generating log datasets that can be used for testing new methods of network security and new algorithms for security analytics.
Sapegin, A., Amirkhanyan, A., Gawron, M., Cheng, F., Meinel, C.: Poisson-based Anomaly Detection for Identifying Malicious User Behaviour. Proceedings of the International Conference on Mobile, Secure and Programmable Networking (MSPN'15). Springer (2015).
Nowadays, malicious user behaviour that does not trigger an access violation or a data leak alert is difficult to detect. Using stolen login credentials, an intruder doing espionage will first try to stay undetected: silently collect data from the company network and use only resources he is authorised to access. To deal with such cases, a Poisson-based anomaly detection algorithm is proposed in this paper. Two extra measures make it possible to achieve high detection rates while reducing the number of false positive alerts: (1) checking the probability first for the group and then for single users, and (2) selecting the threshold automatically. To prove the proposed approach, we developed a special simulation testbed that emulates user behaviour in a virtual network environment. The proof-of-concept implementation has been integrated into our prototype of a SIEM system, the Real-time Event Analysis and Monitoring System, where emulated Active Directory logs from a Microsoft Windows domain are extracted and normalised into Object Log Format for further processing and anomaly detection. The experimental results show that our algorithm was able to detect all events related to malicious activity and produced zero false positive results. Conceived as a module for our self-developed SIEM system based on the SAP HANA in-memory database, our solution is capable of processing high volumes of data and shows high efficiency on the experimental dataset.
Jaeger, D., Azodi, A., Cheng, F., Meinel, C.: Normalizing Security Events with a Hierarchical Knowledge Base. Proceedings of the 9th International Conference on Information Security Theory and Practice (WISTP'15). pp. 237-248. Springer International Publishing (2015).
An important technique for attack detection in complex company networks is the analysis of log data from various network components. As networks grow, the number of produced log events increases dramatically, sometimes even to multiple billion events per day. The analysis of such big data relies heavily on a full normalization of the log data in real time. Until now, the important issue of fully normalizing a large number of log events has been handled only insufficiently by many software solutions and is not well covered in existing research work. In this paper, we propose and evaluate multiple approaches for handling the normalization of a large number of typical logs better and more efficiently. The main idea is to organize the normalization in multiple levels by using a hierarchical knowledge base (KB) of normalization rules. In the end, we achieve a performance gain of about 1000x with our presented approaches, in comparison to a naive approach typically used in existing normalization solutions. Considering this improvement, big log data can now be handled much faster and can be used to find and mitigate attacks in real time.
Elsaid, M.E., Meinel, C.: Friendship based Storage Allocation for Online Social Networks Cloud Computing. Proceedings of the International Conference of Cloud Computing Technologies and Applications (CloudTech 2015). IEEE Press, Marrakesh, Morocco (2015).
Sianipar, J.H., Meinel, C.: A verification mechanism for cloud brokerage system. Proceedings of the Second International Conference on Computer Science, Computer Engineering, and Social Media (CSCESM2015). pp. 143-148. IEEE Press, Lodz, Poland (2015).
In the existing cloud brokerage system, the client does not have the ability to verify the result of the cloud service selection. There is a possibility that the cloud broker is biased in selecting the best Cloud Service Provider (CSP) for a client. A compromised or dishonest cloud broker can unfairly select a CSP for its own advantage by cooperating with the selected CSP. To address this problem, we propose a mechanism to verify the CSP selection result of the cloud broker. In this verification mechanism, the properties of every CSP are also verified. It uses a trusted third party to gather the clustering result from the cloud broker. This trusted third party is also used as a base station to collect CSP properties in a multi-agent system. Software agents are installed and running on every CSP. The CSP is monitored by the agents as the representatives of the customer inside the cloud. These agents report to a third party that must be trusted by CSPs, customers and the Cloud Broker. The third party provides transparency by publishing reports to the authorized parties (CSPs and Customers).
Torkura, K.A., Meinel, C.: Towards Cloud-Aware Vulnerability Assessments. Proceedings of the 11th International Conference on Signal-Image Technology & Internet-Based Systems (SITIS2015). IEEE (2015).
Vulnerability assessments are a best practice for computer security and a requirement for regulatory compliance. Potential and existing security holes can be identified during vulnerability assessments, and security breaches can be averted. However, the unique nature of cloud computing environments requires more dynamic assessment techniques. The proliferation of cloud services and cloud-aware applications introduces more cloud vulnerabilities, but current measures for the identification, mitigation and prevention of cloud vulnerabilities do not suffice. Our investigations attribute a possible reason for this inefficiency to lapses in the availability of precise cloud vulnerability information. We also observed that most research efforts in the context of cloud vulnerability concentrate on IaaS, leaving other cloud models largely unattended. Similarly, most cloud assessment efforts tackle general cloud vulnerabilities rather than cloud-specific vulnerabilities. Yet mitigating cloud-specific vulnerabilities is important for cloud security. Hence, this paper proposes a new approach that addresses the mentioned issues by monitoring, acquiring and adapting publicly available cloud vulnerability information for effective vulnerability assessments. We correlate vulnerability information from public vulnerability databases and develop Network Vulnerability Tests for specific cloud vulnerabilities. We have implemented, evaluated and verified the suitability of our approach.
Gawron, M., Cheng, F., Meinel, C.: Automatic Vulnerability Detection for Weakness Visualization and Advisory Creation. Proceedings of the 8th International Conference on Security of Information and Networks (SIN'15). pp. 229-236. ACM Press (2015).
The detection of vulnerabilities in computer systems and computer networks, as well as the representation of the results, are crucial problems. The presented method tackles the problem with automated detection and an intuitive representation. For detecting vulnerabilities, the approach uses a logical representation of the preconditions and postconditions of vulnerabilities. Thus an automated analytical function can detect security leaks on a target system. The gathered information is used to provide security advisories and enhanced diagnostics for the system. Additionally, the conditional structure allows us to create attack graphs to visualize the network structure together with the integrated vulnerability information. Finally, we propose methods to resolve the identified weaknesses, either by removing or by updating vulnerable applications, and to secure the target system. These advisories are created automatically and provide possible solutions for the security risks.
Azodi, A., Jaeger, D., Cheng, F., Meinel, C.: Passive Network Monitoring using REAMS. Proceedings of the 6th International Conference on Information Science and Applications (ICISA 2015). pp. 205-215. Springer, Pattaya, Thailand (2015).
Torkura, K.A., Cheng, F., Meinel, C.: Aggregating Vulnerability Information for Proactive Cloud Vulnerability Assessment. Journal of Internet Technology and Secured Transactions 4 (2015).
The current increase in software vulnerabilities necessitates concerted research into vulnerability lifecycles and how effective mitigative approaches could be implemented. This is especially imperative in cloud infrastructures, considering the novel attack vectors introduced by this emerging computing paradigm. By conducting a quantitative security assessment of OpenStack's vulnerability lifecycle, we discovered severe risk levels resulting from a prolonged gap between vulnerability discovery and patch release. We also observed an additional time lag between patch release and the inclusion of the patch in vulnerability scanning engines. This scenario leaves sufficient time for malicious actors to develop zero-day exploits and other types of malicious software. Mitigating these concerns requires systems with current knowledge of events within the vulnerability lifecycle. However, current threat mitigation systems like vulnerability scanners are designed to depend on information from public vulnerability repositories, which mostly do not retain comprehensive information on vulnerabilities. Accordingly, we propose a framework that would mitigate the aforementioned risks by gathering and correlating information from several security information sources, including exploit databases, malware signature repositories, Bug Tracking Systems and other channels. This information is thereafter used to automatically generate plugins armed with current information about possible zero-day exploits and other unknown vulnerabilities. We have characterized two new security metrics to describe the discovered risks: Scanner Patch Time and Scanner Patch Discovery Time.
Torkura, K.A., Cheng, F., Meinel, C.: Application of Quantitative Security Metrics In Cloud Computing. Proceedings of the 10th International Conference for Internet Technology and Secured Transactions (ICITST2015). IEEE (2015).
Security issues are still prevalent in cloud computing, particularly in public clouds. Efforts by Cloud Service Providers to secure outsourced resources are not sufficient to gain the trust of customers. Service Level Agreements (SLAs) are currently used to guarantee security and privacy; however, research into SLA monitoring suggests levels of dissatisfaction among cloud users. Accordingly, enterprises favor private clouds such as OpenStack, as they offer more control and security visibility. However, private clouds do not provide absolute security: they share some security challenges with public clouds and eliminate others. Security-metrics-based approaches such as quantitative security assessments could be adopted to quantify the security value of private and public clouds. Software quantitative security assessments provide extensive visibility into security postures and help assess whether security has improved or deteriorated. In this paper we focus on private cloud security using OpenStack as a case study, and we conduct a quantitative assessment of OpenStack based on empirical data. Our analysis is multi-faceted, covering OpenStack major releases and services. We employ security metrics to determine the vulnerability density, vulnerability severity metrics and patching behavior. We show that OpenStack's security has improved since its inception; however, concerted efforts are imperative for secure deployments, particularly in production environments.
Cheng, F., Sapegin, A., Gawron, M., Meinel, C.: Analyzing Boundary Device Logs on the In-Memory Platform. Proceedings of the IEEE International Symposium on Big Data Security on Cloud (BigDataSecurity'15). IEEE (2015).
Boundary devices, such as routers, firewalls, proxies, and domain controllers, continuously generate logs showing the behavior of internal and external users, the working state of the network, and the state of the devices themselves. Rapidly and efficiently analyzing these logs makes great sense in terms of security and reliability. However, it is a challenging task, because a huge amount of data might be generated that has to be analyzed in a very short time. In this paper, we address this challenge by applying complex analytics and modern in-memory database technology to the large amount of log data. Logs from different kinds of devices are collected, normalized, and stored in the in-memory database. Machine learning approaches are then implemented to analyze the centralized big data to identify attacks and anomalies which are not easy to detect from individual log events. The proposed method is implemented on the in-memory platform, i.e., the SAP HANA Platform, and the experimental results show that it has the expected capabilities as well as high performance.
Sianipar, J.H., Meinel, C.: A verification mechanism for cloud brokerage system. Proceedings of the Second International Conference on Computer Science, Computer Engineering, and Social Media (CSCESM2015). pp. 143-148. IEEE Press, Lodz, Poland (2015).
In the existing cloud brokerage system, the client does not have the ability to verify the result of the cloud service selection. There is a possibility that the cloud broker is biased in selecting the best Cloud Service Provider (CSP) for a client. A compromised or dishonest cloud broker can unfairly select a CSP for its own advantage by cooperating with the selected CSP. To address this problem, we propose a mechanism to verify the CSP selection result of the cloud broker. In this verification mechanism, the properties of every CSP are also verified. It uses a trusted third party to gather the clustering result from the cloud broker. This trusted third party is also used as a base station to collect CSP properties in a multi-agent system. Software agents are installed and running on every CSP. The CSP is monitored by agents as the representative of the customer inside the cloud. These agents give reports to a third party that must be trusted by CSPs, customers, and the cloud broker. The third party provides transparency by publishing reports to the authorized parties (CSPs and customers).
Azodi, A., Gawron, M., Sapegin, A., Cheng, F., Meinel, C.: Leveraging Event Structure for Adaptive Machine Learning on Big Data Landscapes. Proceedings of the International Conference on Mobile, Secure and Programmable Networking (MSPN'15). Springer (2015).
Modern machine learning techniques have been applied to many aspects of network analytics in order to discover patterns that can clarify or better demonstrate the behavior of users and systems within a given network. Often the information to be processed has to be converted to a different type in order for machine learning algorithms to be able to process it. To accurately process the information generated by systems within a network, the true intention and meaning behind the information must be observed. In this paper we propose different approaches for mapping network information such as IP addresses to integer values that attempt to keep the relations present in the original format of the information intact. With one exception, all of the proposed mappings result in (at most) 64-bit outputs in order to allow atomic operations using CPUs with 64-bit registers. The mapping output size is restricted in the interest of performance. Additionally, we demonstrate the benefits of the new mappings for one specific machine learning algorithm (k-means) and compare the algorithm's results for datasets with and without the proposed transformations.
Jaeger, D., Azodi, A., Cheng, F., Meinel, C.: Normalizing Security Events with a Hierarchical Knowledge Base. Proceedings of the 9th WISTP International Conference on Information Security Theory and Practice (WISTP'15) (2015).
An important technique for attack detection in complex company networks is the analysis of log data from various network components. As networks grow, the number of produced log events increases dramatically, sometimes even to multiple billion events per day. The analysis of such big data highly relies on a full normalization of the log data in real time. Until now, the important issue of full normalization of a large number of log events has been only insufficiently handled by many software solutions and not well covered in existing research work. In this paper, we propose and evaluate multiple approaches for handling the normalization of a large number of typical logs better and more efficiently. The main idea is to organize the normalization in multiple levels by using a hierarchical knowledge base (KB) of normalization rules. In the end, we achieve a performance gain of about 1000x with our presented approaches, in comparison to a naive approach typically used in existing normalization solutions. Considering this improvement, big log data can now be handled much faster and can be used to find and mitigate attacks in real time.
Gawron, M., Cheng, F., Meinel, C.: Automatic Detection of Vulnerabilities for Advanced Security Analytics. Proceedings of the 17th Asia-Pacific Network Operations and Management Symposium (APNOMS'15). pp. 471-474. IEEE (2015).
The detection of vulnerabilities in computer systems and computer networks, as well as the weakness analysis, are crucial problems. The presented method tackles the problem with automated detection. For identifying vulnerabilities, the approach uses a logical representation of the preconditions and postconditions of vulnerabilities. The conditional structure simulates the requirements and impacts of each vulnerability. Thus, an automated analytical function could detect security leaks on a target system based on this logical format. With this method it is possible to scan a system without much expertise, since the automated or computer-aided vulnerability detection does not require special knowledge about the target system. The gathered information is used to provide security advisories and enhanced diagnostics which could also detect attacks that exploit multiple vulnerabilities of the system.
Krentz, K.-F., Meinel, C.: Handling Reboots and Mobility in 802.15.4 Security. Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015). ACM, Los Angeles, CA, USA (2015).
Elsaid, M.E., Meinel, C.: Live Migration Impact on Virtual Datacenter Performance. Proceedings of the 2nd International Conference on Future Internet of Things and Cloud (FiCloud 2014). pp. 216-221. IEEE Press, Barcelona, Spain (2014).
Azodi, A., Jaeger, D., Cheng, F., Meinel, C.: Runtime Updatable and Dynamic Event Processing using Embedded ECMAScript Engines. Proceedings of the 4th IEEE International Conference on IT Convergence and Security (ICITCS 2014). IEEE Press, Beijing, China (2014).
Sianipar, J., Saleh, E., Meinel, C.: Construction of Agent-Based Trust in Cloud Infrastructure. Proceedings of the 7th IEEE/ACM International Conference on Utility and Cloud Computing (UCC 2014), London, United Kingdom, December 8-11, 2014. pp. 941-946. IEEE Computer Society, London, United Kingdom (2014).
By design, the cloud system does not allow a cloud administrator to access the customer data in a virtual machine (VM) without the customer's knowledge. However, a cloud administrator is able to modify the software/hardware configuration in a way that allows unauthorized access to the customer data. This is because the cloud administrator has full control of the cloud infrastructure. He is a super user in the cloud system and has physical access to the cloud infrastructure. We introduce the ABTiCI (Agent-Based Trust in Cloud Infrastructure) system to detect unauthorized access by verifying and monitoring the integrity of the security-relevant parts of the cloud infrastructure. ABTiCI performs integrity verification at boot time and at run time. ABTiCI uses trusted boot with a TPM (Trusted Platform Module) to perform integrity verification at boot time. ABTiCI also monitors access to security-relevant parts, such as the hardware/software configuration, to be able to detect any changes at run time. ABTiCI uses agents to do the integrity verification and to communicate between entities in the cloud infrastructure. ABTiCI informs the Certifier about the Dom0 address of the customer VMs (Virtual Machines) to be able to verify whether an integrity verification agent is installed and running in every Dom0.
Jaeger, D., Graupner, H., Sapegin, A., Cheng, F., Meinel, C.: Gathering and Analyzing Identity Leaks for Security Awareness. Proceedings of the 7th International Conference on Passwords (PASSWORDS 2014). Springer, Trondheim, Norway (2014).
The amount of identity data leaks in recent times is drastically increasing. Not only smaller web services, but also established technology companies are affected. However, it is not commonly known that incidents covered by the media are just the tip of the iceberg. Accordingly, a more detailed investigation of not just the publicly accessible parts of the web but also the deep web is imperative to gain greater insight into the large number of data leaks. This paper presents methods and experiences from our deep web analysis. We give insight into commonly used platforms for data exposure, formats of identity-related data leaks, and the methods of our analysis. On the one hand, a lack of security implementations among Internet service providers exists, and on the other hand, users still tend to generate and reuse weak passwords. By publishing our results we aim to increase awareness on both sides and to encourage the establishment of countermeasures.
Saleh, E., Sianipar, J., Takouna, I., Meinel, C.: SecPlace: Security-Aware Placement Model for Multi-tenant SaaS Environments. 2014 IEEE 11th Intl Conf on Ubiquitous Intelligence and Computing and 2014 IEEE 11th Intl Conf on Autonomic and Trusted Computing and 2014 IEEE 14th Intl Conf on Scalable Computing and Communications and Its Associated Workshops, Bali, Indonesia, December 9-12, 2014. pp. 596-602. IEEE Computer Society, Bali, Indonesia (2014).
Software-as-a-Service (SaaS) is emerging as a new software delivery model, where the application and its associated data are hosted in the cloud. Due to the nature of SaaS and the cloud in general, where the data and the computation are beyond the control of the user, data privacy and security become vital factors in this new paradigm. In multi-tenant SaaS applications, the tenants (i.e., companies) become concerned about the confidentiality of their data, since several tenants are consolidated onto a shared infrastructure (i.e., databases). Consequently, two main questions arise. First, how to prohibit a tenant from accessing others' data? Second, how to avoid the security threats from co-located competing tenants? In this paper, we address the second question. We present SecPlace, a resource allocation model designed to increase the level of security for tenants sharing the same infrastructure. SecPlace avoids hosting competing companies on the same database instance. We minimize the risk of co-resident tenants by preventing any two tenants of the same business type from being hosted on the same database server. SecPlace utilizes tenant subscription data, such as business type and tenant size, and places the tenant accordingly. We conduct extensive experiments to validate our approach. The results show that our approach is practical, achieves its goal, and has moderate complexity.
Krentz, K.-F., Rafiee, H., Meinel, C.: 6LoWPAN Security: Adding Compromise Resilience to the 802.15.4 Security Sublayer. Proceedings of the 1st ACM International Workshop on Adaptive Security & Privacy Management for the Internet of Things (ASPI 2013). ACM, Zurich, Switzerland (2013).
Rafiee, H., von Löwis, M., Meinel, C.: DNS Update Extension to IPv6 Secure Addressing. Proceedings of the Ninth International Symposium on Frontiers of Information Systems and Network Applications (FINA2013). pp. 896-902. IEEE CS, Barcelona, Spain (2013).
Schnjakin, M., Korsch, D., Schoenberg, M., Meinel, C.: Implementation of a Secure and Reliable Storage Above the Untrusted Clouds. Proceedings of the 8th International Conference on Computer Science and Education (ICCSE 2013). pp. 347-353. IEEE, Colombo (2013).
Schnjakin, M., Metzke, T., Meinel, C.: Applying Erasure Codes for Fault Tolerance in Cloud-RAID. Proceedings of the 16th IEEE International Conference on Computational Science and Engineering (CSE2013). IEEE, Sydney, Australia (2013).
Takouna, I., Dawoud, W., Sachs, K., Meinel, C.: A Robust Optimization for Proactive Energy Management in Virtualized Data Centers. Proceedings of the 4th ACM/SPEC International Conference on Performance Engineering (ICPE2013). pp. 323-326. ACM Press, Prague, Czech Republic (2013).
Azodi, A., Jaeger, D., Cheng, F., Meinel, C.: Pushing the Limits in Event Normalisation to Improve Attack Detection in IDS/SIEM Systems. Proceedings of the 1st International Conference on Advanced Cloud and Big Data. IEEE CS, Nanjing, China (2013).
Schnjakin, M., Meinel, C.: Evaluation of Cloud-RAID: A Secure and Reliable Storage above the Clouds. Proceedings of the 22nd International Conference on Computer Communications and Networks (ICCCN2013). pp. 1-9. IEEE, Nassau, Bahamas (2013).
Rafiee, H., Meinel, C.: A Secure, Flexible Framework for DNS Authentication in IPv6 Autoconfiguration. Proceedings of the 12th IEEE International Symposium on Network Computing and Applications (NCA2013). pp. 165-172. IEEE Press, MA, USA (2013).
The Domain Name System (DNS) is an essential part of the Internet on whose function many other protocols rely. One key DNS function is Dynamic Update, which allows hosts on the network to make updates to DNS records dynamically, without the need to restart the DNS service. Unfortunately, this dynamic process does expose DNS servers to security issues. To address these issues two protocols were introduced: Transaction SIGnature (TSIG) and Domain Name System Security Extensions (DNSSEC). In Internet Protocol version 4 (IPv4) networks, using these protocols eliminated the security issues. In Internet Protocol version 6 (IPv6), however, there is an issue with the DNS authentication process when using the StateLess Address AutoConfiguration (SLAAC) mechanism (new to IPv6, nonexistent in IPv4). This authentication issue occurs when a node wants to update its resource records on a DNS server during the DNS update process, or when a client wants to authenticate a DNS resolver to ensure that the DNS response does not contain a spoofed source address or message. In this paper we propose the use of a new mechanism which makes use of asymmetric cryptography to establish a trust relationship with the DNS server. We also consider the use of the current security parameters used to generate IPv6 addresses in a secure manner, i.e. Secure Neighbor Discovery (SeND), for assuring clients and DNS servers that the party they are communicating with is the real owner of this IP address. Since we are extending the RDATA field within the TSIG protocol to accommodate these new security parameters, we call this new mechanism the CGA-TSIG algorithm.
Rafiee, H., Meinel, C.: Privacy and Security in IPv6 Networks: Challenges and Possible Solutions. ACM. ACM Press, Aksaray, Turkey (2013).
Privacy is a very important element in everyone's everyday life. Most users would not like to have their data exposed to other people on the Internet. The initial approach used for attacking a user's privacy and security is scanning the nodes on a network. This gives an attacker the ability to obtain the IP addresses in use by a node so that this information can then be used to initiate further attacks against the node, such as tracking it via its IP address across networks and later correlating the user's activities with his IP address. The first attempt by the Internet Engineering Task Force (IETF) to protect a user's privacy was defined in the Privacy Extension RFC [13]. Unfortunately, this RFC has some deficiencies which make its use vulnerable to privacy-related attacks. To address this problem, and solve the deficiencies that exist with the use of this RFC, we introduce our new algorithm, which not only maintains a node's lifetime, but also provides a user with a method for randomized Interface ID (IID) generation.
Cheng, F., Azodi, A., Jaeger, D., Meinel, C.: Security Event Correlation Supported by Multi-Core Architecture. Proceedings of the 3rd IEEE International Conference on IT Convergence and Security (ICITCS 2013). pp. 1-5. IEEE CS, Macau, China (2013).
Azodi, A., Jaeger, D., Cheng, F., Meinel, C.: A New Approach to Building a Multi-Tier Direct Access Knowledgebase For IDS/SIEM Systems. Proceedings of the 11th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC2013). IEEE CS, Chengdu, China (2013).
Cheng, F., Azodi, A., Jaeger, D., Meinel, C.: Multi-Core Supported High Performance Security Analytics. Proceedings of the 13th IEEE International Conference on Scalable Computing and Communication (ScalCom 2013). IEEE CS, Chengdu, China (2013).
Sapegin, A., Cheng, F., Meinel, C.: Catch the Spike: on the Locality of Individual BGP Update Bursts. Proceedings of the 9th IEEE International Conference on Mobile Ad-hoc and Sensor Networks (MSN 2013). pp. 78-83. IEEE CS, Dalian, China (2013).
Rafiee, H., Mueller, C., Niemeier, L., Streek, J., Sterz, C., Meinel, C.: A Flexible Framework For Detecting IPv6 Vulnerabilities. Proceedings of The 6th International Conference on Security of Information and Networks (SIN 2013). ACM Press, Aksaray, Turkey (2013).
Security has recently become a very important concern for entities using IPv6 networks. This is especially true with the recent news reports in which governments and companies have admitted to credible cyber attacks against them, in which confidential information and the security of data have been compromised. In this paper we introduce a flexible framework that can be used for penetration testing of IPv6 networks. Due to the large address space of each IPv6 subnet, the traditional scanning approaches do not work. Here we introduce our new scanning algorithm, which finds the IPv6 nodes on the Internet that are using Domain Name System (DNS) servers. Our implementation results showed that the use of the DNS Security Extensions (DNSSEC) with NSEC3 [5], which is a new and promising approach for the prevention of zone walking, was not able to prevent us from gathering information about nodes on different networks.
Schnjakin, M., Meinel, C.: The State of Public Cloud Storage and Cloud-RAID: a Secure and Reliable Storage above the Clouds. Proceedings of the 13. Deutscher IT-Sicherheitskongress (Sicherheit2013) (2013).
Saleh, E., Takouna, I., Meinel, C.: SignedQuery: Protecting Users Data in Multi-tenant SaaS Environments. Proceedings of the International Conference on Advances in Computing, Communications and Informatics (ICACCI2013). pp. 213-218. IEEE Press, Mysore, India (2013).
Schnjakin, M., Meinel, C.: Implementation of Cloud-RAID: A Secure and Reliable Storage above the Clouds. Proceedings of the 8th International Conference on Grid and Pervasive Computing (GPC2013). pp. 91-102. Springer, Seoul, Korea (2013).
Saleh, E., Meinel, C.: HPISecure: Towards Data Confidentiality in Cloud Applications. Proceedings of the 13th IEEE/ACM International Symposium on Cluster, Cloud, and Grid Computing (CCGrid2013). pp. 605-609. IEEE CS, Delft, Netherlands (2013).
Sapegin, A., Jaeger, D., Azodi, A., Gawron, M., Cheng, F., Meinel, C.: Hierarchical Object Log Format for Normalisation of Security Events. Proceedings of the 9th International Conference on Information Assurance and Security (IAS 2013). IEEE CS, Tunis, Tunisia (2013).
Arulogun, T., Meinel, C., Emuoyibofarhe, J.: IPv6 Based Wireless Sensor Networks Electronic Health Monitoring System. Proceedings of the Fourth International Conference on Mobile e-Services (ICOMeS). LAUTECH, Ogbomoso (2012).
AlSa’deh, A., Rafiee, H., Meinel, C.: Stopping Time Condition for Practical IPv6 Cryptographically Generated Addresses. Proceedings of the 26th International Conference on Information Networking (ICOIN 2012). IEEE CS Press, Bali, Indonesia (2012).
Rafiee, H., AlSa'deh, A., Meinel, C.: Multicore-Based Auto-Scaling SEcure Neighbor Discovery for Windows Operating Systems. Proceedings of the 26th International Conference on Information Networking (ICOIN 2012). IEEE Press, Bali, Indonesia (2012).
Dawoud, W., Takouna, I., Meinel, C.: Increasing Spot Instances Reliability using Dynamic Scalability. IEEE Fifth International Conference on Cloud Computing (CLOUD 2012). pp. 959-961. IEEE CS Press, Honolulu, Hawaii, USA (2012).
Willems, C., Meinel, C.: Online Assessment for Hands-On Cybersecurity Training in a Virtual Lab. Proceedings of the 3rd IEEE Global Engineering Education Conference (EDUCON 2012). IEEE Press, Marrakesh, Morocco (2012).
Arulogun, T., AlSa’deh, A., Meinel, C.: IPv6 Private Networks: Security Consideration and recommendation. Proceedings of the Fourth International Conference on Mobile e-Services (ICOMeS). LAUTECH, Ogbomoso (2012).
AlSa’deh, A., Rafiee, H., Meinel, C.: IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability. Proceedings of the 5th International Symposium on Foundations & Practice of Security (FPS 2012). Springer, Montreal, QC, Canada (2012).
AlSa’deh, A., Rafiee, H., Meinel, C.: Cryptographically Generated Addresses (CGAs): Possible Attacks and Proposed Mitigation Approaches. Proceedings of the 12th IEEE International Conference on Computer and Information Technology (IEEE CIT’12). IEEE CS Press, Chengdu, Sichuan, China (2012).
Takouna, I., Dawoud, W., Meinel, C.: Analysis and Simulation of HPC Applications in Virtualized Data Centers. Proceedings of the IEEE International Conference on Green Computing and Communications (GreenCom 2012). IEEE Press, Besançon, France (2012).
Dawoud, W., Takouna, I., Meinel, C.: Reliable Approach to Sell the Spare Capacity in the Cloud. Proceedings of the 3rd International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2012). pp. 229-236. Nice, France (2012).
Alnemr, R., Meinel, C.: Reputation Objects for Interoperable Reputation Exchange: Implementation and Design Decisions. The 7th IEEE International Workshop on Trusted Collaboration (TrustCol 2012). IEEE (2012).
Dawoud, W., Takouna, I., Meinel, C.: Dynamic Scalability and Contention Prediction in Public Infrastructure using Internet Application Profiling. Proceedings of the 4th IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2012). Taiwan, China (2012).
Takouna, I., Dawoud, W., Meinel, C.: Accurate Multicore Processor Power Models for Power-Aware Resource Management. Proceedings of the 2011 International Conference on Cloud and Green Computing (CGC 2011). pp. 419-426. IEEE Press, Sydney, Australia (2011).
Alnemr, R., Meinel, C.: Why Rating is not Enough: A Study on Online Reputation Systems. Proceedings of the 2011 Collaborative Communities for Social Computing Workshop (CCSocialComp 2011), in conjunction with the 7th International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom 2011). IEEE Press, Orlando, Florida, USA (2011).
Roschke, S., Cheng, F., Meinel, C.: BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes. Proceedings of the 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011). pp. 399-406. IEEE Press, Dublin, Ireland (2011).
Schnjakin, M., Meinel, C.: Platform for a Secure Storage-Infrastructure in the Cloud. Proceedings of the 12th Deutscher IT-Sicherheitskongress (Sicherheit 2011). Bonn, Germany (2011).
Dawoud, W., Takouna, I., Meinel, C.: Elastic Virtual Machine for Fine-grained Cloud Resource Provisioning. Proceedings of the 4th International Conference on Recent Trends of Computing, Communication & Information Technologies (ObCom 2011). Springer, Tamil Nadu, India (2011).
Thomas, I., Warschofsky, R., Meinel, C.: Whom to trust? – Generating WS-Security Policies based on Assurance Information. Proceedings of the 9th IEEE European Conference on Web Services (ECOWS 2011). pp. 65-72. IEEE Computer Society, Lugano, Switzerland (2011).
As input for authorization decisions as well as to offer personalized services, service providers often require information about their users' identity attributes. In open identity management systems, these identity attributes are not necessarily managed by the service providers themselves, but by independent identity providers. Users might be required to aggregate identity attributes from multiple identity providers in order to meet a service's needs. On the other hand, service providers might also have certain requirements concerning the confidence in these attributes and face the problem of choosing one among multiple identity providers that can possibly assert the same attributes, but with different trust qualities. In this paper, we present an architecture to generate service policies using assurance information about available identity providers. Our logic-based attribute assurance library, called IdentityTrust, allows the configuration of a knowledge base reflecting a service provider's knowledge about remote identity providers. Service providers can state their trust requirements concerning technical and organizational details of identity providers and their ability to assert identity attributes. A reasoning engine finds suitable (combinations of) identity providers, which serve as input for our policy framework that generates corresponding policies using the WS-Security policy format.
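The abstract describes a pipeline of three parts: a knowledge base of what the service provider knows about each identity provider, a reasoner that finds (combinations of) providers meeting the provider's attribute and organizational requirements, and a generator that turns a solution into a WS-SecurityPolicy document. The following is an added illustration of that pipeline, not the IdentityTrust library or the paper's policy framework: a dictionary knowledge base, a brute-force search for minimal covering combinations, and a simplified policy rendering. Provider names, attributes, assurance levels, endpoints, the requirement format and the claim element layout in the generated XML are all constructed assumptions; only the WS-Policy, WS-SecurityPolicy and WS-Addressing namespace URIs are the real ones.

```python
from itertools import combinations
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

# Added example, not the IdentityTrust library described in the paper: a tiny
# assurance knowledge base, a brute-force reasoner that enumerates the minimal
# combinations of identity providers satisfying a service provider's
# requirements, and a simplified WS-Policy rendering of a solution. Provider
# names, attribute names, assurance levels, endpoints and the element layout of
# the generated policy are all constructed for the demonstration.

KnowledgeBase = Dict[str, dict]

IDPS: KnowledgeBase = {
    # "attrs" maps an identity attribute to the assurance level (1 = lowest)
    # at which this provider can assert it; the remaining keys are
    # organizational facts the service provider has recorded about the IdP.
    "idp-bank":       {"attrs": {"name": 4, "birthdate": 4, "iban": 4},
                       "audited": True,  "country": "DE",
                       "endpoint": "https://sts.bank.example/trust"},
    "idp-gov":        {"attrs": {"name": 4, "birthdate": 4},
                       "audited": True,  "country": "DE",
                       "endpoint": "https://sts.gov.example/trust"},
    "idp-social":     {"attrs": {"name": 1, "email": 2},
                       "audited": False, "country": "US",
                       "endpoint": "https://sts.social.example/trust"},
    "idp-university": {"attrs": {"name": 3, "student_id": 3, "email": 3},
                       "audited": True,  "country": "DE",
                       "endpoint": "https://sts.uni.example/trust"},
}


def admissible(idp: dict, req: dict) -> bool:
    """Organizational requirements apply to every provider in a solution."""
    if req.get("audited") and not idp["audited"]:
        return False
    if "countries" in req and idp["country"] not in req["countries"]:
        return False
    return True


def covers(combo: Tuple[str, ...], kb: KnowledgeBase, req: dict) -> bool:
    """Each required attribute must be asserted by at least one provider in
    the combination at or above the required assurance level."""
    return all(any(kb[i]["attrs"].get(attr, 0) >= level for i in combo)
               for attr, level in req["attrs"].items())


def find_providers(kb: KnowledgeBase, req: dict) -> List[Tuple[str, ...]]:
    """Minimal provider combinations that satisfy req, smallest first.
    Combinations are examined in increasing size, so a candidate that
    contains an already-found solution is discarded as non-minimal."""
    names = sorted(i for i in kb if admissible(kb[i], req))
    solutions: List[Tuple[str, ...]] = []
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if any(set(s) <= set(combo) for s in solutions):
                continue
            if covers(combo, kb, req):
                solutions.append(combo)
    return solutions


def to_ws_policy(combo: Tuple[str, ...], kb: KnowledgeBase, req: dict) -> str:
    """Render one solution as a simplified WS-Policy/WS-SecurityPolicy fragment:
    one sp:IssuedToken per provider, listing the claims the service provider
    will accept from that issuer. The Claim element is a simplification."""
    out = ['<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" '
           'xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
           'xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsp:All>']
    for i in combo:
        accepted = [a for a, lvl in req["attrs"].items()
                    if kb[i]["attrs"].get(a, 0) >= lvl]
        out.append('<sp:IssuedToken><sp:Issuer><wsa:Address>'
                   + escape(kb[i]["endpoint"])
                   + '</wsa:Address></sp:Issuer><sp:RequestSecurityTokenTemplate>'
                   + ''.join(f'<Claim name="{escape(a)}"/>' for a in accepted)
                   + '</sp:RequestSecurityTokenTemplate></sp:IssuedToken>')
    out.append('</wsp:All></wsp:Policy>')
    return ''.join(out)


# Constructed requirement sets for two services.
REQ_BASIC = {"attrs": {"name": 3, "email": 2}, "audited": True}
REQ_STRICT = {"attrs": {"name": 4, "email": 2}, "audited": True, "countries": {"DE"}}

if __name__ == "__main__":
    for req in (REQ_BASIC, REQ_STRICT):
        sols = find_providers(IDPS, req)
        print(req, "->", sols)
        if sols:
            print(to_ws_policy(sols[0], IDPS, req))
```

With these data `REQ_BASIC` is met by the university provider alone, while `REQ_STRICT` needs two providers because no single audited German provider asserts both a level-4 name and an e-mail address; the generated policy then carries one `sp:IssuedToken` per issuer, each restricted to the claims that issuer is trusted for. The brute-force search is exponential in the number of admissible providers, which is acceptable for a knowledge base of a few dozen providers but is where a real reasoner would use a logic engine instead.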
Rafiee, H., AlSa’deh, A., Meinel, C.: WinSEND: Windows SEcure Neighbor Discovery. Proceedings of the 4th International Conference on Security of Information and Networks (SIN 2011). pp. 243-246. ACM Press, Sydney, Australia (2011).
Cheng, F., Roschke, S., Meinel, C.: An Integrated Network Scanning Tool for Attack Graph Construction. Proceedings of the 6th International Conference on Advances in Grid and Pervasive Computing (GPC 2011). pp. 138-147. Springer, Oulu, Finland (2011).
Thomas, I., Meinel, C.: An Attribute Assurance Framework to Define and Match Trust in Identity Attributes. Proceedings of the 2011 IEEE International Conference on Web Services (ICWS 2011). pp. 580-587. IEEE Computer Society, Washington DC, USA (2011).
Willems, C., Meinel, C.: Practical Network Security Teaching in an Online Virtual Laboratory. Proceedings of the 2011 International Conference on Security & Management (SAM 2011). CSREA Press, Las Vegas, Nevada, USA (2011).
Roschke, S., Cheng, F., Meinel, C.: A New Correlation Algorithm based on Attack Graph. Proceedings of the 4th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2011). pp. 58-67. Springer, Torremolinos, Spain (2011).
Alnemr, R., Meinel, C.: From Reputation Models and Systems to Reputation Ontologies. Proceedings of the 5th IFIP International Conference on Trust Management (IFIPTM 2011). pp. 98-116. Springer, Copenhagen, Denmark (2011).
Takouna, I., Dawoud, W., Meinel, C.: Efficient Virtual Machine Scheduling-policy for Virtualized heterogeneous Multicore Systems. Proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications (PDPTA2011). CSREA Press, Las Vegas, Nevada, USA (2011).
AlSa'deh, A., Cheng, F., Roschke, S., Meinel, C.: IPv4/IPv6 Handoff on Lock-Keeper for High Flexibility and Security. Proceedings of the 4th IFIP/IEEE International Conference on New Technologies, Mobility and Security (NTMS 2011). pp. 1-6. IEEE Press, Paris, France (2011).
Alnemr, R., Schnjakin, M., Meinel, C.: Towards Context-aware Service-oriented Semantic Reputation Framework. Proceedings of the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2011). IEEE Press (2011).
Warschofsky, R., Menzel, M., Meinel, C.: Automated Security Service Orchestration for the Identity Management in Web Service based Systems. Proceedings of the 2011 IEEE International Conference on Web Services (ICWS 2011). pp. 596-603. IEEE Computer Society, Washington DC, USA (2011).
Today, there is a huge number of security services that can be used to implement different security requirements in Web Service based systems. For example, identity management services are required for authentication and authorization, whereas message logging services are necessary to achieve non-repudiation. However, the deployment and configuration of these security services usually requires expert knowledge about the systems and expert knowledge about security requirements and implementations which a person can only learn by experience. Furthermore, today's Web Service based systems become increasingly complex. Thus, implementing security requirements is a complex and error-prone task, even for experts. For this paper, we analysed several service-based implementations for identity management and their differences in the service orchestration. We present an approach to derive the needed security services, their configuration, and their connections to the functional services, based on defined security requirements for a Web Service based system. To this end, we evaluate the UML use case model of the system and apply service security patterns derived during the analysis of the identity management implementations.
AlSa'deh, A., Cheng, F., Meinel, C.: CS-CGA: Compact and More Secure CGA. Proceedings of the 17th IEEE International Conference on Networks (ICON 2011). IEEE Press, Singapore (2011).
Takouna, I., Dawoud, W., Meinel, C.: Dynamic Configuration of Virtual Machine for Power-proportional Resource Provisioning. Proceedings of the 2nd International Workshop on Green Computing Middleware (GCM 2011), in conjunction with the 12th ACM/IFIP/USENIX International Middleware Conference (Middleware 2011). pp. 4:1-4:6. Lisboa, Portugal (2011).
Dawoud, W., Takouna, I., Meinel, C.: Elastic VM for Cloud Resources Provisioning Optimization. Proceedings of the First International Conference on Advances in Computing and Communications (ACC 2011). pp. 431-445. Springer, Kochi, India (2011).
Dawoud, W., Takouna, I., Meinel, C.: Elastic VM for Rapid and Optimum Virtualized Resources Allocation. Proceedings of the 5th International DMTF Academic Alliance Workshop On Systems and Virtualization Management (SVM 2011). pp. 1-4. IEEE Press, Paris, France (2011).