Proceedings of the Third Central European Cybersecurity Conference: Latest Papers

Accommodating Time-Triggered Authentication to FlexRay Demands
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360666
Pal-Stefan Murvay, L. Popa, B. Groza
Research efforts related to in-vehicle communication security were largely focused on the Controller Area Network (CAN) protocol. While CAN is still the most widely used protocol for building in-vehicle networks, many safety critical functionalities are based on other communication protocols such as FlexRay or Ethernet which constantly expand their use inside vehicles. In this paper we address the problem of authenticating transmissions in FlexRay networks. We approach this task by adapting an authentication protocol to the time-triggered nature of FlexRay communication while also accounting for non-deterministic transmissions that may occur in the FlexRay dynamic segment. We illustrate the effects of introducing authentication on keeping strict message deadlines by evaluating our proposal based on a real-life scenario from a major vehicle manufacturer.
Citations: 4
IPv6 Covert Channels in the Wild
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360674
W. Mazurczyk, Krystian Powójski, L. Caviglione
The increasing diffusion of malware endowed with steganographic techniques requires carefully identifying and evaluating a new set of threats. The creation of a covert channel to hide a communication within network traffic is one of the most relevant, as it can be used to exfiltrate information or orchestrate attacks. Even if network steganography is becoming a well-studied topic, only a few works focus on IPv6 and consider real network scenarios. Therefore, this paper investigates IPv6 covert channels deployed in the wild. Also, it presents a performance evaluation of six different data hiding techniques for IPv6 including their ability to bypass some intrusion detection systems. Lastly, ideas to detect IPv6 covert channels are presented.
Citations: 25
Obfuscated Android Application Development
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3361144
Pierre Graux, Jean-François Lalande, Valérie Viet Triem Tong
Obfuscation techniques help developers to hide their code when distributing an Android application. The used techniques are linked to the features provided by the programming language but also with the way the application is executed. Using obfuscation is now a common practice and specialized companies sell tools or services for automatizing the manipulation of the source code. In this paper, we present how to develop obfuscated applications and how obfuscation technique usage is evolving in the wild. First, using advanced obfuscation techniques requires some advanced knowledge about the development of Android applications. We describe how to build such applications for helping researchers to generate samples of obfuscated applications for their own research. Second, the use of obfuscation techniques is evolving for both regular applications and malicious ones. We aim at measuring the development of these usages by studying application and malware samples and the artifacts that indicate the use of obfuscation techniques.
Citations: 4
Combined side-channels malware detection for NFV infrastructure
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360727
Andrew Sergeev, Eyal Ben-Sa'adon, Elad Tannenbaum, Asi Saar
Network Function Virtualization (NFV) is an emerging approach gaining popularity among network providers. Nowadays, NFV infrastructure platforms are predominantly based on x86 architecture CPUs. However, vulnerabilities of the CPU architecture may allow an attacker to obtain root privileges and to plant malware. Among such malware is crypto mining, which is hardly detectable either by malware scanner or by a firewall. In this paper we investigate the applicability of side-channels Key Performance Indicators (KPIs) for malware detection. We propose detecting the abnormal behavior using Machine Learning tools. Upon analyzing different side-channel technologies, we suggest using a combination of CPU performance KPIs with KPIs for the forwarding latency of NFV applications as an input to a Neural Network model. The model shall be trained in advance using two data sets: one set representing a clean system and the second set -- a compromised system (containing planted crypto-mining malware). The proposed approach would allow us to detect abnormal behavior caused by activation of the malware.
Citations: 2
Network Forensic Investigation in OpenContrail Environments
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360676
Alexander Heckel, Daniel Spiekermann
The requirements of today's data center networks include scalability, multi-tenancy and isolation from the underlying infrastructure, which are primarily achieved through the use of network virtualization. As a downside, the overall complexity increases with the number of technologies involved, which has a significant impact upon network forensic investigation. In this context we investigated OpenContrail, an open source framework for network virtualization that provides built-in methods for collecting network traffic. In our research, we concluded that these methods work in principle, but are not suitable to capture network traffic that can be used in court. The packet mirroring turned out to be incomplete and the capture process can be detected by the virtual machine under investigation. Based on these findings, we developed a more flexible agent that especially ensures the transparency of the capture process for the suspicious virtual machine.
Citations: 0
Determining Minimum Hash Width for Hash Chains
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360682
Martin Dietzfelbinger, J. Keller
Cryptographic hash functions are used in authentication, and repeated application in hash chains is used in communication protocols. In embedded devices, the width of hash values and the associated effort to evaluate the hash function is crucial, and hence the hash values should be as short as possible but should still be sufficient to guarantee the required level of security. We present a new proof for a known result by Flajolet and Odlyzko (Eurocrypt 1989), using only elementary combinatoric and probabilistic arguments. Using this result, we derive a bound on the expected number of hash values still reachable after a given number of steps in the hash chain, so that given any two of the three parameters hash chain length, width of the hash value, and security level, the remaining parameter can be computed. Furthermore, we illustrate how to "refresh" a hash chain to increase the number of reachable hash values if the initial seed is long enough. Based on this, we present a scheme that allows reduced width of hash values, and thus reduced energy consumption in the device, for a hash chain of similar length and similar security level. We illustrate our findings with experiments.
Citations: 1
A practical view on IT risk management process
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360730
Maksim Goman
Risk management (RM) process is one of the key aspects in IT management standards. However, in addition to the existing ambiguity about risk concept in IT management standards and guidelines, IT RM process is usually very simplistic and brief. We propose an improved IT RM process in this paper. The enhanced process is based on an advanced definition of risk and its consequences.
Citations: 0
Multi-Platform Authorship Verification
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360677
Abdulaziz Altamimi, N. Clarke, S. Furnell, Fudong Li
At the present time, there has been a rapid increase in the variety and popularity of messaging systems such as social network messaging, text messages, email and Twitter, with users frequently exchanging messages across various platforms. Unfortunately, in amongst the legitimate messages, there is a host of illegitimate and inappropriate content - with cyber stalking, trolling and computer-assisted crime all taking place. Therefore, there is a need to identify individuals using messaging systems. Stylometry is the study of linguistic features in a text which consists of verifying an author based on his writing style that consists of checking whether a target text was written or not by a specific individual author. Whilst much research has taken place within authorship verification, studies have focused upon singular platforms, often had limited datasets and restricted methodologies that have meant it is difficult to appreciate the real-world value of the approach. This paper seeks to overcome these limitations through providing an analysis of authorship verification across four common messaging systems. This approach enables a direct comparison of recognition performance and provides a basis for analyzing the feature vectors across platforms to better understand what aspects each capitalize upon in order to achieve good classification. The experiments also include an investigation into the feature vector creation, utilizing population and user-based techniques to compare and contrast performance. The experiment involved 50 participants across four common platforms with a total of 13,617; 106,359; 4,539; and 6,540 samples for Twitter, SMS, Facebook, and Email achieving an Equal Error Rate (EER) of 20.16%, 7.97%, 25% and 13.11% respectively.
Citations: 5
A Secure String Class Compliant with PCI DSS
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360681
Katarína Amrichová, Terézia Mézesová
Computer programs often work with a variety of sensitive data and class String is widely used in object-oriented programming languages for this purpose. However, saving sensitive data to a String object is not safe as it is not encrypted and may still be in the operating memory even after it is no longer needed. Due to non-deterministic behaviour of mechanism responsible for removing unused items from the memory, we cannot say with certainty when String with sensitive data will actually be removed. If an attacker gets either part of or even the entire memory image, then they can easily read these sensitive data. This paper discusses the options in object oriented languages that provide programmers with a way of storing the data in memory in an encrypted form. We present a pseudo code for a secure String class that is compliant with Data retention and Cryptography requirements of the PCI DSS standard.
Citations: 1
The Password Literacy in North Macedonia: A Case Study
Pub Date : 2019-11-14 DOI: 10.1145/3360664.3360678
Andrej Cvetkovski, Flavio Esposito
Following the repeated reports of high prevalence of functional illiteracy in the countries of the Western Balkans, we go on to study the password composition habits of cultural groups from this region. In a password cracking experiment, we obtain and analyze a number of passwords composed for use in learning management systems (LMS) by recent high-school graduates from North Macedonia. We estimate the strength of these passwords and their crackability by methods adjusted to local cultural specifics. Our results indicate that high extent of general illiteracy is intertwined with low awareness about good password practices, which in turn may lead to creating various vulnerabilities to deployed systems and confidential data. We conclude that, in the studied region, there is an immediate need for educating the population of good password practices and good system and data security practices in general.
Citations: 2