Showing papers by "Felix C. Freiling published in 2008"


15 Apr 2008
TL;DR: In a case study, the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.
Abstract: Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands. However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.

443 citations


Proceedings Article
01 Jan 2008
TL;DR: This work presents the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely known phenomenon in the Internet, and develops a metric with which FFSNs can be effectively detected.
Abstract: We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.

418 citations


01 Jan 2008
TL;DR: The Monkey-Spider project is introduced and used as a client honeypot; the challenges of such an approach are described, and the system is evaluated as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild.
Abstract: Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor's browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project [Mon]. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

63 citations


01 Jan 2008
TL;DR: A generic adversary model is developed that allows adversaries to be classified according to two dimensions of power, presence and intervention, and provides a framework for realistic security analysis in wireless sensor networks.
Abstract: We investigate how wireless sensor networks can be attacked in practice. From this we develop a generic adversary model that allows adversaries to be classified according to two dimensions of power: presence and intervention. Thus, we provide a framework for realistic security analysis in wireless sensor networks.

48 citations


Book ChapterDOI
01 Jan 2008
TL;DR: The following chapter attempts to define the notions of metric and measurement which underlie this book and introduces useful terms and concepts from measurement theory, without being overly formal.
Abstract: The following chapter attempts to define the notions of metric and measurement which underlie this book. It further elaborates on general properties of metrics and introduces useful terms and concepts from measurement theory, without being overly formal.

25 citations


01 Jan 2008
TL;DR: The implementation of a dynamic analysis module of the monitoring system is presented; it performs the dynamic analysis by transferring common sandboxing approaches to the Windows Mobile operating system on the ARM architecture.
Abstract: Mobile devices like smartphones have different properties compared to common personal computers. Therefore, the basic principles of mobile device security are also different, and this situation is advantageous because it gives more possibilities of securing the mobile device, based on the more centrally controlled environment in which they operate and a different role of the user. This paper describes the framework for a background monitoring system to collect software that a user is going to install on their device, and to automatically perform a dynamic analysis of the software. The implementation of a dynamic analysis module of the monitoring system is presented. It has the task of performing the dynamic analysis by transferring common sandboxing approaches to the Windows Mobile operating system on the ARM architecture.

17 citations


Book
01 Jan 2008
TL;DR: Performance-Related Metrics in the ISO 9126 Standard and Measuring Performance Metrics: Techniques and Tools.
Abstract (table of contents): to Dependability Metrics; to Dependability Metrics. Part I, Foundations: On Metrics and Measurements; Validation of Predictions with Measurements; Consistent Metric Usage: From Design to Deployment; Basic and Dependent Metrics; Goal, Question, Metric; Quality of Service Modeling Language; Markov Models. Part II, Reliability Metrics: Hardware Reliability; Software Reliability. Part III, Security Metrics: to Security Metrics; Cryptographic Attack Metrics; Security Measurements and Metrics for Networks; Industrial Approaches and Standards for Security Assessment; Economic Security Metrics; Human Factors. Part IV, Performance Metrics: to Performance Metrics; Performance-Related Metrics in the ISO 9126 Standard; Analytical Performance Metrics; Performance Metrics in Software Design Models; Measuring Performance Metrics: Techniques and Tools; Performance Metrics for Specific Domains. Part V, Overlapping Metrics: to Overlapping Attributes; Performability; Reliability vs. Security: A Subjective Overview.

17 citations


Book ChapterDOI
01 Jan 2008
TL;DR: The goal of this book is to give a wide overview about the metrics that exist for different aspects of dependability, namely reliability, security, and performance.
Abstract: The goal of this book is to give a wide overview about the metrics that exist for different aspects of dependability, namely reliability, security, and performance. The following chapter attempts to define the term dependability and give an overview of this book.

11 citations


Book ChapterDOI
01 Jan 2008
TL;DR: Bruce Schneier argues that eventually the insurance industry will run computer security just like any other field which has risks: if you want to protect yourself from the damage caused by denial-of-service, simply buy insurance against this kind of attack.
Abstract: In one of his well-readable and instructively provocative newsletters [434], Bruce Schneier elaborates on the role of the insurance industry within the field of network security. He argues that eventually the insurance industry will run computer security just like any other field which has risks: if you want to protect yourself from the damage caused by denial-of-service, simply buy insurance against this kind of attack.

8 citations


01 Jan 2008
TL;DR: An overview of two graduate-level courses in forensic computing that give a research-oriented introduction to the field is presented, along with the reports resulting from the exercises, which clearly document the ubiquity of data available to forensic analysis.
Abstract: In contrast to the USA and the UK, the academic field of forensic computing is still in its infancy in Germany. To foster the exchange of experiences, we report on lessons learnt in teaching two graduate-level courses in forensic computing at a German university. The focus of the courses was to give a research-oriented introduction into the field. The first course, a regular lecture, was accompanied by two practical exercises: (1) a live-analysis of a compromised honeypot, and (2) a dead-analysis of a set of hard disks purchased on the web. The second course was a laboratory course with extensive experiments including forensic analysis of mobile phones. We give an overview of these courses and pay special attention to the reports resulting from the exercises, which clearly document the ubiquity of data available to forensic analysis.

8 citations


Book ChapterDOI
10 Sep 2008
TL;DR: This work considers probabilistic flooding for query dissemination and develops an analytical framework which enables the base station to predict the energy consumed and the nodes reached according to the rebroadcast probability, and devise a topology discovery protocol that collects the structural information required for the framework.
Abstract: Energy-efficient query dissemination plays an important role for the lifetime of sensor networks. In this work, we consider probabilistic flooding for query dissemination and develop an analytical framework which enables the base station to predict the energy consumed and the nodes reached according to the rebroadcast probability. Furthermore, we devise a topology discovery protocol that collects the structural information required for the framework. Our analysis shows that the energy savings exceed the energy spent to obtain the required information after a small number of query disseminations in realistic settings. We verified our results both with simulations and experiments using the SUN Spot nodes.

Journal ArticleDOI
TL;DR: It is shown that, when the communication topology is fully connected, under certain realistic assumptions, any fault-tolerant termination detection algorithm can be forced to exchange Ω(nf) control messages in the worst case, even when at most one process may be active initially and the underlying computation does not exchange any application messages.

01 Jan 2008
TL;DR: This paper develops a process model for penetration tests from practical considerations and derives efficiency metrics that can assist penetration testers in planning, budgeting and conducting such tests.
Abstract: In a penetration test, the security of a system is checked by means of a controlled attack. Penetration tests are widespread in practice, but the phenomenon has so far hardly been studied scientifically. This paper develops a process model for penetration tests based on practical considerations. A subsequent formalization of the model based on graph-theoretic concepts makes it possible to describe penetration tests precisely and to define efficiency metrics for practical tests, which can assist penetration testers in planning, budgeting and conducting such tests.

Book ChapterDOI
22 Sep 2008
TL;DR: The crash-stop failure model for asynchronous fault-tolerant distributed systems allows a certain number of processes to stop executing steps during the computation; since this is not expressive enough for many realistic scenarios, the behaviour of processes that crash and are restarted from a recovery point is formalized as the crash-recovery failure model, in which processes can crash and recover multiple times.
Abstract: Problem Setting. One of the most popular failure models for asynchronous fault-tolerant distributed systems is called crash-stop, which allows that a certain number of processes stops executing steps during the computation. Despite its theoretical interest, crash-stop is not expressive enough to model many realistic scenarios. In practice, processes crash but their processors reboot and the crashed process is restarted from a recovery point and rejoins the computation. This behavior is formalized as a failure model called crash-recovery, in which the processes can crash and recover multiple times.

Book ChapterDOI
01 Jan 2008
TL;DR: This chapter presents a preliminary overview of the research area on the border between reliability and security (termed “relurity”) together with extensive pointers to the literature.
Abstract: This chapter presents a preliminary overview of the research area on the border between reliability and security (termed “relurity”) together with extensive pointers to the literature.