Showing papers presented at "International Conference on Emerging Security Information, Systems and Technologies in 2020"


Proceedings Article
21 Nov 2020
TL;DR: A method to automatically map the software security vulnerability using a multi-label classification approach and found out the LabelPowerset method with Multilayer Perceptron as base classifier performs best in the authors' experiment.
Abstract: Along with the growth in the usage of software in almost every aspect of human life, the risks associated with software security vulnerabilities also increase. The number of software vulnerabilities published on an average day exceeds the human ability to cope with it, hence various threat models that generalize the threat landscape have been developed. The most popular threat model, MITRE ATT&CK, has proved to be a very useful tool for the security analyst to perform cyber threat intelligence, red and blue teaming, and so on. However, for their daily operation, security analysts have to prioritize their defense by manually mapping the daily published software security vulnerabilities to the adversarial techniques listed in MITRE ATT&CK. In this paper, we propose a method to automatically map software security vulnerabilities using a multi-label classification approach. We took the vector representation of the vulnerability description, classified it with various multi-label classification methods, evaluated them with different measures, and found that the LabelPowerset method with a Multilayer Perceptron as base classifier performs best in our experiment. Keywords: Multi-label classification; MITRE ATT&CK; Security Vulnerability.

5 citations


Book ChapterDOI
01 Jan 2020
TL;DR: Here, this work considers a randomness substitution attack, in which the adversary replaces a good randomness source by another one, which produces duplicate values (over time) and perhaps numbers of low entropy.
Abstract: Random numbers are an important ingredient in cryptographic applications, whose importance is often underestimated. For example, various protocols hinge on the requirement of using numbers only once and never again (most prominently, the one-time pad), or rest on a certain minimal entropy of a random quantity. Quantum random number generators can help fulfill such requirements; however, they may also be subject to attacks. Here, we consider what we coin a randomness substitution attack, in which the adversary replaces a good randomness source by another one, which produces duplicate values (over time) and perhaps numbers of low entropy. A binding between a random number and its origin is thus a certificate of quality and security when upper-level applications rest on the good properties of quantum randomness.

2 citations


Proceedings Article
21 Nov 2020
TL;DR: This paper explores options to integrate an Intrusion Detection System (IDS) in a Smart Home installation and proposes a system design that allows for a pre-configuration and processes which allow users to invoke a security expert in the case of an attack that cannot be handled by simple means.
Abstract: Botnets such as Mirai or Reaper show that many Smart Home devices are low-hanging fruit for attackers. Nevertheless, it is an ongoing trend to replace everyday devices, such as TVs, fridges or doorbells, with smart successors. Thus, securing Smart Homes operated by private users remains an open issue. In this paper, we explore options to integrate an Intrusion Detection System (IDS) in a Smart Home installation. Smart Home devices use well-established technology, so from a technical perspective existing IDS approaches can be applied. We focus on non-technical challenges. This includes a system design that allows for pre-configuration. It also calls for processes which allow users to invoke a security expert in the case of an attack that cannot be handled by simple means. We demonstrate our approach with a prototypical implementation.

2 citations


Proceedings Article
21 Nov 2020
TL;DR: The application of a model of the forensic process to the examination of the loss of potential privacy due to the use of mobile apps in order to provide comparability of the findings is proposed.
Abstract: This paper discusses means to evaluate the potential impact of data flows caused by the use of smartphone apps (applications) on the privacy of the user. While the data flows are often caused by trackers, permissions set the framework within which data can flow between the smartphones and the remote party. Hence, we devise a concept to examine privacy violations caused by trackers and permissions in mobile apps and to render the results of said examination more comparable and reliable based on the characteristics of the examination methods (custody, examined forensic data streams and type of communication). We define two different examination scenarios in which this approach can be deployed and conduct practical tests in these two scenarios. For the first scenario, the concept is applied to the static evaluation of 8 exemplary mobile apps running on the Android platform using 3 different methods (Exodus Privacy, Exodus Standalone and AppChecker), identifying 162 permissions and 42 trackers in total. The second scenario employs these three methods in order to examine the extent to which three mobile browsers reveal information to their respective developers. Our main contribution is the application of a model of the forensic process to the examination of the loss of potential privacy due to the use of mobile apps in order to provide comparability of the findings. In addition, we propose a visualization scheme capable of displaying test results from privacy examinations covering a large number of examination items. Keywords: Privacy Measurement; Data sovereignty.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: Open questions in building an effective decision support system are discussed to help crisis decision cells identifying early warnings and situation-specific awareness and figure out the right actions/partnerships to solve crisis management challenges.
Abstract: To face disaster relief challenges, crisis management requires operational commitment and efficient coordination of all stakeholders. Deployment of new communication channels at the level of the infrastructure but also at the level of social media streams needs strengthened emergency response processes. We discuss open questions in building an effective decision support system to help crisis decision cells identifying early warnings and situation-specific awareness and figure out the right actions/partnerships to

1 citation


Proceedings Article
21 Nov 2020
TL;DR: Experimental efforts to extend the application of SDN to a multi-domain, coalition, mobile network with wireless links and with end systems belonging to several Communities Of Interest (COI) are reported on.
Abstract: In order for Software Defined Network (SDN) technology to work in a military network, several identified problems need to be solved. This paper reports on experimental efforts to extend the application of SDN to a multi-domain, coalition, mobile network with wireless links and with end systems belonging to several Communities Of Interest (COI). The paper also demonstrates how SDN technology allows different network services to be integrated with a single class of Network Elements (NE). Considerations related to authentication, COI separation and intrusion prevention are given special attention in the discussion. Keywords: authentication; intrusion prevention; software defined networks; tactical networks; trust management.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: A framework for model-based security testing that can simulate the behaviour of an adversary that executes multiple attacks to reach his primary goal, which will enable the automation of manual security reviews as well as the automation of security tests like penetration testing.
Abstract: In this paper, we present a framework for model-based security testing. The primary advantage of our framework will be the automation of manual security reviews as well as the automation of security tests like penetration testing. The framework can be used to decide on single steps of the test procedure. This paper focuses on the concept of the framework, describing the necessary components and their use. Our framework can simulate the behaviour of an adversary that executes multiple attacks to reach his primary goal. Using our approach, it is possible to continuously and consistently address security in software development, even in the early phases of software engineering when no running code is available. Due to this consistency, some of the necessary tests can be executed with less effort. This makes security tests more efficient. Our preliminary evaluation shows that it is possible to use our attack model in a wide range of domains and that there is potential for reuse of modelled elements. Keywords: attack model; adversary model; model-based testing; security testing; penetration test.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: A survey of existing evaluation and certification schemes for consumer IoT is assembled and the schemes are compared based on various criteria; a unified evaluation scheme for the basic level, driven by Bureau Veritas and based on existing schemes, is then proposed.
Abstract: On 7 June 2019, the Cybersecurity Act was adopted by the European Union. Its objectives are twofold: the adoption of a permanent mandate for ENISA and the definition of a European cybersecurity certification framework, which is essential for strengthening the security of Europe's digital market. Certificates delivered according to this framework will be mutually recognized among European countries. The regulation defines three certification levels with increasing requirements. Among them, the "basic level" typically targets non-critical consumer objects (e.g., smart-home or "gadget" IoT). Yet, various evaluation and certification schemes related to the IoT already existed prior to the adoption of the Cybersecurity Act. Thus, discussions are being carried on at the time of writing in order to either choose an existing scheme or to design a unified scheme based on existing ones. In this paper, we focus on the basic level, assemble a survey of existing evaluation and certification schemes for consumer IoT, and compare them based on various criteria. Then, we propose a unified evaluation scheme for the basic level driven by Bureau Veritas, based on existing schemes. Keywords: Cybersecurity Act; Internet of Things; IoT; certification; evaluation scheme; smart-home.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: First results of a forensic behavior analysis on the network recordings of video conferences are shown, aimed at identifying different activities taking place during such conferencing, which could then be used to construct a biometric pattern.
Abstract: This paper discusses the possibility of performing a forensic behavior analysis on the network recordings of video conferences in order to identify different activities taking place during such conferencing. This behavior analysis is based on the audio and video streams of such software. While the connections are usually encrypted, the possibility of deriving and using heuristic metadata from the encrypted stream in order to identify various activities (use cases) is explored. This paper shows first results of such an approach to identify various activities, which could then be used to construct a biometric pattern. Furthermore, a model for communication flows during video conferences is introduced, formalizing which specific data can be gathered at various points by an observer. A first case study applies a set of four different test cases to two different video conferencing solutions. Keywords: Security; Video conferencing; Zoom; Big Blue Button; User and traffic profiling; Network forensics.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: The methods used to gain structured information in the form of named entities, the relations between them, and events from unstructured text data contained in Darknet Market web pages are explained.
Abstract: Over the past decade, the Darknet has created unprecedented opportunities for trafficking in illicit goods, such as weapons and drugs, and it has provided new ways to offer crime as a service. Along with the possibility of concealing financial transactions with the help of cryptocurrencies, the Darknet offers sellers the possibility to operate covertly. This article presents research and development outcomes of the COPKIT project which are relevant to the SECURWARE 2020 conference topics of data mining and knowledge discovery from a security perspective. It gives an overview of the methods, technologies and approaches chosen in the COPKIT project for building information extraction components with a focus on Darknet Markets. It explains the methods used to gain structured information in the form of named entities, the relations between them, and events from unstructured text data contained in Darknet Market web pages. Keywords: natural language processing; information extraction; named entity recognition; relationship extraction; event detection.

1 citation


Proceedings Article
21 Nov 2020
TL;DR: An approach is proposed that reduces the impact of a data breach by limiting the amount of private data that the company stores in its computer system, while preserving the company’s ability to accomplish its purposes for collecting the private data.
Abstract: Organizations are increasingly being victimized by breaches of private data, resulting in heavy losses to both the organizations and the owners of the data, i.e., the people described by the data. For organizations, these losses include large expenses to resume normal operation and damage to their reputation. For data owners, the losses may include financial loss and identity theft. To defend themselves from such data breaches, organizations install security controls (e.g., encryption) to secure their vulnerabilities. While such controls help, they are far from foolproof. This paper examines the behaviour of Business-to-Consumer (B2C) e-commerce companies in terms of why they collect and store personal data. It then proposes an approach that reduces the impact of a data breach by limiting the amount of private data that the company stores in its computer system, while preserving the company's ability to accomplish its purposes for collecting the private data. The paper illustrates the approach by applying it to different types of B2C e-commerce companies. Keywords: reducing impact; data breach; private data loss; B2C e-commerce.

Proceedings Article
21 Nov 2020
TL;DR: A trend analysis of the latest research contributions presented at VizSec symposia in terms of visualization techniques and functional requirements is conducted, and a deficiency concerning the requirements of collaboration, enhanced situational awareness, multi-stakeholder involvement, and multi-stakeholder visualization is identified.
Abstract: In order to access valuable indicator information in the field of cybersecurity, domain experts tend to use visualizations to quickly gain an overview of a given situation, even more so in the age of big data, where first following visual summaries tends to be more efficient than diving directly into raw data. For this purpose, researchers analyze the visual and functional requirements of systems to facilitate data exploration. In this paper, we conduct a trend analysis of the latest research contributions presented at VizSec symposia in terms of visualization techniques and functional requirements. Additionally, an international project and a currently ongoing national project, focusing on Local Public Administrations (LPAs) and Critical Infrastructures (CIs), are analyzed and compared to current state-of-the-art research in terms of the requirements of real users in the field of CIs and LPAs. In particular, a deficiency concerning the requirements of collaboration, enhanced situational awareness, multi-stakeholder involvement, and multi-stakeholder visualization is identified and discussed in the context of the utilization of cybersecurity visualizations in their work environments.

Proceedings Article
21 Nov 2020
TL;DR: The contribution of this paper is an arrangement whereby proof of software approval and integrity can be established, exchanged and validated during service invocations.
Abstract: Military computing is migrating to cloud architecture for several reasons, one of them being the opportunities for improved security management. One such opportunity is to ensure that cloud clients are running approved and untainted program code, provided as a proof presented to the cloud service. Such proofs can extend the trust in the client's integrity further than what traditional access control protocols can provide. While access control protocols can ensure that a computer is operated by authorized and trained personnel, they cannot ensure that the client computer is unaffected by malware or poor software control. Problems related to illegitimate program code cannot, in general, be solved by traditional security protocols. The contribution of this paper is an arrangement whereby proof of software approval and integrity can be established, exchanged and validated during service invocations. The demonstration program is a chat forum where the exchanged messages are signed and validated on the client computers, a typical use case which may benefit from our contribution. Two different client-server protocols were tested in order to study the applicability of our contribution. Keywords: cloud security; integrity attestation; trusted computing; Google ChromeOS.

Proceedings Article
21 Nov 2020
TL;DR: The approach introduced in this paper provides the conceptualization and implementation of an information flow model as a foundation for the subsequent development of a multi-layered risk model for critical infrastructures.
Abstract: Building a realistic environment for simulating cascading effects in critical infrastructures depends heavily on information received from experts, as well as on an accurate representation of processes and assets related to critical infrastructures. The approach introduced in this paper provides the conceptualization and implementation of an information flow model as a foundation for the subsequent development of a multi-layered risk model. The designed models represent both a process view, with the focus on procedures carried out by critical infrastructures, and a more technical object view, by defining objects and parameters representing assets and interactions. Starting with an analysis of relevant threats and affected infrastructures, use case scenarios are prepared in textual form and subsequently evaluated together with critical infrastructure representatives in end-user workshops. Based on the respective use case, a process view is established in the form of an activity diagram including information flows, displaying the processes of critical infrastructures during a threat. The activity diagram supports the evaluation and collection of information during subsequent end-user workshops with the aim of reviewing and substantiating the model. The object diagram provides the technical aspects of the use cases, supporting the realization of a simulation and a corresponding risk model. The approach was developed in the context of a national research project for analyzing cascading effects in and between critical supply networks. The resulting diagrams demonstrate how cascading effects can be modelled in a structured form to support discussions with and between experts of critical infrastructures and emergency services, and how such models can serve as a foundation for subsequent simulation.

Proceedings Article
21 Nov 2020
TL;DR: A detection algorithm is proposed for a new type of compression bomb which can take effect with a single decompression, and the accuracy and detection efficiency of this algorithm are analyzed.
Abstract: Traditional compression bombs often work by recursive decompression, so the usual defensive measure is to decompress only a single level. However, a new type of compression bomb has recently appeared, which can take effect with a single decompression. We show the two structures of this type of compression bomb and provide the basic idea for detecting such bombs. At the same time, we point out the details that need attention in the detection process. Moreover, we propose a detection algorithm for this type of bomb and analyze the accuracy and detection efficiency of this algorithm.