funded by ONR Global

By invitation only, to be held in Prague, June 21 to 23

ONR Global organizes a working research symposium in the field of computer security, network monitoring and attack prevention. The meeting has been designed to bring together a wide range of researchers from the relevant fields (such as computer security, network engineering, computer science, artificial intelligence, game theory) with the interested parties from the user community (such as government agencies and commercial firms). The goal of the meeting is to address the following themes:

  • presentation, discussion and specification of current and future computer attack scenarios
  • discussion of the relevant research challenges and of techniques that extend the state of the art
  • technology matchmaking: finding the right combination of technologies for various classes of scenarios
  • future trends in security issues at the boundary between the physical and the digital world

The meeting will be focused and invitation only. The program will include panel discussions, keynote talks and individual presentations by participants. The program will be announced soon.

Additional information: The workshop will focus on networks and network security in general, with special emphasis on distributed control systems and mission-critical systems. To date approximately 40 attendees have been invited to this closed meeting. The meeting will be hosted by the Department of Cybernetics of the Czech Technical University in Prague, an EU center of excellence. The conference will be co-funded by ONRG and EOARD, with attendance by ONR Code 31, AFRL and CERDEC. One of the workshop goals is the solicitation of individual and joint research proposals.

Keynote speakers:

  • Dipankar Dasgupta, University of Memphis, US
  • Thomas Duebendorfer, Google Zurich, CH
  • Andreas Kind, IBM Research Zurich, CH

Day 1: Problems and Threats

09:30

Registration

10:00

Opening

Paul Losiewicz, ONR Prague; and CTU organizers

10:40

Keynote: Challenges and Future Topics of Flow-based Traffic Analysis and Visualization

Andreas Kind, IBM Research, Switzerland

In this talk I will present challenges and future topics in network security from an enterprise perspective. A particular focus will be on flow-based analysis and visualization of network traffic. I will describe our experience with the development and commercialization of a NetFlow/IPFIX system and the opportunities for extending the system towards behavioral anomaly detection, advanced visualization and integration with other data sources (e.g., packet-level monitoring data).

11:40

Break

12:00

Risk Management in VoIP Networks and Services

Rémi Badonnel, INRIA, FR

VoIP telephony is less confined and therefore more exposed to security threats than traditional PSTN telephony. These threats are either specific to VoIP protocols, such as SPIT, or inherited from the IP layer, such as ARP poisoning. A large variety of protection mechanisms is available, but these mechanisms may seriously impact the quality and usability of such a critical service. For instance, the application of authentication, filtering and encryption techniques may seriously increase the delays and loads of VoIP communications. In that context, we propose to exploit and automate risk management methods and techniques for VoIP infrastructures. Our approach aims at dynamically adapting the exposure of a VoIP enterprise network with respect to the threat potentiality while minimizing the impact on the VoIP service.

12:20

Coordination of Malware by Means of Steganography

Tomáš Pevný, CTU in Prague, CZ

12:40

Mixed Initiative Security Agents

Rachel Greenstadt, Drexel University, US

Security decision-making is hard for both humans and machines. This is because security decisions are context-dependent, require specialized knowledge, are highly dynamic due to sophisticated adversaries and evolving threats, and require complex risk analysis. Multiple user studies show that humans have difficulty making these decisions, due to insufficient information and bounded rationality. However, current automated solutions are often too rigid to adequately address the problem, and leave their users more confused and inept when they fail. A mixed-initiative approach, in which users and machines collaborate to make security decisions and make use of complementary strengths rather than weaknesses, is needed. This will require shared representations of contextual information, well-designed interfaces, adversarially-resistant learning mechanisms, and trustworthy methods for incorporating global information from outside sources. This talk will explore how these mechanisms can be used to aid in real-world security decisions such as detecting phishing attacks, identifying and removing web infections from hosting providers, optimizing private constraints and posting anonymously to the Internet.

13:00

Lunch

14:30

Panel Discussion: Emerging Threats and Future Risks

Participants to be announced.

15:30

Break

15:50

Chuck Norris Botnet

Pavel Celeda, Jiri Vykopal, Masaryk University

This presentation describes a new botnet that we discovered at the beginning of December 2009. Our NetFlow-based network monitoring system reported an increasing number of Telnet scanning probes. Tracing them back to their sources, we identified infected DSL modems and home routers worldwide. Nowadays various vendors use Linux in these kinds of devices. A further investigation has shown that most deployed SoHo (small office/home office) devices use default passwords or unfixed vulnerable firmware. Some devices do not deny remote access via Telnet, SSH or web interface. Linux malware exploiting weak passwords allows fast propagation and virtually unlimited potential for malicious activities. In comparison to traditional desktop-oriented malware, end users have almost no chance to discover a bot infection. We named the botnet after Chuck Norris because an early version included the string "[R]anger Killato : in nome di Chuck Norris!"
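The symptom that led to the discovery above (a rising count of Telnet probes in flow data, as also discussed in the earlier flow-analysis keynote) can be reproduced with a few lines over flow records. The following is an added example written for this page, not the Masaryk University monitoring system or any IBM product: it parses a simplified CSV flow export (the field order is an assumption, not a real exporter format), then reports every source that, within one time window, touched many distinct hosts on TCP/23 with one- or two-packet flows, which is the signature of a SYN sweep rather than of real Telnet sessions. The sample records are constructed.

```python
"""Added example: flagging Telnet scanning sources in flow records.

Illustrative code, not the monitoring system described in the talk. The CSV
layout is an assumption made for this example:
    ts,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

TCP = 6
TELNET = 23


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified CSV export; '#' lines are comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        if len(f) != 8:
            raise ValueError(f"malformed flow record: {raw!r}")
        flows.append(Flow(int(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          int(f[5]), int(f[6]), int(f[7])))
    return flows


def telnet_scanners(flows: List[Flow], window: int = 300,
                    min_targets: int = 10, max_packets: int = 2) -> Dict[str, int]:
    """Return {src_ip: distinct TCP/23 targets} for sources that probed at
    least `min_targets` distinct hosts on Telnet with tiny flows (SYN probes
    are one or two packets) inside a single `window`-second bucket.

    A legitimate admin opening a few long Telnet sessions is not flagged: few
    targets, and many packets per flow."""
    targets = defaultdict(set)  # (time bucket, src) -> set of dst hosts
    for fl in flows:
        if fl.proto != TCP or fl.dport != TELNET or fl.packets > max_packets:
            continue
        targets[(fl.ts // window, fl.src)].add(fl.dst)
    worst: Dict[str, int] = {}  # src -> largest fan-out seen in one bucket
    for (_, src), dsts in targets.items():
        if len(dsts) >= min_targets:
            worst[src] = max(worst.get(src, 0), len(dsts))
    return worst


def build_sample_flows() -> str:
    """Constructed sample export (not captured data): a scanner sweeping a /24
    on TCP/23, an admin with three real Telnet sessions, and a web client with
    high fan-out on TCP/80 that must not be flagged."""
    t0 = 1259625600  # arbitrary start time: 2009-12-01 00:00:00 UTC
    lines = ["# ts,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"]
    for i in range(1, 21):   # scanner: 20 one-packet probes, 20 distinct hosts
        lines.append(f"{t0 + i},203.0.113.7,{40000 + i},198.51.100.{i},23,6,1,60")
    for i in range(1, 4):    # admin: three sessions with real traffic
        lines.append(f"{t0 + 30 + i},10.0.0.5,{50000 + i},10.0.1.{i},23,6,40,3200")
    for i in range(1, 16):   # web client: high fan-out, but not on Telnet
        lines.append(f"{t0 + 60 + i},10.0.0.6,{51000 + i},192.0.2.{i},80,6,1,60")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in telnet_scanners(parse_flows(build_sample_flows())).items():
        print(f"{src}: {n} distinct Telnet targets in one window")
```

On the constructed input only 203.0.113.7 is reported; the threshold and window are the knobs to tune against a site's baseline, and the packet cap is what separates probes from sessions.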

16:10

Large-Scale Dynamic Malware Analysis: Problems, Solutions, and Challenges

Engin Kirda

Malicious software (or malware) is one of the most pressing and major security threats facing the Internet today. Anti-virus companies typically have to deal with tens of thousands of new malware samples every day. To cope with these large quantities, researchers and practitioners alike have developed a number of automated, dynamic malware analysis systems. These systems automatically execute a program in a controlled environment, and produce a report describing the program's behavior. An example of such an analysis system is Anubis, a public dynamic malware analysis system that we have developed and have been maintaining for more than three years. In this talk, I will discuss the problems and challenges in dynamic malware analysis. Finally, I will elaborate on the remaining challenges and open research topics in the area.

16:30

0-day Anomaly Detection Made possible Thanks to Machine Learning

Philippe Owezarski

Network traffic anomaly detection and analysis has been a hot research topic for many years. Current detection systems employ two different approaches to tackle the problem, either using signature-based detection methods or supervised machine-learning techniques. However, both approaches present serious limitations. The former fails to detect new unknown anomalies, the latter relies heavily on labeled data for training, which is difficult and expensive to produce. These limitations become highly restrictive in the current Internet traffic scenario, characterized by emerging network applications and new variants of network attacks. In this paper, we introduce a novel approach to detect network traffic attacks in a completely unsupervised fashion. The proposed method does not assume any anomaly signature or particular model for anomaly-free traffic, which allows for detection of previously unseen attacks. By combining the multiple evidence of traffic structure provided by sub-space clustering techniques, we show that our method can efficiently isolate and extract unknown anomalies buried inside large amounts of traffic. Apart from discovering new anomalies, the method automatically generates a new and easy-to-interpret signature for the newly detected anomaly, easing network administrator tasks. This new unsupervised anomaly detection method is a powerful means to detect zero-day attacks in a changing environment, where signature-based or supervised learning may fail. We evaluate the ability of our promising proposal to discover a distributed attack in real traffic from the public MAWI traffic repository, discussing future directions and ongoing work.

16:50

Discussion and closing day

Day 2: Technologies

08:30

Registration

09:00

Keynote: Bio-Inspired approaches in Cyber Security

Dipankar Dasgupta, University of Memphis, US

This talk will describe some important immunological principles like distributed processing, novel pathogen detection, multi-layered protection, decentralized control, diversity and signaling. Understanding the immune mechanisms on the abstract level will result in the development of novel approaches to solve problems of cyber security - early and dependable detection and recognition of information attacks, rational utilization of the network resources for minimization of the damage and fast recovery, and development of successful means and ways to prevent further attacks. I will demonstrate a bio-inspired tool, called Negative Authentication, which can provide a robust solution in immunizing authentication systems (local, remote or online) by putting an additional layer of protection (invisible) to the user.

10:00

Break

10:20

Biologically Inspired Security for Ad-Hoc and Tactical Networks

Marco Carvalho, IHMC, Florida, US

10:40

Obfuscation Resilient Behavior Based IDS based on Colored Petri Nets

Arnur Trakhtabayev, SUNY Binghamton, NY, US

Behavior-based intrusion detection has become the only effective solution against modern malware, which usually employs binary morphism to avoid conventional anti-viruses. Dynamic behavior-based IDS (BBIDS) depend on three interrelated factors: signature expressiveness, behavioral obfuscation and run-time efficiency. Signature expressiveness determines the success of an IDS in detecting multiple realizations of the same malware. Behavioral obfuscation/metamorphism is an emerging threat perceived as a common feature of future information attacks. Signature matching efficiency determines the scalability of dynamic BBIDS. These aspects of BBIDS development are addressed. To achieve higher signature expressiveness, we present a new approach for the formal specification of malicious functionalities based on activity diagrams (AD) defined in an abstract domain. So-called abstract functional objects are introduced for creating highly generic specifications while preserving the discriminatory properties. The resultant AD would incorporate multiple realizations of the specified functionality, hence increasing the semantics and expressiveness of the signature. Possible behavioral obfuscation techniques, inter-process and intra-process, that can compromise existing BBIDS are analyzed and classified. We propose the augmentation (generalization) of otherwise obfuscation-prone specifications into more generic, obfuscation-resilient specifications. We propose the utilization of colored Petri nets (CPN) for recognizing functionalities at the system call level. We suggest the incorporation of information flows into CPN to achieve fine-grained recognition. Finally, we propose a procedure that translates AD into CPN that recognize these AD in the system call domain enriched with information flow data.

As an enabling technology, we developed a generic CPN simulator, a software module suitable for specifying any complex event (such as a functionality of interest) as a unique combination of interrelated low-level events. It also performs the assembling (detection) of the complex event from the observed low-level events. The proposed techniques have been implemented in a prototype IDS and evaluated on dozens of malware samples and hundreds of legitimate programs. The experimental results indicate low false positives and negatives, as well as low execution overhead and a negligible overhead penalty due to anti-obfuscation generalization.

11:00

Virtual world, opportunities and security

Graham Hili, RHUL, UK

The popularity of Virtual Worlds (VW) is on the increase because they provide new and exciting opportunities for everyone from the casual user up to enterprises. VW facilitate communication and social interaction between digital personas, but also provide new business opportunities. Although VW provide new opportunities, all this comes with a huge cost in security. Problems like confidentiality, non-repudiation and integrity are a few of the security issues to be faced every day in VW. These security problems might be admissible and acceptable for the casual user who just uses VW as another medium of entertainment, but in the enterprise environment these issues are unacceptable. Casual users might not even care who is on the other side of the communication medium. This is quite the opposite for enterprises, especially when handling financial transactions or sensitive company information, where it is of paramount importance to be able to identify and classify the user on the other side.

11:20

The emerging threat of large-scale spam campaigns via social networking sites

Sebastian Schrittwieser, TU Wien, Austria

Within this talk we present our novel friend injection attack, which exploits the fact that the great majority of social networking sites fail to protect the communication between their users and their services. In a practical evaluation, on the basis of public wireless access points, we furthermore demonstrate the feasibility of our attack. The friend injection attack enables a stealthy infiltration of social networks and thus outlines the devastating consequences of possible eavesdropping attacks against social networking sites.

11:40

Discussion and closing day

12:00

Lunch

14:00

Social Program

Day 3: Solutions

09:00

Keynote: Top 5 challenges in Internet Security

Thomas Duebendorfer, Google, Switzerland

We will look at today's five most prevailing security challenges in the Internet. Security professionals nowadays face a complex communication and service system, where users host data in the cloud and where organized crime runs targeted attacks. Furthermore, people connect through social networks often without fully understanding the privacy implications of sharing data with people they hardly know. The talk will outline areas where more research and novel technical solutions are needed to increase security of the ever evolving Internet.

10:00

Break

10:20

Game-Theoretic Methods for IDS Adaptation

Michal Pechoucek, CTU in Prague, CZ

We present a self-adaptation mechanism for a Network Intrusion Detection System which uses a game-theoretic mechanism to increase system robustness against targeted attacks on IDS adaptation. We model the adaptation process as strategy selection in a sequence of single-stage, two-player games. The key innovation of our approach is a secure runtime game definition and numerical solution, and the real-time use of game solutions for dynamic system reconfiguration. Our approach is suited for realistic environments where we typically lack any ground-truth information regarding traffic legitimacy/maliciousness and where a significant portion of system inputs may be shaped by the attacker in order to render the system ineffective. Therefore, we rely on the concept of challenge insertion: we inject a small sample of simulated attacks into the unknown traffic and use the system response to these attacks to define the game structure and utility functions. This approach is also advantageous from the security perspective, as manipulation of the adaptive process by the attacker is far more difficult. Our experimental results suggest that the use of the game-theoretic mechanism comes with little or no penalty when compared to traditional self-adaptation methods.
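The two ideas in the abstract above, challenge insertion and choosing the IDS configuration as a strategy in a zero-sum game, can be shown end to end on a toy scale. The block below is an added example written for this page, not the CTU system: background traffic is unlabeled and only the inserted challenges (simulated attacks with known class) carry labels; the defender's payoff for each (configuration, attack class) pair is the share of challenges of that class the configuration detects, minus an assumed penalty for background sources it flags; the resulting matrix is solved for the defender's maximin mixed strategy by fictitious play. Every feature, threshold, attack class, sample value and the false-positive weight is an assumption made for the example.

```python
"""Added example: IDS configuration choice via challenge insertion and a
zero-sum game. Illustrative code, not the authors' system; all data and
parameters below are assumptions made for this example.
"""
from typing import Callable, Dict, List, Tuple

# Each source is summarised as (distinct destinations, packets per second).
# Background traffic is unlabeled: nothing is assumed about it. Constructed.
BACKGROUND: Dict[str, Tuple[int, int]] = {
    "10.0.0.1": (3, 5),
    "10.0.0.2": (12, 40),
    "10.0.0.3": (1, 300),
    "10.0.0.4": (6, 20),
}

# Challenges: simulated attacks of known class inserted into the unknown
# traffic; only their detection outcome feeds the game. Constructed.
CHALLENGES: Dict[str, List[Tuple[int, int]]] = {
    "scan": [(8, 2), (15, 3)],
    "flood": [(1, 500), (2, 800)],
}

# Defender's pure strategies: candidate detector configurations (assumed).
CONFIGS: Dict[str, Callable[[int, int], bool]] = {
    "fanout>=4": lambda fanout, pps: fanout >= 4,
    "pps>=100": lambda fanout, pps: pps >= 100,
    "fanout>=4 and pps>=100": lambda fanout, pps: fanout >= 4 and pps >= 100,
}

FP_WEIGHT = 0.5  # assumed cost of flagging a background source vs. missing a challenge


def payoff(config: Callable[[int, int], bool], attack: str) -> float:
    """Defender utility for one (configuration, attack class) pair."""
    samples = CHALLENGES[attack]
    detected = sum(config(*s) for s in samples) / len(samples)
    flagged = sum(config(*s) for s in BACKGROUND.values()) / len(BACKGROUND)
    return detected - FP_WEIGHT * flagged


def payoff_matrix() -> List[List[float]]:
    """Rows: configurations (CONFIGS order); columns: attack classes (CHALLENGES order)."""
    return [[payoff(cfg, atk) for atk in CHALLENGES] for cfg in CONFIGS.values()]


def guaranteed(matrix: List[List[float]], mix: List[float]) -> float:
    """Worst-case expected payoff of a defender mix over all attacker choices."""
    return min(sum(p * row[j] for p, row in zip(mix, matrix))
               for j in range(len(matrix[0])))


def solve_defender(matrix: List[List[float]], iters: int = 20000) -> Tuple[List[float], float]:
    """Approximate the defender's maximin mixed strategy by fictitious play
    (each side best-responds to the other's empirical play so far), then
    return whichever of that mix and the pure strategies guarantees the most.
    A mix's guaranteed value can never exceed the game value, so it is safe."""
    k, m = len(matrix), len(matrix[0])
    def_counts, att_counts = [0] * k, [0] * m
    d = max(range(k), key=lambda i: min(matrix[i]))  # start at pure maximin
    for _ in range(iters):
        def_counts[d] += 1
        # attacker minimises expected payoff against the defender's empirical mix
        a = min(range(m), key=lambda j: sum(def_counts[i] * matrix[i][j] for i in range(k)))
        att_counts[a] += 1
        # defender maximises expected payoff against the attacker's empirical mix
        d = max(range(k), key=lambda i: sum(att_counts[j] * matrix[i][j] for j in range(m)))
    candidates = [[c / iters for c in def_counts]]
    candidates += [[1.0 if i == j else 0.0 for j in range(k)] for i in range(k)]
    best = max(candidates, key=lambda mix: guaranteed(matrix, mix))
    return best, guaranteed(matrix, best)


def pure_maximin(matrix: List[List[float]]) -> float:
    """Best worst-case payoff obtainable with a single fixed configuration."""
    return max(min(row) for row in matrix)


if __name__ == "__main__":
    mat = payoff_matrix()
    mix, value = solve_defender(mat)
    for name, p in zip(CONFIGS, mix):
        print(f"{name}: {p:.3f}")
    print(f"guaranteed utility: {value:.4f} (best pure: {pure_maximin(mat):.4f})")
```

On the constructed data no single configuration is safe: the fan-out rule misses floods, the rate rule misses scans, and the conjunction misses both, so the best pure strategy guarantees 0 while randomising evenly between the first two guarantees about 0.31. Because the payoffs come only from the defender's own challenges, an attacker shaping the background traffic cannot rewrite the matrix directly, which is the security argument the abstract makes.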

10:40

Game-Theoretic Honeypot Control

Radu State, Uni. Luxembourg, LUX

High-interaction honeypots are relevant to provide rich and useful information obtained from attackers. Honeypots come in different flavors with respect to their interaction potential. A honeypot can be very restrictive, but then only a few interactions can be observed. If a honeypot is very tolerant, though, attackers can quickly achieve their goal. Finding the best trade-off between attacker freedom and honeypot restrictions is challenging. This talk addresses the issue of self-adaptive honeypots that can change their behavior and lure attackers into revealing as much information as possible about themselves. The key idea is to leverage game-theoretic concepts for the configuration and reciprocal actions of high-interaction honeypots.

11:00

A game-theoretical perspective of the above talks

Rann Smorodinsky, Technion, IL

11:20

Discussion

11:40

Sensing, Controlling, Communicating: Vital Electronics and PSOC Building Blocks of Modern Marine Research

Andrzej Rucinski, University of New Hampshire, USA

Next-generation ocean mapping is migrating towards higher-resolution and real-time applications to monitor all-hazard disasters such as the recent oil spill in the Gulf of Mexico. Unfortunately, it is much more susceptible to errors, noise, and inaccuracies occurring in such a massive data acquisition process. Vital Electronics provides the methodology, tools, and practicum to design and implement reliable embedded systems to improve the quality of data collection in such a noisy and unpredictable environment. Vital Electronics is the study and use of electrical components, circuits, networks, and systems to achieve the design goal of protecting, saving, and improving critical infrastructure and hence the quality of life. Its domain is a heterogeneous computing environment derived from sensors, actuators, networks, embedded systems, and ambient intelligence, incorporating intelligent, robust, and trustworthy GNODEs. Application-Centric Vital Electronics Computers consist of interconnected, "self-aware" GNODEs based on "off-the-shelf" virtual computational and networking parts.

12:00

Ubiquity

Gary Burnette, US NAVY, US

I recently explained to my twin 12-year-old sons that by the time they get their driver's licenses, they had better be careful where they drive and how fast they go. I told them that when I do eventually give them the keys and they set out on their own, I will know where they are, how fast they are going, where they are headed, whether or not they are in a dangerous area, and that I'd be able to reach out and keep them from starting the car if necessary. To which one of them replied, "you'll be like a parental stalker!" I said, "absolutely, Son." Welcome to the Age of Ubiquity. The buzz lately is all about cyber (e.g. US Cyber Command, cyberwarfare, cyberspace, etc.). While understanding cyber is important, it is too narrow a topic and misses the broader aspects of what's coming. As the National Research Council (NRC) concluded in its report on Network Science, "Networks are pervasive in all aspects of life: biological, physical, and social. They are indispensable to the workings of a global economy and to the defense of the United States against both conventional military threats and the threat of terrorism." If the NRC is correct, then the buzz is misplaced - cyber is but one means that people and entities use to interact. We need to understand all facets of human and entity interaction in the future environment. This presentation will explore where technology is taking us and what it means for the humans who will interact with it.

12:20

Discussion

12:30

Lunch

13:30

Panel Discussion: From Technologies to Solutions

14:30

Break

14:50

Discussion and closing FNCS 2010

Location: Prague, Czech Republic

The location of the workshop reflects the growing relevance of the Czech Republic and surrounding region in the network security field.

Currently two of the top anti-virus and network security companies in Europe (AVG/Grisoft and ALWIL) are headquartered in the Czech Republic, while ESET is headquartered in neighboring Slovakia.

Academically, researchers at Masaryk University in Brno detected the first botnet hosted on Linux-based routers and DSL modems.

Date: 21 - 23 June, 2010

General chairs: Paul Losiewicz and Michal Pechoucek
Programme chairs: Martin Rehak and Radu State
Organization support: Bara Jenikova
Registration fee: none