Publication


Featured research published by Dimitris Geneiatakis.


computer and communications security | 2012

Adaptive defenses for commodity software through virtual application partitioning

Dimitris Geneiatakis; Georgios Portokalidis; Vasileios P. Kemerlis; Angelos D. Keromytis

Applications can be logically separated into parts that face different types of threats, or suffer dissimilar exposure to a particular threat because of external events or innate properties of the software. Based on this observation, we propose the virtual partitioning of applications that will allow the selective and targeted application of those protection mechanisms that are most needed on each partition, or manage an application's attack surface by protecting the most exposed partition. We demonstrate the value of our scheme by introducing a methodology to automatically partition software, based on the intrinsic property of user authentication. Our approach is able to automatically determine the point where users authenticate, without access to source code. At runtime, we employ a monitor that utilizes the identified authentication points, as well as events like accessing specific files, to partition execution and adapt defenses by switching between protection mechanisms of varied intensity, such as dynamic taint analysis and instruction-set randomization. We evaluate our approach using seven well-known network applications, including the MySQL database server. Our results indicate that our methodology can accurately discover authentication points. Furthermore, we show that using virtual partitioning to apply costly protection mechanisms can reduce performance overhead by up to 5x, depending on the nature of the application.


international conference on information systems security | 2011

A multilayer overlay network architecture for enhancing IP services availability against DoS

Dimitris Geneiatakis; Georgios Portokalidis; Angelos D. Keromytis

Protection against Denial of Service (DoS) attacks is a challenging and ongoing problem. Current overlay-based solutions can transparently filter unauthorized traffic based on user authentication. Such solutions require either pre-established trust or explicit user interaction to operate, which can be circumvented by determined attackers and is not always feasible (e.g., when user interaction is impossible or undesirable). We propose a Multi-layer Overlay Network (MON) architecture that does not depend on user authentication, but instead utilizes two mechanisms to provide DoS resistance to any IP-based service, and operates on top of the existing network infrastructure. First, MON implements a threshold-based intrusion detection mechanism in a distributed fashion to mitigate DoS close to the attack source. Second, it randomly distributes user packets amongst different paths to probabilistically increase service availability during an attack. We evaluate MON using the Apache web server as a protected service. Results demonstrate MON nodes introduce very small overhead, while users' service access time increases by a factor of 1.1 to 1.7, depending on the configuration. Under an attack scenario MON can decrease the attack traffic forwarded to the service by up to 85%. We believe our work makes the use of overlays for DoS protection more practical relative to prior work.


international conference on systems, signals and image processing | 2009

Performance Evaluation of a Flooding Detection Mechanism for VoIP Networks

Dimitris Geneiatakis; Nikos Vrakas; Costas Lambrinoudakis

Internet-based telephony services (IPTel) are mainly exposed to a set of vulnerabilities inherited from the employed protocols, such as TCP/IP and proprietary VoIP protocols. One of the most critical threats in these sensitive environments is considered to be denial of service (DoS) attacks. The main concern of a mechanism that focuses on detecting such attacks is the potential end-to-end delay between communicating parties. In this paper, a hash-based flooding detection mechanism is described and evaluated in an experimental test bed architecture. The outcomes demonstrate the potential of the mechanism, as the end-to-end delay is negligible.


international conference on security and cryptography | 2015

Battling against DDoS in SIP: Is Machine Learning-based detection an effective weapon?

Zisis Tsiatsikas; Alexandros Fakis; Dimitrios Papamartzivanos; Dimitris Geneiatakis; Georgios Kambourakis; Constantinos Kolias

This paper focuses on network anomaly-detection and especially the effectiveness of Machine Learning (ML) techniques in detecting Denial of Service (DoS) in SIP-based VoIP ecosystems. It is true that until now several works in the literature have been devoted to this topic, but only a small fraction of them have done so in an elaborate way. Even more, none of them takes into account high and low-rate Distributed DoS (DDoS) when assessing the efficacy of such techniques in SIP intrusion detection. To provide a more complete estimation of this potential, we conduct extensive experimentations involving 5 different classifiers and a plethora of realistically simulated attack scenarios representing a variety of (D)DoS incidents. Moreover, for DDoS ones, we compare our results with those produced by two other anomaly-based detection methods, namely Entropy and Hellinger Distance. Our results show that ML-powered detection scores a promising false alarm rate in the general case, and seems to outperform similar methods when it comes to DDoS.


international convention on information and communication technology electronics and microelectronics | 2017

Security and privacy issues for an IoT based smart home

Dimitris Geneiatakis; Ioannis Kounelis; Ricardo Neisse; Igor Nai-Fovino; Gary Steri; Gianmarco Baldini

Internet of Things (IoT) can support numerous applications and services in various domains, such as smart cities and smart homes. IoT smart objects interact with other components, e.g., proxies, mobile devices, and data collectors, for management, data sharing and other activities in the context of the provided service. Though such components contribute to address various societal challenges and provide new advanced services for users, their limited processing capabilities make them vulnerable to well-known security and privacy threats. Until now various research works have studied security and privacy in IoT, validating this claim. However, to the best of our knowledge, the literature lacks research focusing on security and privacy flaws introduced in IoT through interactions among different devices supporting a smart home architecture. In particular, we set up the scene for a security and privacy threat analysis for a typical smart home architecture using off-the-shelf components. To do so, we employ a smart home IoT architecture that enables users to interact with it through various devices that support smart house management, and we analyze different scenarios to identify possible security and privacy issues for users.


Computers & Security | 2016

A Privacy Enforcing Framework for Android Applications

Ricardo Neisse; Gary Steri; Dimitris Geneiatakis; Igor Nai Fovino

The widespread adoption of the Android operating system in a variety of devices, ranging from smart phones to smart TVs, makes it an interesting target for developers of malicious applications. One of the main flaws exploited by these developers is the permissions granting mechanism, which does not allow users to easily understand the privacy implications of the granted permissions. In this paper, we propose an approach to enforce fine-grained usage control privacy policies that enable users to control the access of applications to sensitive resources through application instrumentation. The purpose of this work is to enhance user control on privacy, confidentiality and security of their mobile devices, with regard to application intrusive behaviours. Our approach relies on instrumentation techniques and includes a refinement step where high-level resource-centric abstract policies defined by users are automatically refined to enforceable concrete policies. The abstract policies consider the resources being used and not the specific multiple concrete API methods that may allow an app to access the specific sensitive resources. For example, access to the user location may be done using multiple API methods that should be instrumented and controlled according to the user selected privacy policies. We show how our approach can be applied in Android applications and discuss performance implications under different scenarios.


IEEE Communications Surveys and Tutorials | 2013

Evaluating the Security and Privacy Protection Level of IP Multimedia Subsystem Environments

Nikos Vrakas; Dimitris Geneiatakis; Costas Lambrinoudakis

In complex environments like the IP Multimedia Subsystem (IMS), state of the art security solutions cannot always provide satisfactory protection against any type of attack. This paper addresses the security mechanisms utilized by IMS with respect to their susceptibility to SIP based attacks that have been described in the literature. This analysis also studies the effects of 3GPP's security directions (i.e., IMS architectures) on limiting the attack chances. The protection mechanisms involved are evaluated considering three distinct and crucial factors: (i) whether the attacker is an insider or an external one, (ii) the time frame of the attack and (iii) how these attacks affect the messages' confidentiality, authenticity and integrity as well as the architecture's availability and users' privacy. A thorough review of the recently proposed protection frameworks is also provided together with an evaluation of the protection level they offer to the IMS architecture.


trust and privacy in digital business | 2010

A call conference room interception attack and its detection

Nikos Vrakas; Dimitris Geneiatakis; Costas Lambrinoudakis

The IP Multimedia Subsystem (IMS) infrastructure is currently considered to be the main core of Next Generation Networks (NGNs), integrating IP and other network types under one common infrastructure. Consequently, IMS inherits security flaws and vulnerabilities residing in all those technologies. Besides, the protection against unauthorized access in NGN services is of great importance. In this paper we present a call conference room interception attack and we propose a new cross layer architecture to shield IMS against it.


trust and privacy in digital business | 2015

Till All Are One: Towards a Unified Cloud IDS

Nikolaos Pitropakis; Costas Lambrinoudakis; Dimitris Geneiatakis

Recently there has been a trend to use cloud computing for service deployment, enjoying various advantages that it offers with emphasis on the economy which is achieved in the era of the financial crisis. However, along with the transformation of technology, several security issues are raised and especially the threat of malicious insiders. For instance, insiders can use their privileged position to accomplish an attack against the cloud infrastructure. In this paper we introduce a practical and efficient intrusion detection system solution for cloud based on the advantages of CUDA technology. The proposed solution audits the deployed virtual machines' operation, and correlates the collected information to detect uncommon behavior based on the Smith-Waterman algorithm. To do so, we collect the system calls of cloud virtual machines and compare them with pre-defined attack signatures. We implement the core of the detection module both sequentially and in parallel on CUDA technology. We evaluate our solution on an experimental CUDA-enabled cloud system in terms of performance using well known attack patterns. Results indicate that our approach greatly improves the efficiency of detection in terms of processing time compared to a sequential implementation.


joint ifip wireless and mobile networking conference | 2013

A lightweight countermeasure to cope with flooding attacks against session initiation protocol

Intesab Hussain; Soufiene Djahel; Dimitris Geneiatakis; Farid Naït-Abdesselam

Session Initiation Protocol (SIP) is a widely used protocol for voice and video communication in Internet architecture. Due to its open nature and the lack of robust security mechanisms, SIP is vulnerable to several attacks similar to those existing in Internet infrastructure, such as the flooding attack. An attacker can use any SIP request to launch a flooding attack, leading to severe consequences at either client or server side SIP elements or both of them. In this context, end users' devices are considered more vulnerable to flooding attacks due to their limited capabilities. In this paper, we focus on the INVITE flooding attack, for which we propose a simple and robust detection scheme. This scheme prevents an attacker from launching an INVITE flood through a transition state table used by the proxy to analyse the incoming INVITE requests and exclude the suspicious ones. Our scheme also requires that the end-user keeps track of the time and IP addresses of each incoming request. Furthermore, we modify the header of the REGISTER request by adding a new field named Critical number which holds the value of the maximum number of users or callers that could easily be handled by the end user. Unlike the existing solutions, our scheme does not require any special detection device or firewall at the SIP server. The proposed mechanism has been implemented in SIP Express Router (SER) and the obtained results have confirmed its effectiveness.

Collaboration


Top Co-Authors

Igor Nai Fovino

Institute for the Protection and Security of the Citizen

Georgios Portokalidis

Stevens Institute of Technology

Ricardo Neisse

Institute for the Protection and Security of the Citizen
