Harald P. E. Vranken
Radboud University Nijmegen
Publication
Featured research published by Harald P. E. Vranken.
ACM Computing Surveys | 2017
Sven Kiljan; Koen Simoens; Danny De Cock; Marko C. J. D. van Eekelen; Harald P. E. Vranken
A survey was conducted to provide a state of the art of online banking authentication and communications security implementations. Between global regions the applied (single or multifactor) authentication schemes differ greatly, as well as the security of SSL/TLS implementations. Three phases for online banking development are identified. It is predicted that mobile banking will enter a third phase, characterized by the use of standard web technologies to develop mobile banking applications for different platforms. This has the potential to make mobile banking a target for attacks in a similar manner that home banking currently is.
availability, reliability and security | 2018
Jorrit Kronjee; Arjen Hommersom; Harald P. E. Vranken
We present a novel method for static analysis in which we combine data-flow analysis with machine learning to detect SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities in PHP applications. We assembled a dataset from the National Vulnerability Database and the SAMATE project, containing vulnerable PHP code samples and their patched versions in which the vulnerability is solved. We extracted features from the code samples by applying data-flow analysis techniques, including reaching definitions analysis, taint analysis, and reaching constants analysis. We used these features in machine learning to train various probabilistic classifiers. To demonstrate the effectiveness of our approach, we built a tool called WIRECAML, and compared our tool to other tools for vulnerability detection in PHP code. Our tool performed best for detecting both SQLi and XSS vulnerabilities. We also tried our approach on a number of open-source software applications, and found a previously unknown vulnerability in a photo-sharing web application.
availability, reliability and security | 2018
Eef van Es; Harald P. E. Vranken; Arjen Hommersom
LoRaWAN is the dominant protocol for communication in low-power Wide Area Networks in several European countries, and is being used increasingly in other parts of the world. We identified three vulnerabilities in the LoRaWAN protocol specification that can be used for launching Denial-of-Service (DoS) attacks against end-devices in a LoRaWAN network. We validated that these vulnerabilities can be exploited for DoS attacks by creating and simulating Coloured Petri Net models of relevant parts of the LoRaWAN protocol.
acm symposium on applied computing | 2018
Jos van Roosmalen; Harald P. E. Vranken; Marko C. J. D. van Eekelen
Botnets constitute a primary threat to Internet security. The ability to accurately distinguish botnet traffic from non-botnet traffic can help significantly in mitigating malicious botnets. We present a novel approach to botnet detection that applies deep learning on flows of TCP/UDP/IP-packets. In our experimental results with a large dataset, we obtained 99.7% accuracy for classifying P2P-botnet traffic. This is comparable to or better than conventional botnet detection approaches, while reducing efforts for feature engineering and feature selection to a minimum.
international conference on security and cryptography | 2016
Sven Kiljan; Harald P. E. Vranken; Marko C. J. D. van Eekelen
Online banking relies on user-owned home computers and mobile devices, all vulnerable to man-in-the-middle attacks which are used to steal money from bank accounts. Banks mitigate this by letting users verify information that originates from these untrusted devices. This is not user-friendly since the user has to process the same information twice. It also makes the user an unnecessary critical factor and risk in the security process. This paper concerns a case study of an information scheme which allows the user to enter critical information in a trusted device, which adds data necessary for the recipient to verify its integrity and authenticity. The output of the device is a code that contains the information and the additional verification data, which the user enters in the computer used for online banking. With this, the bank receives the information in a secure manner without requiring an additional check by the user, since the data is protected from the moment the user entered it in the trusted device. This proposal shows that mundane tasks for the user in online banking can be automated, which improves both security and usability.
international conference on computer science and education | 2012
Jens Haag; Stefan Karsch; Harald P. E. Vranken; M.C.J.D. van Eekelen
Technical Report ; TR-OU-INF-2014-01 | 2014
Sven Kiljan; Koen Simoens; D. De Cock; M.C.J.D. van Eekelen; Harald P. E. Vranken
Communications in computer and information science | 2015
Jens Haag; Stefan Karsch; Harald P. E. Vranken; M.C.J.D. van Eekelen; S. Zvacek; M. Restivo; J. Uhomoibhi; M. Helfert
Journal of Higher Education / Yükseköğretim Dergisi | 2014
Jens Haag; Christian Witte; Stefan Karsch; Harald P. E. Vranken; M.C.J.D. van Eekelen
Leukfeldt, E.R.;Stol, W.P. (ed.), Cyber safety: an introduction | 2012
R. Leukfeldt; M.C.J.D. van Eekelen; E. de Jong; Harald P. E. Vranken