Krzysztof Cabaj
Warsaw University of Technology
Publication
Featured research published by Krzysztof Cabaj.
IEEE Network | 2016
Krzysztof Cabaj; Wojciech Mazurczyk
Currently, different forms of ransomware are increasingly threatening Internet users. Modern ransomware encrypts important user data, and it is only possible to recover it once a ransom has been paid. In this article we show how software-defined networking can be utilized to improve ransomware mitigation. In more detail, we analyze the behavior of popular ransomware - CryptoWall - and, based on this knowledge, propose two real-time mitigation methods. Then we describe the design of an SDN-based system, implemented using OpenFlow, that facilitates a timely reaction to this threat, and is a crucial factor in the case of crypto ransomware. What is important is that such a design does not significantly affect overall network performance. Experimental results confirm that the proposed approach is feasible and efficient.
Computers & Electrical Engineering | 2017
Krzysztof Cabaj; Marcin Gregorczyk; Wojciech Mazurczyk
Ransomware is currently one of the key threats facing individuals and corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data, and it is only possible to recover it once a ransom has been paid. Therefore, devising efficient and effective countermeasures is a pressing necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes the characteristics of the ransomware communication. Based on an observation of network communication between two crypto ransomware families, namely CryptoWall and Locky, we conclude that an analysis of the HTTP message sequences and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. The experimental results confirm that the proposed approach is feasible and efficient.
Multimedia Tools and Applications | 2012
Wojciech Mazurczyk; Krzysztof Cabaj; Krzysztof Szczypiorski
Voice over IP (VoIP) is unquestionably the most popular real-time service in IP networks today. Recent studies have shown that it is also a suitable carrier for information hiding. Hidden communication may pose security concerns as it can lead to confidential information leakage. In VoIP, RTP (Real-time Transport Protocol) in particular, which provides the means for the successful transport of voice packets through IP networks, is suitable for steganographic purposes. It is characterised by a high packet rate compared to other protocols used in IP telephony, resulting in a potentially high steganographic bandwidth. The modification of an RTP packet stream provides many opportunities for hidden communication as the packets may be delayed, reordered or intentionally lost. In this paper, to enable the detection of steganographic exchanges in VoIP, we examined real RTP traffic traces to answer the questions, what do the “normal” delays in RTP packet streams look like? and, is it possible to detect the use of known RTP steganographic methods based on this knowledge?
Przegląd Elektrotechniczny | 2015
Krzysztof Cabaj; Piotr Gawkowski
The paper presents the HoneyPot technology as well as the experience gained from its usage in the network of the Institute of Computer Science, Warsaw University of Technology. On this background the concept of HoneyPot systems is presented and discussed. The paper is illustrated with the real-life cases of some recent vulnerabilities observed on our HoneyPots. Abstract. The paper presents HoneyPot system technologies and the experience gathered from their use in the network of the Institute of Computer Science of the Warsaw University of Technology. Against this background, the concepts of HoneyPot systems and real cases of the latest threats observed on our HoneyPot systems are presented and discussed. (HoneyPot systems in practice).
Federated Conference on Computer Science and Information Systems | 2014
Krzysztof Cabaj; Jacek Wytrebowicz; Slawomir Kuklinski; Paweł Radziszewski; Khoa Truong Dinh
The Software Defined Networking (SDN) paradigm introduces separation of data and control planes for flow-switched networks and enables different approaches to network security than those existing in present IP networks. The centralized control plane, i.e. the SDN controller, can host new security services that profit from the global view of the network and from direct control of switches. Some security services can be deployed as external applications that communicate with the controller. Due to the fact that all unknown traffic must be transmitted for investigation to the controller, maliciously crafted traffic can lead to a Denial of Service (DoS) attack on it. In this paper we analyse features of SDN in the context of security application. Additionally we point out some aspects of SDN networks that, if changed, could improve SDN network security capabilities. Moreover, the last section of the paper presents a detailed description of security application that detects a broad kind of malicious activity using key features of SDN architecture.
ISMIS Industrial Session | 2011
Piotr Gawkowski; Przemysław Pawełczyk; Janusz Sosnowski; Krzysztof Cabaj; Marcin Gajda
Developing software for mobile platforms, we face the problem of dealing with various erroneous situations, transient faults and component incompatibilities which influence their operations. This results in the need of embedding error detection mechanisms and software procedures handling them. This problem has been appreciated by Samsung. As a consequence of this need we have developed a special tool (LRFI) which allows simulating various fault effects and observing their propagation as well as the effectiveness of handling them in real mobile products of Samsung. The paper outlines the capabilities of fault injection technique and presents an original tool dedicated for mobile environment. Some practical experience with this tool has also been reported.
Intelligent Tools for Building a Scientific Information Platform | 2013
Janusz Sosnowski; Piotr Gawkowski; Krzysztof Cabaj
During system exploitation and maintenance an important issue is to evaluate its operational profile and detect occurring anomalies or situations which may lead to such anomalies (anomaly prediction issue). To resolve these problems we have studied the capabilities of standard event and performance logs which are available in computer systems. In particular we have concentrated on checking the morphology and information contents of various event logs (system, application levels) as well as the correlation of performance logs with operational profiles. This analysis has been supported with some tools and special scripts.
Global Communications Conference | 2010
Vassilis N. Merekoulias; Vassiliki Pouli; Yacine Rebahi; Sheila Becker; Krzysztof Cabaj; Giorgos Aristomenopoulos; Symeon Papavassiliou
The proliferation and integration of communication networks in social life has increased the need for trusted systems of advanced and intelligent capabilities. Future networks are calling for new ways to efficient management, operation and service provisioning. Autonomicity becomes an enabler for self-manageability of future networks and therefore autonomic networking provides the necessary new paradigm for these networks to become manageable and scalable. Autonomic entities base their decision within a network on experience gathered and information exchanged. Trust management mechanisms can provide the necessary security framework in such an environment towards robust coherent autonomic networking. In this paper we present trust models and sketch a trust management architecture, applicable to complex future networking environments. We handle the special requirements set by autonomicity and try to strengthen the autonomic characteristics of the nodes as well as the robustness of service provisioning.
arXiv: Cryptography and Security | 2008
Krzysztof Szczypiorski; Igor Margasiński; Wojciech Mazurczyk; Krzysztof Cabaj; Paweł Radziszewski
The paper presents TrustMAS - Trusted Communication Platform for Multi-Agent Systems, which provides trust and anonymity for mobile agents. The platform includes anonymous technique based on random-walk algorithm for providing general purpose anonymous communication for agents. All agents, which take part in the proposed platform, benefit from trust and anonymity that is provided for their interactions. Moreover, in TrustMAS there are StegAgents (SA) that are able to perform various steganographic communication. To achieve that goal, SAs may use methods in different layers of TCP/IP model or specialized middleware enabling steganography that allows hidden communication through all layers of mentioned model. In TrustMAS steganographic channels are used to exchange routing tables between StegAgents. Thus all StegAgents in TrustMAS with their ability to exchange information by using hidden channels form distributed steganographic router (Steg-router).
International Conference on Security in Computer Networks and Distributed Systems | 2012
Jerzy Konorski; Piotr Pacyna; Grzegorz Kołaczek; Zbigniew Kotulski; Krzysztof Cabaj; Pawel Szalachowski
An EU Future Internet Engineering project currently underway in Poland defines three Parallel Internets (PIs). The emerging IIP System (IIPS, abbreviating the project’s Polish name), has a four-level architecture, with Level 2 responsible for creation of virtual resources of the PIs. This paper proposes a three-tier security architecture to address Level 2 threats of alien traffic injection and IIPS traffic manipulation or forging. It is argued that the measures to be taken differ in nature from those ensuring classical security attributes. A combination of hard- and soft-security mechanisms produces node reputation and trust metrics, which permits to eliminate or ostracize misbehaving nodes. Experiments carried out in a small-scale IIPS testbed are briefly discussed.