Publication


Featured research published by Mathias Fischer.


ACM Computing Surveys | 2015

Taxonomy and Survey of Collaborative Intrusion Detection

Emmanouil Vasilomanolakis; Shankar Karuppayah; Max Mühlhäuser; Mathias Fischer

The dependency of our society on networked computers has become frightening: In the economy, all-digital networks have turned from facilitators to drivers; as cyber-physical systems are coming of age, computer networks are now becoming the central nervous systems of our physical world—even of highly critical infrastructures such as the power grid. At the same time, the 24/7 availability and correct functioning of networked computers has become much more threatened: The number of sophisticated and highly tailored attacks on IT systems has significantly increased. Intrusion Detection Systems (IDSs) are a key component of the corresponding defense measures; they have been extensively studied and utilized in the past. Since conventional IDSs are not scalable to big company networks and beyond, nor to massively parallel attacks, Collaborative IDSs (CIDSs) have emerged. They consist of several monitoring components that collect and exchange data. Depending on the specific CIDS architecture, central or distributed analysis components mine the gathered data to identify attacks. Resulting alerts are correlated among multiple monitors in order to create a holistic view of the network monitored. This article first determines relevant requirements for CIDSs; it then differentiates distinct building blocks as a basis for introducing a CIDS design space and for discussing it with respect to requirements. Based on this design space, attacks that evade CIDSs and attacks on the availability of the CIDSs themselves are discussed. The entire framework of requirements, building blocks, and attacks as introduced is then used for a comprehensive analysis of the state of the art in collaborative intrusion detection, including a detailed survey and comparison of specific CIDS approaches.


personal, indoor and mobile radio communications | 2008

A Distributed IP Mobility Approach for 3G SAE

Mathias Fischer; Frank-Uwe Andersen; Andreas Köpsel; Günter Schäfer; Morten Schläger

Future generations of mobile operator networks, based on an all-IP-based flat architecture and a multitude of different access technologies, require a proper IP-based mobility management in place. In this article, a scalable and completely distributed mobility management is presented which is based on a Distributed Hash Table data structure. The Distributed IP Mobility Approach (DIMA) remains completely compatible towards Mobile IP and its variants Hierarchical Mobile IP and Proxy Mobile IP. We examine the average service time per packet and the load caused by lookups in the system, by applying a suitable mobility model and by using a traffic model consisting of a mix of representative traffic classes (HTTP, VoIP, Audio and Video streaming). Thereby, we show that the system remains scalable allowing to serve an arbitrary amount of participants, provides a network-based route optimization and a better resilience than Mobile IP at the cost of only slightly increased signalling effort.


kommunikation in verteilten systemen | 2009

Towards the design of unexploitable construction mechanisms for multiple-tree based P2P streaming systems

Michael Brinkmeier; Mathias Fischer; Sascha Grau; Guenter Schaefer

In peer-to-peer based live streaming systems, a great number of participants have to cooperate to efficiently and reliably distribute a continuous flow of data. Each receiving peer in return provides its resources to the system. Since these systems operate in a completely distributed manner, it is of particular importance to prevent malicious members from harvesting important topology information or influencing the streaming system to their needs. In this article, we analyze potential attack methods on multiple-tree-based P2P streaming systems, discuss important design decisions to constrain the impact of malicious behaviour, and we introduce the new concept of peer testaments. By analyzing existing systems, we show that so far only little attention has been given to the design of unexploitable construction mechanisms. Based on the identified design decisions, we propose a novel streaming system and evaluate it by exposing it to different types of internal attackers. Our results show that these attackers have to spend large effort to reach relevant positions in the streaming topology and that their bandwidth contribution far outnumbers the damage they achieve.


international conference on communications | 2014

On advanced monitoring in resilient and unstructured P2P botnets

Shankar Karuppayah; Mathias Fischer; Christian Rossow; Max Mühlhäuser

Botnets are a serious threat to Internet-based services and end users. The recent paradigm shift from centralized to more sophisticated Peer-to-Peer (P2P)-based botnets introduces new challenges for security researchers. Centralized botnets can be easily monitored, and once their command and control server is identified, easily be taken down. However, P2P-based botnets are much more resilient against such attempts. To make it worse, botnets like P2P Zeus include additional countermeasures to make monitoring and crawling more difficult for the defenders. In this paper, we discuss in detail the problems of P2P botnet monitoring. As our main contribution, we introduce the Less Invasive Crawling Algorithm (LICA) for efficiently crawling unstructured P2P botnets and utilize only local information. We compare the performance of LICA with other known crawling methods such as Depth-first and Breadth-first search. This is achieved by simulating these methods on not only a real-world botnet dataset, but also on an unstructured P2P file sharing network dataset. Our analysis results indicate that LICA significantly outperforms the other known crawling methods.


IEEE Transactions on Dependable and Secure Computing | 2011

On Complexity and Approximability of Optimal DoS Attacks on Multiple-Tree P2P Streaming Topologies

Sascha Grau; Mathias Fischer; Michael Brinkmeier; Günter Schäfer

We investigate the hardness of malicious attacks on multiple-tree topologies of push-based Peer-to-Peer streaming systems. In particular, we study the optimization problem of finding a minimum set of target nodes to achieve a certain damage objective. For this, we differentiate between three natural and increasingly complex damage types: global packet loss, service loss when using Multiple Description Coding, and service loss when using Forward Error Correction. We show that each of these attack problems is NP-hard, even for an idealized attacker with global knowledge about the topology. Although tree-based topologies seem susceptible to such attacks, we can even prove that (under strong assumptions about NP) there is no polynomial time attacker capable of guaranteeing a general solution quality within factors of $c_1 \log(n)$ and $c_2 2^{\log^{1-\delta} n}$ (with $n$ topology nodes, $\delta = 1/\log\log^{d} n$ for $d < 1/2$ and constants $c_1, c_2$), respectively. To our knowledge, these are the first lower bounds on the quality of polynomial time attacks on P2P streaming topologies. The results naturally apply to major real-world DoS attackers and show hard limits for their possibilities. In addition, they demonstrate superior stability of Forward Error Correction systems compared to Multiple Description Coding and give theoretical foundation to properties of stable topologies.


international conference on distributed computing systems | 2015

Zeus Milker: Circumventing the P2P Zeus Neighbor List Restriction Mechanism

Shankar Karuppayah; Stefanie Roos; Christian Rossow; Max Mühlhäuser; Mathias Fischer

The emerging trend of highly-resilient P2P botnets poses a huge security threat to our modern society. Carefully designed countermeasures as applied in sophisticated P2P botnets such as P2P Zeus impede botnet monitoring and successive takedown. These countermeasures reduce the accuracy of the monitored data, such that an exact reconstruction of the botnet's topology is hard to obtain efficiently. However, an accurate topology snapshot, revealing particularly the identities of all bots, is crucial to execute effective botnet takedown operations. With the goal of obtaining the required snapshot in an efficient manner, we provide a detailed description and analysis of the P2P Zeus neighbor list restriction mechanism. As our main contribution, we propose ZeusMilker, a mechanism for circumventing the existing anti-monitoring countermeasures of P2P Zeus. In contrast to existing approaches, our mechanism deterministically reveals the complete neighbor lists of bots and hence can efficiently provide a reliable topology snapshot of P2P Zeus. We evaluated ZeusMilker on a real-world dataset and found that it outperforms state-of-the-art techniques for botnet monitoring with regard to the number of queries needed to retrieve a bot's complete neighbor list. Furthermore, ZeusMilker is provably optimal in retrieving the complete neighbor list, requiring at most 2n queries for an n-elemental list. Moreover, we also evaluated how the performance of ZeusMilker is impacted by various protocol changes designed to undermine its provable performance bounds.


security and privacy in smartphones and mobile devices | 2013

This network is infected: HosTaGe - a low-interaction honeypot for mobile devices

Emmanouil Vasilomanolakis; Shankar Karuppayah; Mathias Fischer; Max Mühlhäuser; Mihai Plasoianu; Lars Pandikow; Wulf Pfeiffer

In recent years, the number of sophisticated cyber attacks has increased rapidly. At the same time, people tend to utilize unknown, in terms of trustworthiness, wireless networks in their daily life. They connect to these networks, e.g., airports, without knowledge of whether they are safe or infected with actively propagating malware. In traditional networks, malicious behavior can be detected via Intrusion Detection Systems (IDSs). However, IDSs cannot be applied easily to mobile environments and to resource constrained devices. Another common defense mechanism is honeypots, i.e., systems that pretend to be an attractive target to attract malware and attackers. As a honeypot has no productive use, each attempt to access it can be interpreted as an attack. Hence, they can provide an early indication of malicious network environments. Since low interaction honeypots do not demand high CPU or memory requirements, they are suitable for resource constrained devices like smartphones or tablets. In this paper we present the idea of Honeypot-To-Go. We envision portable honeypots on mobile devices that aim at the fast detection of malicious networks and thus boost the security awareness of users. Moreover, to demonstrate the feasibility of this proposal we present our prototype HosTaGe, a low-interaction honeypot implemented for the Android OS. We present some initial results regarding the performance of this application as well as its ability to detect attacks in a realistic environment. To the best of our knowledge, HosTaGe is the first implementation of a generic low-interaction honeypot for mobile devices.


network and system security | 2013

Distributed and Anonymous Publish-Subscribe

Jörg Daubert; Mathias Fischer; Stefan Schiffner; Max Mühlhäuser

Publish-subscribe is a scheme for distributing information based on interests. While security mechanisms have been added to publish-subscribe, privacy, in particular anonymous communication, is hardly considered. We summarize security and privacy requirements for such systems, including an adversary model for privacy. We introduce a construction for publish-subscribe overlays that fulfills the requirements. Contrary to previous approaches, it presumes neither an online trusted third party nor expensive cryptographic operations performed by brokers. Further, we informally discuss how our requirements are met.


Computer Communications | 2016

AnonPubSub: Anonymous publish-subscribe overlays

Jörg Daubert; Mathias Fischer; Tim Grube; Stefan Schiffner; Panayotis Kikiras; Max Mühlhäuser

Publish-subscribe is an increasingly popular messaging pattern for distributed systems, supporting scalable and extensible programming, and optimal spatial, temporal, and control-flow decoupling of distributed components. Publish-subscribe middleware and methods were extended towards supporting security, in particular confidentiality, and increased availability, yet a few prior works addressed anonymity of participants. Anonymity of senders and receivers may however be crucial, e.g., for supporting freedom of expression in regimes where political repression and censorship prevail. In this article, we review basic security and privacy requirements and introduce a new attacker model based on statistical disclosure, used to challenge anonymity. We elaborate on design options for privacy-preserving publish-subscribe systems and present a novel system that leverages peer-to-peer networking concepts; this novel approach protects subscriber anonymity by means of Probabilistic Forwarding (PF) and through a novel so-called Shell Game (SG) algorithm. We verify our solution against the requirements and provide a simulation-based analysis of the effectiveness of our approaches in light of our attacker model. The results show that the SG algorithm efficiently protects subscriber anonymity, and that anonymity sets can be adjusted via PF.


security of information and networks | 2014

HosTaGe: a Mobile Honeypot for Collaborative Defense

Emmanouil Vasilomanolakis; Shankar Karuppayah; Max Mühlhäuser; Mathias Fischer

The continuous growth of the number of cyber attacks along with the massive increase of mobile devices creates a highly heterogeneous landscape in terms of security challenges. We argue that in order for security researchers to cope with both the massive amount and the complexity of attacks, a more pro-active approach has to be taken into account. In addition, distributed attacks that are carried out by interconnected attackers require a collaborative defense. Diverging from traditional security defenses, honeypots are systems whose value lies in being attacked and compromised. In this paper, we extend the idea of HosTaGe, i.e., a low interaction honeypot for mobile devices. Our system is specifically designed in a user-centric manner and runs out-of-the-box in the Android operating system. We present the design rationale and discuss the different attack surfaces that HosTaGe is able to handle. The main contribution of this paper is the introduction of the collaborative capabilities of HosTaGe.

Collaboration


Top Co-Authors

Max Mühlhäuser, Technische Universität Darmstadt

Sascha Grau, Technische Universität Ilmenau

Emmanouil Vasilomanolakis, Technische Universität Darmstadt

Guenter Schaefer, Technische Universität Ilmenau

Thorsten Strufe, Dresden University of Technology

Jörg Daubert, Technische Universität Darmstadt

Michael Brinkmeier, Technische Universität Ilmenau

Tim Grube, Technische Universität Darmstadt

Giang T. Nguyen, Dresden University of Technology