Olaf Maennel

Network virtualization architecture: proposal and initial prototype

The tussle between reliability and functionality of the Internet is firmly biased on the side of reliability. New enabling technologies fail to achieve traction across the majority of ISPs. We believe that the greatest challenge is not in finding solutions and improvements to the Internets many problems, but in how to actually deploy those solutions and re-balance the tussle between reliability and functionality. Network virtualization provides a promising approach to enable the coexistence of innovation and reliability. We describe a network virtualization architecture as a technology for enabling Internet innovation. This architecture is motivated from both business and technical perspectives and comprises four main players. In order to gain insight about its viability, we also evaluate some of its components based on experimental results from a prototype implementation.

Bigfoot, sasquatch, the yeti and other missing links: what we don't know about the as graph

Study of the Internets high-level structure has for some time intrigued scientists. The AS-graph (showing interconnections between Autonomous Systems) has been measured, studied, modelled and discussed in many papers over the last decade. However, the quality of the measurement data has always been in question. It is by now well known that most measurements of the AS-graph are missing some set of links. Many efforts have been undertaken to correct this, primarily by increasing the set of measurements, but the issue remains: how much is enough? When will we know that we have enough measurements to be sure we can see all (or almost all) of the links. This paper aims to address the problem of estimating how many links are missing from our measurements. We use techniques pioneered in biostatistics and epidemiology for estimating the size of populations (for instance of fish or disease carriers). It is rarely possible to observe entire populations, and so sampling techniques are used. We extend those techniques to the domain of the AS-graph. The key difference between our work and the biological literature is that all links are not the same, and so we build a stratified model and specify an EM algorithm for estimating its parameters. Our estimates suggest that a very significant number of links (many of thousands) are missing from standard route monitor measurements of the AS-graph. Finally, we use the model to derive the number of monitors that would be needed to see a complete AS-graph with high-probability. We estimate that 700 route monitors would see 99.9% of links.

A Conceptual Nationwide Cyber Situational Awareness Framework for Critical Infrastructures

Protection of critical infrastructures against cyber threats is perceived as an important aspect of national security by many countries. These perceptions have extended the technical and organizational aspects of cyber security domain. However, decision makers still suffer from the lack of appropriate decision support systems. This position paper presents a conceptual framework for a nationwide system that monitors the national critical infrastructures and provides cyber situational awareness knowledge to organizational and national level decision makers. A research agenda is proposed for the implementation of this framework.

i-tee: A fully automated Cyber Defense Competition for Students

We present an Intelligent Training Exercise Environment (i-tee), a fully automated Cyber Defense Competition platform. The main features of i-tee are: automated attacks, automated scoring with immediate feedback using a scoreboard, and background traffic generation. The main advantage of this platform is easy integration into existing curricula and suitability for continuous education as well as on-site training at companies. This platform implements a modular approach called learning spaces for implementing different competitions and hands-on labs. The platform is highly automated to enable execution with up to 30 teams by one person using a single server. The platform is publicly available under MIT license.

Security and privacy issues in cloud computing

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés. Security and privacy issues in cloud computing Haider Abbas, Olaf Maennel, Saïd Assar

Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels

The Internet Protocol Version 6 (IPv6) transition opens a wide scope for potential attack vectors. IPv6 transition mechanisms could allow the set-up of covert egress communication channels over an IPv4-only or dual-stack network, resulting in full compromise of a target network. Therefore effective tools are required for the execution of security operations for assessment of possible attack vectors related to IPv6 security.

Art and Automation of Teaching Malware Reverse Engineering

The threat environment is rapidly changing and the cyber security skill shortage is a widely acknowledged problem. However, teaching such skills and keeping professionals up-to-date is not trivial. New malware types appear daily, and it requires significant time and effort by a teacher to prepare a unique, current and challenging courses in the malware reverse engineering. Novel teaching methods and tools are required. This paper describes an experience with an automated hands-on learning environment in a malware reverse engineering class taught at Tallinn University of Technology in Estonia. Our hands-on practical lab is using a fully automated Cyber Defense Competition platform Intelligent Training Exercise Environment (i-tee) [1] combined with typical Capture-The-Flag competition structure and open-source tools where possible. We describe the process of generating a unique and comparable reverse-engineering challenge and measuring the students’ progress through the process of analysis, reporting flags and debugging data, recording and taking into account their unique approach to the task. We aim to measure the students’ using the Bloom’s taxonomy, i.e., mastering the art of malware reverse engineering at the higher cognitive levels. The presented teaching and assessment method builds foundation for enhancing the future malware reverse engineering training quality and impact.

Stenmap: Framework for Evaluating Cybersecurity-Related Skills Based on Computer Simulations

Cybersecurity exercises have become increasingly popular for training and assessing practical skills of information security. Nevertheless, the main focus of those exercises still tends to be on achieving completion or winning condition, not on understanding the individual skill set of each participant. This paper builds upon related work in creating and implementing cybersecurity exercises and proposes a revised process that includes competency mapping. A new conceptual framework called “Stenmap” is introduced that turns the results of cybersecurity simulations into a more meaningful evaluation of each participant’s individual skills. Cybersec-Tech window is introduced as a tool for discussing the high-level classification of cybersecurity-related skills and reaching a common understanding among exercise organisers coming from diverse backgrounds. An Estonian national cybersecurity competition is used as an example for implementing the suggested process and Stenmap framework.

Improving and Measuring Learning Effectiveness at Cyber Defense Exercises

Cyber security exercises are believed to be the most effective training for the training audiences from top professional teams to individual students. However, evidence of learning outcomes is often anecdotal and not validated. This paper focuses on measuring learning outcomes of technical cyber defense exercises (CDXs) with Red and Blue teaming elements. We studied learning at Locked Shields, which is the largest unclassified defensive live-fire CDX in the world. This paper proposes a novel and simple methodology, called the “5-timestamp methodology”, aiming at accommodating both effective feedback (including benchmarking) and learning measurement. The methodology focuses on collection of timestamps at specific points during a cyber incident and time interval analysis to assess team performance, and argues that changes in performance over time can be used to evidence learning. The timestamps can either be collected non-intrusively from raw network traces (such as pcaps, logs) or using traditional methods, such as interviews, observations and surveys. Our experience showed that traditional methods, such as self-reporting, fail at high-speed and complex exercises. The suggested method enhances feedback loop, allows identifying learning design flaws, and provides evidence of learning value for CDXs.

On the predictive power of shortest-path weight inference

Reverse engineering of the Internet is a valuable activity. Apart from providing scientific insight, the resulting datasets are invaluable in providing realistic network scenarios for other researchers. The Rocketfuel project attempted this process, but it is surprising how little effort has been made to validate its results. This paper concentrates on validating a particular inference methodology used to obtain link weights on a network. There is a basic difficulty in assessing the accuracy of such inferences in that a non-unique set of link-weights may produce the same routing, and so simple measurements of accuracy (even where ground truth data are available) do not capture the usefulness of a set of inferred weights. We propose a methodology based on predictive power to assess the quality of the weight inference. We used this to test Rocketfuels algorithm, and our tests suggest that it is reasonably good particularly on certain topologies, though it has limitations when its underlying assumptions are incorrect.