Publication


Featured research published by Sebastian Abt.


conference on network and service management | 2014

Blessing or curse? Revisiting security aspects of Software-Defined Networking

Lisa Schehlmann; Sebastian Abt; Harald Baier

Software-Defined Networking (SDN) is an emerging technology, physically separating data and control planes of network devices. From a security point of view SDN has two sides. First, it enables network security functions by design, because traffic flows can be redirected or filtered based on packet content or application layer state - functionality, which to date requires additional network security devices like firewalls, intrusion detection systems or spam filters in conventional networks. On the other hand, due to physical separation of planes, SDN possibly offers additional attack vectors compared to traditional network architectures, which may severely impact overall network availability as well as confidentiality, authenticity, integrity and consistency of network traffic and control data. In this paper, we discuss and balance security provided by SDN with security threats of SDN also in respect of traditional networks. We develop an evaluation methodology for both sides and show that from a security point of view SDN is a blessing for today's and future network design and operation.


Datenschutz Und Datensicherheit - Dud | 2011

Biometric template protection

Christoph Busch; Ulrike Korte; Sebastian Abt; Christian Böhm; Ines Färber; Sergej Fries; Johannes Merkle; Claudia Nickel; Alexander Nouak; Alexander Opel; Annahita Oswald; Thomas Seidl; Bianca Wackersreuther; Peter Wackersreuther; Xuebing Zhou

Abstract: Biometric systems are technically mature and today offer recognition performance that was unattainable 10 years ago. However, widespread use of biometric authentication methods is held back by concerns about the necessary protection of reference data. Secure and privacy-friendly processing of biometric data becomes possible when template protection methods are used. These methods were examined in a scientific study (BioKeyS-Pilot-DB Teil 2) by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). This article reports on the results of the project. It shows how mechanisms for protecting biometric data can be combined with additional information, e.g. passwords, and how the methods can also be used in identification systems.


2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) | 2014

Are We Missing Labels? A Study of the Availability of Ground-Truth in Network Security Research

Sebastian Abt; Harald Baier

Network security is a long-lasting field of research constantly encountering new challenges. Inherently, research in this field is highly data-driven. Specifically, many approaches employ a supervised machine learning approach requiring labelled input data. While different publicly available data sets exist, labelling information is sparse. In order to understand how our community deals with this lack of labels, we perform a systematic study of network security research accepted at top IT security conferences in 2009-2013. Our analysis reveals that 70% of the papers reviewed rely on manually compiled data sets. Furthermore, only 10% of the studied papers release the data sets after compilation. This manifests that our community is facing a missing labelled data problem. In order to be able to address this problem, we give a definition and discuss crucial characteristics of the problem. Furthermore, we reflect and discuss roads towards overcoming this problem by establishing ground-truth and fostering data sharing.


Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop | 2014

A Plea for Utilising Synthetic Data when Performing Machine Learning Based Cyber-Security Experiments

Sebastian Abt; Harald Baier

Cyber-security research is a challenging venture where researchers especially face the problem of not having broad access to labelled real-world data sets. This unavailability of data challenges performing scientifically sound experiments. Especially for machine learning based systems, this unavailability effectively hinders us from assessing performance, attributes and limitations of such systems. One approach to address this lack of publicly available data is to perform experiments using synthetic data. However, we experience that synthetic data is seldom used in our community. This position paper gives a plea for utilising synthetic data when performing machine learning based cyber-security experiments. For this, we collect major challenges our community faces today and discuss how synthetic data can help solve them. Furthermore, we discuss open questions in the area of data synthesis and propose directions for future work.


autonomous infrastructure management and security | 2013

Passive remote source NAT detection using behavior statistics derived from netflow

Sebastian Abt; Christian Dietz; Harald Baier; Slobodan Petrovic

Network Address Translation (NAT) is a technique commonly employed in today's computer networks. NAT allows multiple devices to hide behind a single IP address. From a network management and security point of view, NAT may not be desirable or permitted as it allows rogue and unattended network access. In order to detect rogue NAT devices, we propose a novel passive remote source NAT detection approach based on behavior statistics derived from NetFlow. Our approach utilizes 9 distinct features that can directly be derived from NetFlow records. Furthermore, our approach does not require IP address information, but is capable of operating on anonymous identifiers. Hence, our approach is very privacy friendly. Our approach requires only a 120 seconds sample of NetFlow records to detect NAT traffic within the sample with a lower-bound accuracy of 89.35%. Furthermore, our approach is capable of operating in real-time.


security of information and networks | 2014

A Small Data Approach to Identification of Individuals on the Transport Layer using Statistical Behaviour Templates

Sebastian Abt; Sebastian Gärtner; Harald Baier

Our daily life is dominated by constant Internet connectivity. In order to retrieve up-to-date information and to share personal experiences and impressions, our computers and mobile devices periodically communicate with servers or peers. During this data exchange, we constantly leave digital traces on different systems across the communication stack. These traces can be used to compute profiles of individuals. While such profiles may be used to increase user experience and convenience, they seriously affect privacy of individuals. Typically, service providers like Google or Facebook collect gigabytes to terabytes of user payload data to compute user profiles from. That is, they make use of a big data approach. In contrast to that, this paper shows a novel small data approach to compute profiles using behaviour templates derived from IP address and port number statistics. Our use case is to increase network security through concurrent identification. Our approach is capable of identifying individuals with true- and false-positive rates of 0.995 and 0.001, respectively, without relying on payload information, significantly outperforming related work.


conference on network and service management | 2016

Correlating network events and transferring labels in the presence of IP address anonymisation

Sebastian Abt; Harald Baier

The availability of labelled data, i.e. ground-truth or reference data, is typically a requirement for performing network research, especially for network security research. Labelled data, however, are sparsely available. Data sets present in repositories such as CAIDA or PREDICT are mostly missing labels and have IP addresses anonymised. Especially the latter compounds correlating these data sets with third-party information in order to assign labels a posteriori. To address this problem, we propose a scheme to anonymise IP addresses such that later correlation is still possible, without compromising security of either data sponsoring entity. The scheme we propose is based on Crypto-PAn [1] and is able to correlate events using anonymised IP addresses as correlation keys, without restricting choice of the cryptographic secret.


new technologies, mobility and security | 2015

Towards reproducible cyber-security research through complex node automation

Sebastian Abt; Reinhard Stampp; Harald Baier

Performing cyber-security experiments is challenging as access to necessary data is limited, especially at large-scale. If data is available, sharing is typically not possible due to privacy concerns and contractual requirements. Hence, reproducibility of research and comparability of results is difficult. For a prevailing empirical domain of research, this is a methodological problem. To address this problem, in this paper we propose a data generation toolchain based on automation of complex nodes - cnaf. This system is better suited for performing cyber-security experiments than related work. Especially, as our approach explicitly welcomes and leverages complexity, cnaf is capable of generating realistic data sets.


conference on network and service management | 2015

A research process that ensures reproducible network security research

Sebastian Abt; Harald Baier

Access to ground-truth data is limited in network security research, especially at large-scale. If data is available, sharing is typically not possible due to privacy concerns and contractual requirements. Hence, reproducibility of research and comparability of results is difficult. For a prevailing empirical domain of research, the resulting lack of transparency is a methodological problem which especially affects network security management in practice. To address this problem, in this paper we propose a research process that ensures reproducibility by embodying both, synthetic and real-world data. Our motivation for this is to combine best of both worlds: synthetic data is used to establish ground-truth and real-world data to assure validity of results. To the best of our knowledge, no such process has been formulated until today.


autonomous infrastructure management and security | 2013

Anomaly detection and mitigation at internet scale: a survey

Jessica Steinberger; Lisa Schehlmann; Sebastian Abt; Harald Baier

Collaboration

Top Co-Authors

Harald Baier
Darmstadt University of Applied Sciences

Christoph Busch
Norwegian University of Science and Technology

Claudia Nickel
Darmstadt University of Applied Sciences

Ulrike Korte
Gjøvik University College

Lisa Schehlmann
Darmstadt University of Applied Sciences

Christian Dietz
Darmstadt University of Applied Sciences

Reinhard Stampp
Darmstadt University of Applied Sciences