Publication


Featured research published by Vasilios Katos.


International Conference on Information Intelligence Systems and Applications | 2013

The Sphinx enigma in critical VoIP infrastructures: Human or botnet?

Dimitris Gritzalis; Yannis Soupionis; Vasilios Katos; Ioannis Psaroudakis; Panajotis Katsaros; Anakreon Mentis

Sphinx was a monster in Greek mythology devouring those who could not solve her riddle. In VoIP, a new service in the role of Sphinx provides protection against SPIT (Spam over Internet Telephony) by discriminating human callers from botnets. The VoIP Sphinx tool uses audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that are controlled by an anti-SPIT policy mechanism. The design of the Sphinx service has been formally verified for the absence of side-effects in the VoIP services (robustness), as well as for its DoS-resistance. We describe the principles and innovations of Sphinx, together with experimental results from pilot use cases.


Digital Investigation | 2013

A critical review of 7 years of Mobile Device Forensics

Konstantia Barmpatsalou; Dimitrios Damopoulos; Georgios Kambourakis; Vasilios Katos

Mobile Device Forensics (MF) is an interdisciplinary field consisting of techniques applied to a wide range of computing devices, including smartphones and satellite navigation systems. Over the last few years, a significant amount of research has been conducted, concerning various mobile device platforms, data acquisition schemes, and information extraction methods. This work provides a comprehensive overview of the field, by presenting a detailed assessment of the actions and methodologies taken throughout the last seven years. A multilevel chronological categorization of the most significant studies is given in order to provide a quick but complete way of observing the trends within the field. This categorization chart also serves as an analytic progress report, with regards to the evolution of MF. Moreover, since standardization efforts in this area are still in their infancy, this synopsis of research helps set the foundations for a common framework proposal. Furthermore, because technology related to mobile devices is evolving rapidly, disciplines in the MF ecosystem experience frequent changes. The rigorous and critical review of the state-of-the-art in this paper will serve as a resource to support efficient and effective reference and adaptation.


Computers & Security | 2012

Real time DDoS detection using fuzzy estimators

Stavros Shiaeles; Vasilios Katos; Alexandros Karakos; Basil K. Papadopoulos

We propose a method for DDoS detection by constructing a fuzzy estimator on the mean packet inter arrival times. We divided the problem into two challenges, the first being the actual detection of the DDoS event taking place and the second being the identification of the offending IP addresses. We have imposed strict real time constraints for the first challenge and more relaxed constraints for the identification of addresses. Through empirical evaluation we confirmed that the detection can be completed within improved real time limits and that by using fuzzy estimators instead of crisp statistical descriptors we can avoid the shortcomings posed by assumptions on the model distribution of the traffic. In addition we managed to obtain results under a 3 sec detection window.


Applied Mathematics and Computation | 2005

A randomness test for block ciphers

Vasilios Katos

This paper describes a randomness test which can be used to measure the cryptographic strength of a block cipher or its underlying cryptographic primitive(s). Cryptographic strength in the context of this paper is related to the ability of the round function to produce a random output which in turn is defined as the distance between a theoretical calculation and an experimental measure. The measurements are based on the diffusion characteristic of the cipher. Potentially, the test for randomness proposed in this paper could be used as a distinguisher based on diffusion.


Computer Standards & Interfaces | 2008

A cyber-crime investigation framework

Vasilios Katos; Peter Bednar

Epistemic uncertainty is an unavoidable attribute which is present in criminal investigations and could affect negatively the effectiveness of the process. A cyber-crime investigation involves a potentially large number of individuals and groups who need to communicate, share and make decisions across many levels and boundaries. This paper presents an approach adopting elements of the Strategic Systems Thinking Framework (SST) by which conflicting information due to the unavoidable uncertainty can be captured and processed, in support of the investigation process. A formal description of this approach is proposed as a basis for developing a cyber-crime investigation support system.


Journal of Strategic Information Systems | 2005

Modelling corporate wireless security and privacy

Vasilios Katos; Carl Adams

As corporations adopt wireless technologies then both privacy and security landscapes change dramatically, causing a reassessment of how the wireless systems can be secured and at the same time ensuring privacy obligations to their customers, staff and shareholders are met. This paper explores the relationship between wireless security and privacy issues, and develops the foundation for metrics with which to develop and examine appropriate policies. The challenge is to get consistent and supportive security and privacy policies. In addition, the adoption of a wireless infrastructure will result in richer sets of information flows, requiring additional resources to achieve the same level of security as in a wired infrastructure. Richer sets of information are also likely to have a negative impact on privacy.


Information Management & Computer Security | 2008

A partial equilibrium view on security and privacy

Vasilios Katos; Ahmed Patel

Purpose – This paper aims to propose a tool to help policy makers understand the dynamic relationships between security and privacy on a strategic (macro) level. Design/methodology/approach – The methodology is ported from the discipline of Macroeconomics, and applied to the information security and privacy domain. The methodology adopted is the so-called “cross methodology” which claims ownership of the well-known supply/demand market equilibrium exercise. Findings – Early evaluation reveals that this is a potentially very effective tool in understanding societal behaviour and position towards information security and privacy and therefore makes this a suitable tool for investigating and exploring scenarios that can assist in policy making. Originality/value – Up to date, research on the economics of security and privacy has been primarily focusing on a micro level. The main contribution of this paper is a methodology for investigating privacy and security on a macro level. We believe that our approach in u...


International Conference on e-Democracy | 2009

Information Assurance and Forensic Readiness

Georgios Pangalos; Vasilios Katos

Egalitarianism and justice are amongst the core attributes of a democratic regime and should be also secured in an e-democratic setting. As such, the rise of computer related offenses pose a threat to the fundamental aspects of e-democracy and e-governance. Digital forensics are a key component for protecting and enabling the underlying (e-)democratic values and therefore forensic readiness should be considered in an e-democratic setting. This position paper commences from the observation that the density of compliance and potential litigation activities is monotonically increasing in modern organizations, as rules, legislative regulations and policies are being constantly added to the corporate environment. Forensic practices seem to be departing from the niche of law enforcement and are becoming a business function and infrastructural component, posing new challenges to the security professionals. Having no a priori knowledge on whether a security related event or corporate policy violation will lead to litigation, we advocate that computer forensics need to be applied to all investigatory, monitoring and auditing activities. This would result into an inflation of the responsibilities of the Information Security Officer. After exploring some commonalities and differences between IS audit and computer forensics, we present a list of strategic challenges the organization and, in effect, the IS security and audit practitioner will face.


Digital Investigation | 2013

Differential malware forensics

Athina Provataki; Vasilios Katos

In this paper we present a malware forensics framework for assessing and reporting on the modus operandi of a malware within a specific organizational context. The proposed framework addresses the limitations existing dynamic malware analysis approaches exhibit. More specifically we extended the functionality of the cuckoo sandbox malware analysis tool in order to automate the process of correlating and investigating the analysis results that multiple executions of a suspect binary on distinct and specific system configurations can produce. In contrast to standard malware analysis methods that assess the potential damage a malware may cause in general, this approach enables the analyst to identify contingent behavioral changes when the malware is executed and answer questions relating to the malware's activities within a specific environment. By doing this, the analyst is in the position to report on the actual rather than theoretical actions a malware has performed, allowing the stakeholders to make informed recovery decisions. In this context, we identify the necessary forensic readiness prerequisites which are critical for the successful application and adoption of the proposed framework.


Digital Investigation | 2013

On-scene triage open source forensic tool chests: Are they effective?

Stavros Shiaeles; Anargyros Chryssanthou; Vasilios Katos

Considering that a triage related task may essentially make-or-break a digital investigation and the fact that a number of triage tools are freely available online but there is currently no mature framework for practically testing and evaluating them, in this paper we put three open source triage tools to the test. In an attempt to identify common issues, strengths and limitations we evaluate them both in terms of efficiency and compliance to published forensic principles. Our results show that due to the increased complexity and wide variety of system configurations, the triage tools should be made more adaptable, either dynamically or manually (depending on the case and context) instead of maintaining a monolithic functionality.

Collaboration

Top Co-Authors

Peter Bednar, University of Portsmouth

Pavlos S. Efraimidis, Democritus University of Thrace

Alexios Mylonas, Athens University of Economics and Business

Dimitris Gritzalis, Athens University of Economics and Business

Ioannis Psaroudakis, Democritus University of Thrace

Lilian Mitrou, University of the Aegean

Sofia Anna Menesidou, Democritus University of Thrace

Carl Adams, University of Portsmouth