Mathias Fischer

Doğanalp Ergenç, Nurefşan Sertbaş Bülbül, Lisa Maile et al.

IEEE 802.1 Time-sensitive Networking (TSN) protocols have recently been proposed to replace legacy networking technologies across different mission-critical systems (MCSs). Design, configuration, and maintenance of TSN within MCSs require advanced methods to tackle the highly complex and interconnected nature of those systems. Accordingly, artificial intelligence (AI) and machine learning (ML) models are the most prominent enablers to develop such methods. However, they usually require a significant amount of data for model training, which is not easily accessible. This short paper aims to recapitulate the need for TSN datasets to flourish research on AI/ML-based techniques for TSN systems. Moreover, it analyzes the main requirements and alternative designs to build a TSN platform to synthesize realistic datasets.

Steffen Haas, Robin Sommer, Mathias Fischer

Intrusion Detection Systems (IDSs) can analyze network traffic for signs of attacks and intrusions. However, encrypted communication limits their visibility and sophisticated attackers additionally try to evade their detection. To overcome these limitations, we extend the scope of Network IDSs (NIDSs) with additional data from the hosts. For that, we propose the integrated open-source zeek-osquery platform that combines the Zeek IDS with the osquery host monitor. Our platform can collect, process, and correlate host and network data at large scale, e.g., to attribute network flows to processes and users. The platform can be flexibly extended with own detection scripts using already correlated, but also additional and dynamically retrieved host data. A distributed deployment enables it to scale with an arbitrary number of osquery hosts. Our evaluation results indicate that a single Zeek instance can manage more than 870 osquery hosts and can attribute more than 96% of TCP connections to host-side applications and users in real-time.

Jan Kadel, August See, Ritwik Sinha et al.

Bots constitute a significant portion of Internet traffic and are a source of various issues across multiple domains. Modern bots often become indistinguishable from real users, as they employ similar methods to browse the web, including using real browsers. We address the challenge of bot detection in high-traffic scenarios by analyzing three distinct detection methods. The first method operates on heuristics, allowing for rapid detection. The second method utilizes, well known, technical features, such as IP address, window size, and user agent. It serves primarily for comparison with the third method. In the third method, we rely solely on browsing behavior, omitting all static features and focusing exclusively on how clients behave on a website. In contrast to related work, we evaluate our approaches using real-world e-commerce traffic data, comprising 40 million monthly page visits. We further compare our methods against another bot detection approach, Botcha, on the same dataset. Our performance metrics, including precision, recall, and AUC, reach 98 percent or higher, surpassing Botcha.

August See, Maximilian Gehring, Max Mühlhäuser et al.

New types of malware are emerging at concerning rates. However, analyzing malware via reverse engineering is still a time-consuming and mostly manual task. For this reason, it is necessary to develop techniques that automate parts of the reverse engineering process and that can evade the built-in countermeasures of modern malware. The main contribution of this paper is a novel method to automatically find so-called Points-of-Interest (POIs) in executed programs. POIs are instructions that interact with data that is known to an analyst. They can be used as beacons in the analysis of malware and can help to guide the analyst to the interesting parts of the malware. Furthermore, we propose a metric for POIs , the so-called confidence score that estimates how exclusively a POI will process data relevant to the malware. With the goal of automatically extract peers in P2P botnet malware, we demonstrate and evaluate our approach by applying it on four botnets (ZeroAccess, Sality, Nugache, and Kelihos). We looked into the identified POIs for known IPs and ports and, by using this information, leverage it to successfully monitor the botnets. Furthermore, using our scoring system, we show that we can extract peers for each botnet with high accuracy.

Florian Wilkens, Steffen Haas, Johanna Amann et al.

Internet traffic is increasingly encrypted. While this protects the confidentiality and integrity of communication, it prevents network monitoring systems (NMS) and intrusion detection systems (IDSs) from effectively analyzing the now encrypted payloads. Therefore, many enterprise networks have deployed man-in-the-middle (MitM) proxies that intercept TLS connections at the network border to examine packet payloads and thus retain some visibility. However, recent studies have shown that TLS interception often reduces connection security and potentially introduces additional attack vectors to the network. In this paper, we present a cooperative approach in which end-hosts as cryptographic endpoints selectively provide TLS key material to NMS for decryption. This enables endpoints to control who can decrypt which content and lets users retain privacy for chosen connections. We implement a prototype based on the Zeek NMS that is able to receive key material from hosts, decrypt TLS connections and perform analyzes on the cleartext. The patch is freely available and we plan to upstream our changes to Zeek once they are mature enough. In our evaluation, we discuss how our approach conceptually requires significantly less computational resources compared to the commonly deployed MitM proxies. Our experimental results indicate, that TLS decryption increases a runtime overhead of about 2.5 times of the original runtime on cleartext. Additionally, we show that the latency for transmitting keys between hosts and the NMS can be effectively addressed by buffering traffic at the NMS for at least 40ms, allowing successful decryption of 99.99% of all observed TLS connections.

Florian Wilkens, Felix Ortmann, Steffen Haas et al.

Today, human security analysts collapse under the sheer volume of alerts they have to triage during investigations. The inability to cope with this load, coupled with a high false positive rate of alerts, creates alert fatigue. This results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize attack graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model resulting attack scenarios in a kill chain state machine (KCSM). Our algorithm yields a graphical summary of the attack, APT scenario graphs, where nodes represent involved hosts and edges infection activity. We evaluate the feasibility of our approach in multiple experiments based on the CSE-CIC-IDS2018 data set. We obtain up to 446 458 singleton alerts that our algorithm condenses into 700 APT scenario graphs resulting in a reduction of up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents. An evaluation on the same data set, in which we embedded a synthetic yet realistic APT campaign, supports the applicability of our approach of detecting and contextualizing complex attacks. The APT scenario graphs constructed by our algorithm correctly link large parts of the APT campaign and present a coherent view to support the human analyst in further analyses.

Florian Wilkens, Samuel Botzler, Julia Curts et al.

In the factory of the future traditional and formerly isolated Operational Technology (OT) hardware will become connected with all kinds of networks. This leads to more complex security challenges during design, deployment and use of industrial control systems. As it is infeasible to perform security tests on production hardware and it is expensive to build hardware setups dedicated to security testing, virtualised testbeds are gaining interest. We create a testbed based on a virtualised factory which can be controlled by real and virtualised hardware. This allows for a flexible evaluation of security strategies.

Steffen Haas, Florian Wilkens, Mathias Fischer

Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them to larger campaigns. We evaluate our approach on real-world Internet traffic and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.

Steffen Haas, Florian Wilkens, Mathias Fischer

An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on which we compute signatures of network motifs to characterize these clusters. A motif representation of attack characteristics is magnitudes smaller than the original alert data, but still allows to efficiently compare and correlate attacks with each other and with reference signatures. This allows not only to identify known attack scenarios, e.g., DDoS, scan, and worm attacks, but also to derive new reference signatures for unknown scenarios. Our results indicate a reliable identification of scenarios, even when attacks differ in size and at least slightly in their characteristics. Applied on real-world alert data, our approach can classify and assign attack scenarios of up to 96% of all attacks and can represent their characteristics using 1% of the size of the full alert data.

Erik Sy, Tobias Mueller, Christian Burkert et al.

Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake induces significant delay overhead. The TCP Fast Open (TFO) protocol can significantly decrease this delay via zero round-trip time (0-RTT) handshakes for all TCP handshakes that follow a full initial handshake to the same host. However, this comes at the cost of privacy limitations and also has some performance limitations. In this paper, we investigate the TFP deployment on popular websites and browsers. We found that a client revisiting a web site for the first time fails to use an abbreviated TFO handshake in 40% of all cases due to web server load-balancing using multiple IP addresses. Our analysis further reveals significant privacy problems of the protocol design and implementation. Network-based attackers and online trackers can exploit TFO to track the online activities of users. As a countermeasure, we introduce a novel protocol called TCP Fast Open Privacy (FOP). TCP FOP prevents tracking by network attackers and impedes third-party tracking, while still allowing 0-RTT handshakes as in TFO. As a proof-of-concept, we have implemented the proposed protocol for the Linux kernel and a TLS library. Our measurements indicate that TCP FOP outperforms TLS over TFO when websites are served from multiple IP addresses.

Erik Sy, Christian Burkert, Tobias Mueller et al.

QUIC is a secure transport protocol that improves the performance of HTTPS. An initial QUIC handshake that enforces a strict validation of the client's source address requires two round-trips. In this work, we extend QUIC's address validation mechanism by an out-of-band validation token to save one round-trip time during the initial handshake. The proposed token allows sharing an address validation between the QUIC server and trusted entities issuing these tokens. This saves a round-trip time for the address validation. Furthermore, we propose distribution mechanisms for these tokens using DNS resolvers and QUIC connections to other hostnames. Our proposal can save up to 50% of the delay overhead of an initial QUIC handshake. Furthermore, our analytical results indicate that 363.6ms in total can be saved for all connections required to retrieve an average website, if a round-trip time of 90ms is assumed.

Erik Sy, Moritz Moennich, Tobias Mueller et al.

TLS can resume previous connections via abbreviated resumption handshakes that significantly decrease the delay and save expensive cryptographic operations. For that, cryptographic TLS state from previous connections is reused. TLS version 1.3 recommends to avoid resumption handshakes, and thus the reuse of cryptographic state, when connecting to a different hostname. In this work, we reassess this recommendation, as we find that sharing cryptographic TLS state across hostnames is a common practice on the web. We propose a TLS extension that allows the server to inform the client about TLS state sharing with other hostnames. This information enables the client to efficiently resume TLS sessions across hostnames. Our evaluation indicates that our TLS extension provides huge performance gains for the web. For example, about 58.7% of the 20.24 full TLS handshakes that are required to retrieve an average website on the web can be converted to resumed connection establishments. This yields to a reduction of 44% of the CPU time consumed for TLS connection establishments. Furthermore, our TLS extension accelerates the connection establishment with an average website by up to 30.6% for TLS 1.3. Thus, our proposal significantly reduces the (energy) costs and the delay overhead in the encrypted web.

Erik Sy, Christian Burkert, Hannes Federrath et al.

User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resumption for user tracking. For that, we evaluated the configuration of 48 popular browsers and one million of the most popular websites. Moreover, we present a so-called prolongation attack, which allows extending the tracking period beyond the lifetime of the session resumption mechanism. To show that under the observed browser configurations tracking via TLS session resumptions is feasible, we also looked into DNS data to understand the longest consecutive tracking period for a user by a particular website. Our results indicate that with the standard setting of the session resumption lifetime in many current browsers, the average user can be tracked for up to eight days. With a session resumption lifetime of seven days, as recommended upper limit in the draft for TLS version 1.3, 65% of all users in our dataset can be tracked permanently.