Research Projects

Research Platform Internet Security

Obtaining insights into the core Internet protocols is critical for understanding misconfigurations and vulnerabilities and for designing and adopting new mechanisms and technologies. Although much effort is invested in understanding the Internet, many tools are still missing. Existing tools often do not support important properties such as repeatability of experiments or evaluation over long time periods. Furthermore, existing tools are not simple to use, since they do not come with a user-friendly interface and do not support easy generation of statistics and analysis of the collected data. Tools for performing dedicated measurements, tailored for specific tasks such as censorship detection, require either additional infrastructure or internal cooperation from within the measured network.

The main goal of this project is to devise tools for automated, repetitive data collection and analysis without requiring collaboration from the tested target network. Our goal is to provide insights into the Internet infrastructure: how the systems are configured, how the cryptographic material (such as keys and signatures) is generated, what the misconfigurations are, what the vulnerabilities are, how attacks are launched (for instance, how censorship is enforced across different countries and continents), and also what the obstacles towards deployment of defences and new technologies are. We aim to explore these questions with respect to the core Internet protocols. Our experience shows that the human factor is the main cause of misconfigurations and of errors in the usage of tools or the deployment of technologies and defences. Hence, the tools developed within this project need to be automated to the maximal extent possible. Their user interfaces will be developed in collaboration with Project 3 to ensure a user-friendly interface and easy invocation. Leveraging our tools, data from core Internet infrastructures will be collected and periodically analysed, and the results will be displayed in the form of graphs and charts. The new tools aim to be protocol specific, e.g., tools for measuring misconfigurations in DNS or BGP as well as in their respective defence mechanisms, and task specific, such as detection of censorship, DNS cache poisoning or BGP prefix hijacking. The project will also devise tools for detection of BGP prefix hijacking and DNS cache poisoning attacks: (1) off-line tools that analyse historical data, such as CAIDA and other traffic collection repositories, and (2) online tools that perform live monitoring for detection of attacks. For the latter, Project 1 aims at devising tools that would monitor services on entire networks, e.g., for Internet Service Operators (ISPs), as well as end-host-based tools, e.g., for browsers.
The resulting tools will allow the collection of the information needed to understand the practical attacks and methodologies used by Internet attackers. The deliverable will be a platform offering a comprehensive set of tools for the collection of information about the core protocols in the Internet and about the attacks.


Routing Security

Internet infrastructure is extremely vulnerable to attacks. Based on the insights gained from Project 1, this project aims at designing new security mechanisms, possibly extending existing proposals to address the gaps in the current standards and implementations. Our investigations in this project mainly focus on three core Internet protocols: BGP, DNS and NTP. More precisely, the project explores: (1) attacks against core Internet protocols as well as abuse thereof for attacks against other systems and (2) deployment of defences.

Explore attacks against core Internet protocols and abuses thereof. The project develops practical attacks and tests their abuse for the development of sophisticated attacks against security mechanisms, applications and systems. We perform DNS cache poisoning attacks and exploit them to evaluate attacks against a variety of systems in the Internet. In the first step we will develop and evaluate novel attacks leveraging our testbed from Project 1. In the second step we will perform live evaluation of the attacks on the Internet and will carry out large-scale measurements to estimate the scope of the vulnerabilities and the fraction of networks and systems that are at risk.

Development and deployment of defences. We will work on the deployment of defences for core Internet protocols, drawing on the insights learnt from Project 1. We will try to build upon the existing defences when possible, potentially developing extensions to address the problems which prevent wide adoption of the security mechanisms, for instance, by adding incentives or resolving obstacles. Our first and foremost goal is to push the deployment of RPKI and DNSSEC forward. When deployed, these defence mechanisms will prevent most traffic hijack attacks (whether due to BGP prefix hijacking or as a result of DNS cache poisoning).
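To make concrete what RPKI buys a network once it is deployed, the following added example (not code from this project) implements the route origin validation (ROV) decision that a router applies to a BGP announcement given a set of Route Origin Authorizations. It goes slightly beyond the paragraph by also showing the usual policy of dropping announcements validated as Invalid. The ROAs and announcements are constructed sample data using documentation prefixes and AS numbers (RFC 5737, RFC 5398), not real RPKI content; the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it whose length is at most `max_length` bits."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed sample ROAs (documentation prefixes / ASNs, not real RPKI data).
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),      # exactly the /24, only AS64496
    ROA("198.51.100.0/22", 24, 64497),   # the /22 and any /23 or /24 inside it
]


def validate_origin(roas: Sequence[ROA], announced_prefix: str, origin_as: int) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(announced_prefix, strict=True)
    # Step 1: collect the ROAs whose prefix covers the announced prefix.
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so check the version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    # No covering ROA at all: the prefix is simply not registered in RPKI.
    if not covering:
        return "NotFound"
    # Step 2: Valid if at least one covering ROA matches the origin AS and
    # permits this prefix length; otherwise the announcement is Invalid
    # (wrong origin, i.e. a hijack candidate, or a too-specific announcement).
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def filter_announcements(
    roas: Sequence[ROA],
    announcements: Sequence[Tuple[str, int]],
    drop_invalid: bool = True,
) -> List[Tuple[str, int, str]]:
    """Apply the common ROV policy: keep Valid and NotFound, drop Invalid."""
    kept = []
    for prefix, origin_as in announcements:
        state = validate_origin(roas, prefix, origin_as)
        if state == "Invalid" and drop_invalid:
            continue
        kept.append((prefix, origin_as, state))
    return kept


# Constructed sample announcements as seen from a neighbour.
SAMPLE_ANNOUNCEMENTS: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),       # legitimate origin           -> Valid
    ("192.0.2.0/24", 64500),       # foreign origin              -> Invalid
    ("192.0.2.0/25", 64496),       # more specific than allowed  -> Invalid
    ("198.51.100.0/24", 64497),    # within max_length of the /22 -> Valid
    ("203.0.113.0/24", 64496),     # no ROA covers it            -> NotFound
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}  {validate_origin(SAMPLE_ROAS, prefix, asn)}")
    print("accepted:", filter_announcements(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS))
```

Note the NotFound case: a prefix with no ROA is still accepted, which is why the protection only materialises for prefixes whose holders have registered ROAs, and why the page's emphasis on pushing deployment forward matters.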


Visual Analytics

The ABC project Visual Security Analytics is focused on the visualization of large security data repositories. The Internet is a massive network with many devices connected to it. In this project we work on visualizations to analyze global Internet routing as well as local network traffic. Our visual analysis tool for global routing gives new insights into the connections between autonomous systems and creates a novel geographic approximation of how traffic is routed around the world. The second focus is on the visualization of local network traffic. As the number of devices in company or home networks grows and more undetected cyber attacks take place, we work on a novel progressive visual analytics tool to analyze large network traffic log files. We provide a work-in-progress online prototype at netcapvis.igd.fraunhofer.de. Within this ATHENE mission we are also working in cooperation with TU Darmstadt on a large-scale visualization of computer botnets, to analyze crawler information gathered from currently active botnets on the Internet.


SecScan

The increasing cyber-attacks against Internet infrastructures, platforms, services, and users result not only in huge financial losses, privacy breaches and loss of connectivity, but also affect the stability of modern societies and even people's lives. Recent attacks show that everything and everyone is a target and can be attacked, from critical infrastructures to the financial sector and to politicians and governments. Cyber espionage and cybercrime are increasingly growing threats to modern democracies. Attacks on networks are reported daily.

Unpatched and outdated systems are one of the main entry points into networks. Despite the significance of closing the vulnerabilities and patching the systems, research shows that most of the actively exploited vulnerabilities are well known and that a large fraction of networks is vulnerable due to unpatched systems. The root cause of this unfortunate situation is a lack of automated tools that allow networks to perform continuous and periodic security measurements of their digital assets.

In this project, we aim at answering the following questions: How secure is my network? Which devices do I have on my networks? Is everything patched? These appear to be simple questions, yet they are difficult to answer in practice with the existing tools. Misconfigurations and vulnerabilities in networks and services are used as the main attack vector to penetrate networks. Attacks are on a constant rise, and known vulnerabilities and exploits are increasingly used as the first step in penetrating a victim. Understanding the security landscape at large, as well as the vulnerabilities in specific organizations and networks, can enable operators to patch them before they are discovered and abused by criminals.

Although some tools exist, such as ZMap, they require expertise to be configured and operated. Their output is also not easy for non-experts to understand. As a result, networks do not perform periodic security scans; security tests are unfortunately performed rarely, typically through a provider that delivers pen-testing services. Our tools will enable every network to run periodic security studies and to have up-to-date information about its digital assets, its digital presence, and its security posture. Organizations will be able to patch vulnerabilities in a timely manner, which will prevent attacks.


ABC New Directions

Deployment of cryptography on the Internet is challenging. Despite decades of research with multiple proposals, most of the services and networks on the Internet are not cryptographically protected. The existing mechanisms are manual, resulting in high costs, overhead, and misconfigurations. An additional factor for this dismal situation is the classic chicken-and-egg problem: to be effective, all the involved sides have to deploy the cryptographic mechanism, yet single-sided deployment is largely ineffective without the other being widely deployed. This poses a significant obstacle towards wide deployment since not only do the early adopters gain no security benefit, but they also expose themselves to attacks as well as connectivity problems due to potential misconfigurations.

These issues apply to a wide range of systems in the Internet's control plane, such as RPKI [RFC6480], DNSSEC [RFC4033-RFC4035], which was proposed more than two decades ago, yet is still not widely deployed, cryptographic protection for NTP such as Chronos, and also mechanisms that are used to bootstrap cryptography, such as domain validation.

Our goal is to resolve obstacles and challenges towards the deployment of cryptographic defenses on the Internet, reduce costs and overhead of adoption as well as prevent misconfigurations. We defined the following goals which we will accomplish to address the existing security and performance problems:

  • Automation. To facilitate the deployment of cryptographic mechanisms on the Internet while reducing errors and misconfigurations we will automate the certification and registration of the digital resources, such as IP prefix blocks, AS numbers, and domains. This will resolve the current manual certification and ownership validation processes. We will develop mechanisms to automate the setup and configuration of certification and registration as well as digital resources’ ownership validation.
  • Benefits to early adopters. Our goal is to extend the existing mechanisms to allow early adopters to enjoy security benefits without waiting for the rest of the Internet to deploy the new mechanism too. For instance, consider adopting a new cipher in DNSSEC, such as the post-quantum secure algorithm FALCON, a round-3 NIST digital signature finalist. Since DNS resolvers do not support this algorithm, a DNSSEC-signed domain using it gains no security benefits; instead, DNS responses from that domain will experience additional overhead and even possible connectivity problems due to the increase in their size. We will develop solutions that resolve these issues and allow the security benefits to kick in even in unilateral deployments, i.e., if only one side supports the new mechanisms. We are also actively involved in NIST standardization and organized a workshop within the NIST standardization conference on challenges and obstacles towards the deployment of PQC ciphers in the Internet infrastructure.
  • Experimental research platforms. Our goal is to develop platforms that will enable testing different mechanisms and their security solutions, as well as attacks against them in an environment that resembles the real Internet yet without introducing performance, connectivity, or security risks to the Internet services or users. To this end, we develop two research platforms: a programmable networks testbed and a platform for active BGP experiments on the Internet.

Control-Flow Fingerprinting for Malware Detection

Cyber-attacks rapidly grow in number and sophistication. Initial access to victims' networks is increasingly offered via the Malware-as-a-Service business model, where the first infection is performed with information stealer (infostealer) malware. Infostealers are designed to search the infected target system for sensitive and private information, such as passwords and cookies, browser history and cached data, and pose safety, privacy and security risks while also causing significant economic losses. Security researchers use a wide range of approaches to detect and analyze suspicious software for the presence of malware. Standard malware detection techniques include scans for so-called fingerprints, i.e. syntactic patterns of known malware code. It is also common to run suspected malware inside a sandbox and to observe its behavior, such as attempts to access certain APIs of network services, user data, etc.

We will develop a novel approach that we term Control-Flow Fingerprinting (CF fingerprinting), which computes a fingerprint of a given program not from syntactic patterns but from observed runtime behavior logged in an execution trace. The idea behind this is that infected software necessarily deviates from its intended behavior, at the latest when the embedded malware is activated.

Our goal is to develop a fingerprinting technique based on the control-flow trace of programs that is suitable for detecting malware with high accuracy. It is designed to have a high detection rate, including for previously unknown malware, while maintaining a low false-alarm rate. The core idea is to generate traces of program runs that provide information on the control-flow decisions and, possibly, even part of the state. Dynamic analysis at this level of detail goes beyond state-of-the-art approaches, which work at a higher level of abstraction, such as frequency patterns of API calls. These methods will be integrated into an online platform that will be able to analyze uploaded software in real time and identify whether it was manipulated and infected with malware. An integral part will be a crawler bundle that periodically collects popular software on the Internet and analyzes it for possible manipulations and infections.
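The page describes the core idea of CF fingerprinting but not a concrete construction, so the following is an added, deliberately simple illustration of one way the idea can be realised; it is not the project's method. It assumes a control-flow trace has already been recorded as a sequence of basic-block (or function) identifiers, derives a fingerprint from the set of n-grams of consecutive identifiers, builds a baseline from several clean runs of the same program, and flags a new trace when too many of its n-grams never occur in the baseline. All trace data is constructed for the example: the identifiers, the "infected" run and the threshold are illustrative choices, not real traces.

```python
import hashlib
from typing import Iterable, List, Sequence, Set, Tuple

NGram = Tuple[str, ...]


def ngrams(trace: Sequence[str], n: int = 3) -> Set[NGram]:
    """Set of length-n windows of consecutive control-flow identifiers.
    Using a set (not a multiset) makes the fingerprint insensitive to how
    many times a loop iterates, which varies between legitimate runs."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def fingerprint(trace: Sequence[str], n: int = 3) -> str:
    """Compact, deterministic digest of a trace's n-gram set (sorted first,
    so the same behaviour always yields the same fingerprint)."""
    h = hashlib.sha256()
    for gram in sorted(ngrams(trace, n)):
        h.update("->".join(gram).encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def build_baseline(clean_traces: Iterable[Sequence[str]], n: int = 3) -> Set[NGram]:
    """Union of n-grams seen over several clean runs of the unmodified program."""
    baseline: Set[NGram] = set()
    for trace in clean_traces:
        baseline |= ngrams(trace, n)
    return baseline


def novelty(trace: Sequence[str], baseline: Set[NGram], n: int = 3) -> Tuple[float, Set[NGram]]:
    """Fraction of the trace's distinct n-grams absent from the baseline,
    plus the novel n-grams themselves (useful for explaining an alert)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0, set()
    novel = grams - baseline
    return len(novel) / len(grams), novel


def classify(trace: Sequence[str], baseline: Set[NGram],
             threshold: float = 0.2, n: int = 3) -> Tuple[str, float, Set[NGram]]:
    """Label a trace 'suspicious' when its novelty ratio exceeds the threshold.
    The threshold is an illustrative constant, not a value from the page."""
    ratio, novel = novelty(trace, baseline, n)
    label = "suspicious" if ratio > threshold else "benign"
    return label, ratio, novel


# Constructed clean runs of a small batch-processing program (identifiers are
# made up; a real trace would carry basic-block addresses or IDs).
CLEAN_RUNS: List[List[str]] = [
    ["main", "load_config", "parse_args", "process_loop", "handle_item",
     "process_loop", "handle_item", "process_loop", "write_output", "exit"],
    ["main", "load_config", "parse_args", "process_loop", "handle_item",
     "process_loop", "write_output", "exit"],
    ["main", "load_config", "parse_args", "process_loop", "write_output", "exit"],
]

# A clean run with more loop iterations than any baseline run: new length,
# but no new control-flow transitions.
UNSEEN_CLEAN_RUN: List[str] = [
    "main", "load_config", "parse_args", "process_loop", "handle_item",
    "process_loop", "handle_item", "process_loop", "handle_item",
    "process_loop", "write_output", "exit"]

# Constructed run of a trojanised build: extra blocks execute right after
# start-up before the program continues with its normal work.
INFECTED_RUN: List[str] = [
    "main", "load_config", "read_credential_store", "encode_payload",
    "net_send", "parse_args", "process_loop", "handle_item", "process_loop",
    "write_output", "exit"]

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_RUNS)
    for name, run in (("unseen clean", UNSEEN_CLEAN_RUN), ("infected", INFECTED_RUN)):
        label, ratio, novel = classify(run, baseline)
        print(f"{name:13} {label:10} novelty={ratio:.2f} novel={sorted(novel)}")
        print("  fingerprint:", fingerprint(run)[:16], "...")
```

Two points the toy makes that the prose only states: the longer clean run is classified benign with zero novelty because loop repetition adds no new transitions, and the infected run is flagged on the transitions themselves, without any signature for the injected blocks, which is what the page means by detection "not only applicable to known malware".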