Deployment of cryptography on the Internet is challenging. Despite decades of research with multiple proposals, most of the services and networks on the Internet are not cryptographically protected. The existing mechanisms are manual, resulting in high costs, overhead, and misconfigurations. An additional factor for this dismal situation is the classic chicken-and-egg problem: to be effective, all the involved sides have to deploy the cryptographic mechanism, yet single-sided deployment is largely ineffective without the other being widely deployed. This poses a significant obstacle towards wide deployment since not only do the early adopters gain no security benefit, but they also expose themselves to attacks as well as connectivity problems due to potential misconfigurations.

These issues apply to a wide range of systems in the Internet's control plane, such as RPKI [RFC6480], DNSSEC [RFC4033-RFC4035], which was proposed more than two decades ago, yet is still not widely deployed, cryptographic protection for NTP such as Chronos, and also mechanisms that are used to bootstrap cryptography, such as domain validation.

Our goal is to resolve obstacles and challenges towards the deployment of cryptographic defenses on the Internet, reduce costs and overhead of adoption as well as prevent misconfigurations. We defined the following goals which we will accomplish to address the existing security and performance problems:

• Automation. To facilitate the deployment of cryptographic mechanisms on the Internet while reducing errors and misconfigurations we will automate the certification and registration of the digital resources, such as IP prefix blocks, AS numbers, and domains. This will resolve the current manual certification and ownership validation processes. We will develop mechanisms to automate the setup and configuration of certification and registration as well as digital resources’ ownership validation.
• Benefits to early adopters. Our goal is to extend the existing mechanisms to allow the early adopters to enjoy security benefits without waiting for the rest of the Internet to deploy the new mechanism too. For instance, consider adopting a new cipher in DNSSEC, such as the post-quantum secure algorithm FALCON that is a round 3 digital signature NIST finalist. Since the DNS resolvers do not support this algorithm, a DNSSEC signed domain using it gains no security benefits, but instead, DNS responses from that domain will experience additional overhead and even possible connectivity problems due to the increase in their size. We will develop solutions that will resolve these issues and will allow the security benefits to kick in even in unilateral deployments, say if only one side supports the new mechanisms. We are also actively involved in NIST standardization and organized a workshop within the NIST standardization conference on challenges and obstacles towards the deployment of PQC ciphers in the Internet infrastructure.
• Experimental research platforms. Our goal is to develop platforms that will enable testing different mechanisms and their security solutions, as well as attacks against them in an environment that resembles the real Internet yet without introducing performance, connectivity, or security risks to the Internet services or users. To this end, we develop two research platforms: a programmable networks testbed and a platform for active BGP experiments on the Internet.

Our goal is to prevent attacks proactively as well as block running attacks. We will explore which attacks can be actively and proactively blocked, focusing on popular threats, such as Denial of Service, traffic hijacks, ransomware, and phishing attacks.

For each technique we will simulate the potential impact to understand the effectiveness of blocking different attacks and the possible collateral damages, fine tuning the techniques where needed. We will also analyze the techniques from different aspects, such as the need for collaboration with third parties, such as registrars or Internet Service Providers (ISPs), or requirements for joint efforts with multiple countries for effectiveness.

What is important to understand is that there is a wide range of technological solutions for active cyber defense that can be developed to solve, mitigate and prevent a wide range of attacks. Such attacks range from nuances to devastating financial and other damages. Preventing them is critical. We will show that prevention can be done in Germany and on a European level: both technologically, legislatively and operatively.

Cyber-attacks rapidly grow in number and sophistication. Initial access to victim’s networks is increasingly offered via Malware-as-a-Service business model, where the first infection is performed with an Information stealer (Infostealer) malware. Infostealers are designed to search on the infected target system for sensitive and private information, such as passwords and cookies, browser history and cached data, and pose safety, privacy and security risks causing also significant economic losses. Security researchers use a wide range of approaches to detect and analyze suspicious software for the presence of malware. Standard malware detection techniques include scans for so-called fingerprints, i.e. syntactic patterns of known malware code. It is also common to run suspected malware inside a sandbox and to observe its behavior, such as attempts to access certain APIs of network services, user data, etc.

We will develop a novel approach that we term Control-Flow Fingerprinting (CF fingerprinting), which computes a fingerprint of a given program not based on syntactic patterns, but from observed runtime behavior logged in an execution trace. The idea behind that is that infected software necessarily deviates from its intended behavior, at the latest when present malware is activated.

Our goal is to develop a fingerprinting technique based on the control-flow trace of programs suitable to detect malware with high accuracy. It is designed to have a high detection rate, not only applicable to known malware, while maintaining a low false alarm rate. The core idea is to generate traces of program runs that provide information on the control flow decisions and, possibly, even part of the state. Dynamic analysis at this level of detail goes beyond state-of-art approaches, which work at a higher level of abstraction, such as frequency patterns of API calls. These methods will be integrated into an online platform that will be able to analyze in real time uploaded software and identify if it was manipulated and infected with malware. An integral part will be a crawler bundle, that will be periodically collecting popular software on the Internet and analyzing it for possible manipulations and infections.

Despite the criticality of the information transferred over S/MIME (Secure/Multipurpose Internet Mail Extensions) encrypted emails, there is no large-scale security analysis of the S/MIME email ecosystem covering the security of S/MIME certificates. Their interplay with different email clients and LDAP (Lightweight Directory Access Protocol), which is used to distribute S/MIME certificates, have not received sufficient attention either. Not only is it unclear how many organizations even use S/MIME, but scientists also currently have no insights into the cryptographic properties of certificates, revocation and expiry mechanisms, and potentially insecure keys. The most promising source for S/MIME certificates are public LDAP directories in which many organizations distribute S/MIME certificates for internal and external communication partners. Significant challenges in collecting certificates from LDAP servers lie in the discovery of the directories, limitations on data extraction, and the legal and ethical aspects of collecting S/MIME certificates.

The two main objectives of this project are the collection and analysis of S/MIME certificates and the security analysis of the LDAP protocol, its implementations, and its usage on the Internet. We plan to separate this analysis into five parts: Public LDAP Landscape Analysis, LDAP Protocol Analysis, LDAP Implementation Analysis, S/MIME PKI Analysis, and Guidelines for Secure LDAP and S/MIME Deployments. Our planned guidelines will study the challenges and mitigations of secure deployment of S/MIME and LDAP.

Obtaining insights into the core Internet protocols is critical for understanding misconfigurations and vulnerabilities and for designing and adopting new mechanisms and technologies. Although much effort is invested in understanding the Internet, many tools are still missing. Existing tools often do not support important properties such as repeatability of experiments or evaluation over long time periods. Furthermore, existing tools are not simple to use since they do not come with user friendly interface and do not support easy generation of statistics and analysis of the collected data. Tools for performing dedicated measurements, tailored for specific tasks such as censorship, require either additional infrastructure or internal cooperation from within the measured network.

The main goal of this project is to devise tools for automated, repetitive data collection and analysis without requiring collaboration from the tested target network. Our goal is to provide insights into the Internet infrastructure: how the systems are configured, how the cryptographic material is generated, such as keys and signatures, what are the misconfigurations, what are the vulnerabilities, how attacks are launched (for instance, how censorship is enforced across different countries and continents), and also what are the obstacles towards deployment of defences and new technologies. We aim to explore these questions with respect to the core Internet protocols. Our experience shows that human factor is the main cause for misconfigurations and errors in usage of tools or deployment of technologies and defences. Hence, tools developed within this project need to be to the maximal extent possible automated. Their user interfaces will be developed in collaboration with Project 3 to ensure user friendly interface and easy invocation. Leveraging our tools, data from core Internet infrastructures will be collected, periodically analysed and results will be displayed in forms of graphs and charts. The new tools aim to be protocol specific, e.g., tools for measuring misconfigurations in DNS or BGP as well as in their respective defence mechanisms, and task specific, such as detection of censorship, DNS cache poisoning or BGP prefix hijacking. The project will also devise tools for detection of BGP prefix hijacking and DNS cache poisoning attacks: (1) off-line tools that analyse historical data, such as CAIDA and other traffic collection repositories and (2) online tools that perform live monitoring for detection of attacks. For latter, Project 1 aims at devising tools that would monitor services on entire networks, e.g., for Internet Service Operators (ISPs) as well as end host based tools, e.g., for browsers. The resulting tools will allow the collection of information needed to understand practical attacks and methodologies that are used by the Internet attackers. The deliverable will be a platform offering a comprehensive set of tools for collection of information about the core protocols in the Internet and about the attacks.

Internet infrastructure is extremely vulnerable to attacks. Based on the insights gained from Project 1, this project aims at designing new security mechanisms, possibly extending existing proposals to address the gaps in the current standards and implementations. Our investigations in this project mainly focus on three core Internet protocols: BGP, DNS and NTP. More precisely, the project explores: (1) attacks against core Internet protocols as well as abuse thereof for attacks against other systems and (2) deployment of defences.

Explore attacks against core Internet protocols and abuses thereof. The project develops practical attacks and tests their abuse for development of sophisticated attacks against security mechanisms, applications and systems. We perform DNS cache poisoning attacks and exploit it to evaluate attacks against a variety of systems in the Internet. In first step we will develop and evaluate novel attacks leveraging our testbed from Project 1. In second step we will perform live evaluation of the attacks on the Internet and will carry out large scale measurements to estimate the scope of the vulnerabilities, and the fraction of networks and systems that are at risk.

Development and deployment of defences. We will work on deployment of defences for core Internet protocols, drawing on the insights learnt from Project 1. We will try to build upon the existing defences when possible, potentially developing extensions to address the problems which prevent wide adoption of the security, for instance, by adding incentives or resolving obstacles. Our first and foremost goals is to push deployment of RPKI and DNSSEC forward. When deployed, these defence mechanisms will prevent most traffic hijack attacks (whether due to BGP prefix hijacking or as a result of DNS cache poisoning).

The increasing cyber-attacks against Internet infrastructures, platforms, services, and users are resulting not only in huge financial losses and privacy breaches, loss of connectivity, violation of privacy, but also affect the stability of modern societies and even peoples’ lives. Recent attacks show that everything and everyone is a target and can be attacked, from critical infrastructures to the financial sector and to politicians and governments. Cyber espionage and cybercrime are increasingly growing threats to modern democracies. Attacks on networks are reported daily.

Un-patched and outdated systems pose one of the main entries into the networks. Despite the significance of closing the vulnerabilities and patching the systems, research shows that most of the actively exploited vulnerabilities are well known and that a large fraction of networks is vulnerable due to unpatched systems. The root cause for this unfortunate situation is a lack of automated tools to allow networks to perform continuous and periodical security measurements of their digital assets.

In this project, we aim at answering the following questions: How secure is my network? Which devices do I have on my networks? Is everything patched? These appear to be simple questions, yet they are difficult to answer in practice given the existing tools. Misconfigurations and vulnerabilities in networks and services are used as the main attack vector to penetrate networks. The attacks are on a constant rise, known vulnerabilities and exploits are increasingly used as a first step to penetrate a victim. Understanding the security landscape at large as well as vulnerabilities in specific organizations and networks can enable the operators to patch them before they are discovered and abused by the criminals.

Although some tools exist, such as Zmap, they require expertise to be configured and operated. The output is also not easy for non-experts to understand. As a result, the networks do not perform periodic security scans, the security tests are unfortunately performed rarely, typically through a provider that delivers pen testing services. Our tools will enable every network to run periodic security studies and to have updated information about its digital assets, its digital presence, and its security posture. Organizations will be able to patch vulnerabilities in a timely manner, which will prevent attacks.

Our goal is to obtain insights into the vulnerabilities in the currently deployed operational technology (OT) systems. To that end, we aim to achieve the following:

1. To develop a taxonomy of the attack surface of different deployed OT types. There are different types of OT systems with different topology and components and the tools that we will develop will be specific to each different type.
2. We will develop methods to measure different types of OT, their architectures and components and develop tools to identify vulnerabilities to external attacks.
3. Using our findings, we will derive the potential exploits for attacks and analyze their impact. In particular, the impact of failures in IT or OT, the feasibility of remote attacks on IT to manipulate OT, and so on.
4. Finally, we will provide recommendations for techniques for securing the OT and their associated IT systems.

Botnets represent a particular danger on the internet. They can be used to attack individual targets such as a company or government agency in a distributed manner by massively concentrating the traffic of nodes used for the attacks. To protect potential victims it is therefore necessary to detect botnets as early as possible and to thwart their attacks before they can roll out their full attack force. Today’s centralized attack detection systems in the internet are not adequate to detect and fight botnets as early on as required. The project’s goal is to develop a new system that aggregates and analyzes data collected in a decentralized manner through cooperative data analysis. This is achieved through local processing of data by decentralized instances and the exchange of the local attack detection results among each other to detect threats on a larger scale.

The ABC project Visual Security Analytics is focused on the visualization of large security data repositories. The Internet is a massive network with many devices connected to it. In this project we work on visualizations to analyze global internet routing as well as local network traffic. Our visual analysis tool for the global routing gives new insights on the connections between autonomous systems and creates a novel geographic approximation of how traffic is routed around the world. The second focus is on the visualization of local network traffic. As the number of devices in company or home networks grow and more undetected cyber attacks take place, we work on a novel progressive visual analytics tool to analyze the large network traffic log files. We provide a work-in-progress online prototype at netcapvis.igd.fraunhofer.de. Within this ATHENE mission we are also working in cooperation with TU Darmstadt on a large-scale visualization of computer botnets, to analyze crawler information gathered from current active botnets on the Internet.