June 4, 2014
Winners of the Ph.D. competition at the NCSRA Symposium, Dennis Andriesse and Rick Hofstede, repeated their presentations today at the NCSC One Conference.
All applicants of the first and second NWO Cyber Security Call for Proposals were asked to encourage their Ph.D. students to submit an abstract (max. 250 words) for a presentation of at most 15 minutes. Out of these abstracts an assessment committee selected its top six. The committee consisted of Herbert Bos (VU), Pieter Hartel (UT, TNO) and Frank Fransen (TNO). A total of 12 abstracts were received, which the committee assessed on originality, relevance and accessibility. This pre-selection resulted in an invitation to six researchers to give their full presentation at the June 2nd symposium. The preselected presentations were made part of the symposium tracks Building, Measuring and Discovering.
A jury consisting of Frank Fransen (chair), Kas Clark (NCSC) and Marion van Oeveren (NWO) attended all presentations and selected the two winners. The selection criteria were originality, relevance, presentation style, quality of arguments and engagement. At the end of the NCSRA Symposium the two winning presenters were invited to repeat their presentations at the prestigious International NCSC One Conference 2014 on June 4th in the World Forum in The Hague. Because of the international audience of this conference, the presentations were given in English.
The announcement of the two winners took place at the end of the NCSRA Symposium. After a short explanation, chairman Gerben Klein Baltink invited jury chair Frank Fransen to come forward, name the winners and give some of the reasoning behind the jury's choice. After a round of applause, the winners Dennis Andriesse and Rick Hofstede came forward, together with NCSC Manager Eelco Stofbergen, whose organization is responsible for the NCSC One Conference. Eelco presented Dennis and Rick with flowers and welcomed the well-deserved winners to the NCSC One Conference 2014.
PhD Competition winners Rick Hofstede and Dennis Andriesse with flowers at the NCSRA Symposium
Dennis Andriesse (System and Network Security Group, VU Amsterdam) - Stealthy Reconnaissance in Peer-to-Peer Botnets.
“Botnets are malicious networks of hundreds of thousands of malware-infected systems, and are among the biggest Internet threats today. They perform a myriad of malicious activities, including credential theft and banking fraud, victimizing many thousands of users in the Netherlands alone. Peer-to-Peer (P2P) botnets are the latest and most resilient incarnation of botnets. In contrast to traditional botnets, they contain no centralized weaknesses, forcing the use of decentralized countermeasures. Any such countermeasure requires reconnaissance to understand the botnet composition. Reconnaissance is commonly based on crawlers, which map the botnet by actively contacting bots. We show that crawlers used by malware analysts feature numerous flaws, making them extremely easy to detect. This places crawlers at risk of misinformation attacks by the criminals running botnets, who can thus coerce malware analysts to draw incorrect conclusions, and even block or attack innocent end-users. We perform large-scale monitoring efforts in Zeus and Sality, two of the most notorious P2P botnets, and detect numerous crawlers used by well-known malware analysis companies, which feature multiple defects. Moreover, we show that crawlers have inherent properties which make them detectable, even if defects are fixed. We demonstrate this by implementing a decentralized crawler detection algorithm, and testing it in Zeus, showing that it can detect all crawlers without false positives, based on the proactive behavior of crawlers. We discuss strategies and best practices to improve the stealthiness of future reconnaissance, and show that passive monitoring provides more accurate results than crawlers, while also being much harder to detect.”
Rick Hofstede (Design and Analysis of Communication Systems (prof. Aiko Pras), University of Twente) - SSHCure: Flow-based Intrusion Detection for SSH
“Dictionary attacks against SSH daemons are a common type of brute-force attack, in which attackers perform authentication attempts on a remote machine. Although we are by now used to observing a steady number of SSH dictionary attacks in our networks every day, these attacks should not be underestimated. Once compromised, machines can cause serious damage by joining botnets, distributing illegal content, participating in DDoS attacks, etc. The threat of SSH attacks was recently stressed again by the Ponemon 2014 SSH Security Vulnerability Report: 51% of the surveyed companies have been compromised via SSH in the last 24 months. Even more attacks should be expected in the future; several renowned organizations, such as OpenBL and DShield, report a tripled number of SSH attacks between August 2013 and April 2014. These numbers demonstrate the need for a scalable solution that tells security teams exactly which systems have been compromised and should therefore be taken care of. This is where our open-source IDS SSHCure comes into play. SSHCure is a flow-based Intrusion Detection System (IDS) and the first network-based IDS that is able to detect whether an attack has resulted in a compromise. By analyzing the aggregated network data received from edge routers, it analyzes the SSH behavior of all hosts in a network. Successful deployments have shown that SSHCure is capable of analyzing the SSH traffic of a backbone network in real-time and can therefore be deployed in any network with flow export enabled.”
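As an added illustration of the flow-based idea in the abstract above (this is example code written for this page, not SSHCure's own implementation or its tuned parameters), the following Python classifies SSH sources from NetFlow-like records: many small flows to port 22 indicate a dictionary attack, and a much larger flow to an attacked host that starts after those attempts is flagged as a likely compromise. The flow layout, the sample records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    start: float   # flow start, seconds since an arbitrary epoch (assumed field)
    src: str
    dst: str
    dport: int
    packets: int
    octets: int

# Constructed NetFlow-like records for illustration only (not real traffic).
# 198.51.100.7 makes nine short flows to port 22 on three hosts, then one long session to one of them;
# 203.0.113.5 is a single long administrative session with no preceding attempts.
SAMPLE_FLOWS = [
    Flow(10.0 + i, "198.51.100.7", f"192.0.2.{10 + i % 3}", 22, 12, 1900)
    for i in range(9)
] + [
    Flow(25.0, "198.51.100.7", "192.0.2.12", 22, 140, 31000),
    Flow(5.0, "203.0.113.5", "192.0.2.10", 22, 400, 90000),
]

# Thresholds are assumptions for this example, not SSHCure's tuned parameters.
MIN_ATTEMPT_FLOWS = 5         # short flows from one source before we call it brute force
MAX_ATTEMPT_PACKETS = 30      # a failed login exchange stays small
COMPROMISE_MIN_PACKETS = 100  # an interactive session after the attempts is much larger

def classify_ssh_sources(flows):
    """Return {source_ip: (verdict, [hosts likely compromised])} for SSH traffic."""
    per_src = defaultdict(list)
    for f in flows:
        if f.dport == 22:
            per_src[f.src].append(f)
    verdicts = {}
    for src, fl in per_src.items():
        attempts = [f for f in fl if f.packets <= MAX_ATTEMPT_PACKETS]
        if len(attempts) < MIN_ATTEMPT_FLOWS:
            verdicts[src] = ("benign", [])
            continue
        last_attempt = {}  # per attacked host: start time of its most recent short flow
        for f in attempts:
            last_attempt[f.dst] = max(last_attempt.get(f.dst, 0.0), f.start)
        # A large flow to an attacked host, starting after its attempts, suggests a login succeeded.
        compromised = sorted({f.dst for f in fl
                              if f.packets >= COMPROMISE_MIN_PACKETS
                              and f.dst in last_attempt and f.start >= last_attempt[f.dst]})
        verdicts[src] = ("compromise" if compromised else "brute-force", compromised)
    return verdicts
```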
Photography: Jenny van Bremen-Boom (NWO)