Abstract: Many network protocol specifications are long and lack clarity, which paves the way to implementation errors. Such errors have led to vulnerabilities for secure protocols such as SSH and TLS. Active automata learning, a black-box method, is an efficient method to discover discrepancies between a specification and its implementation. It consists in extracting state machines by interacting with a network stack. It can be (and has been) combined with model checking to analyze the obtained state machines. Model checking is designed for exhibiting a single model violation instead of all model violations and thus leads to a limited understanding of implementation errors. As far as we are aware, there is only one specialized exhaustive method, leveraging DFA (Deterministic Finite Automaton) intersection, available for analyzing the outcomes of active automata learning applied to network protocols. We propose an alternative method, to improve the discovery of new bug and vulnerability patterns and enhance the exhaustiveness of model verification processes. In this presentation, we apply our method to two use cases: OPC UA, for which we present a full workflow from state machine inference to state machine analysis, and SSH, where we focus on the analysis of existing state machines.
The work will be presented in July at the ARES conference

Abstract: The deployment of 5G networks has significantly improved connectivity, providing remarkable speed and capacity. These networks rely on Software-Defined Networking (SDN) to enhance control and flexibility. However, this advancement poses critical challenges including expanded attack surface due to network virtualization and the risk of unauthorized access to critical infrastructure. Since traditional cybersecurity methods are inadequate in addressing the dynamic nature of modern cyber attacks, employing artificial intelligence (AI), and deep reinforcement learning (DRL) in particular, was investigated to enhance 5G networks security. This interest arises from the ability of these techniques to dynamically respond and adapt their defense strategies according to encountered situations and real-time threats. Our proposed mitigation system uses a DRL framework, enabling an intelligent agent to dynamically adjust its defense strategies against a range of DDoS attacks, exploiting ICMP, TCP SYN, and UDP, within an SDN environment designed to mirror real-life user behaviors. This approach aims to maintain the network’s performance while concurrently mitigating the impact of the real-time attacks, by providing adaptive and automated countermeasures according to the network’s situation.

Abstract: Advanced Persistent Threats (APTs) are on the rise. They are a typical tool for nation-state sponsored cyberattacks. This talk provides a background to understand this phenomenon. In particular, a historical overview is provided first. Afterwards, the core of the talk focuses on describing the (publicly known) capabilities of the main current APT groups.

Short Bio: Jose Maria de Fuentes is Associate Professor with the Computer Security Lab, Universidad Carlos III de Madrid (UC3M) of Spain. His research interests are related to cybersecurity and data protection. He has published +50 articles in journals and conferences, having been involved in several national and European projects. He is serving as Vice-convenor of the Spanish National Standardisation Committee UNE CTN320 on cybersecurity and data protection. He is member of the Editorial Board of the Journal of Network and Computer Applications and Wireless Networks.

Abstract: The use of artificial intelligence (AI) is a worldwide spread practice and it is used in multiple services and applications. However, poisoning attacks are not really considered when using IA, and being aware of them is the first step towards protection. In this regard, this talk introduces a use case of poisoning attacks in the vulnerability detection field. A novel vulnerability detector, called VulCoT, is presented, together with their analysis under three different poisoning attacks.

Short Bio: Lorena González Manzano is Associate Professor at the Carlos III University of Madrid (UC3M), in the Department of Computer Science within the Computer Security Lab Group (COSEC). Her career focuses on cybersecurity, having published more than 40 papers in international journals and conferences. She is member of the Editorial Board of the journals Future Generations and Computer Systems and Journal of Communications and Networks. Moreover, she has been involved in multiple R+D+i national and European projects, leading a pair of them.

Abstract: While automated code analysis techniques have succeeded in finding and reporting potential vulnerabilities in binary programs, they tend to report many false positives, which cannot be reliably exploited. This is typical in evaluations of fault injection attacks vulnerabilities as faults can create unexpected program behaviors dependent on complex initial states. As the precise setup of the initial states is hard to achieve, such faults lead code analysis techniques to report vulnerabilities that exist in theory but are infeasible in practice. Vulnerability characterization techniques are thus needed to distinguish such reports from those that come from serious vulnerabilities. Recently, Girol et al. have introduced the concept of robust reachability, a property of program inputs applied to code analysis frameworks to report only vulnerabilities that can be reproduced reliably. This is done by distinguishing inputs that are under the control of the attacker from those that are not, and by reporting only vulnerabilities that do not depend on the value of the uncontrolled inputs. Yet, this remains insufficient for distinguishing severe vulnerabilities from benign ones as robust reachability will be unable to report cases that, e.g., are easy to trigger but may not succeed in a few corner cases. To address this issue, we propose a method that leverages an abduction procedure to generate a robust reachability constraint, that is, a logical constraint on the uncontrolled inputs under which we have the guarantee that the vulnerability will be triggered. We demonstrate the vulnerability characterization capabilities of an implementation of this procedure on a fault injection attack case-study taken from FISSC. We show that our method refines robust reachability and leads to a much better characterization of the reported vulnerabilities. The methods additionally leads to the generation of high-level feedback that is easier to understand and reuse for further analysis.
[Slides]

Abstract: The complexity of current systems encourages the emergence of vulnerabilities. Detectors are developed in this regard, most of them using Artificial Intelligence (AI) techniques. However, AI is not without its problems, especially those attacks affecting the training set. In this talk a novel vulnerability detector, called VulCoT, is presented, together with their analysis under three different poisoning attacks.

Abstract: Bitcoin introduced a fully decentralized, peer-to-peer consensus protocol that enables secure transaction validation in an open network, marking a departure from previous Byzantine Fault Tolerant (BFT) protocols primarily designed for closed networks. An innovative combination of cryptographic and incentive mechanisms ensures the protocol’s robustness over the years. However, it’s important to acknowledge the considerable energy consumption of Bitcoin’s Proof-of-Work mechanism, which remains a significant concern. To address these energy concerns, there have been efforts to transition to more environmentally friendly solutions, such as Proof-of-Stake BFT protocols, like Ethereum 2.0. While these newer proposals hold promise in terms of energy efficiency, they come with complexities and ongoing issues in security and incentive design. In this talk I will present the main features and differences of Proof-Stake-BFT proposals with respect to Bitcoin, to appreciate their maturity and outline open issues and ongoing research challenges.

Abstract: In the realm of cybersecurity, logging system and application activity is a crucial technique to detect and understand cyberattacks by identifying Indicators of Compromise (IoCs). Since these logs can take vast amounts of disk space, it can be tempting to delegate their storage to an external service provider. This requires to encrypt the data, so the service provider does not have access to possibly sensitive information. However, this usually makes it impossible to search for relevant information in the encrypted log. To address this predicament, this paper delves into the realm of modern cryptographic tools to reconcile the dual objectives of protecting log data from prying eyes while enabling controlled processing. We propose a comprehensive framework that contextualizes log data and presents several mechanisms to solve the outsourcing problem, allowing searchable encryption, and we apply our approach to DNS logs. Our contributions include the introduction of two novel schemes, namely symmetric and asymmetric, which facilitate efficient and secure retrieval of intrusion detection-related information from encrypted outsourced storage. Furthermore, we conduct extensive experiments on a test bed to evaluate and compare the effectiveness of the different solutions, providing valuable insights into the practical implementation of our proposed infrastructure for monitoring.
[Slides]