Eryk Jerzy Schiller, Andy Aidoo, Jara Fuhrer, Jonathan Stahl, Michael Ziörjen, Burkhard Stiller, Landscape of IoT security, Computer Science Review, Vol. 44, 2022. (Journal Article)
The last two decades have experienced a steady rise in the production and deployment of sensing-and-connectivity-enabled electronic devices, replacing “regular” physical objects. The resulting Internet-of-Things (IoT) will soon become indispensable for many application domains. Smart objects are continuously being integrated within factories, cities, buildings, health institutions, and private homes.
Approximately 30 years after the birth of IoT, society is confronted with significant challenges regarding IoT security. Due to the interconnectivity and ubiquitous use of IoT devices, cyberattacks have widespread impacts on multiple stakeholders. Past events show that the IoT domain holds various vulnerabilities, exploited to generate physical, economic, and health damage. Despite many of these threats, manufacturers struggle to secure IoT devices properly.
Thus, this work overviews the IoT security landscape with the intention to emphasize the demand for secured IoT-related products and applications. Therefore, (a) a list of key challenges of securing IoT devices is determined by examining their particular characteristics, (b) major security objectives for secured IoT systems are defined, (c) a threat taxonomy is introduced, which outlines potential security gaps prevalent in current IoT systems, and (d) key countermeasures against the aforementioned threats are summarized for selected IoT security-related technologies available on the market.
Sergio Lopez Bernal, Enrique Tomas Martinez Beltran, Mario Quiles Perez, Ruben Ortega Romero, Alberto Huertas Celdran, Gregorio Martinez Perez, Study of P300 Detection Performance by Different P300 Speller Approaches Using Electroencephalography, In: 2022 IEEE 16th International Symposium on Medical Information & Communication Technology (ISMICT), IEEE, virtual, virtual, 2022-05-02. (Conference or Workshop Paper published in Proceedings)
Brain-Computer Interfaces (BCIs) are bidirectional devices that have allowed people to control computers or external devices through their brain activity. The P300 Speller is one of the most widely used BCI applications, where subjects can transmit textual information mentally with satisfactory performance. However, the P300 Speller still has room for improvement in practical use, such as selecting the best balance between accuracy and speed. Based on a lack of literature in this direction, this study evaluates two distinct approaches to the P300 Speller. The first is based on rows and columns following the traditional implementation, while the second is based on regions, employing subsets of characters during spelling. In both approaches, the effects of two different stimulus presentation parameters (the number of repetitions per stimulus and the interval between them) on the accuracy and performance efficiency of the P300 Speller are studied. The results show that both approaches obtain similar values in terms of detection performance, obtaining around 75% F1-score for predicting a character with four series of 12 blinks per character. In addition, the region-based approach presents a more robust scheme for false predictions, maintaining a similar spelling duration. The theoretical study performed indicates that spelling a character requires around one minute.
Sina Rafati Niya, Julius Willems, Burkhard Stiller, A Case Study of a Blockchain-GDPR Adaptation, In: IEEE International Conference on Blockchain and Cryptocurrency 2–5 May 2022, IEEE, Piscataway, New Jersey, U.S.A., 2022-05-02. (Conference or Workshop Paper published in Proceedings)
Muriel Figueredo Franco, Burkhard Stiller, Cybersecurity Support for SMEs, Readme, Vol. 2022 (47), 2022. (Journal Article)
Sina Rafati Niya, Raphael Beckmann, Claudio Brasser, Michael Bucher, Nicolas Spielmann, Burkhard Stiller, DeTi: A Decentralized Ticketing Management Platform, Journal of Network and Systems Management, Vol. 30 (2), 2022. (Journal Article)
Sina Rafati Niya, Efficient Designs for Practical Blockchain-IoT Integration, In: 18th IEEE/IFIP Network Operations and Management Symposium (NOMS 2022), Budapest, Hungary, 2022. (Conference or Workshop Paper)
Alberto Huertas, Pedro Sánchez, Muriel Figueredo Franco, Theoretical and Practical Intelligent Behavioral Fingerprinting, In: IEEE/IFIP Network Operations and Management Symposium (NOMS 2022), Budapest, Hungary, 2022. (Conference or Workshop Paper)
Alberto Huertas, Pedro M Sánchez, Eder J Scheid, Timucin Besken, Gerome Bovet, Gregorio Martinez, Burkhard Stiller, Policy-based and Behavioral Framework to Detect Ransomware Affecting Resource-constrained Sensors, In: IEEE/IFIP Network Operations and Management Symposium 25-29 April 2022, IEEE, Budapest, Hungary, 2022-04-25. (Conference or Workshop Paper published in Proceedings)
Dario Akhavan Safa, Design and Implementation of a Decision Support System for Ransomware Protections, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
Due to the significant growth of occurrences in the space of global ransomware threats, companies and individuals alike are becoming more prone to possible attacks. The nature of these threats makes it very difficult to reverse the damage that has been dealt once an attack has taken place. Because of this fact, more and more malicious actors are targeting high-profile individuals and organizations, often those processing critical data. The goal of this thesis is to provide information and insights about ransomware, summarize and represent state-of-the-art prevention measures, and consolidate this information into a newly developed tool to support decision-making with regard to applying preventive protection measures against ransomware threats.
Jordan Cedeno, Mitigating Cyberattacks Affecting Resource-constrained Devices Through Moving Target Defense (MTD) Mechanisms, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
Most Internet of Things (IoT) devices, such as radio spectrum sensors, are not designed and built with security in mind. The static nature of such IoT devices, coupled with the resource constraints under which they operate, makes them a lucrative target for cyberattacks. One option for dealing with such cyberattacks is employing Moving Target Defense (MTD), in which some system parameters are "moved" in order to disrupt an ongoing attack. This thesis aims to propose, design, and implement a prototypical lightweight MTD-based framework (MTD Framework) for Linux-based IoT devices such as radio spectrum sensors, which is capable of deploying host-based MTD security solutions (MTD Solutions) based on attacks/events reported by an external program monitoring for them. Furthermore, this thesis implements a total of four MTD-based security solutions to deal with the following three malware families once they have already infected the system: command & control based malware, crypto ransomware, and user-level rootkits (using preloads). The MTD Framework and the MTD Solutions were tested against real malware to assess their effectiveness.
Additionally, some performance data is gathered to quantify the additional resource consumption that the MTD Framework incurs. The results are promising and suggest that the MTD Framework combined with the MTD Solutions proposed and implemented in this thesis work well as an additional security layer, capable of disrupting/disabling running malware of the above-mentioned malware families.
Ramon Solo de Zaldivar, Creation of a Dataset Modeling the System Calls of Spectrum Sensors Affected by Malware, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
The growing usage of IoT devices brings with it many new use cases. From healthcare and location tracking to process automation and crowdsensing, IoT devices are being used more than ever. In parallel, there has been a growing cybersecurity concern, as IoT devices are becoming a desirable target for cyber attackers. IoT devices, depending on their purpose, can have access to large amounts of data, which makes them an attractive target for cyber criminals. Compounding this issue, these devices are poorly secured and, being resource constrained, cannot support conventional cybersecurity software. IoT devices have been the targets of different kinds of malware, from botnets and backdoors to rootkits, ransomware, and others.
A feasible way to address these cybersecurity concerns and prevent such targeted malware attacks is with the help of Intrusion Detection Systems (IDSs). Nevertheless, traditional IDSs are powerless when it comes to detecting new, unknown malware attacks, otherwise known as zero-day attacks. For this reason, new research is relying heavily on IDSs with Machine Learning (ML) and Deep Learning (DL) decision engines. A key component that determines the efficacy of these IDSs is a quality dataset, containing the behavior of a device under normal operation and also its behavior when it has been compromised by novel malware, with which the ML- or DL-based IDS can be trained. An ML- or DL-based IDS trained on a quality dataset is then statistically better suited to detect novel malware. In spite of the importance of these datasets, quality datasets, especially ones modelling the internal behavior of IoT devices in a normal state and when under zero-day attacks such as botnets, backdoors, and others, are scarce.
In the wake of this limitation, this thesis aims to create a quality dataset that accurately represents the internal behavior of an IoT device, both when it is functioning normally and when it is under attack. In order to accomplish this, the system calls of the IoT device, which in this specific case is an ElectroSense sensor, are monitored under normal behavior, gathered, cleaned, and stored in a centralized directory. Then, the device is infected with current malware affecting IoT devices, such as the bashlite botnet, thetick backdoor, bdvl rootkit, and a ransomware proof of concept, and the monitoring process is repeated for each malware. The infections are sequential, meaning that the device is not infected with more than one malware at a time. Finally, the generated dataset contains normal and anomalous behavior classified by malware. It is then evaluated by statistically analyzing the sequences and frequencies of the system calls.
Konstantin Moser, Intelligent and Behavioral-based Detection of Cryptominers in Resource-constrained Spectrum Sensors, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
With the rising popularity of cryptocurrencies and IoT devices, the number of cryptomining attacks on such devices is intensifying, as they are often poorly secured. The reason cybercriminals are increasingly interested in cryptominers is that they offer a fast and anonymous way of making money while taking low risks. A modern approach for detecting cyber attacks is to combine behavioural fingerprinting analysis with machine learning models. While recent works provide numerous state-of-the-art approaches for general computers, the literature shows little research on detecting malicious cryptomining on IoT devices. Therefore, this thesis proposes different supervised and unsupervised models that aim at detecting cryptojacking on IoT devices from the devices' perspective. One of the requirements to train machine learning models effectively is a data set containing clean as well as infected device behaviour.
Therefore, behavioural monitoring is predominantly performed on a Raspberry Pi using a monitoring script that periodically measures the number of performance events. The test device is part of a real-world IoT crowdsensing platform called ElectroSense, whose sensor is infected with a cryptojacker as part of this thesis. The framework creation process involves collecting and preprocessing data and training different ML-based algorithms. The performance of the models is evaluated using various statistical methods. The model based on the Isolation Forest algorithm, which takes an unsupervised approach, achieves the best overall weighted accuracy of 93.9%. The unsupervised Local Outlier Factor model performs best, with 97.7%, if the accuracy is not weighted. Regarding the supervised models, the Decision Tree classifier achieves the best F1-score macro average of 76%, which rises to 100% if the F1-scores are weighted per class. Because supervised and unsupervised approaches work fundamentally differently, the percentages should not be compared directly, due to varying evaluation metrics and individual strengths and weaknesses. Nonetheless, it becomes clear that all the trained detection modules are able to detect the vast majority of attack samples during the evaluation. This proves that using machine learning models combined with behaviour fingerprinting is a viable option to detect cryptojackers in IoT devices.
Sebastian Küng, Opening Pandora’s Box: An Analysis of the Usage of the Data Field in Blockchains, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
Since the inception of the Bitcoin blockchain in 2009 with the inclusion of the message "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" in its genesis block, blockchains have been used to store generic media. These include text, images, and documents. However, such media is often not easily discoverable in the blockchains and is embedded deep within their binary data structures. The main goal of this thesis is to design and implement a tool that scans blockchains for their media content. The software tool developed for this work, the blockchain-parser, is capable of detecting text strings and files embedded in blockchains. The blockchains of the Bitcoin, Monero, and Ethereum cryptocurrencies were examined to find commonalities and differences between different blockchains in terms of their generic media storage usage. Prior related work has focused on the methods for storing media in Bitcoin. This thesis provides statistics and examples of the blockchain-parser's detected media across Bitcoin, Monero, and Ethereum, which are presented and discussed herein. It concludes that Ethereum has been the most-used blockchain for media data storage of the three and might also be the best-suited blockchain for this task.
Raphael Imfeld, Increasing Privacy in Smart Contracts: Exploring Encryption Mechanisms, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
After the introduction of the concept of Smart Contracts (SC) in 1994, it took another decade until a use case was found. The blockchain's focus on transactions appeared to be a perfect ground to implement the concept of automated, self-executing contracts. Popular blockchains such as Ethereum tied the integration of SC closely to their core functionalities, using the programming language Solidity, specifically introduced for this purpose. Since physical contracts have distinct security properties arising from privacy requirements, their digital equivalents are expected to fulfill the same. However, the transfer of such properties is challenging, as some blockchains are trustless systems and therefore no channel of communication between the two contracting parties is expected.
In order to resolve this challenge, cryptographic mechanisms were introduced to ensure privacy by either encrypting the values on-chain, allowing them to be read and manipulated only by authorized contracting parties, or using an off-chain approach, which outsources the storage and manipulation of sensitive data to a Trusted Third Party. Different encryption approaches were explored by implementing a simple transaction scenario using a SC with different types of data, showing the limitations of each approach when using an on- or off-chain solution. Furthermore, the performance of the encryption approaches was investigated in order to determine aspects such as the contract size, the Gas used during the process, and the runtime. Finally, a comparison of all approaches was done, showing the difficulties of on-chain approaches for the chosen scenario and proposing some adjustments for further research to simplify the implementation. The evaluation showed a positive correlation between the complexity of the encryption mechanism and the three parameters mentioned, since the unencrypted approach used the least amount of memory or Gas and was the fastest, while the homomorphic approach was located at the other end of the scale.
David Stalder, Machine-learning based Detection of Malicious DNS-over-HTTPS (DoH) Traffic Based on Packet Captures, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
The goal of this thesis is to implement a working prototype for the detection of malicious DNS-over-HTTPS (DoH) traffic within the existing SecGrid system, a platform for the extraction of internet traffic, its analysis, and the detection of cyber-attacks developed by the CSG-Group at the University of Zurich. The implementation contains a special feature extraction for DoH traffic based on TCP flows and a two-layered Machine Learning pipeline for the detection of malicious DoH traffic. The evaluation proves that the prototype is extremely precise for single data-sets, but as soon as the models are trained and tested with different data, the accuracy of the prototype deteriorates drastically. The conclusion is that the training data-sets should be diversified into data-sets aligned with real-world browser settings and all available DoH resolvers, and, especially, that the state-of-the-art data should be extended quantitatively and qualitatively.
José María Jorquera Valero, Pedro Miguel Sánchez Sánchez, Manuel Gil Pérez, Alberto Huertas Celdran, Gregorio Martínez Pérez, Toward pre-standardization of reputation-based trust models beyond 5G, Computer Standards and Interfaces, Vol. 81 (1), 2022. (Journal Article)
In recent years, the number of connections in mobile telecommunication networks has increased rampantly, and, in consequence, so has the number and type of relationships among entities. If such interactions are to be profitable, entities will need to rely on each other. Hence, mobile telecommunication networks demand trust and reputation models that allow developing feasible communications in 5G and beyond networks, through which a group of entities can establish chains of services between cross-operators/domains, with security and trustworthiness. One of the key obstacles to achieving generalized connectivity beyond 5G networks is the lack of automatized, efficient, and scalable models for establishing security and trust. In this vein, this article proposes a pre-standardization approach for reputation-based trust models beyond 5G. To this end, we have carried out a thorough review of the literature to match trust standardization approaches. An abstract set of requirements and key performance indicators has been extracted, and some pre-standardization recommendations are proposed to fulfill essential conditions of future networks and to cover the lack of common trust and reputation models beyond 5G.
Julius Willems, PMD-Track: Portable Medical Devices’ Real-time Inventory and Tracking, In: 17th Wireless On-demand Network Systems and Services Conference 2022 (WONS 2022), On-line, virtual, 2022. (Conference or Workshop Paper)
Bruno Rodrigues, Eder John Scheid, Julius Willems, Burkhard Stiller, PMD-Track: Portable Medical Devices’ Real-time Inventory and Tracking, In: 2022 17th Wireless On-Demand Network Systems and Services Conference (WONS), IEEE, Oslo, Norway, 2022-03-30. (Conference or Workshop Paper published in Proceedings)
The recent COVID pandemic challenged healthcare systems worldwide and highlighted not only a lack of sufficient resources in some cases, but also an overall inefficiency in managing available PMDs (Portable Medical Devices). Hospitals typically provide their staff with smartphones to facilitate internal communication and access to hospital services. The key contribution of PMD-Track lies in the use of smartphones replacing expensive stationary gateways scattered across a hospital, acting as mobile gateways associated with a front-end that allows staff to quickly find PMDs. Thus, employees walking near tagged PMDs — as they perform daily activities — constantly help to automatically update these PMDs’ locations in a live inventory tracker, allowing up-to-date information to be retrieved. PMDs equipped with traditional Bluetooth Low Energy (BLE) tags will update a backend service with the location of recently spotted tags and display information concerning their position in real time. Different PMD types can issue alerts according to the type of their mobility (i.e., considering that portable devices can be more or less “dynamic”). Thus, it is expected that PMD-Track will enable hospitals to make efficient use of their PMDs in emergency situations, such as a pandemic or eventual natural disasters, where a sudden increase in demand can now be foreseen.
Alain Küng, BluePIL 2.0: Toward Automated Deployment and Operation, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
Recent studies in the field of localization and identification of persons indoors have shown that there are various possibilities to track individuals indoors. Such localization techniques can be divided into either active or passive indoor localization systems, needing a direct connection or no direct connection with the system, respectively. The corona pandemic unveiled the importance and benefit of applying such techniques to trace possible infections of persons in order to contain the spread. In other fields, it has also been valuable for marketing analysis. In a recent master’s thesis at UZH, a passive localization and identification tool for tracking devices using only passive Bluetooth signals was explored in collaboration with Livealytics.
The solution, called BluePIL, provided moderate accuracy, which can be considered to work despite the underlying naturally noisy data. The time-consuming deployment, calibration, and analysis motivated a second version, called BluePIL 2.0, on which this thesis focuses. Using new hardware, additional power banks, and by adding a new analysis tool with adjustable parameters, a new version is developed. The experiments have shown that BluePIL 2.0 improves the system by reducing the manual steps needed to deploy it and by improving mobility. The time to launch the system is 7.32 seconds on average. In addition, the analysis tool contributes to a better understanding of the indoor scenarios by displaying an updating plot of the tracked devices and providing the option to calibrate the path loss coefficient of the localization algorithm during data collection. The near-real-time plot is set to update within 0.5 seconds. In general, BluePIL 2.0 met the goals in a requirements-based evaluation.
Kyrill Hux, Design and Implementation of a Traffic Sinkhole for Cyberattack Analysis, University of Zurich, Faculty of Business, Economics and Informatics, 2022. (Bachelor's Thesis)
This thesis deals with the design and implementation of a network traffic sinkhole integrated into the existing SecGrid platform developed by the University of Zurich, with the main goal of allowing easy detection and diversion of malicious traffic originating from malware. After an overview of existing solutions and approaches for traffic detection and diversion, DNS in conjunction with a blacklist is chosen as the approach for both of these issues, for its low intrusiveness and easy deployability.
A full-fledged, easily user-configurable DNS sinkhole is then implemented as a part of this work. It offers a graphical user interface with options for the user to configure the blacklist in various ways, including automatic polling from a URL, as well as an overview of the most requested blacklisted domains, among other features. This implementation is subsequently tested for performance and effectiveness in mitigating various malware families. The results are overall positive: the sinkhole only introduces an additional delay of just over 2 ms while providing blacklist detection capabilities, and most tested malware families could successfully be prevented from fulfilling their malicious intent, with the notable exception of ransomware.