Contributions published at Communication Systems Group (Burkhard Stiller)

The market for cyber insurance seems to be at a turning point in the recent years. Premiums are surging at record rates with new claims continuing to be driven by ransomware attacks, as well as by insider threats. The cyber insurance capacity is becoming limited and it is clear that many challenges still need to be tackled in order to avoid market failure. For one, it is clear that traditional risk assessment methods currently applied do not sufficiently address the issues of information asymmetries and the adverse selection and moral hazard that go hand-in hand with them. Therefore, new approaches to audit and assess the level of self-protection of the insureds need to be developed. Taking this into account, this thesis focuses on the assessment of operational cyber risks related to failed internal processes and proposes a novel approach to apply the methods of process mining in cyber insurance. For this purpose, MeritMiner4CI approach was designed and developed. Also, the fundamental challenges and requirements of cyber insurance at the coverage level were clearly mapped to specific process mining methods. The MeritMiner4CI approach was evaluated by conducting a survey with experts and also by considering case study scenarios. The results of this survey provide strong indication that the analyses of the proposed method can be applied by practitioners and have an impact on the ratings of confidence factors that are applied in the industry. Furthermore, quantitative evaluations were conducted to evaluate the performance of the applied methods. Finally, this thesis also highlights how MeritMiner4CI can be integrated with other cybersecurity risk assessment approaches, such as SecRiskAI and MENTOR.

Since the early 2000s, DDoS attacks pose a major threat to the availability of services connected to the internet, as they can have far-reaching impacts on businesses, organizations, and society as a whole. As DDoS attacks continue to grow in frequency, volume, and severity, DDoS attack analysis systems have emerged both from research and industry. This thesis examines current tools that provide DDoS attack analysis and protection services based on network traffic analysis, and discusses the lack of distributed, collaborative features present in these tools. The main goal of this thesis is to design and implement a prototype that fulfills these features. This is done by extending the architecture of SecGrid, a platform for the extraction, processing, and analysis of cyberattack traffic in a post-mortem fashion. The case studies conducted as part of the evaluation of the prototype suggest that the presented solution enables the distributed and collaborative analysis of cyberattacks, while preserving the scalability and usability of the SecGrid system. The performance evaluation conducted as part of this thesis suggests that in certain use cases, scalability can even be increased.

null

Cloud Radio Access Networks (Cloud-RANs) have recently emerged as a promising architecture to meet the increasing demands and expectations of future wireless networks. Such an architecture can enable dynamic and flexible network operations to address significant challenges, such as higher mobile traffic volumes and increasing network operation costs. However, the implementation of compute-intensive signal processing Network Functions (NFs) on the General Purpose Processors (General Purpose Processors) that are typically found in data centers could lead to performance complications, such as in the case of overloaded servers. There is therefore a need for methods that ensure the availability and continuity of critical wireless network functionality in such circumstances. Motivated by the goal of providing highly available and fault-tolerant functionality in Cloud-RAN-based networks, this paper proposes the design, specification, and implementation of live migration of containerized Baseband Units (BBUs) in two wireless network settings, namely Long Range Wide Area Network (LoRaWAN) and Long Term Evolution (LTE) networks. Driven by the requirements and critical challenges of live migration, the approach shows that in the case of LoRaWAN networks, the migration of BBUs is currently possible with relatively low downtimes to support network continuity. The analysis and comparison of the performance of functional splits and cell configurations in both networks were performed in terms of fronthaul throughput requirements. The results obtained from such an analysis can be used by both service providers and network operators in the deployment and optimization of Cloud-RANs services, in order to ensure network reliability and continuity in cloud environments.

While wireless sensor networks (WSN) offer potential, their limited programmability and energy limitations determine operational challenges. Thus, a TinyIPFIX-based system was designed such that this application layer protocol is now used to exchange data in WSNs efficiently. The new prototype is based on the Espressif ESP32-WROOM-32D Internet-of-Things (IoT) platform, which is becoming famous, as it is inexpensive but powerful compared to older generations of IoT devices. The system implementation is provided in the programming language MicroPython, which provides a simple and efficient implementation, compared to a lower-level programming language. Therefore, this approach focuses on value creation rather than platform-specific implementation difficulties. The system is evaluated in smart home use cases and displays valuable overhead, reliability, and power efficiency. TinyIPFIX outperforms the data overhead of the type–length–value (TLV) paradigm by a factor of 7% when a TinyIPFIX data message carries only two records, and one TinyIPFIX template message is sent per three TinyIPFIX data messages. A further decrease in overhead is observed when the number of data records per message and the number of TinyIPFIX data messages sent per one TinyIPFIX template message increase to larger values. The message delivery between end devices and the application server resides at a very high level, close to 100%, when the transmission reliability is secured with acknowledgments and retransmissions. The energy efficiency resides at the limited level, as the experienced deep sleep power consumption of the ESP32 device resides at the milliwatt level.

Most of the current Brain–Computer Interfaces (BCIs) application scenarios use electroencephalographic signals (EEG) containing the subject’s information. It means that if EEG were maliciously manipulated, the proper functioning of BCI frameworks could be at risk. Unfortunately, it happens in frameworks sensitive to noise-based cyberattacks, and more efforts are needed to measure the impact of these attacks. This work presents and analyzes the impact of four noise-based cyberattacks attempting to generate fake P300 waves in two different phases of a BCI framework. A set of experiments show that the greater the attacker’s knowledge regarding the P300 waves, processes, and data of the BCI framework, the higher the attack impact. In this sense, the attacker with less knowledge impacts 1% in the acquisition phase and 4% in the processing phase, while the attacker with the most knowledge impacts 22% and 74%, respectively.

Billions of IoT devices lacking proper security mechanisms have been manufactured and deployed for the last years, and more will come with the development of Beyond 5G technologies. Their vulnerability to malware has motivated the need for efficient techniques to detect infected IoT devices inside networks. With data privacy and integrity becoming a major concern in recent years, increasing with the arrival of 5G and Beyond networks, new technologies such as federated learning and blockchain emerged. They allow training machine learning models with decentralized data while preserving its privacy by design. This work investigates the possibilities enabled by federated learning concerning IoT malware detection and studies security issues inherent to this new learning paradigm. In this context, a framework that uses federated learning to detect malware affecting IoT devices is presented. N-BaIoT, a dataset modeling network traffic of several real IoT devices while affected by malware, has been used to evaluate the proposed framework. Both supervised and unsupervised federated models (multi-layer perceptron and autoencoder) able to detect malware affecting seen and unseen IoT devices of N-BaIoT have been trained and evaluated. Furthermore, their performance has been compared to two traditional approaches. The first one lets each participant locally train a model using only its own data, while the second consists of making the participants share their data with a central entity in charge of training a global model. This comparison has shown that the use of more diverse and large data, as done in the federated and centralized methods, has a considerable positive impact on the model performance. Besides, the federated models, while preserving the participant’s privacy, show similar results as the centralized ones. As an additional contribution and to measure the robustness of the federated approach, an adversarial setup with several malicious participants poisoning the federated model has been considered. The baseline model aggregation averaging step used in most federated learning algorithms appears highly vulnerable to different attacks, even with a single adversary. The performance of other model aggregation functions acting as countermeasures is thus evaluated under the same attack scenarios. These functions provide a significant improvement against malicious participants, but more efforts are still needed to make federated approaches robust.

null

null

null

null

null

null

null

Most of the current Brain–Computer Interfaces (BCIs) application scenarios use electroencephalographic signals (EEG) containing the subject’s information. It means that if EEG were maliciously manipulated, the proper functioning of BCI frameworks could be at risk. Unfortunately, it happens in frameworks sensitive to noise-based cyberattacks, and more efforts are needed to measure the impact of these attacks. This work presents and analyzes the impact of four noise-based cyberattacks attempting to generate fake P300 waves in two different phases of a BCI framework. A set of experiments show that the greater the attacker’s knowledge regarding the P300 waves, processes, and data of the BCI framework, the higher the attack impact. In this sense, the attacker with less knowledge impacts 1% in the acquisition phase and 4% in the processing phase, while the attacker with the most knowledge impacts 22% and 74%, respectively.

Today, a large number of use cases exist for the Internet-of-Things (IoT) and Wireless Sensor Networks (WSN), such as home automation, ambient assisted living, eHealth, and logistics. The IoT also includes constrained (tiny) devices – sensor nodes – limited in memory, computational capacity and power (a few AAA batteries). This chapter illustrates the Internet's history leading to the current connected world, presents insights of security for the IoT, and paves the way toward the security protocol “sTiki”, developed for constrained devices. sTiki is designed in a similar way to TinySAM, which is an application layer encryption protocol using AES-128 for the symmetric encryption. As sTiki will run on constrained devices, special focus in the implementation was on resource usage, especially memory and energy consumption. The chapter also covers the constraints of developing software for sensor networks, the architecture chosen, and the choice of AES.

Trust management in distributed systems has always been a topic of active interest in the research community to understand how to foster and manage aspects. In this sense, Distributed Ledger Technologies (DLT) and, among them, Blockchains (BC), emerge as an alternative for shifting trust assumptions between users to the protocol that regulates the interaction, fostering trust in distributed systems. Especially reputation management systems have enabled several applications to be revisited as an application running based on an underlying distributed system. Thus, a clear understanding of major properties, threats and vulnerabilities, and challenges of reputation systems based on different types of DLT and BC (i.e., permissioned and permissionless) are key to determine their usefulness and optimization potentials. In this sense, a use case of a BC-based reputation system within the context of cooperative network defenses illustrates such benefits and drawbacks of exploiting DLTs for reputation systems.

Over the past few decades, IoT technologies have surged, with billions of devices accessing the Internet through wireless networks, bringing convenience to human lives while consuming the valuable wireless spectrum. To optimize the radio frequency spectrum, crowdsensing-based radio frequency spectrum monitoring networks are proposed, consisting of distributed IoT sensors that collaborate to collect, transmit, and process radio spectrum data worldwide. However, these IoT sensors with constrained resources are extremely vulnerable to cyberattacks that compromise the integrity of the radio frequency spectrum data and affect the operation of the entire platform. On the one hand, Machine Learning-based device behavior fingerprinting for cyberattack identification is considered highly promising. On the other hand, the device behavior data is strongly sensitive, and its data privacy becomes an issue that has to be considered. Taking these into consideration, this thesis proposes a Federated Learning-based IoT network attack detection system using system calls behavioral data. This approach achieves both data privacy protection and effective identification of cyberattacks through its unique training strategy, i.e., sharing only model parameters but not the training data. After a systematic comparison, this thesis selects the most suitable feature extraction approach and local identification algorithm. The effectiveness and reliability of the proposed model is demonstrated by using quantitative analysis through a variety of different scenarios.

The surveillance of the density of crowds has always been important for safety reasons. In recent years, this topic has evolved to provide business with important information about their potential customers. During the outbreak of the SARS-CoV-2 virus, there were regulations requiring persons to social distance. Such a crowd density monitoring system could be used to ensure social distancing. This thesis proposes a person counting approach based on the Wi-Fi packets emitted by smartphones. It utilizes Wi-Fi sniffers, which monitor Wi-Fi traffic emitted by smartphone with WLAN enabled. The system is completely passive. The system uses RSSI values to estimate the distance between the Wi-Fi sniffers and the device, to then locate the device. During two experiments conducted indoor, it was evaluated, whether the capturing of packets works and whether the RSSI readings can be used to estimate the position of the smartphone.The proposed system was able to capture data emitted by smartphones. The RSSI values obtained indoor indicate, that the RSSI values are not precise enough for reliable trilateration.