IMTrustSec
International Workshop on Incident Management, Trusted Computing, Open Hardware and Advanced Security Attacks
-
Jul 31, 2024
-
SR08
-
15:15 — 16:45
Workshop Chairs
- → Diana Gratiela Berbecaru
- → David Arroyo Guardeño
- → Rihards Novickis
Accepted Paper
Threat-TLS: A Tool for Threat Identification in Weak, Malicious, or Suspicious TLS Connections
Diana Gratiela Berbecaru
(Politecnico di Torino, Italy), Antonio Lioy
(Politecnico di Torino, Italy)
Full Paper
Transport Layer Security protocol is widely used nowadays to secure communication channels in various applications running in network, IoT, and embedded systems environments. In the last decade, several attacks affecting the TLS specification, the implementation, the cryptographic vulnerabilities, or the deployment of the TLS-enabled software have been discovered. Although solutions exist for each class of attacks, an attacker may corrupt the TLS support on an end node (even temporarily) making it vulnerable to attacks. To test the resistance of a TLS server to attacks several tools or services exist, that mainly scan a target host looking for wrong configurations. We propose instead a network-based intrusion detection tool named Threat-TLS, aimed to individuate weak, suspicious, or malicious TLS connections. Attackers might establish such connections to hide and distribute potentially dangerous data content, like malware. Alternatively, weak TLS connections could be opened by (legitimate) systems or servers that have been compromised and are prone to TLS attacks, such as systems whose TLS configuration has been changed to use an old TLS version or outdated cryptographic algorithms. We have tested the proposed tool in a testbed environment, illustrating its performance in detecting some TLS attacks.
Workshop IMTrustSec
Workshop IMTrustSec
Anomaly-Based Intrusion Detection for Blackhole Attack Mitigation
Ashraf Abdelhamid
(Nile University, Egypt), Mahmoud Said Elsayed
(University College Dublin, Ireland), Heba K. Aslan
(Nile University, Egypt), Marianne A. Azer
(National Telecommunication Institute, Egypt)
Full Paper
In the contemporary environment, mobile ad hoc networks (MANETs) are becoming necessary. They are absolutely vital in a variety of situations where setting up a network quickly is required; however, this is infeasible due to low resources. Ad hoc networks have many applications: education, on the front lines of battle, rescue missions, etc. These networks are distinguished by high mobility and constrained compute, storage, and energy capabilities. As a result of a lack of infrastructure, they do not use communication tools related to infrastructure. Instead, these networks rely on one another for routing and communication. Each node in a MANET searches for another node within its communication range and uses it as a hop to relay the message through a subsequent node, and so on. Traditional networks have routers, servers, firewalls, and specialized hardware. In contrast, each node in ad hoc networks has multiple functions. Nodes, for instance, manage the routing operation. Consequently, they are more vulnerable to attacks than traditional networks. This study's main goal is to develop an approach for detecting blackhole attacks using anomaly detection based on Support Vector Machine (SVM). This detection system looks at node activity to scan network traffic for irregularities. In blackhole scenarios, attacking nodes have distinct behavioral characteristics that distinguish them from other nodes. These traits can be efficiently detected by the proposed SVM-based detection system. To evaluate the effectiveness of this approach, traffic under blackhole attack is created using the OMNET++ simulator. Based on the categorization of the traffic into malicious and non-malicious, the malicious node is then identified. The results of the suggested approach show great accuracy in detecting blackhole attacks.
Workshop IMTrustSec
Workshop IMTrustSec
Analysis of the Capability and Training of Chat Bots in the Generation of Rules for Firewall or Intrusion Detection Systems
Bernardo Louro
(Universidade da Beira Interior, Portugal), Raquel Abreu
(Universidade da Beira Interior, Portugal), Joana Cabral Costa
(Universidade da Beira Interior and Instituto de Telecomunicações, Portugal), João B. F. Sequeiros
(Universidade da Beira Interior and Instituto de Telecomunicações, Portugal), Pedro R. M. Inácio
(Universidade da Beira Interior and Instituto de Telecomunicações, Portugal)
Full Paper
Large Language Models (LLMs) have the potential to aid in closing the knowledge gap in several specific technical areas, such as cybersecurity, by providing a means to translate instructions defined in natural language into specialized system or software specifications (e.g., firewall rules). The work described herein aims at an evaluation of the capability of LLMs to generate rules for firewall and Intrusion Detection Systems (IDS).
A preliminary evaluation has shown that widely available chat bots have limited capability to generate correct rules and that caution is needed when using their outputs for the aforementioned objective.
This work explores three fine-tuning approaches to address these limitations, each of them with a different objective and achieving different success rates. The first approach aimed at testing how well the model was able to use the knowledge obtained from the prompts when the question was structured differently, achieving a success rate of 89%. The second approach aimed at testing how well the model could link the knowledge obtained from two different prompts and reached a success rate of 61%. The final approach aimed at testing if the model could create complex rules by first learning simple rules, achieving a success rate of 79%.
It can be concluded that fine-tuning is sufficient to improve chat bots into creating syntactically and technically correct rules for firewalls and IDS. Results suggest that the development of a specialized model for as many attacks, firewalls and IDSs can indeed be achieved.
Workshop IMTrustSec
Workshop IMTrustSec
A preliminary evaluation has shown that widely available chat bots have limited capability to generate correct rules and that caution is needed when using their outputs for the aforementioned objective.
This work explores three fine-tuning approaches to address these limitations, each of them with a different objective and achieving different success rates. The first approach aimed at testing how well the model was able to use the knowledge obtained from the prompts when the question was structured differently, achieving a success rate of 89%. The second approach aimed at testing how well the model could link the knowledge obtained from two different prompts and reached a success rate of 61%. The final approach aimed at testing if the model could create complex rules by first learning simple rules, achieving a success rate of 79%.
It can be concluded that fine-tuning is sufficient to improve chat bots into creating syntactically and technically correct rules for firewalls and IDS. Results suggest that the development of a specialized model for as many attacks, firewalls and IDSs can indeed be achieved.
Acceleration of DICE Key Generation using Key Caching
Dominik Lorych
(Fraunhofer SIT | ATHENE, Germany), Lukas Jäger
(Fraunhofer SIT | ATHENE, Germany), Andreas Fuchs
(Fraunhofer SIT | ATHENE, Germany)
Full Paper
DICE is a Trusted Computing standard intended to secure resource-constrained off-the-shelf hardware. It implements a Root of Trust that can be used to construct a Chain of Trust boot system, with symmetric keys representing firmware integrity and device identity. Based on this, asymmetric keys can be generated, but this slows down the boot process significantly as the keys need to be generated on every boot. Asymmetric keys provide multiple advantages when compared to symmetric ones, especially for updatable systems. This prevents the adoption of DICE in fields with strict boot time requirements, for example in the automotive context.
Boot times can be accelerated if keys can be cached in flash memory. However, keys must not be accessible if the state of the system changes, as otherwise the keys would not represent the state anymore. We implement two approaches for this and evaluate them on multiple MCUs regarding automotive requirements.
Workshop IMTrustSec
Workshop IMTrustSec
Boot times can be accelerated if keys can be cached in flash memory. However, keys must not be accessible if the state of the system changes, as otherwise the keys would not represent the state anymore. We implement two approaches for this and evaluate them on multiple MCUs regarding automotive requirements.
Detail IMTrustSec 02/05
International Workshop on Incident Management, Trusted Computing, and Advanced Security Attacks to be held in conjunction with the 19th International Conference on Availability, Reliability and Security
Security incidents and attacks are becoming increasingly complex nowadays, requiring deep technical knowledge in several areas (including cybersecurity attacks, machine learning algorithms, and risk management) for their detection, handling, and analysis, and efficient tools for fast reaction. While traditional approaches are currently in use to detect and counter the security attacks (including firewalls, intrusion detection systems), with the advent of Artificial Intelligence (AI) models and trusted computing standards, other innovative solutions can be further designed and deployed to detect, investigate, and respond to cybersecurity incidents in as little time as possible.
Another controversial issue is how openness can be consistent with, and respectful of, the protection of industrial secrets and intellectual property rights. While IT manufacturing should endorse transparency and trust verification, it is also necessary to guarantee that innovators exploit the result of their creations. In the current technological scenario it is also necessary to take into account the risks associated to software and hardware supply chains, and the benefits of promoting openness in software and hardware manufacturing to better contained those risks.
The aim of the workshop is to gather contributions of leading-edge researchers from network and information security, as well as artificial intelligence, both academia and industry, working on the detection and countermeasures of cyberattacks. The workshop will also tackle the latest developments in open hardware applications for cybersecurity and privacy protection. The aim is to see to what extent openness as a principle can contribute to improve standards and the security evaluation and certification of IT products, evaluating also the compliance with the EU Cyber Resilience Act and the EU cybersecurity certification framework.
The workshop aims to provide a forum of discussion about: a) discovery of (advanced) cybersecurity attacks exploiting both technical and non-technical means; b) exploitation of trusted computing techniques and standards to counter attacks, e.g., by using the Trusted Platform Module (TPM) 2.0, or alternative standards like DICE (Device Identifier Composition Engine) or MARS (Measurement and Attestation RootS) that are more flexible and suitable for different platforms; c) design and development of innovative solutions for incident management, required by incident response teams and security operation centers; d) machine learning algorithms for security attacks detection; e) cyber-risks associated to hardware supply chains and the relevance of open hardware as a means to reduce those risks; e) guidelines, recommendations, procedures for security risk management.
Another controversial issue is how openness can be consistent with, and respectful of, the protection of industrial secrets and intellectual property rights. While IT manufacturing should endorse transparency and trust verification, it is also necessary to guarantee that innovators exploit the result of their creations. In the current technological scenario it is also necessary to take into account the risks associated to software and hardware supply chains, and the benefits of promoting openness in software and hardware manufacturing to better contained those risks.
The aim of the workshop is to gather contributions of leading-edge researchers from network and information security, as well as artificial intelligence, both academia and industry, working on the detection and countermeasures of cyberattacks. The workshop will also tackle the latest developments in open hardware applications for cybersecurity and privacy protection. The aim is to see to what extent openness as a principle can contribute to improve standards and the security evaluation and certification of IT products, evaluating also the compliance with the EU Cyber Resilience Act and the EU cybersecurity certification framework.
The workshop aims to provide a forum of discussion about: a) discovery of (advanced) cybersecurity attacks exploiting both technical and non-technical means; b) exploitation of trusted computing techniques and standards to counter attacks, e.g., by using the Trusted Platform Module (TPM) 2.0, or alternative standards like DICE (Device Identifier Composition Engine) or MARS (Measurement and Attestation RootS) that are more flexible and suitable for different platforms; c) design and development of innovative solutions for incident management, required by incident response teams and security operation centers; d) machine learning algorithms for security attacks detection; e) cyber-risks associated to hardware supply chains and the relevance of open hardware as a means to reduce those risks; e) guidelines, recommendations, procedures for security risk management.
Topics of interest include, but are not limited to 03/05
- Cybersecurity incident management and response
- Certification and open hardware
- Intrusion detection and prevention systems
- Machine learning algorithms for intrusion detection
- Network security attacks investigation
- Open source hardware security
- Open source remote attestation
- Open standards
- Privacy and security implications of open source hardware
- RISC-V applications for security and privacy protection
- Risk management
- Standards, guidelines and certification
- Tools for evaluation of security protocols
- Techniques and tools for cybersecurity attacks defense
- Tools for security vulnerabilities processing
- Trusted computing, confidential computing
Workshop Chairs 04/05
Workshop Chairs
Program Committee
Antonio Lioy
|
Politecnico di Torino, Italy
Daniele Canavese
|
IRIT (Institut de Recherche en Informatique de Toulouse), France
Fulvio Valenza
|
Politecnico di Torino, Italy
Igor Kotenko
|
St. Petersburg Institute for Informatics and Automation, Russia
Annachiara Ruospo
|
Politecnico di Torino, Italy
Andrea Vesco
|
LINKS Foundation, Italy
Pasquale Imputato
|
Universita’ degli studi di Napoli Federico II, Italy
Isaac Agudo
|
University of Málaga, Spain
Billy Bob Brumley
|
Rochester Institute of Technology , USA
Samira Briongos
|
NEC Laboratories Europe GmbH, Germany
Jesús Díaz Vico
|
IOHK, Spain
Andres Marín López
|
Polytechnic University of Madrid, Spain
Constantinos Patsakis
|
University of Piraeus, Greece
Nicola Tuveri
|
Tampere University, Finland
Submission 05/05
Submission Guidelines
The submission guidelines valid for the workshop are the same as for the ARES conference.
Important Dates
Extended Submission Deadline
May 17, 2024
Author Notification
May 27, 2024
Proceedings Version
Jun 18, 2024
Conference
Jul 30
—
Aug 02, 2024