The 5th European Conference on Computer Network Defence will take place in November 2009 at the Politecnico di Milano technical university in Milano, Italy.

The theme of the conference is the protection of computer networks. The conference will draw participants from academia and industry in Europe and beyond to discuss hot topics in applied network and systems security.

EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Topics include but are not limited to:

• Intrusion Detection
• Denial-of-Service
• Privacy Protection
• Security Policy
• Peer-to-Peer and Grid Security
• Network Monitoring
• Web Security
• Vulnerability Management and Tracking
• Network Forensics
• Wireless and Mobile Security
• Cryptography
• Network Discovery and Mapping
• Incident Response and Management
• Malicious Software
• Web Services Security
• Legal and Ethical Issues

The conference will be technically co-sponsored by the IEEE ComputerSociety – Italy Chapter .

Submitting a Paper

You are hereby invited to submit papers up to 6-8 pages, 8.5″ x 11″, two-column format. We particularly encourage position papers on preliminary work that shows promise, rather than mature and well-polished papers. Surprising results and thought-provoking ideas will be strongly favored. All submissions will be reviewed by the Program Committee . Authors of accepted papers will be given the optionof including their paper in the proceedings of the conference.

We suggest you to format your paper according to IEEE-CS guidelines .

Important Dates

• Submissions due: September 15th, 2009
• Reviews due: October 1st, 2009
• Notification of Acceptance: October 15th, 2009
• Final papers due: November 1st, 2009

General Chair

• Stefano Zanero, Politecnico di Milano, Italy

Program Committee

• Kostas Anagnostakis, I2R, Singapore
• Davide Balzarotti, Eurecom, France
• Wayne L. Bethea, Johns Hopkins University, USA
• Marco Cremonini, University of Milan, Italy
• Eric Cronin, University of Pennsylvania, USA
• Sandro Etalle, Eindhoven Technical University and University of Twente, Netherlands
• Stefanos Gritzalis, University of the Aegean, Greece
• Thorsten Holz, University of Mannheim, Germany
• Sotiris Ioannidis, FORTH-ICS, Greece
• Engin Kirda, Eurecom, France
• Pavel Laskov, University of Tuebingen, Germany
• Tieyan Li, I2R, Singapore
• Paolo Milani Comparetti, TUV, Austria
• George Mohay, QUT, Australia
• Cyril Onwubiko, Research Series, UK
• Philippe Owezarski, LAAS-CNRS, France
• Michalis Polychronakis, FORTH-ICS and University of Crete, Greece
• George C. Polyzos, AUEB, Greece
• Carlos Ribeiro, Instituto Superior Tecnico, Portugal
• Panos Trimintzios, ENISA
• Theo Tryfonas, University of Bristol, UK
• Stefano Zanero, Politecnico di Milano, Italy

Steering Committee

• Panos Trimintzios, ENISA
• Kostas Anagnostakis, I2R, Singapore
• Andrew Blyth, University of Glamorgan, UK
• Sotiris Ioannidis, FORTH-ICS, Greece
• Evangelos Markatos, FORTH-ICS, Greece

EuroSec seeks contributions on all aspects of systems security. Topics of interest include (but are not limited to):

• new attacks, evasion techniques, and defenses
• operating systems security
• network/distributed systems security
• hardware architectures
• trusted computing and its applications
• identity management, anonymity
• small trusted computing bases
• mobile systems security
• measuring security
• malicious code analysis and detection
• Web security
• systems-based forensics
• systems work on fighting spam/phishing

In accordance with the spirit of the EuroSys conference we also seek:

• Quantified or insightful experience with existing systems
• Reproduction or refutation of  previous results
• Negative results
• Early ideas

You are hereby invited to submit papers of up to 8 single-spaced pages (including figures, tables and references). Submission information: http://www.ics.forth.gr/dcs/eurosec09/

For convenience, we allow authors to indicate potential conflicts of interest (e.g., to exclude PC members from within their research group).  EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the  ACM Digital Library. EuroSec will be held on the 31st  of March, 2009, in Nuremberg, Germany.

Important dates

• Paper Submission Deadline: January 19th, 2009
• Notification of Acceptance : February 16th, 2009
• Final Paper Due: March 2nd, 2009
• Workshop Date: March 31st, 2009

Organization

• Program Co-chairs:
  • Evangelos Markatos (FORTH and Univ. of Crete)
  • Manuel Costa (Microsoft Research Cambridge)
• Publicity Co-chairs:
  • Thorsten Holz (Universitat Mannheim)
  • Sotiris Ioannidis (FORTH)

• Program Committee:
  • Kostas Anagnostakis (Institute for Infocomm Research)
  • John Aycock (University of Calgary)
  • Herbert Bos (Vrije Universiteit Amsterdam)
  • Manuel Costa (Microsoft Research Cambridge)
  • Jedidiah Crandal (U of New Mexico)
  • Marc Dacier (Symantec)
  • Leendert van Doorn (AMD)
  • Kevin Elphinstone (U of New South Wales)
  • Jon Giffin (Georgia Tech)
  • Ashvin Goel (U. of Toronto)
  • Hermann Hartig (TU Dresden)
  • Gernot Heiser (UNSW / NICTA / Open Kernel Labs)
  • Thorsten Holz (Universitat Mannheim)
  • Sotiris Ioannidis (FORTH)
  • Angelos Keromytis (Columbia)
  • Engin Kirda (Eurecom Institute)
  • Christopher Krugel (UC Santa Barbara and TU Vienna)
  • Wenke Lee (Georgia Tech)
  • Zhenkai Liang (CMU)
  • Evangelos Markatos (FORTH and Univ. of Crete)
  • Niels Provos (Google)
  • R Sekar (Stony Brook)
  • Angelos Stavrou (George Mason University)
  • Wietse Venema (IBM TJ Watson)
  • Michael Waidner (IBM Tivoli Software, Somers, NY)
  • Stefano Zanero (Politecnico di Milano)

Even though the aim of the project is to help NRENs and ISPs companies, feedback from them is crucial, since the main attacks committed through their networks. Using NoAH system can help detect, monitor and report suspect activities in real-time.

NoAH system main features:

• Provide source of data for security analysis.
• Produce attacks signatures for further use (integration with IDS, firewalls and other network protection tools).
• It has few false positives, low cost and low risk.
• It does not capture legitimate users traffic (No sensitive data).
• Help the security teams understand the threats they face and how to defend against them.
• Raw data available for the administrators.
• Easy to adapt new honeypots on the company’s network.
• Open-source software.
• Contribute to a large network of Honeypots.

The opening presentation by Spiros Antonatos (FORTH) focused on honey@home, an application developed by the NoAH project that can be installed on a Windows or Linux PC. The application allocates an unused IP address in order to collect information about potential cyberattacks; forwarding it to a remote NoAH honeypot for further analysis. As a result, the geographical coverage of the NoAH infrastructure is greatly extended.

The second presentation by Stefano Zanero (Politecnico di Milano) examined the usefulness of intrusion detection systems (IDS) compared with honeypots. Whereas a honeypot actually needs to be comprised in order to be useful, an IDS is able to detect security violations on any system. This in principle allows better collection of attack data, and this can be taken a step further to develop anomaly detection systems, which learn by contrast with normality.

The third presentation by Pascal Gamper (ETHZ) focused on improved methods for signatures for generating zero-day attacks. Time is critical when dealing with such attacks, which means fast automated methods are necessary if they are to be useful in IDSs.

There then followed an talk by Melanie Rieback (VU) on the issues related to RFID (Radio Frequency Identity) technology. This provided an interesting historical overview about the development of the technology, but also the security issues and concerns that it currently presented.

It was then back to more NoAH developments, with a presentation from Asia Slowinska (VU) on the Argos secure system emulator that provides a secure containment environment for running a honeypot system. Whenever potential malicious use is detected, the unsafe data is saved for off-line processing and the emulator terminates its execution. The aim is to prevent the honeypot systems from themselves being compromised, and to ensure that early-warning information can be forwarded to other systems.

The final presentation was given by Marc Dacier (Symantec) on the Leurré.com distributed honeynet. This is a network of low interaction honeypots based on the honeyd software. Currently there are around 50 platforms deployed in 30 countries around the globe. The software can be installed on a low-specification PC from a CD available from Eurecom, and also provides access to the entire SQL database of collected traffic traces. In fact, the success of the system in collecting useful data, encouraged the establishment of the three-year EC-funded WOMBAT project to establish a worldwide observatory of malicious behaviours and attack threats.

The feedback received about the workshop was very positive, and the speakers were highly rated by those attendees completing feedback forms. The presentations from the workshop are available online from the NoAH website.

• The attacker connected from 80.60.158.116 to our win2k server honeypot.
• Aim was to exploit a vulnerability in the WINS service at port 42.
• Date was 2nd June 2008 18:45 GMT +0200.
• The attack was not detected by the snort IDS.
• Argos raised an alert of type “RET”.
• The EBP contained the value 0×90909090 which results obviously from a stack buffer overflow. Thus, a false positive can be excluded.

Analysis of the attack

First step in my analysis was to find all known vulnerabilities/advisories affecting this service. The search results in the Microsoft advisory MS04-045. A more detailed explanation has been published by immunitysec.com. This seems to be the only severe vulnerability in this service. In addition, multiple exploits exist targeting at this vulnerability.

The first look at the packet dump of the attack using wireshark reveals that according to the MS advisory the WINS replication service was attacked. The first three 4-Byte words in the tcpstream of the attack correspond to the “packet” as referenced by immunitysec: “size of packet” “XX XX FF XX”, and “real address pointer”. The vulnerability exists because the “real address pointer” can be manipulated by the attacker and user data is subsequently written to this location. In our Argos CSI data it points at a memory location which is marked as tainted. Thus, the behavior of the exploit is consistent with the description of the vulnerability.

Attack verification

To verify that the vulnerability attacked is the one found by immunitysec.com I tested the corresponding exploit in the metasploit suite against our honeypot and compared both results. The comparison with the traces of the real attack was surprising. First, the payload size of the attack was much smaller than the size of the metasploit attack. Moreover, the three bytes that are characteristic for the exploitation of the vulnerability are different.  They start at the memory location 0000002d: packet lenght: 0×208, “00 00 78 00″, “05 37 1e 90″. Thus, the critical Byte “FF” in the second word is missing as seen in the metasploit attack. Moreover, the bytes at the address 0×05371e90 do not seem to be tainted which is in contrast to the metasploit attack. Thus, I am confident that this vulnerability is definitely not the one published by immunitysec. Further analysis of this attack will follow.

Screenshots

Packet dump of the attack

TCP stream data of the attack payload

TCP stream data of the metasploit attack data

If any of the users discovers false positives, after these changes please notify the developers immediately. You can get argos from the VU gforge site.

The application is available from the Honey@home website. Continue reading for more details on the new features.

List of improvements

The new version offers numerous improvements over the previous releases:

1. Installation: The Honey@home installer now uses the Microsoft Windows Installer engine. This enables the installer to update existing Honey@home installations, without the user having to uninstall and then reinstall the software.

2. Integrated update mechanism: The software is now capable of identifying when a new version comes out on the Honey@home website. The new version is downloaded as an MSI archive and the software is automatically updated.

3. Registration wizard: The user no longer has to launch a browser to register his Honey@home client. If after the installation it is identified that the software hasn’t been registered, a registration wizard is started and the user is able to register his client without switching to a different application.

4. Settings Manager: No longer has the user to manually edit the configuration files of the software. Now all required changes to the configuration are made through the Honey@home settings manager GUI.

5. Anonymous Routing: The software now includes the components required to route the traffic it captures over TOR. This enhances the overall security of the NoAH infrastructure, as well as the privacy of the user.

6. Improved Visualization: Honey@home now offers three different charts and graphs. The first one is a pie-chart breakdown of the packets received per protocol (TCP, UDP, ICMP, Other). The second is a speed graph which shows the rate at which traffic is captured and injected. The last one shows the TCP and UDP ports that received the most traffic.

7. Misc. Improvements: The new version has a reduced memory footprint. Also it provides novice users with a recommendation for which of the existing network interfaces is suitable for the software.

Screenshots

Network interface recommendation at startup

Honey@home settings manager

Breakdown chart of received traffic per protocol

Traffic rate graph

Top ports graph

Despite all of the attractive properties of Argos and the various signature generators, we are still missing some attacks: those on the client-side. Honeypots have as a disadvantage that they mostly act like servers and wait for attackers to contact them. However, client-side attacks are on the rise. In such attacks, the client visits a malicious website and is infected by the content. Honeypots never see such attacks.

Moreover, the Argos honeypot only protects the exact configuration that it is actually running on top of its emulator. If the production machines have a slightly different configuration (e.g., a different version of the OS, applications, or plugins), Argos may miss attacks. So, ideally we would like to protect the `real’ machines.

In the Eudaemon project, some of the groundwork is done for implementing techniques to bring Argos-like honeypot technology to the desktop of normal users. In other words: client-side protection. This is a major challenge as the emulator that implements all the required instrumentation to detect attacks incurs a slowdown of a factor 15-20. As a result, running a desktop PC in instrumented mode constantly is probably not acceptable.

Instead, the idea is to take over running processes and force them to continue running in honeypot mode when needed or when possible. For instance, in the former case one may run a browser in honeypot mode when we click on an unknown URL in an email message. The browser is then protected against browser attacks by malicious server content. In the latter case, one may switch all of the user’s networking applications to honeypot mode when the machine is idle. For instance, we may switch to honeypot mode as a screensaver.

The mechanism for doing this is described in the Eudaemon paper presented at EUROSYS 2008 in Glasgow. [bibtex]

The innovative concept of NoAH Router allows to detect suspicious flows that are currently not seen by the existing Honeypots. Being installed on a router installed at the heart of the Internet, it can identify and redirect flows coming from scanning bots even if the targeted machines are not under monitoring.

During the next phase, the capacity of the NoAH Router for preventing zero-day attacks will be evaluated in a live environment. Keep an eye on the blog for further updates on the NoAH router.