Master Project: Advanced Topics in IT Security
Objectives and Contents
The master project consists of an integrated seminar and a practical part. The project is focused on a specific topic in the intersection of IT Security and networks / distributed systems. In the integrated seminar the participants develop the theoretical foundations of the topic and bring each other up-to-date. The acquired knowledge is applied in the practical part of the project to design and implement concrete solutions to meet the objectives of the project.
• Understanding current research and transferring it into praxis
• Software development
• Team work
• Usage of project management and collaboration tools
Course Organization and Availability
This project will be offered regularly in the winter term and will be accompanied by an integrated seminar. The grading is based on a presentation, the developed software, and the software documentation.
- Integrated seminar
- Master project
Winter term 2021/2022
With the rising number of insecure IoT devices, home networks are more and more affected from automated and targeted attacks. Most people are not aware of security leaks and their consequences. Thus, they are not capable of deciding whether devices are correctly configured or hijacked. The gravity of this grows since home office becomes increasingly common for companies. Stealthy overtaking a home network of certain employees is often easier than compromising a protected company network.
This term's master project has the goal to develop a collaborative information and intrusion detection system for home networks. It will enable users to get an overview of the security status of their devices, detect (unknown) attacks, and provide users with potential countermeasures. The main component consists of an automated, privacy-preserving exchange of device characteristics and collaborative intrusion detection to detect attacks across networks while keeping personal network information as private as possible.
The system will be deployed in a real-world scenario with several home networks with different devices, where attacks are injected.
Therefore, the main components of the collaborative home network intrusion detection system in this project include:
- Extraction of network characteristics for intrusion detection using an open source intrusion detection system (IDS), e.g., Suricata or Zeek.
- Enabling collaborative intrusion detection to detect (unknown) attacks by applying anomaly detection using appropriate machine learning techniques, e.g., Federated Learning (FL).
- Evaluating the system using penetration testing and real-world attacks, e.g., with Caldera.
Winter term 2020/2021
Mission-critical networks interconnect IoT systems, smart cities, smart factories, and autonomous vehicles. They require many components to work together ensuring safety and security properties. Smart cities, for example, are quite heterogeneous with distributed IoT sensors and cars, drones, and air cabs that exchange time-sensitive data. Besides, people are involved as both users and providers of data via wearable sensors and smartphones. To deal with the resulting complexity, we aim to redesign core network components leveraging network programmability and using a very recent, popular, and high-level programming language, P4 (https://p4.org/). P4 enables us to program real networking hardware and equip it with new functionalities potentially including:
- Real-time and reliable communication protocols especially for safety-critical applications
- Security functions such as network traffic monitoring and filtering on data plane
- Telemetry collection for more advanced network applications such as intrusion detection systems
Finally, we are going to have extendable network components implemented with P4 to be used in mission-critical IoT systems, software-defined, and programmable networks. Mininet, a well-known simulation environment, will be used for the main development and also P4-supported hardware (e.g., network cards) will be provided for a real test bed.
Winter term 2019/2020
Data-driven Security Threat Assessment & Attack Mitigation
In this project, the goal is to develop a dynamic data-driven risk assessment and attack mitigation framework. For that, the participants will first develop methods to obtain data and knowledge on the network to be protected including an overview on software used, e.g., by the network IDS Zeek or by honeypots. Second, external threat intelligence has to be integrated, e.g., by attaching the open source platform MISP.
Finally, the internally obtained and the external information need to be combined via a dynamic risk assessment model, e.g., based on Bayesian network, to assess risks for the network to be protected in real-time. For example, when external threat intelligence provides information about a novel crytojacker malware that exploits a certain Windows vulnerability and via the internal information sources it is known that certain internal systems have the same vulnerability, the risk for these systems has to be adapted and countermeasures have to be planned, e.g., a Firewall rule is added. This project is held in cooperation with Tenzir, a small but modern startup based in Hamburg with strong competencies in network forensics and overall IT-security.
Winter term 2018/2019
Secure Urban Sensing
The digital development of cities, Smart Cities, relies on data. While stationary sensors are able to provide some data, they have to be purchased, deployed and maintained. All the while we carry powerful sensors with us: our smartphones!
This project's task will be the development of an Android app and a corresponding server component. Users of the app shall be able to leverage the various sensors of their smartphone to collect environmental data (e.g., noise, WiFi networks, illuminance) to show them in-app or on external dashboards.
Data collection via smartphones is privacy-invasive, so that the secure and privacy-aware data collection and processing is the most important requirement in this project. In the process, the trustworthiness of data and its origins has to be included. Thus, additional trust mechanisms need to be implemented to be able to assess the trustworthiness of provided data and its origins and to include this in the data processing to obtain more reliable results.
Summer term 2018
Efficient network-based IDS on the basis of libpcap
These days, attacks on IT systems can have severe consequences, including data leaks, financial loss, and outages in critical infrastructures. Thus, great effort has been made to detect a wide range of attacks with the help of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), especially those that monitor the network. The result are powerful but also complex security tools that are hard to maintain, to extend, and to deploy.
Thus, the task is to develop an IDS and network monitor from scratch that allows to easily analyze the network traffic in real-time. On top of basic protocol and packet decoding, the IDS should provide a framework to extend its functionality when it comes to attack detection and policy checking.
Winter term 2016/2017
Distributed Intrusion Detection in Large-scale Environments
Nowadays, the detection of attacks on IT-based infrastructures is mainly done by Intrusion Detection Systems (IDSs) or Intrusion Prevention Systems (IPSs). Most of these systems utilize a centralized analysis unit and thus do not scale for large networks. Collaborative IDS (CIDS) close this gap via a decentralized or even distributed data collection and analysis. The goal of the project is to enhance an existing CIDS that is based upon the open-source IDS Bro and the host-based sensor Osquery. The system has to be extended by honeypots as third class of sensors. Honeypots are a powerful security tool. They have no productive usage and their sole purpose is to get attacked and compromised. Hence, every attempt to access a honeypot can be considered to be an attack. Apart from adding honeypots, students can actively influence the project scope. Potential directions of additional topics can be among the following:
1. The task of a CIDS is to gather data and analyze it in a distributed manner in between a distributed set of sensors. This requires to have special correlation and detection mechanisms in place to fuse data coming from different sensors. This can, for example, include to use and implement adequate machine learning methods.
2. The CIDS has to be extended by a connection to a centralized cyber-incident monitor (based on Kibana) to visualize data and to support security administrators to maintain an accurate view on their networks and the attacks on them.