http://uva.nl/

SNE Master Research Projects 2013 - 2014
2004-
2005 		2005-
2006 		2006-
2007 		2007-
2008 		2008-
2009 		2009-
2010 		2010-
2011 		2011-
2012 		2012-
2013 		2013-
2014 		2014-
2015 		2015-
2016 		2016-
2017 		2017-
2018 		2018-
2019 		2019-
2020 		2020-
2021 		2021-
2022
Contact TimeLine Projects LeftOver Projects Presentations-rp1 Presentations-rp2 Objective Process Tips Project Proposal

Contact

Cees de Laat
tel: +31205257590
room: C.3.152
Course Codes:

Research Project 1 MSNRP1-6 53841REP6Y
Networking Research Project 2 MSN2NRP6 53842NRP6Y
Forensics Research Project 2 MSN2FRP6 53842FRP6Y

TimeLine

RP1 (January):
  • Wednesday Sep 4 2013, 13h00: Introduction to the Research Projects.
  • Nov 8, 2013, 10h00-12h00: Detailed discussion on chosen subjects for RP1.
  • Monday Jan 6th - Friday Jan 31th 2014: Research Project 1.
  • Friday Jan 10th: (updated) research plan due.
  • Monday Jan 20, 16h00: possibility for students to discuss problems/progress in OS3 Lab.
  • Tuesday afternoon Feb 4th 2014: Presentations RP1 in INIT Auditorium 1.
  • Wednesday 5th 2014: Presentations RP1 in A1.10 and F1.02 at Science Park.
  • Monday Feb 10th 9h00: RP1 - reports due.
 RP2 (June):
  • Wednesday may 8, 2014, 14h00, B1.23 Detailed discussion on chosen subjects for RP2.
  • Monday Jun 2th - Tuesday Jul 1th 2014: Research Project 2.
  • Friday Jun 6th: (updated) research plan due.
  • Monday Jun 16th , 16h00: possibility for students to discuss problems/progress in OS3 Lab.
  • Wednesday Jul 2th 2014, 9h30-15h00:  presentations in C0.110 @ SP904.
  • Thursday Jul 3th 2014, 9h30-17h00:  presentations in C0.110 @ SP904.
  • July 4th 2014: RP2 - reports due (preferably not much later as holidays interfere).

Projects

Here is a list of student projects. Find here the left over projects this year: LeftOvers.

In a futile attempt to prevent spam "@" is replaced  by "=>" in the table. Color of cell background:
Currently chosen project. Blocked, not available.
Project plan received. Confidentiality was requested.
Presentation received. Report but no presentation
Report received. Presentation in june.
Completed project.
wordle-s.jpg


# title
summary		 supervisor contact
students 		R
P 		1
/
2
1
N

Mice and Elephants.

Mixing large (elephant) and small (mice) data flows on a network is challenging. A small amount of packet loss can cause a huge performance drop for large data flows (1 out of 22,000 lost packets causes 80x reduction in data transfer). When these large TCP flows are mixed with other (small) TCP flows, all TCP sessions are trying to be fair, but still optimize their own throughput until they reach the capacity of the link and packet drop occurs. This results in oscillations and bad throughput. The goal of this project is to use the tc(8) traffic shaping in Linux to generate TCP flows with a constant throughput and investigate what effect this has when multiple of these TCP flows are mixed on the same link. The intention is to fill a link to maximum capacity with multiple stable streams. Google is claiming a utilization of their links of close to 100% and they probably do something similar. These experiments will be done in the SURFnet testbed and on international links with high capacity and large RTT (big fat pipes). 		Ronald van der Pol <Ronald.vanderPol=>SURFnet.nl>
Ioannis Giannoulatos <Ioannis.Giannoulatos=>os3.nl> 		R
P 		1
3
SN

DNS security revisited.

The crucial DNS remains a liability today. In the past, several attempts - and huge government impulses - have been made towards DNSsec adaptation. Success has been far from evident, meriting a closer look. At this point, there might be actual field data to (dis)prove DNSsec skepticism. DNSsec support has been mandatory for several TLDs now for an extensive period. While mandatory, participation has been less than complete. And of the zones for which DNSsec was deployed, it's an open question whether this initial deployment has been followed by proper maintenance (as is necessary for DNSsec zones).

Specific questions are: What adaptation rate has DNSsec seen amongst (for example) .gov zones? What is the trend, and the adaptation timeline? Of the zones offering DNSsec at point in time T, which ones are still valid at point T+n?

Running hypothesis would that DNSsec has been plausibly tried, and has been proven a failure. Let's see this hypothesis disproved! Or… else…? 		Jeroen Scheerder <Jeroen.Scheerder=>on2it.net>
Anastasios Poulidis <Anastasios.Poulidis=>os3.nl>
Hoda Rohani <hoda.rohani=>os3.nl> 		R
P 		2
5

ExoGENI: Evaluating the Network Performance of ExoGENI Cloud Computing System.

The SNE group has build an OpenLab to study architectures and develop algorithms for distributed Big Data Analysis on a distributed high performance programmable infrastructure. This infrastructure consists of compute clusters, OpenFlow capable network switches and high speed (> 10 Gbit/s up to 100 Gbit/s) connectivity to SURFnet and the USA. Our openlab connects to the US-NSF GENI project and can communicate and work with about 40 similar setups accross many USA Universities. Next year june we will have a PIRE workshop where international students will research multi disciplinary science by using data from different repositories containing about a petabyte of data. This project is about preparing the infrastructure for that workshop.

In this project the student is asked to study the requirements to prepare and connect the ExoGeni rack in the SNE OpenLab to the OpenScienceDataCloud and test the performance of data transfer in different situations. If possible also the connection and use of data sources from the EU-Envri project should be attemted and benchmarked.

More info:
 Paola Grosso <p.grosso=>uva.nl>
Ralph Koning <R.Koning=>uva.nl>
Andreas Karakannas <Andreas.Karakannas=>os3.nl>
Anastasios Poulidis <Anastasios.Poulidis=>os3.nl> 		R
P 		1
7

A closer look at SQRL.

For many years the username/password combination has been used by billions of users to authenticate to web applications. During the last year several web applications like gmail have introduced a form of 2FA. Google uses a separate app for this authentication, but this app cannot be used with other web applications (yet). SQRL (https://www.grc.com/sqrl/sqrl.htm) is an alternative that also claims to offer 2FA. We would like the students to perform an in depth research on this (or an alternative) form of authentication. This includes not only the (cryptographic) strengths and weaknesses, but also the feasibility when companies want to implement a SQRL based authentication.
- what makes this better than Googles OAuth and other similar activities. 		Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>
Hugo Ideler <HIdeler=>deloitte.nl>
Jos van Dijk <Jos.vanDijk=>os3.nl> 		R
P 		1
8

Controlled DDoS Security Testing.

Availability is one of the main concerns for large online applications such as online banking. Denial of Service is a realistic threat that can be executed with limited means, for example by employing a botnet of compromised systems. We would like to develop a methodology that allows performing a structured review of how ‘ready’ an organization is for a DDoS attack. This methodology would need to be developed in such a way that the testing can be performed in a controlled way, without causing an actual Denial of Service. The approach should consist of both technical review of configuration settings as well as ways of simulating specific DoS attacks in a controlled way. 		Pieter Westein <PWestein=>deloitte.nl>
Azad Kamali <Azad.Kamali=>os3.nl>
Mike Berkelaar <Mike.Berkelaar=>os3.nl>
 R
P 		2
10
F

Search Optimization through JPEG Quantization Tables using a Decision Tree Learning Approach.

Acceleration methods for searching image databases, for example through optimizing search through quantization tables in JPEG. Some investigation has been done on how this JPEG characteristic can be used by such methods, but further investigation should give a better view on its feasibility. Other JPEG characteristics not yet exploited by any search method in current use may be investigated as well. These methods are used to search for images that have, for example, deviant or specific values for these characteristics. Certain values may indicate the use of a camera of some kind, or that it has been altered (or recreated) by specific image editing software. A proof-of-concept that shows the use of such characteristics in search methods will probably be implemented. 		Marcel Worring <m.worring=>uva.nl>
Zeno Geradts <zeno=>holmes.nl>
Sharon Gieske <sharon.gieske=>os3.nl>
 R
P 		2
11

Anomaly Detection on Internet Content Filter Data.

Network anomalies are traffic patterns that have properties that make them different from normal traffic. Examples include sudden traffic coming from a country that usually generates no traffic at all and traffic to ports that never receive traffic. Anomaly detection is used in Network Intrusion Detection Systems (NIDS), where different kinds of anomalies are detected. Anomaly detection can be done with different methods: statistical based, knowledge based and based on machine learning.

This research project proposes to look at statistical anomaly detection. More specifically, detection based on user-agent strings and requested files. The Intrepidus Group, a mobile security company, indicates that some malware can be detected based on their user-agent string. The effectiveness of statistical anomaly detection for user-agent strings will be tested on a set of outbound traffic. The same will be done for requested files, as compromised computers often download a set of scripts for easier control. Detection of this anomaly will be tested on the same data set. The research question is formulated as follows: What is the effectiveness of statistical anomaly detection, when applied to the user-agent and requested file information?
 Ramses de Beer <Ramses.deBeer=>shell.com>
Sjoerd Peerlkamp <S.Peerlkamp=>shell.com>
Johannes IJkel <Johannes.IJkel=>shell.com>
Peter van Bolhuis <Peter.vanBolhuis=>os3.nl>
 R
P 		2
13

Implementing Security Control Loops in Security Autonomous Response Networks.

Abstract:
Software defined networks (SDN) are networks which are created and managed by computer programs. The Virtual Internets project which is conducted by the SNE research group in collaboration with TNO research deals with creating such a program which also addresses the security issues that may arise with SDNs. The resulting application should deal with security threats in 2 stages. First the problem needs to be detected and feedback about it should be returned to the application. And in the second stage the application should select the best way to isolate/fix the problem and configure the network accordingly.

The goal of this research project is to implement a proof of concept for the threat detection and responsive network adaptation mechanisms and visualize that process, so that a better understanding of how such a system could work could be gained. Furthermore it should be clear from the visualization how big is the risk that an emerged problem introduces. In order to demonstrate that accordingly, a few different examples should be created and presented.
 Marc Makkes <M.X.Makkes=>uva.nl>
Robert Meijer <robert.meijer=>tno.nl>
Hristo Dimitrov <Hristo.Dimitrov=>os3.nl>
 R
P 		2
14

Measuring the deployment of DNSSEC over the Internet.

In the past years, focus has been on the deployment of DNSSEC in the domain name system. There has been an extensive effort in signing the DNS root and signing all top level domains (TLDs). This deployment has been monitored, measured, and analysed in the past years.

But the server side is only half of the story. The DNS resolvers also need to validate the responses they receive. These measurements are more difficult to accomplish, as you need presence in the client network to test whether the resolver is a DNSSEC validating resolver (or not).

In this project, you will design, implement, and run measurements with the RIPE Atlas infrastructure, which employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time. The Atlas probes will be instrumented to query DNS servers and test for local validating DNSSEC resolvers. The results of this study will be very relevant to the Internet community, in particular to those with interest in security and stability. 		Benno Overeinder <benno=>NLnetLabs.nl>
Willem Toorop <willem=>NLnetLabs.nl>
Nicolas Canceill <nicolas.canceill=>os3.nl>
 R
P 		2
17

Calculating Total System Availability.

Context

The environment for the research project is the Information Services organization of Air France- KLM. In this organization the datacenter is responsible for the management of the business applications and the underlying system and network infrastructure. The applications management department of the datacenter has defined a concept called The Artificial IT Intervention Handler (AITIH). This concept is realized as an AGILE/Scrum project. One of the functions in this concept is a Blueprint Generator. A Blueprint is a graphical representation of infrastructure components of the system and network infrastructure showing servers and its connectivity to the LAN and SAN network.
IST situation of the IT infrastructure

Auto discovery information is collected every day by system and network monitoring tools. This information shows the actual status of the IT infrastructure. This information is stored in a database for analysis. Blueprints can be generated from this database using a proprietary tool based on SVG.

SOLL situation of the IT infrastructure

IT architects are involved in the development and change process of business applications. They are responsible for the IT Global Design (ITGD) of the underlying infrastructure for the business applications. An ITGD is part of the documentation of a business application. IT architects define the principles that should be used when designing a particular application infrastructure.

Research question

Business applications have non-functional requirements for the infrastructure. The ITGD defines the non-functional requirements. Availability is the most important infrastructure requirement for business applications.

The research questions are:
  1. Define an architectural governance procedure that is able to detect deviations between the ITGD design and the actual infrastructure implementation (auto discovery status).
  2. One of the challenges for the AITIH is to automate Architectural Governance. How can the pattern generator be enhanced to detect deviations from the design automatically based on applicable design rules?
 Betty Gommans <betty.gommans2=>klm.com>
Hoda Rohani <hoda.rohani=>os3.nl>
Azad Kamali <Azad.Kamali=>os3.nl> 		R
P 		1
26

Information loss to public networks.

The first phase of the research focused on identifying data- loss hotspots. This was done by extracting data from a proxy logger for a large (Dutch) company. It showed a lot of outgoing traffic related to e-mail and attachments. Other large factors for outgoing traffic were office in the cloud and online storage.
The second part of the research was trying to search the identified hotspots, and other known file-storage locations, for confedential information. Because most data required authentication, these end-points could barely be searched through. In the cases that it was possible to search the storage locations, interesting information could be found with Google in almost all cases. 		Steven Raspe <steven.raspe=>nl.abnamro.com>
Peter van Bolhuis <peter.vanbolhuis=>os3.nl>
Jan-Willem Selij <Jan-Willem.Selij=>os3.nl> 		R
P 		1
27

Secure Socket Layer Health Assessment.

It has become a real fad for researchers to try and break SSL over the last few years. Several attacks have been published with illustrious names like "BEAST", "CRIME" and "Lucky 13", and issues have been discovered both on the protocol level as in the various ciphers that can be used.

In this day and age where almost everything is a webservice, organisations usually have many dozens, if not more, of SSL services running. Combined with the number of flaws already discovered, it gets hard to ensure that all these are of the proper security level and that it remains that way.

This project has the following goals:
  • Assess the various potential problematic uses of the SSL protocol and ciphers based on literature.
  • Create a tool that given a list of urls/hosts and port numbers, evaluates which protocols and ciphers are offered and present per host a list of results for various potential problems, like the attacks described earlier but also things like certificate validity or chain issues. The output should be machine-parsable so it can be integrated into monitoring infrastructure. Ideally it should summarise the "SSL health" of a host in a single metric. It should be an extensible framework so that if a new problem or attack is discovered, the tool can be easily updated.
  • Run the tool against all our known or discovered SSL services.
 Thijs Kinkhorst <thijs=>uvt.nl>
Teun Nijssen <teun=>uvt.nl>

Eric van den Haak <Eric.vandenHaak=>os3.nl>
Mick Pouw <mick.pouw=>os3.nl>
 R
P 		1
28

DDoS attacks on electronic payment systems.

P.S. 28 and 29 are the same but contains enough research questions to make it into two distinct rp's.

Equens is the first pan-European full-service payment processor. We are at the forefront of payment and card transaction processing. Maintaining the integrity of our networks is essential and as the nature of payments change, making use of the public internet, additional measures have to be considered to ensure that Equens can handle the risks associated with this mechanism. These risks can be identified in many forms and currently, possibly the most significant are related to (Distributed) Denial of Service (DDoS) attacks.
DDoS attacks are becoming an increasing threat in the cyber-world, both with regard to the chance of becoming a victim as well as the impact of such an attack. At least that is what is perceived from information from the media and security experts.

Equens wishes to understand the risks better, and in particular the risks associated with Distributed Denial of Service attacks. To this end we are proposing that a study be performed.
At this time the following subjects are considered relevant. The successful candidate(s) may concentrate on one or more subjects as applicable:
  • The risk of Distributed Denial of Service (DDoS) attacks at this time and the anticipated development of these attacks. In particular aspects such as:
    • What is the trend in dDoS attacks in relation to line of business (including financial risk) business size, geographical location (from a victim's point of view) and other parameters like technical advancement (type), duration, bandwidth, ... (from an attackers point of view)?
  • The types of mechanism available to mitigate DDoS attacks and anticipated development. In particular aspects such as:
    • What is the best remedy against such an attack, both theoretically as well as based on the solutions available in the market (with a relation to company size/price-performance) These questions can then be applied to Equens' services, differentiated towards their visibility: public, private, or semi-private and based on Equens' position in the European market.
  • Experience of other organisation(s) with DDoS and how they have managed their approach to DDoS.
The authors of this study should have the following experience
  • A basic understanding of TCP/IP and the various other protocols that together form what is termed Internet (DNS, IPSEC etc.) "Learning on the Job", that is being assisted by Equens' experts in this area, will be provided;
  • Able to discuss network issues both with Equens' own experts, as well as necessarily collect information from external sources;
  • The ability to be analytical and produce an analytical, subject based report.
Additional points
  • The candidate(s) will form part of a small expert team that is essentially self-managed. Therefore the candidate(s) will be expected to be self-motivated and capable of performing most activities with little or no support. However advice and assistance in contacting the various current stakeholders and our suppliers etc. will be provided;
  • The team will allocate time to assist the candidate on a regular basis and will provide timely advice during the entire project.
The deliverables will be defined by the expert team in discussion with the candidate. It is thought that the following will be produced:
  • A single report (per subject or group of subjects) in which the various current initiatives are described and compared with each other.
  • The produced report will be owned by Equens, but after suitable review (for example making certain parts of the report anonymous etc.) may be used by the candidate as part of their work experience and CV etc.
 Stefan Dusée <Stefan.Dusee=>nl.equens.com>
Joris Claassen <joris.claassen=>os3.nl>
Sean Rijs <sean.rijs=>os3.nl> 		R
P 		1
30

Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests.

Quarantainenet uses DNS-detection as one of its sensors when monitoring a network for malware, by matching DNS requests against known bad domains (blacklists). Another, so far untested, aspect of DNS-detection is using DNS MX-requests to detect computers that are sending spam. By looking at parameters like requests per interval, number of different requests and requests for specific domains, we suspect that it is possible to create a model to predict the probability that a computer is indeed sending spam. Supervisors:
  • Administrative and overview: Casper Joost Eyckelhof
  • Technical content: Bas van Sisseren
The source code produced in this research project can be found here: source.zip
 Casper Joost Eyckelhof <support=>quarantainenet.nl>
Bas Vlaszaty <Bas.Vlaszaty=>os3.nl> 		R
P 		2
31

Using EVPN to minimize ARP traffic in an IXP environment.

EVPN[1] is an IETF draft[2] which promises to address problems currently encountered by IXPs (Internet eXchange Points) which implement VPLS based networks.

One of the main problems IXPs face which use VPLS to create a big broadcast domain is that of extensive ARP traffic on the network. Several projects have been done to find a solution to this problem such as an ARP sponge[3] and using OpenFlow[4].

The goal of this project is to investigate if current EVPN implementations can replace VPLS and whether EVPN can eliminate the ARP problem experienced by IXPs.

This project is located at the European Internet Exchange (ECIX) at their Berlin headquarters.

[1] http://tools.ietf.org/pdf/draft-ietf-l2vpn-evpn-req-07.pdf
[2] http://tools.ietf.org/pdf/draft-ietf-l2vpn-evpn-07.pdf
[3] http://rp.os3.nl/2008-2009/p23/report.pdf
[4] http://rp.os3.nl/2012-2013/p57/report.pdf

The measurement data produced in this research project can be found here: measurements.zip
 Kay Rechtien <kre=>ecix.net>
Thorben Krüger <tkr=>ecix.net>
Stefan Plug <stefan.plug=>os3.nl>
Lutz Engels <lutz.engels=>os3.nl> 		R
P 		2
32

E-Safenet encryption: Reversing and practical attacks.

Abstract: Device manufacturers and their suppliers in China are increasingly using encryption to make it hard for competitors to reuse code, even though the code in question is the Linux kernel which has been released under the GPLv2. Since companies in the consumer electronics industry go belly up very frequently it would not be the first time that source code gets lost, putting companies downstream of the supply chain in a very uncomfortable position of not being able to comply with license conditions and having their product taken off the market. It also makes it a lot harder to do license compliance audits and security audits.

One tool that is used for this is from a Chinese company called E-SafeNet. I recently obtained an archive with "source" code, containing U-Boot and the Linux kernel for an Android device. The encryption seems to be block based and I have (partial) source code which would make it interesting to perform a known plaintext attack on the encryption.

Your task would be to find out more about the encryption and if possible break it! 		Armijn Hemel <armijn=>tjaldur.nl>
Cedric Van Bockhaven <cedric.vanbockhaven=>os3.nl>
Jan Laan <jan.laan=>os3.nl> 		R
P 		1
33

Rich identity provisioning.

In order for the next phase of the internet to be as open and user centric as the past, end users of the internet should be in control of the mechanisms and credentials with which they use internet services and collaborate with others. There are a number of well known and lesser known technologies already in existance as building blocks for federation for this emerging future - notable openID, browserID, OAuth 1/2, U-Prove and XRI/Webfinger next to older technologies such as X509 certificates, Radius and PGP. Each provides another piece of the puzzle and the use cases for each of them vary as much as their adoption. This means that in order for the end user to remain flexible internet service providers should aim at supporting multiple mechanisms in parallel. The project will investigate the best possible architecture to create an integrated polyglot identity provisioning system that allows for pseudonimity, and identify possible open source components that could be integrated in such a solution. 		Michiel Leenaars <michiel=>nlnet.nl>
Jos van Dijk <Jos.vanDijk=>os3.nl> 		R
P 		2
39

Implementing proximity based device-to-device communication in commercial LTE networks in The Netherlands.

A hot new topic under development in the telecommunications world is "Proximity Based Services", also referred to as "LTE Direct". LTE Direct is an improvement of the way mobile devices can discover services that are available in the local area as well as an improvement on the way these
mobile devices can communicate with those services available in the local area.

Establishment of communication using LTE Direct is fundamentally different from establishment of communication based on e.g. Bluetooth or LTE Direct. In contrast with the existing approaches for direct communication, Radio Network Spectrum licensed to Mobile Operators is used with LTE Direct. Mobile operators want and need to be in control of the usage of their licensed spectrum. This results in new requirements for LTE Direct compared to
  • e.g. Bluetooth and LTE Direct,
  • e.g. because the mobile operator wants to charge for the usage of its spectrum or e.g. resulting from regulatory requirements such as Lawful Intercept.
The purpose of this research is to look into the LTE Direct concept to see what new issues this way of direct communication between mobile devices raises, explore one or more of these issues and to examine proper solutions. If new solutions are developed during your assignment at TNO, TNO is willing to file a patent application of this new solution on your behalf. 		Wissingh, B.F. (Bastiaan) <bastiaan.wissingh=>tno.nl>
Remco van Vugt <Remco.vanVugt=>os3.nl>
 R
P 		2
40

Android patching from a Mobile Device Management perspective.

Mobile. Private devices. Corporate data. Bring your own device and work from it. You can love it or hate it, but it is here. Unfortunately classical lockdown procedures cannot be applied to secure these devices. Besides legal and privacy related issues another interesting domain is becoming more critical: physical security. In order to manage the risks involved around mobile, corporates are rolling out Mobile Device Management (MDM) systems in order to monitor and control devices that are hooked onto corporate data or corporate infrastructure. But how secure are these solutions?

There are already known methods to hide rooted or jailbroken statuses to applications. Test your reverse engineering skills and see how you can manipulate these control systems. 		Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>
Martijn Knuiman <MKnuiman=>deloitte.nl>
Coen Steenbeek <CSteenbeek=>deloitte.nl>
Cedric Van Bockhaven <cedric.vanbockhaven=>os3.nl>
 R
P 		2
42

Practical OpenFlow: Real-Time Black-Hole of (D)DoS traffic.

In recent years DDoS attacks have grown from a nuisance to a real threat for ISPs. Most ISPs have a number of high capacity links (often >= 10Gbit) to the Internet backbone. DDoS mitigation solutions that can handle these kinds of traffic are very expensive and most ISPs are not able to afford them. A much better solution would be to use the existing network infrastructure (switches, routers), and give them some extra intelligence to drop malicious DDoS packets.

OpenFlow gives network administrators the ability to off-load most of the intelligence to an external controller. This also opens up the possibility to integrate additional intelligence into the basic packet forwarding. This project investigates the possibility to leverage this development to perform DDoS detection on the external controller and use the high capacity hardware of an OpenFlow switch to filter the malicious packets, without completely taking the target offline.

The inspiration was from a project performed by Sakura Internet [1]. They used sFlow with a custom script that instructs the controller through a REST API. Although testing the detection rate of this setup could be part of the project, a solution based solely on OpenFlow (so without the use of other / less widely accepted protocols) is preferred.

[1]http://packetpushers.net/openflow-1-0-actual-use-case-rtbh-of-ddos-traffic-while-keeping-the-target-online/ 		Hidde van der Heide <hidde.vanderheide=>os3.nl>
Mike Berkelaar <mike.berkelaar=>os3.nl>
Connor Dillon <connor.dillon=>os3.nl> 		R
P 		1
45

Open Data analysis to retrieve sensitive information regarding national-centric critical infrastructures.

The Open Data initiative is relatively new idea, and most countries are adapting to the principle that data should be freely available to users without major restriction constraints such as copyrights, non-disclosure agreements or patents. The concept is to provide free access to knowledge bases containing structured information from several datasets such as agriculture, business, energy, health, safety, supply chain, transport, etc. However, an important rule is applied to these datasets is that public information must not contain National Security information. Namely, is must be compliant with the basic policies of confidentiality, integrity and availability. Even with such restrictions, users with standard access might be capable to derive conclusions about how to identify critical sectors areas within a country by using visualization techniques.

Research questions:
  • Can users make use of Government Open Databases to retrieve country sensitive information?
  • Is it possible to categorize critical and strategic areas within a Country or even in City level?
http://www.opengovpartnership.org/ 		Benno Overeinder <benno=>NLnetLabs.nl>
Ralph Dolmans <ralph=>NLnetLabs.nl>
Renato Fontana <renato.fontana=>os3.nl> 		R
P 		2
46

Detecting IP Hijacking Through Server Fingerprinting.

To derive consistently functional and correct IP routing tables from a fluxing menagerie of BGP advertisements is not a matter of mere collection. Autonomous Systems employ filtering strategies to select the best available route to a given destination. Because the Internet is dynamic in its interconnectedness, routing changes are commonplace, and route filtering can only aspire to produce an ideal routing table, never with absolute certainty. This uncertainty opens a window to malicious route advertisements, in which a claim is made that a given IP subnet (victim subnet) is reachable via an AS with no legitimate claim to that subnet (malicious AS). If such malicious data is accepted into a routing table of an AS (victim AS) then a successful event of 'IP address hijacking' has occurred. At Greenhost, a hosting provider in Amsterdam, we have observed such an attack in the wild.
  • How can we analyze aggregated BGP data from around the world to identify subnets the potential victims of IP hijacking?
  • How can we subsequently probe these at-risk subnets to gain additional positive or negative evidence of hijacking?
Greenhost is exploring possible answers to these questions through the development of analytical programs and distributed network probing agents. 		Anatole Shaw <ash=>greenhost.nl> Douwe Schmidt <douwe=>greenhost.nl>
Sacha van Geffen <sacha=>greenhost.nl>
Magiel van der Meer <magiel.vandermeer=>os3.nl>
Eddie Bijnen <eddie.bijnen=>os3.nl> 		R
P 		1
47

DDOS detection and alerting.

A distributed denial-of-service attack is an attempt to make a machine or network resource unavailable to its intended users. DDoS attacks are rising. Recently many Dutch websites/services (bank, commercial, governmental) were unreachable because of DDoS attacks. Popular DDoS attacks generate abundant network traffic and thereby flood the network pipe of a machine or network node. Other attacks exhaust the processing power of the internet service.

Research questions:
  • how easy is it to DDoS an internet service?
  • which (internet) resources are available to start a DDoS?
  • what is needed (tools, infrastructure, design) in order to mitigate DDoS attacks?
  • Is there any correlation between the DDoS packets in an attack?
During this research project SURFnet will offer a special lab-environment that can be used to test the effectiveness of real internet DDoS’s. SURFnet also offer mitigation services that can be tested on their effectiveness SURFnet and HoneyNED, the Dutch Honeynet chapter, will supervise this research task. 		Rogier Spoor <Rogier.Spoor=>SURFnet.nl>
Daniel Romao <d.f.romao=>uva.nl>
Niels van Dijkhuizen <niels.vandijkhuizen=>os3.nl> 		R
P 		1
48

Timestomping NTFS.

The NTFS filesystem has numerous artifacts tracking temporal based information. Those artifacts can become key in an investigation, forming the bedrock of a timeline. For some of these artifacts it is known and demonstrated that modification is possible outside the regular update events. Thus introducing problem in the analysis phase, forcing investigators to always consider manipulation.

Index records ($i30) track the contents of directories (and server as an index for filtering and sorting functions). This NTFS structure also records timestamps for the files inside the directory. Would it be possible to manipulate these values in such a way a seasoned investigator will be fooled? This assignments includes both illustrating the possibility of manipulation using the schematics of NTFS, explaining possible telltale signs to detect manipulation and demonstrating the technique using a program allowing for modification. 		Kevin Jonkers <jonkers=>fox-it.com>
Marco van Loosen <marco.vanloosen=>fox-it.com>
Wicher Minnaard <wicher.minnaard=>os3.nl>
 R
P 		2
51

MySQL record carving.

Carving for (parts of) deleted files is a very commong procedure in forensic investigations on computers. Carving retrieves the content of previously deleted but not yet overwritten files from a data carrier. This same procedure can be applied within database files to recover deleted or old versions of records and/or tables. Due to the structured nature of data storage in database files, carving for record structures has been proven to be a feasible process by Pooters et al in 2011 (http://sandbox.dfrws.org/2011/fox-it/DFRWS2011_results/Report/Sqlite_carving_extractAndroidData.pdf).

The objective of this assignment is to develop a carving methodology for recovery of database records that works for at least one storage engine used in MySQL. The following are the deliverables of this project:
  • A short literature study into data carving and MySQL storage format(s)
  • A description of the proposed carving method, supported data types, storage engine(s) and limitations of the method
  • A proof of concept implementation of the proposed method
 Kevin Jonkers <jonkers=>fox-it.com>
Leendert van Duijn <Leendert.vanDuijn=>os3.nl>
Esan Wit <Esan.Wit=>os3.nl> 		R
P 		1
52

Securing the last-mile of DNS.

The Domain Name System (DNS) is slowly being secured using DNSSEC, this technology allows a resolver to verify the authenticity of DNS answers from authoritative nameservers. However, DNSSEC does not provide end-to-end security, the resolver on the end-user’s machine still has to trust the resolver in the network (or verify signatures itself).

The second problem is that the DNS does not provide any form of confidentiality, queries and the data therein are transmitted in-the-clear. Several techniques exist to encrypt and authenticate the DNS data between hosts like TSIG and SIG(0). The most promising technology to provide confidentiality of DNS data between the end-user and the resolver is the DNSCrypt from OpenDNS. This project uses DNSCurve to secure the connection between the client and the resolver. It supplies software for end-users that ships with the certificate of OpenDNS to verify the answers coming from the OpenDNS resolvers.

The goal of this research project is to define, and perhaps implement a mechanism that allows the end-user (stub-)resolver to securely retrieve information on its configured resolver to verify its identity. So the client knows that the it is talking to the correct resolver and the data sent to and from the resolver is protected from eavesdroppers. 		Matthijs Mekking <matthijs=>nlnetlabs.nl>
Jeroen van der Ham <vdham=>uva.nl>
Marc Buijsman <Marc.Buijsman=>os3.nl> 		R
P 		2
54

Detecting routing anomalies with RIPE Atlas.

RIPE Atlas (and other services) provides an excellent way to measure all sorts of data on the Internet. A feature that is currently underused is the analysis of traceroute data. The data from these traceroute experiments can provide some valuable insights especially if they are aggregated. The aggregated data can provide insight to possible anomalies in the network, such as:
  • Filtering
  • Eavesdropping
  • Man in the Middle attacks
  • Or simply routing policy changes
The goal of this project is to make the data from traceroute experiments easier to analyse, and to think about creating possible specific analyses that can be done with that data. 		Jeroen van der Ham <J.J.vanderHam=>uva.nl>
Barry van Kampen <fish=>randomdata.nl>
Todor Yakimov <todor.yakimov=>os3.nl> 		R
P 		2
55

Datamap.

The recent revelations on the NSA and other secret services have shown that your data in the US may not be that safe. While it has been in the papers, people do not seem very alarmed. Randomdata is cooperating with NRC Next to create a platform to increase awereness for normal people, http://whereismydata.nl/
The goal is to allow people to easily:
  • see where is your email
  • see where are websites
  • drop in "emails" and analyse the MX records to see what happened on its route
  • Give a better answer what is happing with your data
  • Firefox plugin to map (on the world) where website data is coming from
The goal of this project is to analyse what kind of data sources regular Internet users use, how to figure out where that data would be, and how to present this in a user-friendly way to provide them more insight. 		Jeroen van der Ham <vdham=>uva.nl>
Barry van Kampen <fish=>randomdata.nl>
Thijs Houtenbos <mathijs.houtenbos=>os3.nl>
Sharon Gieske <sharon.gieske=>os3.nl> 		R
P 		1
56

Feasibility of attacks against weak SSL/TLS ciphers.

Weak SSL ciphers have been around since many years. In theory many ciphers are cracked. But in current networks we find that the usage of weak ciphers is still very common. In practice only a few attempts have been successful, with EFF’s FPGA attack on DES with COPACOBANA being a noteworthy one. Many other ‘theoretically cracked’ weak ciphers are still not easy to crack in practice.

We would like the students to research the feasibility of cracking weak ciphers used. The research can include the entire process from intercepting communication, extracting the data used for attack, select best way of cracking, perform crack and uncover the secrets. Ideally, the research results in a statement on the feasibility of cracking these weak ciphers. What ciphers exactly to be included will be selected at the start of the research.

Research at KPMG IT Advisory can be challenging. We strive for the best results and therefore invest a considerable amount of time in you, to help you achieve the best. But to succeed together we require fully determined students that would like to go the extra mile.

The RP topics as stated on the website are fixed but we are open to changes in the exact research approach if the student prefers. We encouraged students to come up with own ideas and approaches. During the short intake interview your are invited to bring your ideas and approaches to the table. We use the intake to select the students who will get the opportunity to perform their research project at KPMG.
 Marc Smeets <marc=>linq42.nl>
Jeroen van der Ham <J.J.vanderHam=>uva.nl>
Kim van Erkelens <Kim.vanErkelens=>os3.nl>
 R
P 		2
57

Security assessment on a VXLAN-based network.

In current cloud infrastructure of service providers most of the servers are virtual machines (VM’s). Sometimes VM’s need to be migrated from one environment to another. Currently migration between different environments is done by connecting them on a layer 2 infrastructure with IEEE standard 802.1Q tags or QinQ. There are some limitations. VXLAN (Virtual eXtensible Local Area Network) has been submitted to the IETF for standardization (http://tools.ietf.org/html/draft-mahalingam-dutt-dcops-vxlan-05). This protocol can extend logical networks in different Layer 2 domains via a Layer 3 network. Where normal VLAN connected VM’s can only migrate using layer 2.

We would like the students to investigate the possibilities of the use of VXLAN in addition to ‘normal’ VLAN infrastructures and show these differences in a practical example. A testlab will be set-up by the students with the help of the supervisors for 5 hours per week each. 		Sander Ruiter <Sander.Ruiter=>vancis.nl>
Maarthen Kastanja <Maarthen.Kastanja=>vancis.nl>
Maarten Dammers <Maarten.Dammers=>vancis.nl>
Guido Pineda <guido.pineda=>os3.nl> 		R
P 		1
59

Detecting DDOS attacks using distributed processing frameworks.

Hadoop is a framework for distributed processing of large data sets. Originally Hadoop only supported the MapReduce algorithm. However, new frameworks have been developed which are capable of utilizing the distributed processing capabilities of the Hadoop framework in a wide variety of computer science disciplines. For example; machine learning, database systems, statistics and artificial intelligence. In this research we will utilize these new frameworks in order to find patterns in large amounts (terrabytes) of NetFlow data. In specific we will look for patterns which predict the occurence of DDOS attacks.

Research Question: Can historical NetFlow data lead to new insights and automation in detecting and mitigating networking incidents such as DDOS attacks? 		Sander Ruiter <Sander.Ruiter=>vancis.nl>
Anthony Potappel<Anthony.Potappel=>vancis.nl>
Sudesh Jethoe <sudesh.jethoe=>os3.nl> 		R
P 		2
60

Evaluation of the feasible attacks against RFID tags for access control systems.

Many organizations rely on RFID technology for access control to their buildings. It is well known in academia that many of the underlying technologies like Mifare are insecure. However little research has been done into the practical application of these attacks for actual physical access control systems. We would like to develop a practical approach that can be used to assess the security of an RFID access control system. What are the do’s and don’ts and how can this be tested in an assessment. Deloitte has existing RFID hacking equipment that can be used. This needs to be translated into a practical approach for performing an assessment on an access control system. 		Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>
Pieter Westein <pwestein=>deloitte.nl>
Hristo Dimitrov <hristo.dimitrov=>os3.nl>
Kim van Erkelens <kim.vanerkelens=>os3.nl> 		R
P 		1
62

PIRE ExoGeni - ENVRI preparation for Big Data science.

The SNE group has build an OpenLab to study architectures and develop algorithms for distributed Big Data Analysis on a distributed high performance programmable infrastructure. This infrastructure consists of compute clusters, OpenFlow capable network switches and high speed (> 10 Gbit/s up to 100 Gbit/s) connectivity to SURFnet and the USA. Our openlab connects to the US-NSF GENI project and can communicate and work with about 40 similar setups accross many USA Universities. Next year june we will have a PIRE workshop where international students will research multi disciplinary science by using data from different repositories containing about a petabyte of data. This project is about preparing the infrastructure for that workshop.

In this project the student is asked to study the requirements to prepare and connect the ExoGeni rack in the SNE OpenLab to the OpenScienceDataCloud and test the performance of data transfer in different situations. If possible also the connection and use of data sources from the EU-Envri project should be attemted and benchmarked.

More info:
 Ana Oprescu <a.m.oprescu=>uva.nl>
Zhiming Zhao <z.zhao=>uva.nl>
Ioannis Grafis <Ioannis.Grafis=>os3.nl>
Stavros Konstantaras <Stavros.Konstantaras=>os3.nl> 		R
P 		1
63

Information Centric Networking for Delivering Big Data with Persistent Identifiers.

Information Centric Networking (ICN) is a new network paradigm for content delivery. Instead of routing information based on nodes and hosts like in IP networks, ICN routes data content based on unique identifiers of data objects and caching them in the delivery paths between sources and destinations. In research data infrastructures, data preservation and Persistent Identifier (PID) become an important functional requirement for accessing data contents after the their curation or publication, in particular for time series observations. The ICN provides a natural architecture for transferring preserved research data with a PID. However, ICN also faces challenges for mapping different PID types onto the routing schemes, and the scalability, efficiency and security for routing and caching strategies for time series data contents.
The goal of this project is to investigate these challenges and propose a suitable ICN solution for research data infrastructures. In the project, we will perform the following tasks:
  1. review the current naming schemes for ICN and PID,
  2. review the caching and routing strategies for delivering scientific data with PID
  3. prototype and evaluate the efficiency of the routing strategy.
 Zhiming Zhao <z.zhao=>uva.nl>
Andreas Karakannas <Andreas.Karakannas=>os3.nl>
 R
P 		2
64

Combating DNS amplification using cookies.

Distributed Denial of Service (DDoS) attacks are one of the biggest threats to the security and stability of the Internet. In SURFnet's constituency, we see an ever increasing number of attacks against schools on our network. Many of these attacks are UDP-based amplification attacks, relying on protocols like DNS, NTP and SNMP. The purpose of this project is to focus on one of these, DNS amplification attacks. A recent draft RFC [1] proposes to introduce "DNS cookies", which seems to be a promising approach to mitigating this particular attack. In this project we would like you to:
  • Study the draft RFC
  • Analyse if, and if so, how, the draft RFC can mitigate DNS amplification attacks
  • How effective this mitigation is
  • How this particular mitigation strategy compares to other approaches such as DNS Response Rate Limiting (RRL) [2]
  • Whether there is room for improvement
  • What operational hurdles can be expected if this RFC were to be implemented
If there is time, you are encouraged to implement a prototype version of this RFC.
Some background knowledge about DNS, DNSSEC and DNS amplification attacks is highly recommended.

[1] Eastlake, D., Domain Name System (DNS) Cookies, Internet Draft, http://tools.ietf.org/html/draft-eastlake-dnsext-cookies-04
[2] ISC, A Quick Introduction to Response Rate Limiting, https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html 		Roland van Rijswijk-Deij <roland.vanrijswijk=>surfnet.nl>
Sean Rijs <sean.rijs=>os3.nl> 		R
P 		2
65

Peer-to-Peer Botnet Detection Using NetFlow.

Goal : Analyse live NetFlow data on suspicious behaviour.

Approach : The Malware Intelligence Team is interested in pragmatic students and graduates willing to explore new grounds in analysing in NetFlow captured network traffic for detecting malicious behaviour. A good knowledge and understanding of internet and internet related network traffic is required:
  • Research existing malicious behaviour detection algorithms applicable to NetFlow analysis
  • Developing new malicious behaviour detection algorithms applicable to NetFlow analysis on a conceptual level
  • Select a subset of malicious behaviour on relevance and implementation feasibility
  • Implement the subset in pseudo-code
  • Present the subset meta-code to the Malware Intelligence Team
  • Realize a proof of concept implementations of approved subset members in Python
  • Test the individual implementations on effectiveness in a lab-environment
Result : The result is a report on effectiveness and relevance based on lab results, recommendation on applicability of the individual implementations and recommendations for future research.

Working environment : The Malware Intelligence Team is offering a pleasant, spacious working environment. Our lab environment is located on walking distance of a main train station. Skilful and experienced team members are responsive and supportive, the working environment is open, informal and relaxed.

Website : www.redsocks.nl 		Pepijn Janssen <pepijn.janssen=>redsocks.nl>
Connor Dillon <connor.dillon=>os3.nl>
 R
P 		2
66

Covert channel detection using flow-data.

Goal : Analyse NetFlow history data on suspicious behaviour.

Approach : The Malware Intelligence Team is interested in pragmatic students and graduates willing to explore new grounds in analysing stored NetFlow network traffic for detecting malicious behaviour. Statistical skills and a good knowledge and understanding of internet and internet related network traffic is required:
  • Research existing statistical malicious behaviour detection methods applicable to NetFlow history analysis
  • Developing new statistical behaviour detection algorithms applicable to NetFlow history analysis on a conceptual level, using techniques like dimensionality reductions, feature extractions, Bayesian probabilities and probabilistic classifiers
  • Select a subset of malicious behaviour on relevance and implementation feasibility
  • Create a detailed presentation for implementing the subset
  • Present the result to the Malware Intelligence Team
  • Realize a proof of concept implementations of approved subset members in Python/SQL/XML
  • Test the individual implementations on effectiveness in a lab-environment
Result : The result is a report on effectiveness and relevance based on lab results, recommendation on applicability of the individual implementations and recommendations for future research.

Working environment : The Malware Intelligence Team is offering a pleasant, spacious working environment. Our lab environment is located on walking distance of a main train station. Skilful and experienced team members are responsive and supportive, the working environment is open, informal and relaxed.

Website : www.redsocks.nl 		Pepijn Janssen <pepijn.janssen=>redsocks.nl>
Guido Pineda <guido.pineda=>os3.nl>
 R
P 		2
67

ElectroMagnetic Fault Injection Characterization on ARM Cortex-A9.

Fault injection attacks are proven to be practical and pose a risk against the secure operation of embedded devices. Unfortunately, reasoning what the injected fault causes inside the chip is very difficult and usually only the result is clearly describable (e.g. successful bypass of a security feature). Therefore, it is very difficult to predict what an effective approach will be.

A previous conducted RP project, by Albert Spruyt, focused on understanding the effects of power fault injection for a specific target.

This RP will focus on extending the work performed by Albert with the option to switch from power fault injection to optical fault injection or EMFI. Additionally, a faster chip with a difference architecture will be the target.

The following deliverables are requested from the student:
· A clear description of the performed tests and results
· Comparison of the results with Albert’s work
· Comparison with research available on the internet (if applicable)
· Recommendations for future testing 		Niek Timmers <Timmers=>riscure.com>
Albert Spruyt <Spruyt=>riscure.com>
George Thessalonikefs <George.Thessalonikefs=>os3.nl> 		R
P 		1
68

Practical Security and Key Management.

These days just about every protocol and service features encryption. This can either be in the protocol itself, or by using a secure transport layer. For all these services and transports we need keys. Unfortunately, security is as strong as the weakest link. This is also true for all operations around keys as we have seen in the results of Heartbleed.

Right now if somebody, or an organization regardless of its size, needs information on best practices on creation, issuing, usage, storage, revocation, deletion and rollover of keys, there is no one place to go to. All info on bit length, hashing mechanisms, secure storage in a vault, setup of revocation - all is scattered across numerous sources that may or may not be up to date. If we want to be ready for wider use of IT security, this needs to change.
  • But what is the best way to do this?
  • Can we create an overview of all best practices for relevant keys?
  • What is the best way to store them securely?
  • What about revocation and roll-over procedures?
  • And does the answers to the above questions change when you have only little, a lot or even loads of money to spend?
  • How does this then become more secure?
We would like the students to provide a comprehensive and usable(!) overview of all things key security related. Ideally it should be the goto paper for all people interested in secure communications, from security officers in organization to people without a technical background that require use of secure communication, e.g. journalists. If done correctly we can see this having a large impact on the security of the Internet.
 Jeroen van der Ham <vdham=>uva.nl>
Marc Smeets <marc=>linq42.nl>
Magiel van der Meer <magiel.vandermeer=>os3.nl>
 R
P 		2
69

Software Defined VPN's.

SDN aims to replace a variety of network technologies by a open and unified ecosystem in which software controls commodity networking hardware in datacenters, campus networks, and wide-area networks. As a positive sign the industry has taken up SDN concepts, though the first SDN deployments use proprietary technologies. The concern for the uptake of an open SDN ecosystem is that  its protocol specifications should allow practical and efficient implementation of networks services in comparison with already highly optimized network technologies, such as MPLS, VPLS, and VXLAN. In short, the question is if an open and unified ecosystem can provide similar capabilities and efficiency as proprietary implementations. In this research, we will focus on the design of a Virtual Private LAN Service (VPLS) using the latest Openflow specification (1.3).
  • How can a practical and efficient implementation of VPLS be made in SDN?
  • How do the practical SDN constraints or capabilities impact the design of a VPLS?
The research should address and present a practical solutions for each subproblem in VPLS: establishing end-user connectivity, core network routing, multi-domain connectivity, and crossing legacy networks. The results of this study provides direct input to Community Connect, a GN3+ project in which TNO and Surfnet are designing a VPLS for the e-Science community over the SDN infrastructure of GEANT. 		Rudolf Strijkers <rudolf=>strijkers.eu>
George Thessalonikefs <George.Thessalonikefs=>os3.nl>
Stavros Konstantaras <Stavros.Konstantaras=>os3.nl>
 R
P 		2
70

Bootable Linux CD / PXE for the remote acquisition of multiple computers.

In the field of digital forensics the acquisition of multiple computers in large IT infrastructures have always been a complex and time consuming task. Especially when not knowing which computer to investigate and needing to acquire all of them. At companies, data centres, high schools and universities this is quite an issue for digital forensic investigators. When performing an acquisition a lot of steps have to be considered, like performing live forensics (acquiring the RAM and other volatile information). The most important aspect to take into account is the forensic value and validity of the process, among making no (preferred) or minimized changes to the computer. These steps and aspects can hardly be automated, but some enhancements can be made.
It’s hard to automate the acquisition of the RAM (volatile memory), but the acquisition of the storage devices of multiple computers in a network could be automated. There is some software available that could perform such tasks, but this software doesn’t give a clear insight on its process and is expensive. With a lot of open source Linux distributions and software available there could be a solution for this problem which will make the acquisition in large IT infrastructures easier and faster, while maintaining the forensic value and validity.

The main question for this research project is:
How can a bootable Linux CD / PXE be build for the remote acquisition of multiple computers?

The main question is researched by the following sub questions:
  1. Which Linux distribution will be suited as a bootable environment for the remote acquisition of multiple computers?
  2. How will the bootable environment distribute the storage devices securely across the network?
  3. What is needed within the bootable environment?
  4. Which settings need to be configured beforehand for the bootable environment?
 Zeno Geradts <zeno=>holmes.nl>
Ruud Schramp <schramp=>holmes.nl>
Dennis Cortjens <dennis.cortjens=>os3.nl>
 R
P 		2
71

Remote data acquisition on block devices in large environments.

In modern days the amount of available data in data centers is enormous. In a forensics aspect, this is a nightmare because it is becoming a bigger challenge everyday to get all of the data out of a data center in order to do forensics on it. The Dutch Forensic Institute(NFI) has requested to research a solution to this problem by developing an "easy" way to remotely connect directly to the required hard drives of a certain system and be able to store only the required content necessary for forensics locally. This research has been split into three subresearches; a client, which should be a very small operating system bootable by CD or PXE which automatically connect the systems block devices over a secure channel to a server, a server, which offers to read this block devices in a smart way, and finally the acquisition part which can do analyses on the acquired data.

This research will focus upon the server part and mainly upon the block device level. As it is not always possible to copy all data, only necessary data should be transferred to the server’s storage. In order to do this, a copy-on-read(CoR) system is desired combined with a copy-on-write system. As copy-on-write(CoW)1 (file) systems already exist at large scale, for example fusecow, it is hard to find copy- on-read (file) systems. A copy-on-read file system would give the possibility to only store data locally that has been read remotely, resulting in always having access to already read data. Ideally, a solution is found that can mount an existing block device that performs both CoW and CoR simultaneously. 		Zeno Geradts <zeno=>holmes.nl>
Ruud Schramp <schramp=>holmes.nl>
Eric van den Haak <eric.vandenhaak=>os3.nl> 		R
P 		2
73

Beacon detection in PCAP files.

De beacon detection in pcaps analysis is not about beacon frames as part of 802.11. The research question is how you can recognize compromised systems that are beaconing to command & control infrastructure if you have access to (large numbers of) packet captures while the actual beaconing can take place with differing frequencies.

The project will work with detecting beacons from PCAP files, the possible superviser is Robert Jan Mora, Robert.Mora@shell.com 		Sjoerd Peerlkamp <S.Peerlkamp=>shell.com>
Leendert van Duijn <Leendert.vanDuijn=>os3.nl> 		R
P 		2
74

NetFlow Anomaly Detection; Finding covert channels on the network.

The research will focus on detection malicious traffic (such as malware or covert channels) via NetFlow data. Popular IDS (combined with SIEM) such as Suri- cata or Snort usually rely on signatures for detection. This research will try to normalize legitimate traffic versus malicious traffic without explicitly trying to look at packet (OSI Software Layer) content. Several metrics can be taken into account when trying to detect malicious traffic, a few examples can be:
  • Source and destination addresses
  • Source and destination ports
  • Frequency of traffic (per protocol, per port or per address) • Response / Request times
  • TCP versus UDP traffic
  • Protocol type (ie. DNS, HTTP, FTP)
  • Packet sizes
Taking some of these (or more) of these metrics into account, an analysis will be made to measure the true-positive vs false-positive ratio (also compared to signature- based systems). The final results should include statistics of detection and an implementation demonstrating NetFlow anomaly detection. 		Robert Jan Mora <Robert.Mora=>shell.com>
Joey Dreijer <Joey.Dreijer=>os3.nl> 		R
P 		1
75

Cross-realm Kerberos implementations.

Kerberos is a very popular authentication system for internal networks. It is used by software like Samba and Active Directory. Kerberos can be used for cross realm authentication in predefined configurations

There are four core implementations of Kerberos namely: MIT Kerberos 5, Heimdal, Active Directory and GNU Shishi. This project will focus on the cross compatibility of these four implementations and on how to enable the kerberos servers to identify other realms and use these for cross-realm authentication.

The future goal is to pave way for a system which can be used to authenticate users on services offered on the internet using a single identity provider of choice. This to offset the dependence on Facebook, Google, Twitter, etc. as an OAuth provider. 		Michiel Leenaars <michiel=>nlnet.nl>
Mick Pouw<mick.pouw=>os3.nl>
Esan Wit <Esan.Wit=>os3.nl>
 R
P 		2
77

(Distributed) Denial of Service attacks via 4G/LTE networks.

The term 4G, short for fourth generation, is the fourth generation of mobile telecommunications technology. The requirements for 4G are specified in the International Mobile Telecommunications Advanced (IMT-Advanced). Specific requirements include; based on IP protocol, packet switched, 100 Mb/s for moving clients and 1Gb/s for stationary clients. At the moment of writing there are two 4G capable technologies, Wimax and LTE- Advanced. Even though LTE-Advanced is advertised as 4G, no ISP (in the Netherlands) provides speeds above 50Mb/s.
There have been a lot of (D)DOS attacks in the last few years, mainly via botnets. Botnets provide both the necessary speed and power as well as the anonymity. Making the attack difficult to mitigate and the attacker hard to find. (Ab)using the anonymity that prepaid cards provide and the high speed of 4G networks, (D)DOS attacks via 4G networks could be just as harmful, but with the added risk that anonymity can be bought. Computers need to be hacked to form a botnet, prepaid cards can be purchased. However, Wireless networks dif- fer from wired networks in speed, latency, reliability and bandwidth [3],making them possibly less suited to perform a (D)DOS attack. This paper will research the difference in DDOS at- tacks and mitigation on LTE networks.
 Hans Nelissen <hans.nelissen=>vodafone.com>
W. van Dullink <Wouter.vanDullink=>os3.nl>
R. Ramdhan <Rawi.Ramdhan=>os3.nl>
 R
P 		2

Presentations-rp2

The event is stretched over two days: Wednesday-Thursday July 2-3 th, 2014.

Wednesday July 2 th, 2014. Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
09h45 # Welcome, introduction. Cees de Laat Loc RP
09h55 14
 Measuring the deployment of DNSSEC over the Internet.
 Nicolas Canceill NLnetLabs 2
10h15 56 Feasibility of attacks on weak SSL ciphers. Kim van Erkelens Linq42 2
10h35 68
 Practical Security and Key Management.
 Magiel van der Meer Linq42 2
10h55
Break


11h15 70
 Linux CD / PxE boot t.b.v. live aquisitie van servers in een data center.
 Dennis Cortjens NFI 2
11h35 71
 Veiligstel server.
 Eric van den Haak NFI 2
11h55 10
 Determining camera model from JPEG quantization tables.
 Sharon Gieske NFI 2
12h15 64
 Combating DNS amplification using cookies. Sean Rijs SURFnet 2
12h35
Lunch


13h30 48
 NTFS index records timestamp manipulation. Wicher Minnaard FOX-IT 2
13h50 30 Quarantainenet. Bas Vlaszaty QuarantaineNet 2
14h10 40 Android patching from the MDM. Cedric Van Bockhaven Deloitte 2
14h30 8
 DDoS Security Testing.
 Azad Kamali, Mike Berkelaar
 Deloitte 2
14h55
Closing. Cees de Laat & OS3 team


Thursday July 3 th, 2014, Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
09h45 #RP Welcome, introduction. Jaap van Ginkel Loc RP
10h00 39
 Exploring problem areas of newly developed telecom technology "LTE Direct". Remco van Vugt TNO 2
10h20 69
 Software Defined VPN's.
 George Thessalonikefs, Stavros Konstantaras UvA 2
10h45 63 Information Centric Networking (ICN) for delivering time series data with Persistent Identifier (PID) Andreas Karakannas UvA 2
11h05
Break


11h25 33
 Rich identity provisioning.
 Jos van Dijk NLnet 2
11h45 34
 Automated migration testing.
 Ioannis Giannoulatos
 NLnet 2
12h05 75 Cross-realm Kerberos implementations. Mick Pouw, Esan Wit NLnet 2
12h30
Lunch


13h30 73
 Beacon detection in pcaps.
 Leendert van Duijn Shell 2
13h50 11
 Internet Content Filter (ICF) analysis.
 Peter van Bolhuis Shell 2
14h10 74
 Detecting malware traffic from flow-data.
 Joey Dreijer Shell 1
14h30 3
 DNS security revisited.
 Anastasios Poulidis, Hoda Rohani on2it 2
14h55
Break


15h15 65
 Malicious network activity detection. Connor Dillon RedSocks 2
15h35 66
 Covert channel detection using flow data.
 Guido Pineda RedSocks 2
15h55 31
 Using EVPN to minimize ARP traffic in an IXP environment.
 Stefan Plug, Lutz Engels ECIX 2
16h20 13
 Detecting and fixing security threats in Security Autonomous Response Network.
 Hristo Dimitrov
 TNO/UvA 2
16h40
Closing. Cees de Laat & OS3 team

16h41
Drinks OS3 team


Presentations-rp1

Tuesday feb 4th, 13h30 in INIT Auditorium 1 Amsterdam.
Time #RP Title Name(s) RP
13h40 27
 Automated SSL health assessment. Eric van den Haak, Mick Pouw 1
14h05 60
 RFID Access Control Security Assessments.
 Hristo Dimitrov, Kim van Erkelens 1
15h30 7
 Research authentication alternatives.
 Jos van Dijk
 1
14h50
break

15h10 64 Anonymous market places. Andy Ptasinski
 1
15h30 26
 What internal company data can you find outside of the company?
 Peter van Bolhuis, Jan-Willem Selij
 1
15h55
break

16h10 45 Open Data Analysis - Critical infrastructures. Renato Fontana 2
16h30 17 Live IT Infrastructure Requirements Verification. Hoda Rohani, Azad Kamali 1
16h55
Cees de Laat & OS3 team Evaluation.
17h00
End


Wednesday feb 5th in room A1.10 (morning) and F1.02 (afternoon) at Science Park 904 NL-1098XH Amsterdam.
Time #RP Title Name(s) RP
9h30
Welcome, introduction. Cees de Laat
9h40 5
 PIRE ExoGeni preparation for Big Data science.
 Andreas Karakannas, Anastasios Poulidis
 1
10h05 62
 PIRE ExoGeni - ENVRI preparation for Big Data science. Ioannis Grafis, Stavros Konstantaras 1
10h30 5 break

10h45 28
 DDos Attacks & Electronic Payment systems.
 Joris Claassen, Sean Rijs
 1
11h10 32
 (semi-)known plaintext attack against files encrypted with E-SafeNet.
 Cedric Van Bockhaven, Jan Laan
 1
11h35 42
 Practical OpenFlow: Real-Time Black-Hole of (D)DoS traffic.
 Mike Berkelaar, Connor Dillon
 1
12h00
break for lunch

13h00 46
 IP hijacking.
 Magiel van der Meer, Eddie Bijnen
 1
13h25 47
 DDoS attacks.
 Daniel Romao, Niels van Dijkhuizen
 1
13h50 54
 RIPE Atlas traceroute data.
 Todor Yakimov
 2
14h10
break

14h30 51
 MySQL record carving.
 Leendert van Duijn, Esan Wit
 1
14h55 55
 Data Map.
 Thijs Houtenbos, Sharon Gieske
 1
15h20
break

15h40 57
 Cloud migrations using VXLAN.
 Guido Pineda
 1
16h00 67
 Injection Characterization. George Thessalonikefs 1
16h20
End


Presentations of RP's outside normal schedule

Program:

Date/Time Location #RP Title Name(s) Sup RP
Aug 20, 13h30 B.1.23 59 Detecting DDOS attacks using distributed processing frameworks. Sudesh Jethoe VANCIS 2
Aug 20, 14h00 B.1.23 77 (Distributed) Denial of Service attacks via 4G/LTE networks. Wouter Dullink, Rawi Ramdhan Vodafone 2