home

SNE Master Research Projects 2020 - 2021

  http://uva.nl/
2004-
2005
2005-
2006
2006-
2007
2007-
2008
2008-
2009
2009-
2010
2010-
2011
2011-
2012
2012-
2013
2013-
2014
2014-
2015
2015-
2016
2016-
2017
2017-
2018
2018-
2019
2019-
2020
2020-
2021
2021-
2022
Contact TimeLine Projects LeftOver Projects Presentations-rp1 Presentations-rp2 Objective Process Tips Project Proposal

Contact

Cees de Laat, room: C.3.152
Course Codes:

Research Project 1 53841REP6Y
Research Project 2 53842REP6Y

TimeLine


RP1 (January):
  • Wednesday Sept 16, 10h00-11h30: Introduction to the Research Projects.
  • Wednesday Dec 2, 13h00-16h00: Detailed discussion on selections for RP1.
  • Monday Jan 4th - Friday Jan 29th 2021: Research Project 1.
  • Friday Jan 8th, 24h00: (updated) research plan due.
  • Monday Feb 1, 11h00-16h00: Presentations RP1 - online.
  • Tuesday Feb 2, 10h00 - 15h00: Presentations RP1 - online.
  • Sunday Feb 7, 24h00: RP - reports due
RP2 (June):
  • Wednesday May 12,13h00-16h00, Detailed discussion on selections for RP2.
  • Monday May 31th - Friday Jun 25: Research Project 2.
  • Friday Jun 4th, 24h00: (updated) research plan due.
  • Monday May 14, 16h00, discussion on progress (voluntarily)
  • Tuesday June 29, 10h00-17h00: presentations.
  • Monday Jul 5, 24h00: RP - reports due.

Projects

Here is a list of student projects. New ones added at the end. Old and unavailable rp's will be removed including the number, hence the gaps. Remaining rp's carry over to next year. They can be found here. In a futile attempt to prevent spam "@" is replaced by "=>" in the table. Color of cell background:
Project available Presentation received. Confidentiality was requested.
Currently chosen project. Report received. Blocked, not available.
Project plan received. Completed project. Report but no presentation
Outside normal rp timeframe project will be done in next block

wordle-s.png


title
summary
supervisor contact

students
R

P
1
/
2
6

Designing structured metadata for CVE reports.

Vulnerability reports such as MITRE's CVE are currently free format text, without much structure in them. This makes it hard to machine process reports and automatically extract useful information and combine it with other information sources. With tens of thousands of such reports published each year, it is increasingly hard to keep a holistic overview and see patterns. With our open source Binary Analysis Tool we aim to correlate data with firmware databases.

Your task is to analyse how we can use the information from these reports, what metadata is relevant and propose a useful metadata format for CVE reports. In your research you make an inventory of tools that can be used to convert existing CVE reports with minimal effort.

Armijn Hemel - Tjaldur Software Governance Solutions
Armijn Hemel <armijn=>tjaldur.nl>

Bart van Dongen <bdongen=>os3.nl>
R

P
1
10

Defeating the Fakes: Vocal Fake Detection using Discrete Fourier Transform in Neural Networks.

The detection of manipulation of broadcasting videostreams with facial morphing on the internet. Examples are provided from https://dl.acm.org/citation.cfm?id=2818122 and other on line sources.
Zeno Geradts <zeno=>holmes.nl>
Tina Tami <Tina.Tami=>os3.nl>
Lars Tijsmans <lars.tijsmans=>os3.nl>
R

P
2
14

Using a verifiable and decentralized ledger as a basis for trusting hospital endpoints.

Currently, the Whitebox provides a means for doctors (General Practitioner GPs) to establish static trusted connections with parties they know personally. These connections (essentially, authenticated TLS connections with known, validated keys), once established, can subsequently be used by the GP to authorize the party in question to access particular patient information. Examples are static connections to the GP post which takes care of evening/night and weekend shifts, or to a specific pharmacist. In this model, trust management is intuïtive and direct. However, with dynamic authorizations established by patients (see general description above), a question comes up on whether the underlying (trust) connections between the GP practice (i.e., the Whitebox) and the authorized organization (e.g,. hospital or pharmacist) may be re-usable as a 'trusted' connection by the GP in the future.

The basis question is:
  • what is the degree of trust a doctor can place in (trust) relations that are established by this doctor's patients, when they authorize another healthcare professional?
More in general:
  • what degree of trust that can be placed in relations/connections established by a patient, also in view of possible theft of authorization tokens held by patients?
  • What kind of validation methods can exist for a GP to increase or validate a given trust relation implied by an authorization action of a patient?
Perhaps the problem can be raised to a higher level also: can (public) auditing mechanisms -- for example, using block chains -- be used to help establish and validate trust in organizations (technically: keys of such organizations), in systems that implement decentralized trust-base transactions, like the Whitebox system does? In this project, the student(s) may either implement part of a solution or design, or model the behavior of a system inspired by the decentralized authorization model of the Whitebox. As an example: reputation based trust management based on decentralized authorization actions by patients of multiple doctors may be an effective way to establish trust in organization keys, over time. Modeling trust networks may be an interesting contribution to understanding the problem at hand, and could thus be an interesting student project in this context.

NB: this project is a rather advanced/involved design and/or modelling project. Students should be confident on their ability to understand and design/model a complex system in the relatively short timeframe provided by an RP2 project -- this project is not for the faint of heart. Once completed, an excellent implementation or evaluation may become the basis for a research paper.

See also (in Dutch): https://whiteboxsystems.nl/sne-projecten/#project-2-ontwerp-van-een-decentraal-vertrouwensmodel
General introduction
Whitebox Systems is a UvA spin-off company working on a decentralized system for health information exchange. Security and privacy protection are key concerns for the products and standards provided by the company. The main product is the Whitebox, a system owned by doctors (GPs) that is used by the GP to authorize other healthcare professionals so that they - and only they - can retrieve information about a patient when needed. Any data transfer is protected end-to-end; central components and central trust are avoided as much as possible. The system will use a published source model, meaning that although we do not give away copyright, the code can be inspected and validated externally.
The Whitebox is currently transitioning from an authorization model that started with doctor-initiated static connections/authorizations, to a model that includes patient-initiated authorizations. Essentially, patients can use an authorization code (a kind of token) that is generated by the Whitebox, to authorize a healthcare professional at any point of care (e.g., a pharmacist or a hospital). Such a code may become part of a referral letter or a prescription. This transition gives rise to a number of interesting questions, and thus to possible research projects related to the Whitebox design, implementation and use. Two of these projects are described below. If you are interested in these project or have questions about other possibilities, please contact <guido=>whiteboxsystems.nl>.

For a more in-depth description of the projects below (in Dutch), please see https://whiteboxsystems.nl/sne-projecten/
Guido van 't Noordende <guido=>whiteboxsystems.nl>

Matthijs Bartelink <Matthijs.Bartelink=>os3.nl>
R

P
1
27

Detection of false frame attacks in video systems.

A smart attack was investigated which can be performed at the time of recording video only against smart VSS (Video Surveillance System). The main feature of smart VSS is its ability to capture a scene immediately on the detection of particular activity or object. This new design has been made target by attackers who trigger the injection of false frames (false frame injection attack).

The RQ is if how we can detect that this happened afterwards if challenged in court.

Reference:
D. Nagothu, J. Schwell, Y. Chen, E. Blasch, S. Zhu, A study on smart online frame forging attacks against video surveillance system, in: Sensors and Systems for Space Applications XII, Vol. 11017, International Society for Optics and Photonics, 2019, p. 110170 (2019)
Zeno Geradts <zeno=>holmes.nl>

Joris Janssen <Joris.Janssen=>os3.nl>
R

P
1
31

Profiling the abuse of exposed secrets in public repositories.

Appropriate secret management during software development is important as such secrets are often high privileged accounts, private keys or tokens which can grant access to the system being developed or any of its dependencies. Systems here could entail virtual machines or other software/infrastructure/platform services exposing a service for remote management. To combat mismanagement of secrets during development time, software projects such as HachiCorp Vault or CyberArk Conjure are introduced to provide a structured solution to this problem and to ensure secrets are not exposed by removing them from the source code.

Unfortunately, secrets are still frequently committed to software repositories which has the effect of accidentally ending up in either packages being released or in publicly accessible repositories, such as on Github. The fact that these secrets are then easily accessed (and potentially abused) in an automated fashion has been recently demonstrated by POC projects like shhgit [1].

This research would entail the study and profiling of the behavior of the abuser of such secrets by first setting up a monitoring environment and a restricted execution environment before intentionally leaking secrets online through different channels.

Especially, the research focuses on answering the following questions:
  • Can abuse as a result of leaked credentials be profiled?
  • Can profiles be used to predict abuser behavior?
  • Are there different abusers / patterns / motives for different types of leaked credentials?
  • Are there different abusers / patterns / motives for different sources of leaked credentials?
  • Can profiles be used to attribute attacks to different attacker groups?
Prior experience with security monitoring and or cloud environments such as AWS / Azure is recommended in order to timely scope the research to a more feasible proposal.

[1] https://github.com/eth0izzle/shhgit
Fons Mijnen <fmijnen=>deloitte.nl>
Mick Cox <mcox=>deloitte.nl>

Maurice Mouw <Maurice.Mouw=>os3.nl>
R

P
1
33

Cloud Access Security Brokers (CASBs); Characterization of the CASB market and its alignment with corporate expectations.

CASB are often referred to as the new firewall of the Cloud era; they provide a middleman layer between a company network and a set of web services. However, many companies have been disappointed by their capabilities after implementation.

The objective of this research is to provide an detailed comparison of the current capabilities of the market leaders against the capabilities expected by corporate IT executives. You will have to address the following point:
  • Give an accurate definition of the CASB technology
  • Identify the risks related to Shadow IT and potential mitigation for each of them
  • List the capabilities of the Leaders and Visionaries in the Gartner Quadrant and verify they address the risks related to Shadow IT
  • Give your conclusion on the maturity of this market
NB: The challenge of this subject is to find reliable information. You can start with contacting providers’ sales department and request a demonstration, crossing the references of research publications or interacting on cybersecurity web forums.

Reference: https://www.bsigroup.com/globalassets/localfiles/en-ie/csir/resources/whitepaper/1810-magic_quadrant_for_casb.pdf
 Ruud Couwenberg <Couwenberg.Ruud=>kpmg.nl>

Anand Groenewegen <Anand.Groenewegen=>os3.nl>
Marius Brouwer <mbrouwer=>os3.nl>
R

P
2
34

Analysis of a rarely implemented security feature: signing container images with a Notary server.

Notary is Docker's platform to provide trusted delivery of content by signing images that are published. A content publisher can then provide the corresponding signing keys that allow users to verify that content when it is consumed. Signing Docker images is considered as a best security practice, but is little implemented in practice.

The goal of this project is to provide guidelines for safe service implementation. A starting point could be:
  • Get familiar with the service Architecture and Threat Model [1]
  • Deploy a production like service [2]
  • Test the compromise scenarios from the Threat Model
  • Conclude and release a secure production-ready manual and docker-compose template
Reference:
  1. https://docs.docker.com/notary/service_architecture/
  2. https://docs.docker.com/notary/running_a_service/
Demo from the presentation: https://www.youtube.com/watch?v=jcgkMYyzeYY
Aristide Bouix <Bouix.Aristide=>kpmg.nl>
Tim Dijkhuizen <Dijkhuizen.Tim=>kpmg.nl>
Ruben Koeze <Koeze.Ruben=>kpmg.nl>

Mohanad Elamin <melamin=>os3.nl>
Rio Kierkels <Rio.Kierkels=>os3.nl>
R

P
1
36

Transparent malicious traffic detection and mitigation using the Nvidia BlueField DPU.

Developing a transparent high-speed Intrusion detection and Firewall/ACL mechanism (a plus would be if it can be based on AI/Machine learning algorithms).
We have some experimental Mellanox Networking technology that needs to be used in this RP.
The goal of this project is figure out how to build a transparent automated IDS and Firewall/ACL mechanism that can handle large amounts of traffic (100Gbit/s or more).
Some starting points are:
  • Get to know things like OVS, DPDK and VPP
  • Test different technologies for high speed IDS
  • Test different technologies for high speed Firewalling/ACL's and offloading into hardware (Mellanox Based)
  • Figure out a way how to use AI/Machine learning algorithms to speed up the process.
Cedric Both <cedric=>datadigest.nl>

Jelle Ermerins <jermerins=>os3.nl>
Ward Bakker <wbakker@os3.nl>
R

P
2
37

DPU implementation of a scalable and transparent security solution for numerous VPN connections.

We would like to figure out a scalable security solution with IDS, antivirus and other mechanisms on monitoring incoming and outgoing traffic of different VPN connections. We have VPN servers running based on Open Source software (e.g. OpenVPN and IPSec) with lots of users and troughput and we would like to have a automated way in transparently monitoring all user traffic, detection of anomalies when a user for example access a malicious website or downloaded something that they shouldn't have and per user reporting.
The goal of this project is to give security information back to the user that is using the VPN connection to know if the data that is going over the VPN connection is "Safe and Clean".
Some starting points of this RP are:
  • Research how VPN traffic flows can be scanned based on individual users
  • Test different technologies for high traffic and high user IDS/antivirus scanning etc.
  • Figure out what the most secure way is in giving back the security information to each user.
Cedric Both <cedric=>datadigest.nl>

Ilyas Rahimi <irahimi=>os3.nl>
Mounir Kirafi <mkirafi=>os3.nl>
R

P
1
41

Real time asset inventory in ICS.

Research in Industrial Control Systems: We know how to do passive asset inventory within ICS and can create an “as-is” network diagram.
  • But how do you keep it updated while new assets are being added to the network?
ICS is more static than IT environment, but a real time asset discovery tooling could be very interesting in some cases.
Michel van Veen <mvanveen=>deloitte.nl>
Pavlos Lontorfos <plontorfos=>deloitte.nl>

Artemis Mytilinaios <amytilinaios=>os3.nl>
R

P
1
42

Improving availability in Industrial Control Systems using Software-Defined Networking.

Research in Industrial Control Systems: Splitting the automation data plane from the network management plane,
  • Is it possible in ICS?
  • What are the limitations?
  • What are the benefits?
Dominika Rusek <DRusek=>deloitte.nl>
Pavlos Lontorfos <plontorfos=>deloitte.nl>

Marios Andreou <Marios.Andreou=>os3.nl>
Joris Jonkers Both <Joris.JonkersBoth=>os3.nl>
R

P
2
44

Involuntary browser based torrenting (WebRTC).

WebRTC research: WebRTC allows for browser-based P2P torrenting.
  • Can this function be misused to let visitors of webpages involuntarily participate in P2P networks?
  • For example to share illegal or protected media?
  • If so, is this an already established and (widely) used tactic?
Possible addition can also be a look into how such attacks be performed and a Proof-of-Concept.
Cedric van Bockhaven <CvanBockhaven=>deloitte.nl>
Jan Freudenreich <jfreudenreich=>deloitte.nl>

Alexander Bode <alexander.bode=>os3.nl>
R

P
2
54

Hunting for malicious infrastructure using big data.

Malicious actors want to keep their command & control infrastructure away from prying eyes. Fake error messages, web redirects or dropped connections are some of the signs that something fishy is going on. In this research project students develop a framework to do anomaly detection on HTTP responses. Digging through gigabytes of data to find the malicious infrastructure that doesn't want to be found.

Students can use the scan data provided Rapid7. These are JSON-files containing the raw bytes response to an IPv4 wide scan for a "HTTP GET /"-command on specific ports. Students need to parse these JSON files and be able to query them (maybe use the ELK-stack?). Considering the size of the dataset any experience with Elasticsearch (or similar) solutions is advised.

There is room for another project using the SSL certificates from Rapid7 and/or certificate transparency log. Ideas are welcome.
Jop van der Lelie <Jop.vanderLelie=>ncsc.nl>
Daniel Sierat <Daniel.Sierat=>ncsc.nl>

Shadi Alhakimi <shadi.alhakimi=>os3.nl>
Freek Bax <freek.bax=>os3.nl>
R

P
1
56

An exploration of the suitability of Fawkes for practical applications.

The last decade has seen the rise of new image recognition technologies that, combined with the rise of IoT and the miniaturization of digital cameras, potentially endanger our traditional notion of personal privacy. In this context, a team of researchers from the SAND laboratory at the University of Chicago released a python tool called Fawkes, intending to disrupt how facial recognition algorithms relate between multiple images.
 
Limiting this technology's use to only a few tech-savvy individuals would not impact the current trend. Also, it is crucial to make sure that the technology work and can be deployed at scale. The goal of this project is to pave the way to broader adoption of such technologies on online uploading platforms. A proposed scientific demarche could be:
  • Verify a few results from the research paper, to confirm the code work as intended
  • Build a Proof of Concept photo website where uploaded face pictures would be cloaked on-the-fly using Fawkes
Optimize the configuration of the cloaking feature to get a seamless experience or proposed architectural workarounds
 
Reference:

Demo shown during presentation: https://www.youtube.com/watch?v=omG-5dqeTVA

Aristide Bouix <Bouix.Aristide=>kpmg.nl>
Huub van Wieren <vanwieren.huub=>kpmg.nl>

Simon Carton <Simon.Carton=>os3.nl>
Danny Janssen <Danny.Janssen=>os3.nl>
R

P
1
57

Cloud Certificate Authorities; The security considerations of moving your Public Key Infrastructure to the cloud.

Certification authorities (CA) provide the backbone of trust for people, systems applications etc. Setting up an internal CA can be a complex endeavor that many organization struggle with. A recent development in this field is that all large cloud providers are now offering CA functionality for their clients.
 
This research will focus on what it takes to setup a cloud CA and how it impacts the security posture of the organization. As much as time permits, they students will design and implement a cloud CA in our sandbox environment.
Itan Barmes <ibarmes=>deloitte.nl>

Anand Groenewegen <agroenewegen=>os3.nl>
Maurits Maas <Maurits.Maas=>os3.nl>
R

P
1
58

Large scale DNS hijacking detection using HTTPS scan data.

In recent years, several DNS hijacking / Man-in-the-Middle attacks have been documented in which attackers gained access to the DNS settings of a victim’s domain at the domain registrar and redirected traffic through an attacker-controlled MitM proxy.
Detecting DNS changes for individual domains only requires periodic lookups and comparisons with a set of expected DNS records. This approach is not very scalable though. Instead, in this research, the student will investigate the feasibility of a potential different approach to (indirectly) detect DNS hijacking attacks, by attempting to identify the attacker-controlled MitM servers.
The student should design, build and test different filter algorithms that can possibly identify the MitM servers in internet-wide scan / crawl data. For this research, the student can make use of SSL / HTTPS scan data provided by Rapid7.
Christian Veenman <c.veenman=>minjenv.nl>

Niels Warnars <nwarnars=>os3.nl>
R

P
2
59

The current state of DNS Lame delegations; An analysis of the current state of lame delegations within the Swedish .se tld.

The Domain Name System (DNS), described by Paul Mockapetris in rfc1034 [1], provides a mechanism for naming resources in such a way that the human-readable host names are usable on different hosts and networks as to machine-interpretable addresses. The DNS system was designed by engineers with a focus on scalability rather than security. The security requirement came with the availability of the internet to the general public in the 1990’s. At that time, DNS already acquired an indispensable position within the internet information structure.

This DNS system is used within email to locate the mail agent which belongs to the hostname used in the email address. This is done by mail exchange resource record (MX) within the DNS zone. This MX record specifies which host has the mail agent for the domain and this agent should accept mail for forwarding to the domain, possibly together with other delegations like SRV records for IMAP, POP and VoIP.
David Barr[2] describes errors often found within the operation of DNS in rfc1912.

One of the errors which have been described are lame delegations. Lame delegation are delegations like the MX record which delegate functionality to another entity without the other entity in place to serve this request. Some of them which are based on mis-configuration others on configuration changes or legacy. In this paper, we will study the impact of this lame delegations on the DNS system related to internet services like e-mail delivery.
Arris Huijgen <AHuijgen=>deloitte.nl>

Alexander Blaauwgeers <alexander.blaauwgeers=>os3.nl>
R

P
2
60

Scaling Stack Trace Fingerprinting.

Stack traces contain information about the source code which can be matched against the original code. If you have two versions of the source code and the stack trace matches only one of them, then you know which version is running on the server, and you can look into known vulnerabilities for that version. Tools like: https://beanstack.io/ can match Java stack traces against a corpus of indexed libraries. A similar technique (PoC available) is possible for JavaScript web applications which are becoming more popular (using Node.js and npm). An issue is that the database quickly grows to many millions of rows and lookups become ever slower despite indexing. This limits how many libraries one can reasonably import or how big a stack trace one wants to lookup. This issue is even more relevant for JavaScript than Java, since the ecosystem grows fast.

The goal of this project is to create a fingerprint database for JavaScript, with focus on research and design of a more efficient search and storage method for matching JavaScript stack traces against known source code. The applicant should evaluate different methods for indexing, storing, and querying data that allow to fingerprint a given stack trace against a database. Algorithms should be benchmarked for performance.
Luc Gommans <luc.gommans=>x41-dsec.de>

Mounir ElKirafi <Mounir.ElKirafi=>os3.nl>
R

P
2
65

Node to node communication in Vantage6

Vantage6 is a python framework for federated learning and used in medical research. What is important to know is that vantage6 is based on the Personal Health Train principle, where the algorithms (trains) are sent to the data (stations) instead of the other way around.

In the vantage6 implementation a user sends a task to a central server, which directs the task to the appropriate nodes (datastations). Some algorithms need some coordination between nodes. Right now the communication between the nodes goes through the central server. However, this is not very efficient. The plan is to create a new server which handles the node-to node communication. This will enable us to use secure multiparty computation libraries like pysyft and mpyc within the vantage6 framework. An "algorithm" within the vantage6 framework is simply a docker image that is made to work with the infrastructure, so it is very flexible. You will create a proof of concept to build this service for the vantage6 framework.
Djura Smits <D.Smits=>esciencecenter.nl>

Renee Witsenburg <Renee.Witsenburg=>os3.nl>
R

P
2
66

Containerized deployment of SURFnet8 service layer network.

At SURF we have a virtual test-bed that runs on an OpenStack cluster. With WiStar we are able to deploy virtual network environments with instances of the physical Juniper MX hardware (and some controller software) that we also have available in the production network. Each virtual instance and network environment however requires loads of memory and CPU and therefore it is currently impossible to mimic our complete network. Another drawback of the current setup is that the internal network setup is not completely transparent. Q-in-Q on the vMX's for example does not work out of the box. We would like to investigate what could be a solution to completely mimic our SURFnet8 service layer network. This investigation should include deploying lightweight containers (with the required functionality) in a suggested topology. It it also preferred to have a working/transparent internal network setup.

More information on the SURFnet8 network:
Other useful info:
  1. https://github.com/networkop/k8s-topo
  2. https://www.juniper.net/documentation/en_US/crpd/information-products/topic-collections/release-notes/19.2/jd0e26.html
Migiel de Vos <migiel.devos=>surf.nl>
Marijke Kaat <marijke.kaat=>surf.nl>
Peter Boers <peter.boers=>surf.nl>

Pim Paardekooper <Pim.Paardekooper=>os3.nl>
Inigo Gonzalez de Galdeano <Inigo.GonzalezdeGaldeano=>os3.nl>
R

P
1
67

Tipsy: How to Correct Password Typos Safely.

Summary: Instead of denying a login attempt with an incorrect password, our typo-tolerant authentication system tries to correct common typographical errors on behalf of the user.
Some forms of this have been seen in the industry but there is limited research & open source development. We will explore the tension between the security and usability of passwords.
Zeno Geradts <zeno=>holmes.nl>
Philippe Partarrieu <philippe.partarrieu=>os3.nl>
R

P
1
68

Antivirus evasion by user mode unhooking on Windows 10.

Endpoint Detection & Response (EDR) software aims to detect and mitigate security threats by responding to malicious program activity. EDR software for Windows typically monitors activity through hooking of Windows APIs. Attackers, in turn, abuse this fact by unhooking the APIs to hide a malicious program from the EDR's view.

Goal of this research is to support security assessments by:
  • Gaining insight in detectability of current EDR unhooking techniques by specific EDRs running on Windows 10
  • Finding a practical way to apply these unhooking techniques during red teaming exercises
Sander Ubink <Ubink.Sander=>kpmg.nl>

Tom Broumels <tom.broumels=>os3.nl>
R

P
2
70

Scaling of containerized network functions.

Utilizing programmable infrastructures is a promising approach to address the challenges of supporting secure data sharing across domains of different capabilities (in terms of network and security). In order to dynamically set up a collaborative environment, we aim to containerize network functions, ship out, and instantiate at the edge of a network. Subsequently, we aim to ensure un-degraded security, reachability, and performance during a data-sharing session. These functions might be, e.g., applying packet encryption, deep packet inspection, segmentation. These network functions should then be chainable in any order. There are already two designs available to effectively intercept and redirect traffic. One based on the combination of IP multiplexing and a reverse proxy. The other one is partially based on the SOCKS protocol.

The focus of this work is placed on the scaling and load-balancing of containerized network functions. Different network functions might require different scaling strategies, e.g., horizontal or vertical. Ideally, the scaling is done on-demand based on real-time metrics (auto-scaling 1). Furthermore, in-transit network traffic should not be affected by scaling. The student will extend one of the two designs available (see above) with such a scaling mechanism and evaluate the solution under different load scenarios. The questions to be answered include:
  • What metrics should trigger the scaling?
  • What are the characteristics that result in either horizontal or vertical scaling?
  • How to ensure that the reconfiguration does not affect in-transit traffic?
Reference medium.com - Autoscaling in Kubernetes: A Primer on Autoscaling | by Sasidhar Sekar | Expedia Group Technology | Medium
  1. https://medium.com/expedia-group-tech/autoscaling-in-kubernetes-a-primer-on-autoscaling-7b8f0f95a928
Jamila Alsayed Kassem <j.alsayedkassem=>uva.nl>

Mohanad Elamin <melamin=>os3.nl>
ppaardekooper <Pim.Paardekooper=>os3.nl>
R

P
2
75

Good || evil: defending infrastructure at scale with anomaly- and classification-based network intrusion detection.

Computer networks are frequently attacked with new or previously unseen malware in order to steal information or cause financial damage. Defending against these has become a difficult task because the current signature based detection mechanism only detects known malicious programs or behaviors. Even if a signature exists for a known strain of malware, obfuscation techniques can be used to avoid detection. Anomaly detection attempts to solve this problem by modeling the normal behavior of clients on a computer network and alerting an analyst of any deviations from these patterns.

In order to achieve this, Machine Learning (ML) algorithms are used, that range from classical fingerprinting and frequency based observations, to Artificial Intelligence (AI) algorithms and the use of Deep Neural Networks (DNN). A core challenge for this approach is the selection, collection and extraction of feature vectors that are fed into the classification algorithms.

We are interested in evaluating state of the art open source solutions to classify malicious behavior in computer networks on a modern large scale dataset, and compare the performance of the trained model against a set of attacks in our own testbed. During this research project, we intend to answer the following questions:
  1. How does a model perform that has been trained on a modern dataset, when deployed in a real world scenario?
  2. Which features prove the most useful for the detection task, and why?
  3. What performance can be achieved with the proposed imple- mentation with regard to throughput and hardware require- ments?
  4. Which algorithms are best suited for the task of anomaly detec- tion in computer networks and why?

Experiment and log files: https://mega.nz/file/MuY3BCaS#6E4ZBddcn4xxtbmeU4Ae6xEWJoE-lMR4uIuE15qppS0

Joao Novaismarques <joao.novaismarques=>kpn.com>
Jordi Scharloo <jordi.scharloo=>kpn.com>
Giovanni Sileno <G.Sileno=>uva.nl>

Philipp Mieden <Philipp.Mieden=>os3.nl>
Philippe Partarrieu <philippe.partarrieu=>os3.nl>
R

P
2
76

alidating the replacement filtering features of popular alternative admission controllers for Pod Security Policies.

Kubernetes is the de facto container orchestration system which is introduced in 2015. The open source project, supported by the Cloud Native Computing Foundation, introduced a new security feature in version 1.4 (2016) called Pod Security Policies (PSP). This feature is implemented as admission controller and allows cluster administrators to enforce a security configuration baseline across a namespace and therefore limiting the amount of pod capabilities that users and groups can configure.

The research question we defined is:

  • How to mitigate the security deficiencies that the removal of Pod Security Policy leave behind?

First, we will compare the different capabilities of PSP and the alternative controllers named Gatekeeper, K-Rail and Kyverno. The comparison will be based on literature, and the documentation of the admission controllers and technical experiments in Kubernetes testing clusters. The results should give insight to whatever extend the controllers can replace PSP and possible remaining gaps that they leave behind.

Secondly, we investigate the remaining gaps and explore if other solutions cover these. If needed and time permits, we will write examples of admission controllers that will close these gaps and test it on a so-called kube-apiserver. The solutions will be tested in the Kubernetes testing environments.

Lastly, we want to discuss the shortcomings of PSP and whether or not they exist in the evaluated controllers.

Wouter Otterspeer <wouter.otterspeer=>nl.pwc.com>

Maarten van der Slik <maarten.vanderslik=>os3.nl>
Frank Wiersma <frank.wiersma=>os3.nl>
R

P
2
77

Active Queue Management on Tofino programmable Dataplanes.

Centralization of the network’s intelligence, though Software Defined Networking, is an advantage for applications where changes in the forwarding state do not have strict real time requirements and depend upon global network state. However, in cases where there delivered service depends upon local state information, e.g., to support QoS constraints, the support of programmable stateful data planes, can minimize the impact of latency and overhead imposed by the intervention of a controller. Additional functionalities provided by legacy switching equipment, such as rate control and Active Queue Management to reduce network congestion and/or scheduling, to provide QoS and fairness etc., require state information maintained in the switch. Making stateful data plane algorithms programmable, complementing the current programmable forwarding plane solutions, can provide significant benefits in terms of meeting QoS requirements/constraints (e.g. low latency communications), reduce the control load on the SDN controller(s) and corresponding network overhead while at the same time enhance network flexibility by enabling customized traffic management. Towards the support of programmable data-planes, P4 is a high-level declarative language for describing how packets are processed in data paths. While the P4 language provide an excellent way to define the packet processing behavior of network devices, most programmable targets still typically have significant non-programmable pieces.
 
The student will implement and evaluate a low latency, low loss and scalable throughput (L4S) Active Queue Management scheme in P4 using OpenLab’s P4 infrastructure (Edge-core Wedge 100BF-32X switches with Barefoot Tofino P4 programmable ASIC).
Chrysa Papagianni <c.papagianni=>uva.nl>

Maurice Mouw <Maurice.Mouw=>os3.nl>
R

P
2

Presentations-rp2

Due to the pandemic situation only the presenting students and staff will be in the SNE-lab B1.23, everyone else is asked to attend online.
Program (Printer friendly version: HTML).

Tuesday June 29 2021, 10h00 - 15h30 online using bigbluebutton => bbb2.os3.nl , user rp2-guest , for pw contact us.
Time #RP Title Name(s) LOC RP
10h00
Introduction Cees de Laat

10h05
10
Defeating the Fakes: Vocal Fake Detection using Discrete Fourier Transform in Neural Networks.
Tina Tami, Lars Tijsmans
NFI
2
10h30
60 Scaling Stack Trace Fingerprinting. Mounir ElKirafi x41-dsec 2
10h55
Break



11h05 68 Endpoint Detection and Response evasion by unhooking.     Tom Broumels KPMG 2
11h30 33 Cloud Access Security Brokers (CASBs); Characterization of the CASB market and its alignment with corporate expectations. Anand Groenewegen, Marius Brouwer KPMG 2
11h55
Lunch



13h05 76 Validating replacement filtering features of popular alternative admission controllers for Pod Security Policies. Maarten van der Slik, Frank Wiersma PWC 2
13h30 36 Transparent malicious traffic detection using a BlueField DPU.
Jelle Ermerins, Ward Bakker DataDigest 2
13h55
Break


14h05 70 Scaling of containerized network functions     Mohanad Elamin, Pim Paardekooper UvA 2
14h30 75 Anomaly Based Network Intrusion Detection.
Philipp Mieden, Philippe Partarrieu KPN 2
14h55
Break


15h05 77 Active Queue Management on Tofino programmable Dataplanes.
Maurice Mouw UvA 2
15h30
Close
Cees de Laat



Presentations-rp1

Program (Printer friendly version: HTML).

Monday Feb 1, 2021, 10h05 - 16h55 online using bigbluebutton
Time #RP Title Name(s) LOC RP
10h25
Introduction Cees de Laat

10h30
66 Containerized deployment of SURFnet8 service layer network. Pim Paardekooper, Inigo Gonzalez de Galdeano SURF 1
10h55

Break



11h05 34 Analysis of a rarely implemented security feature: signing Docker images with a Notary server.
Mohanad Elamin, Rio Kierkels KPMG
1
11h30 56 Analysis of a new privacy technology and its implementation: Image Cloaking.
Simon Carton, Danny Janssen KPMG 1
11h55
Lunch



13h05
14
Using a verifiable and decentralized ledger as a basis for trusting hospital endpoints.
Matthijs Bartelink WhiteBox
1
13h30
6
Designing structured metadata for CVE reports.
Bart van Dongen Tjaldur 1
13h55
Break


14h05 41
Real time asset inventory in ICS. Artemis Mytilinaios Deloitte 1
14h30 42
Improving availability in Industrial Control Systems using Software-Defined Networking. Marios Andreou, Joris Jonkers Both Deloitte 2
14h55
Break


15h05 57
Certificate Authorities as a Service in the Cloud: Is It Secure? Anand Groenewegen, Maurits Maas Deloitte 1
15h30 31
Profiling (ab)user behavior of leaked credentials.
Maurice Mouw Deloitte 1
15h55
Break


16h05 27
Detection Real time video attack. Joris Janssen NFI 1
16h30 67
Typo-tolerant authentication systems.
Philippe Partarrieu NFI 1
16h55
Close
Cees de Laat


Tuesday Feb 2, 2021, 10h05 - 16h55 online using bigbluebutton.
Time #RP Title Name(s) LOC RP
10h00
Introduction
Cees de Laat

10h05
37
Bluefield.
Ilyas Rahimi, Mounir Kirafi DataDigest 1
10h30 65
Node to node communication in Vantage6 Renee Witsenburg eScienceCenter 2
10h55
Break


11h05 54
Hunting for malicious infrastructure using big data.
Shadi Alhakimi, Freek Bax NCSC
1
11h30

Close Cees de Laat


Out of normal schedule presentations

Room B1.23 at Science Park 904 NL-1098XH Amsterdam.
Date Time Place #RP Title Name(s) LOC RP
2020-09-16
10h00
online
59
The current state of DNS Lame delegations; An analysis of the current state of lame delegations within the Swedish .se tld. Alexander Blaauwgeers Deloitte
2
2020-12-17
11h00
online
58
Large scale DNS hijacking detection using HTTPS scan data.
Niels Warnars NCSC
2