VPN Fingerprinting: Network protocol detection inside virtual private network tunnels

Virtual private networks are often used to secure communication between two hosts and preserve privacy by tunneling all traffic over a single encrypted channel. Previous work has already shown that metadata of different secured channels can be used to fingerprint various kinds of information. In this work, we will dive into the encrypted tunnels...

Formjackers: Towards an Internet-scale Survey of Credit Card Skimming on the Web

We propose a novel, dynamic analysis-based detection solution for formjackers. The operating principle of these formjackers, or card skimmers on the web, is typically simple, yet effective: when making a payment on webshop that has been infected with a formjacker, the submitted payment information is not just transmitted to the webshop, but also...

BGP security and the future: A meta-analysis of BGP threats and security to provide a new direction for practical BGP security

The Internet consists of many subnetworks, which are connected to each other. These subnetworks are the autonomous systems (ASes) that make up the Internet: each hosts a part of it. In order to successfully determine routes from one of these ASes to the other, the Border Gateway Protocol (BGP) is used. This protocol has several security flaws...

Analysing BGP Origin Hijacks

In the past years, society has become increasingly more reliant on the Internet. Consequently, the security of the Internet became of critical importance. This thesis focusses on the security of one of the Internet's main protocols. This protocol, called the Border Gateway Protocol (BGP), is used to exchange information that allows Internet...

Android App Tracking: Investigating the feasibility of tracking user behavior on mobile phones by analyzing encrypted network traffic

The mobile phone has become an important part of people's lives and which apps are used says a lot about a person. Even though data is encrypted, meta-data of network traffic leaks private information about which apps are being used on mobile devices.Apps can be detected in network traffic using the network fingerprint of an app, which shows...

Inadvertently Making Cybercriminals Rich: A Comprehensive Study of Cryptojacking Campaigns at Internet Scale

Cryptojacking, a phenomenon also known as drive-by cryptomining, involves stealing computing power from others to be used in illicit cryptomining. While first observed as host-based infections with low activity, the release of an efficient browser-based cryptomining application -- as introduced by Coinhive in 2017 -- has skyrocketed...

Clusus: A cyber range for network attack simulations

This report documents the design and implementation of Clusus, a cyber range to provide students with a safe isolated environment to learn about cyber security and computer networks. This Bachelor project was proposed by the TU Delft cyber security group. During a two week research phase currently existing solutions were evaluated and...

Placement Strategies to Monitor the Inter-Autonomous System Routing Information

Inter-Autonomous System (AS) route monitoring is the process of collecting the inter-AS routing information. This information flows on the Internet in the form of BGP UPDATE messages, and the BGP data are the messages obtained by the monitors. Existing methods of monitor placement rely on the network topology which provides inadequate visibility...

Detecting BGP Origin Hijacks: Using a filter-based approach

Many processes rely on the availability of the Internet. The Border Gateway Protocol (BGP) is widely used for exchanging routing information between routers and is essential for the successful operation of the Internet. Because BGP has not been designed with security in mind, BGP anomalies such as origin hijacks, route leaks, and link failure...

Inferring relationship types and simulating BGP traffic between Autonomous Systems using the valley-free constraint

In today's world, the Internet is the backbone of our society. The relatively unknown Border Gateway Protocol (BGP), and with its vulnerabilities, gives malicious parties an opportunity for abuse. By improving the currently known AS relation data set and by simulating BGP traffic this abuse is better spotted. Kastelein's topology generating...

Scanners: Discovery of distributed slow scanners in telescope data

The internet is rapidly growing, and with it grows the number of malicious actors. For many attacks, the attacker first scans the internet to detect vulnerable devices. In order to evade detection, the attacker distributes the scanning over a large number of machines. Because attackers are distributing this scanning and there is no way to find...

Approximate Automated Campaign Analysis with Density Based Clustering

The modern cybersecurity landscape is characterised by the increasing number of actors capable of performing advanced and highly impactful hacking. The situation has worsened significantly in the last decade because more and more of the critical infrastructure is connected to the Internet, because the capabilities of attackers have improved and...

Extending Honeytrap with Lua scripting: Honeytrap LUA implementation

This report describes the process, motivation and design choices made during the Bachelor End Project in collaboration with DutchSec. The project consists of implementing Lua-scripting into Honeytrap, which is programmed in Go. The following chapters will discuss which design choices were made, how the research was performed and how the final...

Classification of Distributed Strategies for Port Scan Reconnaissance

Prior to exploiting a vulnerable service, adversaries perform a port scan to detect open ports on a target machine. If an adversary is aiming for multiple targets, multiple IP addresses need to be scanned for possible open ports. As sending all this probing traffic with one source IP address causes a lot of suspicion in an intrusion detection...

Practical Microarchitectural Attacks from Integrated GPUs

Dark silicon is pushing processor vendors to add more specialized units such as accelerators to commodity processor chips. Unfortunately this is done without enough care to security. In this paper we look at the security implications of integrated Graphical Processor Units (GPUs) found in almost all mobile processors. We demonstrate that GPUs,...

Application-level Network Behavior Analysis and Anomaly Detection using Density Based Clustering

Nowadays, organization networks are facing an increased number of different attacks and existing intrusion and anomaly detection systems fail to keep up. By focusing on security policies, malicious signatures or generic network characteristics, existing systems are not able to cover the full landscape of attacks. In this thesis we try to tackle...

Popularity-based Detection of Domain Generation Algorithms: Or: How to detect botnets?

In order to stay undetected and keep their operations alive, cyber criminals are continuously evolving their methods to stay ahead of current best defense practices. Over the past decade, botnets have developed from using statically hardcoded IP addresses and domain names to randomly-generated ones, so-called domain generation algorithms (DGA)....

Exploitation of Cache Based Side-Channels on ARM: Correlation Analysis of Access-driven Cache Attacks on Android Smartphones

Android smartphones collect and compile a huge amount of sensitive information which is secured using cryptography. There is an unintended leakage of information during the physical implementation of a cryptosystem on a device. Such a leakage is often termed as side channel and is used to break the implementation of cryptographic algorithms. In...