The continuous increase in malware samples, both in sophistication and number, presents many challenges for organizations and analysts, who must cope with thousands of new heterogeneous samples daily. This requires robust methods to quickly determine whether a file is malicious. Due to its speed and efficiency, static analysis is the first line of defense.
In this work, we illustrate how the practical state-of-the-art methods used by antivirus solutions may fail to detect evident malware traces. The reason is that they highly depend on very strict signatures where minor deviations prevent them from detecting shellcodes that otherwise would immediately be flagged as malicious. Thus, our findings illustrate that malware authors may drastically decrease the detections by converting the code base to less-used programming languages. To this end, we study the features that such programming languages introduce in executables and the practical issues that arise for practitioners to detect malicious activity.

Current black-box backdoor attacks in convolutional neural networks formulate attack objective(s) as singleobjective optimization problems in single domain. Designing triggers in single domain harms semantics and trigger robustness as well as introduces visual and spectral anomaly. This work proposes a multi-objective black-box backdoor attack in dual domains via evolutionary algorithm (LADDER), the first instance of achieving multiple attack objectives simultaneously by optimizing triggers without requiring prior knowledge about victim model. In particular, we formulate LADDER as a multiobjective optimization problem (MOP) and solve it via multiobjective evolutionary algorithm (MOEA). MOEA maintains a population of triggers with trade-offs among attack objectives and uses non-dominated sort to drive triggers toward optimal solutions. We further apply preference-based selection to MOEA to exclude impractical triggers. LADDER investigates a new dualdomain perspective for trigger stealthiness by minimizing the anomaly between clean and poisoned samples in the spectral domain. Lastly, the robustness against preprocessing operations is achieved by pushing triggers to low-frequency regions. Extensive experiments comprehensively showcase that LADDER achieves attack effectiveness of at least 99%, attack robustness with 90.23% (50.09% higher than state-of-the-art attacks on average), superior natural stealthiness (1.12× to 196.74× improvement) and excellent spectral stealthiness (8.45× enhancement) as compared to current stealthy attacks by the average l2-norm across 5 public datasets.

The rapid expansion of multi-cloud environments and the growing prevalence of collaborative data ownership present significant challenges in ensuring the verifiable deletion of co-owned data. Current approaches predominantly address individual ownership and often rely on simplistic one-bit result protocols where a deletion command merely outputs success or failure, turning the deletion into a black box without proper verification. This paper tackles the problem of secure processing and verifiable deletion of shared outsourced data in multi-cloud environments. We design a framework that enables a data owner to outsource encrypted data to multiple co-owners, who perform computations directly within their respective cloud providers---ensuring that sensitive data never leaves the cloud. Our system leverages readily available cloud Hardware Security Modules (HSMs) to manage cryptographic keys from generation to controlled destruction---ensuring data remains inaccessible beyond its intended use. Secure Enclaves enforce on-cloud data computation, eliminating local copies and preventing unauthorized exposure. Encrypted data is structured within a fixed storage model, ensuring controlled allocation and strict storage constraints. When data expires or must be deleted to meet regulatory requirements, our framework triggers zero-residual permuted overwriting to remove the data traces irreversibly. Verifiability is achieved at two levels: Bounded Merkle Hash Tree (BMHT) ensures bounded storage and verifiable deletion within each cloud provider. In contrast, Global Merkle Forest (GMF) aggregates BMHT roots across providers, enabling consistent global verification. The data owner maintains a log of these BMHT roots, allowing independent verification of secure deletion across the multi-cloud environment.

This paper investigates the feasibility and potential role of using Large Language Models (LLMs) to support systemic risk audits under the European Union’s Digital Services Act (DSA). It examines how automated tools can enhance the work of DSA auditors and other ecosystem actors by enabling scalable, explainable, and legally grounded content analysis. An interdisciplinary expert workshop with twelve participants from legal, technical, and social science backgrounds explored prompting strategies for LLM-assisted auditing. Thematic analysis of the sessions identified key challenges and design considerations, including prompt engineering, model interpretability, legal alignment, and user empowerment. Findings highlight the potential of LLMs to improve annotation workflows and expand audit scale, while underscoring the continued importance of human oversight, iterative testing, and cross-disciplinary collaboration. This study offers practical insights for integrating AI tools into auditing processes and contributes to emerging methodologies for operationalizing systemic risk evaluations under the DSA.

The virtue of data forgetting has become a substantial demand in the digital era. Once online content has served its purpose, the concept of forgetting arises to ensure that data remains private between data owners and service providers. Despite significant advancements in supporting data forgetting through approaches like access heuristics, elastic expiration times, and manual revocation, the existing research falls short in addressing the demand for a multi-level forgetting structure that can cater to diverse audience-based expiration requirements while considering additional criteria. To the best of our knowledge, no prior works have investigated this gap, emphasizing the need for a comprehensive solution that can effectively accommodate the varying expiration needs of different audience groups. In this paper, we introduce a novel disjunctive multi-level forgetting scheme designed to meet the aforementioned demand for data forgetting. Our scheme introduces unique expiration periods for the encrypted data the service provider stores, called levels. Users are grouped into different levels based on priorities assigned by the data owners. Each level corresponds to a specific expiration threshold, enabling designated user groups to access the content within its validity period before it is forgotten. This approach enables selective data forgetting for one group while enabling concurrent access and retention for other user groups until the stipulated expiration period elapses. To achieve this, we have devised a cutting-edge system that integrates a hierarchical and dynamic scheme utilizing a key decay for managing expiration periods. Moreover, we introduce an innovative approach that harnesses smart contracts on a local Ethereum blockchain to enforce regulations and streamline the secure and efficient expiration and deletion of data. Finally, we thoroughly evaluate our proposed scheme, focusing on decay sensitivity, computational complexity, and rigorous security analysis.

During the last ten years, thousands of kilometers of submarine cables have been rolled out to connect regions around the globe and improve intercontinental connectivity. However, while it is relatively easy to get information about the frequent roll-outs of these cables, it is challenging to translate these developments into network information to facilitate networking research. For example, announcements for new submarine cables typically mention landing points and not router IP addresses. With this network information, it is easier to assess the impact of a new submarine cable on end-to-end delays in the connecting regions. In this paper, we investigate the necessary and sufficient conditions to translate public announcements for submarine cables to network information that enables networking research on this topic. We also develop and evaluate a methodology to automatically extract IP-level information for deployed submarine cables and assess their impact on end-to-end performance.

Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identifying and combating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains – namely the Netherlands’ .nl, Ireland’s .ie, and Belgium’s .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names and that most research works focus on detecting new domain names instead. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLD’s registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures.

Satellites have become part of critical infrastructure utilized for diverse applications, from Earth observation to communication and military missions. Several trends have reshaped satellite deployment and utilization in recent years, making satellite systems more accessible and vulnerable to cybersecurity threats. A notable trend is adopting Commercially Off-the-Shelf (COTS) hardware and software for satellite systems. However, this approach renders satellites susceptible to well-known cyberattacks. This paper presents a comprehensive exploration of attacks on satellite systems, with a specific emphasis on the security aspects of the satellite platform, encompassing both the bus and payload subsystems. The discussion includes existing security defenses that can enhance the security of the satellite platform. Ultimately, we present a real-world security framework designed to improve the overall security of the satellite platform.

Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identify and mitigate phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains -- namely the Netherlands' .nl, Ireland's .ie, and Belgium's .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country's own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using any domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. Although most research works focus on detecting new domain names, we show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLDs' registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures.

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

Malware is recognized as one of the most severe cybersecurity threats today. Although malware attacks are as old as the Internet, our understanding of which part of the Internet infrastructure is used to distribute malware software is still rather limited.
In this work, we analyze more than 3 million sessions established with honeypots deployed in 55 countries that are associated with the download and execution of malware binaries. We identify two main tactics to load malware to infected machines: injection of malware by hosts initiating the connection (clients) and downloading malware from third parties (loaders). The latter tactic contributes to more than 80% of this class of sessions but involves a smaller number of cloud and content delivery servers with very different profiles than that of the clients. Our analysis also shows that it is not uncommon for different malware families to rely on the same hosting infrastructures for downloading malware. Further investigation into the code executed to download and activate malware shows that criminals tend to hide their traces by deleting their history and modifying logs and files on the compromised machines.

On February 24, 2022, Russia invaded Ukraine after months of military preparations. Although secondary to the human tragedy resulting from the war, the Internet connectivity in the region was disrupted due to the military conflicts and economic sanctions. We study the Internet peering connectivity of the conflicted countries before, during, and after the Russian invasion of Ukraine. Our analysis shows that de-peering activity by Ukrainian, Russian, and international networks started months before the invasion at peering facilities in Ukraine and Russia, respectively. De-peering continued after the Russian invasion of Ukraine, with only minor changes in peering taking place until end of 2023. Our study shows that several Internet exchange points have stopped operating in Ukraine. We also report that the invasion has impacted the registry country code of operational networks in Ukraine and Russia, creating a new status quo in Internet peering in the region.

To avoid exploitation of known vulnerabilities, it is standard security practice to not disclose any model information regarding the antennas used in cellular infrastructure. However, in this work, we show that end-user devices receive enough information to infer, with high accuracy, the model-family of antennas. We demonstrate how low-cost hardware and software setups can fingerprint the cellular infrastructure of whole regions within a few minutes by only listening to cellular broadcast messages. To show the effectiveness and hence risk of such fingerprinting, we collected an extensive dataset of broadcast messages from three different countries. We then trained a machine-learning model to classify broadcast messages based on the model-family they belong to. Our results reveal a worryingly high average accuracy of 97% for model-family classification. We further discuss how inferring the model-family with such high accuracy can lead to a class of identification attacks on cellular infrastructure and we subsequently suggest countermeasures to mitigate the fingerprint effectiveness.

Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.

List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.

Time synchronization is crucial on the Internet, and the Network Time Protocol
(NTP) serves as the primary synchronization protocol. The NTP Pool, a
volunteer-driven project introduced 20 years ago, connects clients with NTP servers. Our analysis of Root DNS queries reveals the NTP Pool's widespread use as the most popular time service. Despite its popularity, there has been limited scrutiny of how NTP servers are assigned to clients. In this paper, we investigate the NTP Pool's DNS component (GeoDNS), which maps clients to servers, and find that the current algorithm is overly strict, creating unnecessary risks. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

The Internet architecture has facilitated a multi-party, distributed, and heterogeneous physical infrastructure where routers from different vendors connect and inter-operate via IP. Such vendor heterogeneity can have important security and policy implications. For example, a security vulnerability may be specific to a particular vendor and implementation, and thus will have a disproportionate impact on particular networks and paths if exploited. From a policy perspective, governments are now explicitly banning particular vendors-or have threatened to do so.

Despite these critical issues, the composition of router vendors across the Internet remains largely opaque. Remotely identifying router vendors is challenging due to their strict security posture, indistinguishability due to code sharing across vendors, and noise due to vendor mergers. We make progress in overcoming these challenges by developing LFP, a tool that improves the coverage, accuracy, and efficiency of router fingerprinting as compared to the current state-of-the-art. We leverage LFP to characterize the degree of router vendor homogeneity within networks and the regional distribution of vendors. We then take a path-centric view and apply LFP to better understand the potential for correlated failures and fate-sharing. Finally, we perform a case study on inter and intra-United States data paths to explore the feasibility to make vendor-based routing policy decisions, i.e., whether it is possible to avoid a particular vendor given the current infrastructure.