Wisdom of the crowds is the idea that groups of people can collectively make wise decisions. Research suggests that these crowds can even outsmart experts. To gather the wisdom of the crowds, this project utilizes a prediction market. To successfully gather the wisdom of the crowds, a predictionmarket has to overcome serious challenges, such as gathering a large and active user base, and deciding on a fair initialmarket value. The main goal of the project is to create a prediction market that can overcome these challenges and successfully gather the wisdom of the crowds. Research has been done in the field of prediction markets. This process started with researching the theory behind prediction markets, the wisdom of the crowds. After that evaluating existing prediction markets and reviewing literature related to those markets was useful. Before and during the research phase, clear goals were set for the project, together with a clear set of requirements. These goals can be divided into: leveraging the wisdomof the crowd, solving problems associated with predictionmarkets and developing a product that is easily maintainable. The final product reaches the goals of the project and meets the requirements. The prediction market correctly aggregates the estimations of users on the market, and provides probabilities on real-world events. These probabilities are contained in the values on the market. The prediction markets solves the problems encountered on other prediction markets. The project makes use of gamification, an automated marketmaker and a reward system to correctly initialise market values. The system was thoroughly tested and developed with maintainability in mind.

The Internet has grown from a few interconnections of trusted parties to an incredibly large network with many different use cases. While the Internet grew, threats emerged as well. Although there are many different threats on the Internet, Distributed Denial of Service (DDoS) attacks are a threat that keeps rising in the threat landscape. The asymmetry between adversaries and defenders is enormous - whereas DDoS attack can be started for less than 5$, DDoS prevention takes up the majority of operational cost in data centers and damages are in the billions. Thus, it is of vital importance that more effective methods of DDoS prevention are found and implemented to improve defensive effectiveness and to reduce costs. DDoS attacks consist of various types, but the largest share of DDoS attacks are of the subtype Distributed Reflected Denial of Service (DRDoS) attacks. Adversaries that execute DRDoS attacks use vulnerable servers to create incredibly large attacks and to stay anonymous. Previous work by Rossow showed us which vulnerable services are typically used for these DRDoS attacks, and how well these vulnerable services are exploitable for these attacks. However, we do not know why an adversary uses one vulnerable service but not another. Thus, this work fills that research gap by researching how adversaries react to differently configured vulnerable services, using a large scale experiment. This work shows that the amplification factor of a honeypot is a primary factor that determines whether an adversary will use a vulnerable server in an attack or not. This work also shows that attackers do not distinguish between regular vulnerable servers and their obvious honeypot counterparts. Furthermore, the response time of a system is of no influence, and some honeypots with packet loss attract fewer adversaries. Additionally, different attacks can be detected while using different service providers and geographical locations for honeypot deployment. Finally, the MD-honeypot framework that was developed for this research may be further developed into fully-fledged DRDoS mitigation software.

Proper security mechanism are a crucial part of safe usage of Implantable Medical Devices. Multiple researchers presented various solutions to address this problem, basing them on different underlying principles. Within the scope of this thesis we perform a security analysis of the chosen authentication protocols. What is more, we present a new attack on a scheme based on physiological signal processing using a fuzzy vault cryptographic primitive. We exploit the fact that the signal generated by the heart beats does not change sufficiently in the frequency domain. Therefore it is possible that the adversary reuses signal recorded at some earlier point of time to authenticate to the implant in real time. We show in an experimental way that it is able to break the scheme with probability reaching 75%. Finally, we propose a novel lightweight authentication protocol based on hash chains. To ensure the applicability of our work, we have decided to use only energy efficient solutions, that is hash functions and block ciphers. In contrast to existing work, we have extended the threat model and considered the implant reader distrusted. We present a set of energy measurements to provide advantages of different elements to be used during implementation of our solution.

The amount of people and devices connected through the Internet has been growing at a rapid pace; as of June 2019 58,8% of the world’s population and billions of devices are joined by this vast network of information resources and services. Not every Internet user however has benign intentions. Cybercriminals use this technology for their own personal gain, by creating malicious software with the objective to compromise and even control the devices of unsuspecting victims. After devices have been infected with malicious software, they will be controlled by a central networking infrastructure, or Command and Control (C&C). Numerous studies have developed detection methods to find the commanding servers behind these attacks – which is important for locally implemented anti-virus software – but the infrastructures behind these attacks is only uncovered after these malicious servers have been taken down. We have collaborated with one of the largest Tier 1 Internet Service Providers and have collected ~4Tb of global NetFlow traffic consisting of daily connections made worldwide, giving us the possibility to analyze malicious infrastructures from a new perspective. This dataset allowed us to evaluate one of the most promising data sources to uncover and analyze adversarial C&C infrastructures; open source cyber threat intelligence. After having introduced a taxonomy to evaluate this intelligence, and having assessed the defensive advantages users will gain when adopting these information feeds, we came to the conclusion that – even though advertised differently – this intelligence only provides a small fragment of the total picture. For this reason we have decomposed Internet networking infrastructures into three categories in which Internet devices can be divided, computer clients, Internet of Things (or IoT ) and routers, and use a machine learning driven methodology to paint the threat landscape of the tactics, techniques and procedures adversaries employ within these three categories. When looking into infections on clients, a numerous amount of different structures can be observed which cybercriminals use to hide their infrastructure like round-robin DNS or interesting server hopping sequences. When learning these patterns, we successfully use a combination of machine learning and statistical functions to complement threat intelligence feeds. Where these feeds during the course of 2018 only show 1,105 malicious servers, we find that there are more than 188,000 malicious servers in our dataset. A more recent addition to the Internet are smart, or IoT, devices like surveillance cameras, which have proven to be incredibly vulnerable. In an analysis we report on the scale and impact of the first IoT based malware, Mirai, and its variants during the start of 2018. 1 in every 2,345 scanned and brute forced devices is successfully infected with a Mirai variant. This poses a great attack vector, taking into account that there are about 7 billion IoT devices as of 2019. For our last analysis we have focused on a firmware vulnerability towards MikroTik routers which cybercriminals have exploited to rewrite outgoing user traffic and embed cryptomining code in every outgoing connection. Accordingly, for every web page visited they can use the computation power of the victims computer to mine for the cryptocurrency Monero. We report on the tactics, techniques and procedures, and coordinating infrastructure of the adversaries, which had control of up to 1.4M routers over a period of 10 months, which is approximately 70% of all global MikroTik devices. Our work shows that an entire world of possibilities emerge in terms of network security when able to analyze NetFlow data. In the ongoing battle against cybercrime, anti-virus companies try to outsmart adversaries by using novel device based detection techniques. This is an evident rat-race between defenders and attackers. We have shown that ISP providers could play a big role in this, by analyzing NetFlow data flowing through their routers to perform detection of malicious behavior based on previous misuse and cyber threat intelligence.

This report documents the design and implementation of Clusus, a cyber range to provide students with a safe isolated environment to learn about cyber security and computer networks. This Bachelor project was proposed by the TU Delft cyber security group. During a two week research phase currently existing solutions were evaluated and requirements for the system were determined. Based on these requirements and research into the capabilities of cloud providers a design was proposed. In the second phase of the project was the implementation of the design. The chosen design consists of three major components, a central server that handles the communication between the learning management system and an individual exercise, a containerized exercise, and finally a program that builds these containers. The containerized exercise consists of all virtual machines required for an exercise and a monitoring program that reports progress to the central server.

Cryptojacking, a phenomenon also known as drive-by cryptomining, involves stealing computing power from others to be used in illicit cryptomining. While first observed as host-based infections with low activity, the release of an efficient browser-based cryptomining application -- as introduced by Coinhive in 2017 -- has skyrocketed cryptojacking activity in recent years. This novel method of monetizing Web activity attracted both website owners and cybercriminals seeking new methods to profit from. Website owners installed a cryptominer on their domains, while cybercriminals deployed cryptominers in large campaigns spread over numerous domains. Several studies developed detection methods to identify these browser-based cryptominers on websites, but none of these studies focused on the extent and coordination of campaigns deployed by adversaries. Furthermore, the prevalence of cryptojacking on websites is not well estimated yet and the potentially largest attack vector -- a man-in-the-middle attack -- has never been researched before.
In this thesis, we perform multiple large studies on cryptojacking to fill these gaps. After crawling a random sample of 49M domains, 20% of the Internet, we conclude that cryptojacking is present on 0.011% of all domains and that adult content is the most prevalent category of websites affected. We show that this percentage is significantly larger in the popular part of the Internet. This led to the conclusion that surveying solely domains listed in the Alexa Top 1M to estimate cryptojacking prevalence results in an overestimation of the problem. Furthermore, we show that infection rates on different Top Level Domains (TLDs) differ widely, as the Russian zone is home to a disproportionate number of cryptojacking domains, while other large TLDs -- such as .com -- show a significantly lower number of infections.
In another crawl, we have identified 204 cryptojacking campaigns on websites, an order of magnitude more than previous work, which indicates that the extent of these campaigns is heavily underestimated. The results of the two crawls combined reveal that 48% of all cryptojacking activity on websites is organized. The identified campaigns ranged in sizes from only 5 to 987 websites and we discovered that cybercriminals have chosen third-party software -- such as WordPress and Drupal -- as their method of choice for spreading cryptojacking infections efficiently. With a novel method of using NetFlow data recorded in a Tier 1 network, we estimated the popularity of mining applications, which showed that while Coinhive has a larger installed base, CoinImp WebSocket proxies were digesting significantly more traffic in the second half of 2018.
We have reported about a new attack vector that drastically overshadows all other cryptojacking activity. Through a firmware vulnerability in MikroTik routers, cybercriminals are able to rewrite outgoing user traffic and embed cryptomining code in every outgoing Web connection. Thus, every Web page visited by any user behind an infected router would mine to profit the adversaries. Based on the aforementioned NetFlow data, weekly third-party crawls and network telescope traffic, we were able to follow their activities over a period of 10 months. We report on the modus operandi and coordinating infrastructure of the perpetrators, which were during this period in control of up to 1.4M routers, which is approximately 70% of all MikroTik devices deployed in the world. During the peak of this attack, more than 440K routers were infected concurrently.
We have discovered that half of the infected routers are patched within 18 days after compromise, but 30% of the infections last longer than 50 days. Additionally, we observed different levels of sophistication among adversaries, ranging from individual installations to campaigns involving large numbers of routers. The combination of datasets allowed us to link tens of seemingly different infections to one actor.
Our analysis of cryptojacking with a focus on organized campaigns has shown that cybercriminals have successfully discovered a new method for monetary gain. With the discontinuation of Coinhive due to decreased Monero prices in March 2019, the cryptojacking landscape has changed enormously, and we are curious who will fill this power vacuum. As browser-based mining is not anywhere near as profitable as it was in early 2018, we believe that singular cryptojacking activity -- by individual website owners -- will decrease. However, we expect adversaries to find possibilities of deploying cryptojacking at an even larger scale to still be profitable. This stresses the importance of researching campaigns, as the reuse of techniques, tactics and procedures in deploying them provides an effective angle to detect and mitigate these malicious activities. With prices decreasing throughout 2018, one would expect that this problem will eventually solve itself. Apart from the discontinuation of Coinhive, there is no clear indication that this is the case, as Monero prices have started to recover in the first months of 2019. If this trend continues, we expect to experience another outbreak of large cryptojacking campaigns, as robust defenses are still not widely implemented.

Inter-Autonomous System (AS) route monitoring is the process of collecting the inter-AS routing information. This information flows on the Internet in the form of BGP UPDATE messages, and the BGP data are the messages obtained by the monitors. Existing methods of monitor placement rely on the network topology which provides inadequate visibility. This thesis proposes a novel scheme for monitoring the BGP data by selecting monitoring locations based on BGP message flow.

In the past years, society has become increasingly more reliant on the Internet. Consequently, the security of the Internet became of critical importance. This thesis focusses on the security of one of the Internet's main protocols. This protocol, called the Border Gateway Protocol (BGP), is used to exchange information that allows Internet traffic to reach its intended destination. BGP is vulnerable to misconfigurations and attacks that can cause a range of problems. This thesis focusses on one of them: BGP origin hijacks. In this thesis, a year of possible origin hijacks is analysed. These possible origin hijacks were detected by BGPStream between 20 May 2018 and 31 May 2019. Analysing these hijacks gives insight into the causes and characteristics of origin hijacks. This can help to find the most pressing issues and may provide guidance in securing BGP. Various data sources are used to collect and compute features that give more information on each hijack. These features are used to find relations between hijacks and to label them using labels that indicate a cause or a certain aspect of the hijack. These relations and labels are used to analyse groups of similar hijacks. This approach is very effective. Using the context of a group of hijacks gives much more insight than looking at hijacks individually. It shows that many of the possible hijacks are likely not a hijack at all and that hijacks that look like origin hijacks are often the result of another type of attack called a path hijack. In addition, this thesis provides a way to detect several types of misconfigurations and points out weaknesses in the detection system used by BGPStream. It also gives an overview of the characteristics of hijacks and how often specific behaviour occurs.

The mobile phone has become an important part of people's lives and which apps are used says a lot about a person. Even though data is encrypted, meta-data of network traffic leaks private information about which apps are being used on mobile devices.Apps can be detected in network traffic using the network fingerprint of an app, which shows what a typical connection of the app resembles. In this work, we investigate whether fingerprinting apps is feasible in the real world. We collected automatically generated data from various versions of around 500 apps and real-world data from over 65 unique users. We learn the fingerprints of the apps by training a Random Forest on the collected data. This Random Forest is used to detect app fingerprints in network traffic. We show that it is possible to build a model that can classify a specific subset of apps in network traffic. We also show that it is very hard to build a complete model that can classify all possible apps traffic due to overlapping fingerprints. Updates to apps have a significant effect on the network fingerprint, such that models should be updated every one or two months. We show that by only selecting a subset of apps it is possible to successfully classify network traffic. Various countermeasures against network traffic analysis are investigated. We show that using a VPN is not an effective countermeasure because an effective classifier can be trained on VPN data. We conclude that fingerprinting in the real world is feasible, but only on specific sets of apps.

Many processes rely on the availability of the Internet. The Border Gateway Protocol (BGP) is widely used for exchanging routing information between routers and is essential for the successful operation of the Internet. Because BGP has not been designed with security in mind, BGP anomalies such as origin hijacks, route leaks, and link failure often occur. This research proposes a detection system for detecting origin hijacks, which is one of themost common anomalies seen on the Internet. Our detection system uses a filter-based approach. Each filter attempts to validate announcements seen by our detection system. Announcements that could not be verified by any filter are seen as origin hijacks. Because of this approach, origin hijacks that would otherwise be missed by other solutions will be detected. We use multiple data sources such as RIR Statistics Exchange Format Listings (RSEF), routing registries, RPKI Route Origin Authorizations (ROAs) and CAIDA’s AS relationship dataset in order to validate announcements. Upon running our detection system on 29 days of BGP traffic, we were able to detect 902 origin hijacks. 83% of the detected origin hijacks had a lifespan of fewer than 2.5 hours which strongly suggests that these were undesired announcements.

The counterfeit market is rapidly expanding into the online realm. Large amounts of fraudulent webshops advertise luxury clothing and fashion accessories, but ship counterfeit products to their customers. Apart from customers, brand owners and domain registries experience a negative impact caused by these fake webshops. Current countermeasures are slow and of a reactive nature, leaving a large enough window of opportunity for criminals to make a profit. This thesis introduces a proactive mitigation approach that can be deployed at domain registries. By predicting whether a newly registered domain will be used to sell counterfeit merchandise, preventive countermeasures can often be taken in advance, minimizing the criminals' window of opportunity and profits. These predictions are made by training a detection model using both registrant information and infrastructure measurements of the registered domains. To evaluate the prediction system, new domain registrations are classified for a period of 6 months. Registrations classified as malicious are then monitored for signs of abuse. Overall, the system is able to detect malicious registrations with reasonable precision. Additionally, the body of abusive domain registrations created during this thesis project is analyzed to gain insights into the methods used to host counterfeit webshops, which can be used as a starting point for future research.

Prior to exploiting a vulnerable service, adversaries perform a port scan to detect open ports on a target machine. If an adversary is aiming for multiple targets, multiple IP addresses need to be scanned for possible open ports. As sending all this probing traffic with one source IP address causes a lot of suspicion in an intrusion detection system, attackers have adopted towards a more distributed approach by using multiple source IP addresses to perform a port scan.
In this paper, we describe various strategies on how a distributed port scan is performed by adversaries in the wild. The results in this paper are found by analyzing network packets that stem from a large network telescope.
Concretely, we analyzed network traffic from one month received by 2 /16 networks. From this analysis, we conclude that many levels of coordination are exhibited by adversaries performing distributed port scans.

The number of Internet of Things devices, small low-powered devices with internet connectivity, is undergoing strong growth. As connected devices become the standard, more types of devices are connected to home networks and made accessible from the Internet for convenience. As IoT devices are widely deployed in mass numbers, they can be easily exploited once a vulnerability has been published. Many of these devices will never be updated and remain vulnerable for their entire lifespan. This has lead to the rise of IoT botnets, focusing specifically on low-powered devices connected to the Internet. Well known attacks such as those on Krebs on Security and Dyn show that IoT botnets are a serious threat to be reckoned with.

We introduce Honeytrack, a persistent scalable virtual high-interaction honeypot for the Internet of Things. Honeytrack aims to solve the limitations of the current available honeypots by providing the means to analyse adversaries in large networks. By using isolated containers for the high-interaction module, it allows for saving state for each adversary. In addition to that, the data collected by
Honeytrack allows for an in-depth analysis of every phase of an attack, going beyond the traditional malware-sample based research. By saving machine state, and binding this state to a certain attacker, we can serve attackers their “own” previously attacked honeypot, serving a large number of parallel adversaries at a time and allowing research into follow-up attacks.

This report describes the process, motivation and design choices made during the Bachelor End Project in collaboration with DutchSec. The project consists of implementing Lua-scripting into Honeytrap, which is programmed in Go. The following chapters will discuss which design choices were made, how the research was performed and how the final functionalities were implemented. A detailed system verification is done with proof of added value and besides that the system testing methods are described. Furthermore a conclusion is given that discusses what the project has achieved, what the use-cases are and whether it does what the client wants it to do.

In today's world, the Internet is the backbone of our society. The relatively unknown Border Gateway Protocol (BGP), and with its vulnerabilities, gives malicious parties an opportunity for abuse. By improving the currently known AS relation data set and by simulating BGP traffic this abuse is better spotted. Kastelein's topology generating algorithm outperforms the state-of-the-art topology generating algorithms and state-of-the-art AS relation data sets. The proposed BGP simulator misses vital information such as LOCAL_PREFERENCE values to accurately simulate BGP traffic. This lack of information results in longer BGP paths that are not matched with BGP paths from route collectors.

The internet is rapidly growing, and with it grows the number of malicious actors. For many attacks, the attacker first scans the internet to detect vulnerable devices. In order to evade detection, the attacker distributes the scanning over a large number of machines. Because attackers are distributing this scanning and there is no way to find these scanners, we have no knowledge of what groups are actually scanning the internet and what they are up to. This thesis proposes a method to identify and fingerprint these distributed scanning groups. It does so in order to detect and analyze slow scanning groups that are actively trying to remain undetected by companies. The data used for this thesis originates from a large network telescope operated by the TU Delft, which contains packet data aimed at the TU delft network range. First, this data is analyzed in detail and several patterns are discovered. Using the analysis, a method is created to cluster the dataset without losing critical information needed to identify scanning groups. After the clustering, the resulting smaller datasets are analyzed in more detail. To do this post-processing, a new method of analyzing scanning behavior is created. This method is called XOR-analysis and works by looking at different patterns that scanners use to re-identify their packets. From the analysis, groups are extracted and fingerprinted. These fingerprints can ultimately be used as Indicators of Compromise to detect and mitigate scanning behavior in order to deny adversaries the possibility to learn about weaknesses of a system.

The Border Gateway Protocol is critical for the correct working of the Internet. When it fails the impact is usually high and therefore failures should be minimized. Unfortunately the configuration of BGP is prone to errors. Besides that, BGP is targeted by attacks of cyber criminals. A simulator capable of running BGP can reduce the number of honest mistakes and successful attacks. In a simulated environment different configurations and optional attacks can be tried out safely. The simulator can also assist with the investigation of real world events by replicating the conditions and triggers that led up to it and providing a detailed view on every aspect. The correct workings of the simulator was verified with real world events testing the simulator from both a macro and micro perspective. The CPU and memory usage during simulation are discussed. Additionally, a quick recap on the working of BGP is provided.

The modern cybersecurity landscape is characterised by the increasing number of actors capable of performing advanced and highly impactful hacking. The situation has worsened significantly in the last decade because more and more of the critical infrastructure is connected to the Internet, because the capabilities of attackers have improved and because their numbers have increased.
Threat Intelligence emerged as a valuable domain to enhance security defences by studying threats motives, techniques, tools and procedures. Campaign analysis is a process that belongs to this domain and deals with following attackers through time by linking several hack attempts that share a threat actor, a victim and that have a specific goal. Unfortunately, this process is rarely applied in practice because the campaign analysis models available in literature rely on manual investigation by security professionals. This approach can become quickly too expensive, both regarding time and human resources.
In this thesis project, we improve the state of the art by automating a popular campaign analysis framework introduced in 2011 by Lockheed Martin security researchers Hutchins et al. We do not only automate the process: we also improve its recall performance to provide security analyst with more interesting and complete findings. Hopefully, this will empower all organisations, of any size an security profile, to perform their threat intelligence. Lowering the adoption threshold is a fundamental requirement that is inescapable if we want security to improve horizontally throughout all industry sectors. Widespread adoption of campaign analysis would lead to a broader and quicker understanding of threat campaigns and goals, contributing to a safer society.

In order to stay undetected and keep their operations alive, cyber criminals are continuously evolving their methods to stay ahead of current best defense practices. Over the past decade, botnets have developed from using statically hardcoded IP addresses and domain names to randomly-generated ones, so-called domain generation algorithms (DGA). Malicious software coordinated via DGAs leaves however a distinctive signature in network traces of high entropy domain names, and a variety of algorithms have been introduced to detect certain aspects about currently used DGAs.
Today's detection mechanisms are evaluated for botnets that make the next obvious evolutionary step, and replace domain names generated from random letters with randomly selected, but actual dictionary words. It can be seen that the performance of state-of-the-art solutions that rely on linguistic feature detection would significantly decline after this transition, and an alternative novel approach to detect DGAs without making any assumptions on the internal structure and generating patterns of these algorithms is proposed.

Android smartphones collect and compile a huge amount of sensitive information which is secured using cryptography. There is an unintended leakage of information during the physical implementation of a cryptosystem on a device. Such a leakage is often termed as side channel and is used to break the implementation of cryptographic algorithms. In this work, we utilize cache memory based side channels on android smartphones to retrieve crypto-process information. These side channels are based on the information leakage through the operating system, micro-architecture of the processor and the state of the processor's memory cache. We demonstrate the retrieval of data dependent memory access patterns using a spy application running in the background to recover the full secret key of cryptographic primitives such as AES T-table implementation in OpenSSL, all that would be necessary is a rogue app downloaded from an app store that is run under normal privileges.
We show that a mathematical correlation which depends on the guessed key and can be utilized to recover the \emph{complete} key in access-driven cache attacks (CAs). We show the effectiveness of the proposed method using access time measured in noisy environments. We analyze the changes in the correlation values with the number of plaintexts/ciphertexts for a successful attack using key estimation. Furthermore, we discuss and demonstrate the applicability of cache memory based side channel attacks on a white-box implementation of AES.