Deep learning sustained great success in several domains, particularly in computer vision, where it facilitates tasks such as image classification and object recognition. However, one significant challenge in deep learning is data labeling, due to the high cost and effort required for human annotators to go over this process manually. Active learning addresses this problem by selecting a smaller amount of the most relevant data for this labeling process, maximizing efficiency. Despite its advantages, active learning presents new security threats. In particular, backdoor attacks, where adversaries poison part of the training data to modify the behavior of the model in the presence of a hidden trigger. Although backdoor attacks have been extensively studied in traditional deep learning contexts, their impact on active learning remains largely uncertain.

Here, the vulnerabilities of active learning against backdoor attacks in computer vision models were analyzed. Various configurations, datasets and deep learning models were used to evaluate their effectiveness. Backdoor attacks managed to hit ASR values over 95% with just 1% of the data being poisoned on simple datasets like MNIST, particularly when using certainty-based sampling and CNNs. More complex datasets like CIFAR-10 and models like ResNet proved to be more resilient. Furthermore, different attack techniques were explored, such as progressive parameter adjustment, sub-trigger division and clean label attacks on advanced backdoor triggers like LIRA and WaNet. The analysis revealed that although global LIRA triggers were the most effective, sub-trigger and progressive poisoning methods offered promising alternatives, especially because they allow poisoning smaller parts of images across training cycles. Additionally, it is revealed that attack success in clean-label scenarios was highly dependent on the number of poisoned samples per cycle, due to the post-query constraint that only allows poisoning already-selected samples, often limiting impact when the target label appears infrequently. Finally, different poisoning timings were compared. From this, post-query poisoning consistently outperformed pre-query methods in terms of ASR, even at low poison rates. However, it also pointed out that this approach has its limitations in real-world scenarios, where attackers usually do not have control over the samples being queried. Clean accuracy remained unaltered to a large extent, demonstrating the stealth and hidden threat of backdoor attacks in active learning settings.

Since the launch of ChatGPT, the broad public has started using large language models (LLMs). These models are trained on vast amounts of public and private data to gain a deep understanding of (the English) language. Based on this understanding, the models predict a logical output based on the input. However, this comes with risks, as recent studies have shown. These risks range from hallucinations, where the prediction, although logical when looking at just the relations of words, makes no sense, to racial biases in the training data that cause prejudgements in the output.

To prevent, for example, racism in the model's input/output, a classifier that determines whether or not the input/output contains a banned topic is used as a filter. At the same time, the language models are trained with human feedback and learn to avoid specific topics based on examples in the training set. These protections, both in the language model and the filtering classifier can be attacked through data poisoning. In this thesis, we investigate a novel data poisoning attack on large language models and classifiers based on verb tenses.

Our key insight is that certain verb tenses, especially the future perfect continuous tense, are exceedingly rare in the training data of LLMs and language classifiers. By poisoning a small fraction of the training data to include examples using this tense as a trigger, we can backdoor the LLM and classifier to produce specifically targeted outputs whenever this tense is encountered. Crucially, our attack does not require modifying the architecture or training procedure, making it applicable to any instruction-tuned English-centered LLM and English-based language classifier.

Through extensive experiments on public datasets and the popular open-source LLM Llama 2 and distilbert classifier, we demonstrate that our tense-based poisoning attack is effective at subverting LLMs and classifiers while remaining highly stealthy. Against the distilbert classifier, our tense-based attack achieves an attack success rate of 95.8% with just 0.5% poisoning. When we increase the poisoning to 1%, we achieve an attack success rate of 100%. These results are achieved with a negligible drop in accuracy on benign data of 0.1%.

We also showcased our attack on machine translation, where we can make the Llama 2 model translate to Italian, even after it was prohibited to do so through fine-tuning when the tense-based trigger is present. Against Llama 2, we achieved an attack success rate up to 76.8% while incurring less than a 1% drop in accuracy on benign data. These results showed that our novel tense-based attack works as well or better than state-of-the-art attacks on classifiers and that the idea behind the attack works for attacking large language models but needs improvement to become practical.

Large Language Models (LLMs) have emerged as pivotal in content generation, offering profound societal impacts. Previous research has highlighted their propensity to generate content that breaches societal norms. Misuse of LLMs poses significant ethical concerns, including misinformation spread, social unrest, and political manipulation. To mitigate such risks, safety training techniques have been employed, instructing LLMs to avoid generating harmful content during inference time. Nonetheless, securing LLMs against \textit{Prompt Injection} and \textit{Jailbreak} attacks remains challenging, as evidenced by recent studies and abundant malicious instructions available online. To make things worse, these attacks are normally transferable due to their format in natural language, posing substantial security threats, as people without AI could also use these attacks. Although various defense techniques exist, their effectiveness against diverse attacks is largely untested.

This thesis, therefore, provides the first comprehensive evaluation of the interplay between attack techniques and defense techniques, focusing particularly on the \textit{Jailbreak} type. Our analysis encompasses nine different attack methodologies and seven defense techniques, applied to three unique LLMs: Vicuna, LLama, and GPT-3.5 Turbo, with the objective of assessing their efficacy. Our results indicate that white-box attacks are generally less effective than universal approaches and that the inclusion of particular tokens in the input can significantly influence the success rate of attacks.

Moreover, we identify that research into the vulnerabilities presented by continuous embeddings has been scant, with prior approaches mainly relying on the addition of discrete or continuous suffixes to prompts. Our investigation introduces a new approach for direct attacks on LLM inputs that bypasses the necessity for suffix appending or posing specific questions, as long as the output is pre-specified. We also notice that improper initialization of random continuous input or an excessive amount of iterations can lead to overfitting scenarios. To address this, we suggest an effective method, termed \textbf{Clip}, to alleviate the issue of overfitting.

In conclusion, we contribute to the field by conducting the first study of the interaction between attack and defense techniques and by presenting a benchmark through our shared datasets, an easily integrable testing framework, and an attack algorithm to encourage further investigation into the security of LLMs.

Machine learning, a pivotal aspect of artificial intelligence, has dramatically altered our interaction with technology and our handling of extensive data. Through its ability to learn and make decisions from patterns and previous experiences, machine learning is growing in influence on different aspects of our lives. It is, however, shown that machine learning can be attacked, and by the attacks, its functioning may become completely opposite of what it was designed. A special kind of attack on machine learning models is a backdoor attack. It uses a special pattern that was placed in the training data by malicious users to alter the models’ behaviour. This pattern is called a backdoor trigger, and it can take any possible form. The test data with this trigger will be misclassified, while the clean data will get a correct prediction. This property makes the backdoor attacks stealthy and hard to detect.

The backdoor attacks are mostly created to attack the classification models, where for each data sample, there is a label. In this thesis, we move away from the classification setup and create the first (to our knowledge) backdoor attack on the linear regression. We show that the triggers constructed using different versions of feature selection algorithms can be effective and impose a high error on the linear learning model prediction. Additionally, the study shows that backdoor attacks with the trigger constructed with a feature selection using correlation analysis lead to a higher error than the one using random forest for feature selection.

Furthermore, we also transfer this backdoor attack to the federated learning setup. The results prove to be highly dependent on the number of poisoned nodes, while for all of them, the error for the poisoned region is higher than for the clean data.

Finally, for the attack in both setups, we have adapted popular defence mechanisms that work against backdoor attacks on classification models. For the centralised setup, we have explored the possibility of using the studentized residuals as an outlier detection mechanism. The results are diverse, becoming worse when the poisoning rate of the model increases. To prevent the attacks in the federated setup, we used the FoolsGold defence mechanism, and it proved to be effective against the backdoor attacks on the regression model in all the cases except the one with exactly one attacking node.

In an era of increasing reliance on digital technology, securing embedded and interconnected devices, such as smart cards or Internet of Things (IoT) devices, against emerging threats becomes crucial, highlighting the need for advanced security measures. Cryptographic algorithms, essential for secure communication, data storage, and transaction integrity, are often employed to develop secure systems. However, the practical implementation of these algorithms in software and hardware introduces vulnerabilities, exposing sensitive information to risks. Implementation attacks, such as fault injection (FI) and side-channel analysis (SCA), belong to a category of security threats that exploit these vulnerabilities occurring during the cryptographic algorithms’ execution.

Security evaluation and certification assess the product’s security features against industry best practices and regulatory standards. These processes aim to independently verify the claims made about the product’s security, fostering and maintaining trust among users. Given the evolving landscape of security threats and increasing security concerns, the need for more efficient and resource-effective security evaluations has become evident. Fault injection and side-channel analysis are commonly conducted as part of this assessment, and recent studies have demonstrated that integrating artificial intelligence (AI) methods can significantly enhance their performance. Moreover, this integration can provide more automated and optimized attacks for security evaluation.

This thesis aims to advance AI-based implementation attacks by investigating current AI frameworks, with the objective of improving the efficiency and effectiveness of these attacks across various scenarios. We target specific challenges within AI-based fault injection (AIFI) and deep learning-based SCA (DLSCA), addressing gaps in the current methodologies and proposing solutions that significantly impact their performance and efficiency. We focus on hyperparameter tuning of the utilized AI methods, portability of the attacks, and alternative evaluation metrics within the AI frameworks.

Hyperparameter tuning is critical but can be a time-intensive process. By investigating specific hyperparameters, we can identify those crucial for the performance, guiding a more efficient tuning process. This thesis focuses on initialization methods, revealing no universally optimal initialization method. Instead, we offer a strategic approach to selecting initialization methods that can lead to improved and more reliable performance in specific scenarios. Next, we provide practical AI-based solutions to enhance the portability of FI parameter search results across different samples of the same target and SCA profiling models across different public datasets (targets). This approach makes security evaluation more efficient by leveraging data and findings to expedite evaluations on other targets. Furthermore, this enables future efforts to develop universal methods to help standardize the AI-based implementation attacks for security evaluation. Lastly, we revisit and refine evaluation metrics within the AI-based implementation attacks, proposing new metrics better aligned with the considered objectives. We present new XIX XX SUMMARY metrics for evaluating the performance of AI-based FI parameter search to find distant vulnerable regions of the target alongside algorithms for this objective. On the other hand, we improve the training process of DLSCA by introducing a training scheme involving the redefinition of the labels and a metric that can evaluate the generality of the profiling model, enabling better assessment for early stopping and model tuning.

Through its exploration of AI-based implementation attacks, this thesis offers valuable insights and practical solutions that significantly enhance the field. By improving the efficiency and effectiveness of AI-based implementation attacks, this research not only aids security analysts but also offers a foundation for future standardization efforts of these attacks for security evaluation.

Side-channel attacks (SCA) play a crucial role in assessing the security of the implementation of cryp- tographic algorithms. Still, traditional profiled attacks require a nearly identical reference device to the target, limiting their practicality. This thesis focuses on non-profiled SCA, which provides a re- alistic alternative when the attacker lacks access to a profiling device. Specifically, we investigate non-profiled deep learning-based SCA techniques. Our evaluation first explores existing unsupervised deep learning-based side-channel analysis approaches: differential deep learning analysis (DDLA) and multi-output regression (MOR). We show that using a validation set for key distinguishing, rather than the training set, improves the overall success rate across various datasets.
In the context of multi-output regression SCA, we comprehensively evaluate different loss functions. The thesis proposes a novel approach that outperforms existing methods by employing the normalized Z-score MSE (Z-MSE) loss function. Additionally, we introduce two key distinguishing methods, one based on the smallest Z-MSE loss and the other on the highest Pearson correlation between actual and predicted labels during validation. The experimental results show the efficacy of the novel approach in breaking traces protected by countermeasures. Notably, even with high levels of desynchronization (250) for ASCADf traces, the attack succeeds within a limited number of epochs (15).
Moreover, we demonstrate that the performance of the novel approach can be further enhanced through ensembles. This leads to a reduction in the number of traces required to break the key for most datasets and a decrease in the average guessing entropy. Data augmentation also proves beneficial in some instances, resulting in improved success rates.

Water distribution networks (WDNs) provide drinking water to urban and rural consumers through a network of pipes that transport water from reservoirs to junctions. Water utilities rely on tools such as EPANET to simulate and analyse the performance of water distribution networks (WDNs). EPANET solves the flow continuity and headloss equations through pressurised piped networks under steady-state conditions. The EPANET solver applies the iterative Global Gradient Algorithm (GGA) of until convergence to determine unknown flows and pressures at the same time. Despite the widespread success of GGA, the speed of the algorithm may hinder several applications that require many simulations, especially for large networks.

To overcome these issues, researchers often resort to surrogate models, also known as metamodels, to significantly reduce the simulating times while approximating the behaviour of hydrodynamic models. Machine learning methods are increasingly being used as surrogate models for WDN analysis. Among these, the multi-layer perceptron (MLP) is the preferred metamodeling choice. MLPs provide a fast alternative to hydrodynamic models, but may lack the desired level of accuracy for complex case studies and applications. This is due to the lack of domain knowledge. Domain knowledge in WDNs can be divided into the topology of the network and the physical equations that govern the system. Recently, researchers have expanded MLPs to include domain knowledge in the form of the topology of the system. These new machine learning-based surrogates are called GNNs. However, GNNs present the problem that they lack speed compared to MLPs and still do not include information on the physical equations of the system.

For this reason, we propose applying algorithm unrolling to the GGA to include information on the physical equations that govern WDNs. Algorithm unrolling (AU) is a promising technique within the field of model-based deep learning that provides an alternative to traditional data-driven methods for approximating the output of iterative algorithms. This approach involves deconstructing the iterative algorithm used to solve the optimisation problem of interest into blocks that can be represented as layers in a neural network. Our architecture identifies two steps in the GGA and designs layers of a deep neural network following the steps of the GGA. In addition, the architecture includes information of the system features, those that remain constant throughout the steps of the GGA. We do so by adding residual connections to the variables. We evaluate the proposed metamodel by predicting the heads of five WDNs with varying characteristics and present an ablation study to understand the effect of the different components of our architecture. Our results show that our metamodel improved the accuracies with respect to MLPs and GNNs while being up to 2000 times faster than EPANET. We believe that the increase in accuracy with respect to the state-of-the-art baselines and the increase in speed with respect to EPANET justify the use of this metamodel for applications in the field of WDNs that rely on many simulations of EPANET.

Maximum Satisfiability (MaxSAT) is a known problem within the optimization field which has led many different solving approaches to be devised in the last several decades. From Linear Search to unsatisfiable core-based solvers, many MaxSAT algorithms rely on cardinality constraints to express how many soft clauses can be violated at most. However, as MaxSAT is expressed in the Conjunctive Normal Form, there is a need to translate, or encode, these cardinality constraints into CNF. A popular encoding algorithm, the Totalizer Encoding, is used within these solvers - a system of encoding that builds a binary tree to express the cardinality constraint. This paper aims to introduce an alternate construction for the Totalizer Encoding, referred to as the Layered Totalizer Encoding, which interleaves the mechanics of encoding and solving as to cut down on runtime as well as potentially solve previously unsolved instances. The research shows that the Layered Totalizer Encoding outperforms Linear Search on average, solves more instances than Linear Search, and can be tuned through heuristics to show even more favorable results. Moreover, the Layered Totalizer Encoding is shown to not only work as a standalone algorithm, but can also boost the performance of the OLL algorithm.

Side-channel attacks leverage the unintentional leakage of information that indirectly relates to cryptographic secrets such as encryption keys. Previous settings would involve an attacker conducting some manual-statistical analysis to exploit this data and retrieve sensitive information from the target. With the adoption of deep learning techniques, side-channel attacks have become more powerful and require less manual analysis; hence, approaches involving deep learning have become the de facto standard for side-channel analysis. Especially the convolutional neural network has been highly effective in bypassing side-channel-specific countermeasures. The research surrounding the application of deep learning in the side-channel domain has so far primarily focused on either introducing architectures that perform well on specific datasets, data-preprocessing techniques, or the assessment of model output. Only a few attempts have been made toward the methodology aspect involving the generation of convolutional neural network architectures. The negligence of this part lends itself to the challenge of interpreting the model’s decision-making process and the high number of tunable parameters and design choices. In this work, we assess the architectural components and the hyper-parameters encountered when constructing a CNN and attempt to determine the steps of a conceivable methodology for building well-performing CNNs in the side-channel domain regardless of the dataset used.

Side-Channel Attacks (SCA) attempt to recover the secret cryptographic key from an electronic device by exploiting the unintended physical leakages of said device. With the devices that are being attacked becoming more sophisticated, so is SCA. In the past few years, the focus of the research in the field of SCA shifted towards the application of the powerful method of Deep Learning (DL). DL SCA methods can operate in a similar way as before seen methods in the profiled setting, such as Template Attack. In the profiled setting, SCA first creates a profile on a copy of the target device, to then subsequently use that same profile to perform a more powerful attack on the target device. DL SCA has proven to be quite the effective method, even showcasing its success against implementations utilising countermeasures. However, as DL SCA is fairly novel there still exist gaps in the knowledge we have of how to make DL SCA effective in all possible situations. Most research bases itself on software-based implementations, whilst rarely hardware-based implementations are discussed as they are often seen as more difficult to attack. Our contribution in this work is to showcase the difference in difficulty between hardware-based implementations and software-based implementations that both use countermeasures. We explore the attack performance of several state-of-the-art methods on hardware-based implementations with countermeasures and give insight into why their performance is the way it is. We also attempt to make a base methodology for attacking hardware-based implementations, both with and without countermeasures, as the current field of research is lacking this. Showcasing our suggested methodology, we achieve better than state-of-the-art results on a hardware-based implementation with countermeasures and competitive with the state-of-the-art results on a hardware-based implementation without countermeasures.

Some of the most prominent types of attacks against modern cryptographic implementations are side-channel attacks. These attacks leverage some unintended, often physical, leakage of the implementation to retrieve secret information. In recent times, a large part of the focus of side-channel research has been on deep learning methods. These methods operate in a profiled setting where a model is learned based on a copy of the device that is being attacked. This model is subsequently used to create significantly more potent attacks against the target. Attacks using deep learning methods can often defeat even implementations protected with countermeasures, but as implementations become more protected, novel methods are required to successfully generate attacks.
Recently, residual neural networks have been used for side-channel attacks, and these networks show promising attacking performance. However, these novel networks are relatively limited, and a more thorough investigation into the construction of residual networks in the side-channel context is required.
Our contribution is a more thorough investigation into the construction of these residual architectures. We explore several important factors to the construction of these models and generate insights into various methods for this construction. The resulting architectures we find show attacking performance that is competitive with the state-of-the-art methods across various data sets and feature selection scenarios.

Side-channel attacks (SCA) can obtain secret information related to the private key used during encryption executed on some device by exploiting leakage in power traces produced by the device. In recent years, researchers found that a neural network (NN) can be employed to execute a powerful profiled SCA, even on targets protected with countermeasures. This paper explores the effectiveness of (1) utilising a genetic algorithm (GA) to train the weights of NNs used for SCA, (2) using NeuroEvolution of Augmenting Topologies (NEAT), which is a commonly used approach for automated NN architecture search, to construct architectures for use in SCA, and (3) \textit{Neuroevolution to Attack Side-Channel Traces Yielding Convolutional Neural Networks} (NASCTY-CNNs), a novel GA that applies genetic operators on the scale of layers rather than neurons to automatically produce CNNs for side-channel analysis. The results indicate that weight evolution and our neat-based approach are successful when attacking weak, unprotected targets. However, they do not perform well on the ASCAD data set, against which SCA methods are commonly benchmarked, suggesting these methods require significant tweaking to be effective. NASCTY can automatically produce novel NNs that achieve performance close to state-of-the-art approaches on both masked and desynchronised ASCAD traces, demonstrating that such neuroevolution methods provide a solid venue for further research.

In this work, we explore the topic of Machine Learning (ML) in the area of Leakage Assessment (LA), a subsection of the field of Side-Channel Analysis (SCA). We focus on Deep Learning Leakage Assessment (DL-LA), as proposed by Wegener et al., and its relation to the established Test Vector Leakage Assessment (TVLA). We will do this in the context of the Advanced Encryption Standard (AES). To explore the relation of DL-LA to its SCA counterparts, we will use the ASCAD database from ANSSI, among others.

We find that DL-LA techniques are more sensitive than TVLA methods on AES-128 in scenarios without protection and with Window jitter, Gaussian noise, and first-order boolean masking. When detecting higher-moment order leakages, DL-LA techniques are barely influenced by anomalous traces. In contrast, results of TVLA with a higher statistical moment order t-test are slashed when only one trace is misaligned. We propose a novel way of performing DL-LA to remove one of the requirements of the DL-LA method of Wegener et al., namely that the attack traces need to be balanced. This DL-LA method is a multi-class leakage assessment method. It finds its similarities in the Sum-Of-Squared T-values (SOST) leakage detection method. We show it to be generally more sensitive than the DL-LA method described by Wegener et al.

Side-channel attacks (SCA) focus on vulnerabilities caused by insecure implementations and exploit them to deduce useful information about the data being processed or the data itself through leakages obtained from the device. There have been many studies exploiting these side-channel leakages, and most of the state-of-the-art attacks have been shown to work on systems implementing AES. The methodology is usually based on exploiting leakages for the outer rounds, i.e., the first and the last round. In some cases, due to partial countermeasures or the nature of the device itself, it might not be possible to attack the outer round leakages. In this case, the attacker has to resort to attacking the inner rounds. This work provides a generalization for inner round side-channel attacks on AES and PRESENT, and experimentally validates the same for AES with non-profiled and profiled attacks. We formulate the computation of the hypothesis values of any byte in the intermediate rounds of both AES and PRESENT. The more inner the round is, the higher is the attack complexity in terms of the number of bits to be guessed for the hypothesis. We discuss the main limitations for obtaining predictions in inner rounds and, in particular, we compare the performance of Correlation Power Analysis (CPA) against deep learning-based profiled side-channel attacks (DL-SCA). We demonstrate that because trained deep learning models require fewer traces in the attack phase, they also have fewer complexity limitations to attack inner AES rounds than non-profiled attacks such as CPA.

Code-Based Cryptography is a branch of the Post-Quantum Cryptography research area. As such, its focus is on developing algorithms that can be used in the current communication systems to secure them against an adversary powered in the (near) future by a quantum computer. A code-based type cryptosystem is a public key cryptosystem that is resistant or slightly reduces its security level against attacks by the known quantum algorithms. The biggest drawback of this otherwise secure cryptosystem is its large public key. This thesis considers a specific type of linear codes, large minimum distance self-dual codes, and punctured codes derived from them that can provide the same security level as the original McEliece system with approximately a 30% smaller public key. Estimation of the bit security level of a cryptosystem using a small example of such a code for its private key confirms that increasing the minimum weight of the code significantly reduces the public key size of the system. Further, we determine the parameters of putative self-dual codes with a large minimum weight providing classical bit security of 80, 128 and 256 bits (quantum 67, 101, and 183 bits), respectively. For the parameters corresponding to the classical 80 bits security of the McEliece Cryptosystem, a particular example of a binary high minimum distance self-dual code is constructed. It is the first code of its type and length. A punctured code of this example is used for the private key of the McEliece cryptosystem. A new decoding algorithm is introduced, which is suitable for the specific construction of the new self-dual code. Moreover, we present a decryption strategy that decodes the complete code instead of the punctured private key. All this results in a McEliece type cryptosystem with 80 bits security classical (68 bits quantum) and reduced public key size of around 38.5% compared to the original system. Reducing the key size makes the quantum safe McEliece Cryptosystem more attractive for practical use.

Deep learning techniques have become the tool of choice for side-channel analysis. In recent years, neural networks like multi-layer perceptrons and convolutional neural networks have proven to be the most powerful instruments for performing side-channel analysis. Recent work on this topic has focused on different aspects of these techniques, either to improve the performance of the resulting models, reduce the complexity or find new well-performing architectures. A part of these neural networks that has received relatively little attention is the loss function. Loss functions play a key role in how these networks learn since each of the weights in the network is updated to minimise the loss calculated by the loss function. Work on loss functions in other fields where deep learning is used shows that the choice of loss function impacts the performance of the resulting models. While there are two novel functions proposed specifically for side-channel analysis, no broad analysis of the performance of different functions has been done in this context.
In this work, we provide such a broad comparison between different loss functions in the context of side-channel analysis and how they impact the performance of the resulting models. We show that novel, application-specific loss functions almost always outperform the current standard categorical cross-entropy. Besides that, we also show that state-of-the-art (multi-)loss functions from other domains can be successfully applied to side-channel analysis. Finally, we provide an overview of the strengths and weaknesses of the different loss functions in various side-channel analysis scenarios and use those to introduce our own novel loss function, the focal loss ratio. We show that this new loss function based on characteristics of other, well-performing loss functions, outperforms the previous best function in most SCA scenarios.

Security misconfigurations and neglected updates commonly lead to systems being vulnerable. Ranging from default passwords to unpatched software, many systems, such as websites or databases, are being compromised due to these pitfalls. Often stemming from human error, it is difficult to avoid these misconfigurations, which is why they are repeatedly seen in the wild. Especially in the context of websites, we often find pages that were forgotten, that is, they were left online after they served their purpose and were never updated thereafter.
In this thesis, we introduce the first methodology to detect such forgotten or orphaned web pages, a type of misconfiguration that has seen little attention. We combine the historic data set of the Internet Archive with active measurements to identify pages that can no longer be reached via a path from the index page, yet remain accessible through their specific URL. We show the efficacy of our approach and the real-world relevance of the issue of orphaned web pages by applying it to a sample of 100,000 domains from the Tranco Top 1M. This particular type of misconfiguration can pose a serious threat, as they can lead to forgotten and unmaintained web pages, which may not have seen security updates.
In our measurements, we find 1,953 pages on 907 unique domains that are orphaned, some of which are 20 years old. In our subsequent security analysis, we find that these pages are significantly (p < 0.01 using χ 2 ) more likely to contain some vulnerabilities than maintained pages: 7.1% of orphaned pages suffer from simple XSS vulnerabilities, while only 0.9% of maintained pages are vulnerable against this type of attack. We encounter similar patterns for following best security practices, such as for the use of Content Security Policies (CSPs) and setting HTTP Security Headers. To allow researchers to reproduce our results and practitioners to scrutinize their own pages, we provide an implementation of our methodology as open source software.

Over the last decades, side-channel attacks (SCAs) have been proven as a substantial weakness of cryptographic devices, while the recent growth of deep learning (DL) dramatically improved the performance of SCA. More and more researches present ways to build lightweight deep neural network (DNN) models that can retrieve the secret encryption key by analyzing a few power traces of the captured devices. In the meantime, traditional countermeasures are rendered more or less ineffective against these sophisticated SCA.

This research aims to present a novel approach in building SCA countermeasures using adversarial examples, cleverly crafted inputs that trick DNN models and force them to misclassify. As modern SCAs rely on DNN models, an adversarial-based countermeasure could alter the side-channel leakage so that the attacking model cannot identify the correct key. To investigate this approach, we add artificial adversarial noise on an unprotected dataset using evolutionary computation techniques and see how SCAs are affected. We present different methods on how this noise can be designed and how the different parameters of each method affect its performance. Our results indicate that an adversarial-based countermeasure can decrease sufficiently the performance of the attack.

Furthermore, we compare our adversarial-based countermeasures with traditional countermeasures. We show that our proposal can provide equivalent or better protection in some cases, while it presents worse performance than others. Through our systematic research, we identify the reasons behind this weakness and find solutions for future work.

Additionally, we investigate how such a countermeasure can perform against non-profiled SCAs. We show that our adversarial-based countermeasure is effective against this specific family of SCAs, even though it is designed against DNN-based attacks. Comparing this performance to traditional SCA countermeasures, we see that our proposal can be an alternative to noise-based countermeasures, while it fails to provide better security compared to time-based countermeasures.

To push the boundaries of technology, the world cup football for robots, RoboCup, is organized on a yearly basis since 1997. To push the boundaries of artificial intelligence, a simulated version of the RoboCup, AI World Cup Football, is arranged yearly from 2017. This requires skillful attackers, defenders and goalkeeper. A large part of having a competent goalkeeper, is having a well-anticipating goalkeeper. This research will improve the goalkeeper’s level of anticipation by finding its own weak spots. By training an attacker against this goalkeeper, the weak spots can be determined. Based on this data the goalkeeper can estimate in which region of the goal a real opponent is likely to score and decrease that scoring chance by making a move. Heuristics and a deep neural network are used to estimate how likely the attacker is to make a goal. The results show that the attacker that uses the deep neural network has a chance of scoring a goal which is about 10 to 15 percentage points higher than a random shooting attacker. The deep neural network attacker is however outperformed by the heuristic based player by about 15 to 20 percentage points. Taking that into account, embedding the heuristic based attacker into the goalkeeper gives the goalkeeper a good sense of what areas of the goal it should cover to decrease the likelihood of conceding a goal.

The AI World Cup is a virtual competition in which teams of five players compete in a football match. The defensive strategies for the goalkeeper in this environment are yet to be researched, however. In previous editions of the competition the participating teams use a basic goalkeeper that can only dive but not position itself. This project provides research into the use of different positioning techniques to improve the performance of the goalkeeper.
In the project two different positioning techniques are presented and evaluated. In the first technique, the goalkeeper moves on an imaginary arc in front of the goal and in the second technique the goalkeeper moves on a straight line in front of the goal. Moreover, teamworking techniques between a defender and the goalkeeper are used to create a better coverage of the goal. The evaluations for the positioning techniques consist of 250 shots shot by an attacker from random distances and angles. The evaluations indicate that both goalkeepers have an improvement in performance over the basic goalkeeper, used by the other teams. The goalkeeper positioning on a line has the best performance, with an increase in performance of 27\% over the basic goalkeeper. These results demonstrate the value of positioning techniques for a goalkeeper in the AI World Cup.