T. Spyridopoulos, G. Karanikas, T. Tryfonas, G. Oikonomou, "A Game Theoretic Defence Framework Against DoS/DDoS Cyber Attacks", Computers & Security, Elsevier, 38, pp. 39-50, 2013
Game-theoretic approaches have been previously employed in the research area of network security in order to explore the interaction between an attacker and a defender during a Distributed Denial of Service (DDoS) attack scenario. Existing literature investigates payoffs and optimal strategies for both parties, in order to provide the defender with an optimal defence strategy. In this paper, we model a DDoS attack as a one-shot, non-cooperative, zero-sum game. We extend previous work by incorporating in our model a richer set of options available to the attacker compared to what has been previously achieved. We investigate multiple permutations in terms of the cost to perform an attack, the number of attacking nodes, malicious traffic probability distributions and their parameters. We analytically demonstrate that there exists a single optimal strategy available to the defender. By adopting it, the defender sets an upper boundary to attacker payoff, which can only be achieved if the attacker is a rational player. For all other attack strategies (those adopted by irrational attackers), attacker payoff will be lower than this boundary. We provide a preliminary validation of this model via simulations with the ns2 network simulator. The simulated environment replicates the analytical model's parameters and the results confirm our model's accuracy.
T. Butt, I. Phillips, L. Guan, G. Oikonomou, "Adaptive and Context-aware Service Discovery for the Internet of Things", in Proc. 6th conference on Internet of Things and Smart Spaces (ruSMART 2013), St.Petersburg, Russia, pp. 36-47, 2013
The Internet of Things (IoT) vision foresees a future Internet encompassing the realm of smart physical objects, which offer hosted functionality as services. The role of service discovery is crucial when providing application-level, end-to-end integration. In this paper, we propose trendy, a RESTful web services-based service discovery protocol, to tackle the challenges posed by constrained domains while offering the required interoperability. It provides a service selection technique to offer the appropriate service to the user application depending on the available context information of the user and the services. Furthermore, it employs a demand-based adaptive timer and caching mechanism to reduce the communication overhead and to decrease the service invocation delay. trendy's grouping technique creates location-based teams of nodes to offer service composition. Our simulation results show that the employed techniques reduce the control packet overhead, service invocation delay and energy consumption. In addition, the grouping technique provides the foundation for group-based service mash-ups and localises control traffic to improve scalability.
T. Spyridopoulos, G. Oikonomou, T. Tryfonas, M. Ge, "Game Theoretic Approach for Cost-Benefit Analysis of Malware Proliferation Prevention", in Proc. 28th IFIP TC-11 SEC 2013 International Information Security and Privacy Conference, pp. 28-41, 2013
Many existing research efforts in the field of malware proliferation aim at modelling and analysing its spread dynamics. Many malware dissemination models are based on the characteristics of biological disease spread in human populations. In this work, we utilise game theory in order to extend two very commonly used malware spread models (SIS and SIR) by incorporating defence strategies against malware proliferation. We consider three different security mechanisms, "patch", "removal" and "patch and removal", on which our model is based. We also propose a cost-benefit model that describes optimal strategies the defender could follow when cost is taken into account. Lastly, as a way of illustration, we apply our models on the well studied Code-Red worm.
P. Ilia, G. Oikonomou, T. Tryfonas, "Cryptographic Key Exchange in IPv6-Based Low Power, Lossy Networks", in Proc. Workshop in Information Theory and Practice (WISTP 2013), ser. Lecture Notes in Computer Science, 7886, pp. 34-49, 2013
The IEEE 802.15.4 standard for low-power radio communications defines techniques for the encryption of layer 2 network frames but does not discuss methods for the establishment of encryption keys. The constrained nature of wireless sensor devices poses many challenges to the process of key establishment. In this paper, we investigate whether any of the existing key exchange techniques developed for traditional, application-centric wireless sensor networks (WSN) are applicable and viable for IPv6 over Low power Wireless Personal Area Networks (6LoWPANs). We use Elliptic Curve Cryptography (ECC) to implement and apply the Elliptic Curve Diffie Hellman (ECDH) key exchange algorithm and we build a mechanism for generating, storing and managing secret keys. The mechanism has been implemented for the Contiki open source embedded operating system. We use the Cooja simulator to investigate a simple network consisting of two sensor nodes in order to identify the characteristics of the ECDH technique. We also simulate a larger network to examine the solution's performance and scalability. Based on those results, we draw our conclusions, highlight open issues and suggest further work.
P. Andriotis, T. Tryfonas, G. Oikonomou, T. Spyridopoulos, A. Zaharis, A. Martini, I. Askoxylakis, "On Two Different Methods for Steganography Detection in JPEG Images with Benford's Law", in Proc. 7th Scientific NATO Conference in Security and Protection of Information (SPI 2013), Brno, Czech Republic, pp. 3-14, 2013
The practice of steganography, which in a computer context usually means manipulating multimedia content to embed hidden messages, may be used by criminals worldwide to facilitate their communication instead of, or complementary to, encryption. There is even speculation that global terrorist groups have been using steganography to communicate in covert ways. This paper will introduce steganography and discuss practical aspects of its detection. It will also discuss two recently proposed methods for detecting whether hidden messages exist in JPEG images using Benford's Law. The Law describes the logarithmic distribution of leading digits in sets of naturally occurring numbers and has been used with success in detecting financial fraud and election rigging in the past. The first approach examines the lead digit distribution of the raw contents of the bytes of a suspect image, whilst the second examines the distribution of lead digits of quantised discrete cosine transform (DCT) coefficients of the JPEG encoding. Both methods produce fast and credible results and are supported by open source toolkits that can be used by law enforcement and investigative authorities worldwide.
P. Andriotis, G. Oikonomou, T. Tryfonas, "JPEG Steganography Detection with Benford's Law", Digital Investigation, Elsevier, 9(3-4), pp. 246-257, 2013
In this paper we present a novel approach to the problem of steganography detection in JPEG images by applying a statistical attack. The method is based on the empirical Benford's Law and, more specifically, on its generalised form. We prove and extend the validity of the logarithmic rule in colour images and introduce a blind steganographic method which can flag a file as a suspicious stego-carrier. The proposed method achieves very high accuracy and speed and is based on the distributions of the first digits of the quantised Discrete Cosine Transform coefficients present in JPEGs. In order to validate and evaluate our algorithm, we developed steganographic tools which are able to analyse image files and we subsequently applied them on the popular Uncompressed Colour Image Database. Furthermore, we demonstrate that not only can our method detect steganography but, if certain criteria are met, it can also reveal which steganographic algorithm was used to embed data in a JPEG file.
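The first-digit test behind both abstracts above (raw bytes in the SPI 2013 paper, quantised DCT coefficients in the Digital Investigation paper), as an added Python illustration that is not the authors' toolkit: build the leading-digit histogram of a sequence of integers, compare it against the classic Benford distribution P(d) = log10(1 + 1/d), and report a chi-square divergence. The same histogram function serves both methods: feed it the file's bytes, or a list of non-zero quantised DCT coefficients obtained from a JPEG decoder. The generalised Benford form the authors fit to DCT coefficients has model parameters not given on this page, so it is not reproduced; the classic law, the 0.05 critical value for 8 degrees of freedom (15.507) and the constructed sample data are this example's own assumptions.

```python
"""Added illustration: Benford first-digit statistics as a steganalysis signal."""
import math
from collections import Counter

# Chi-square critical value, 8 degrees of freedom, p = 0.05 (standard table).
CHI2_CRIT_8DF_005 = 15.507


def benford_expected(digit):
    """Classic Benford probability of a leading digit 1..9."""
    return math.log10(1 + 1 / digit)


def leading_digit(value):
    """Leading decimal digit of a positive integer."""
    while value >= 10:
        value //= 10
    return value


def first_digit_histogram(values):
    """Counts of leading digits over an iterable of integers (bytes, DCT
    coefficients, ...). Zeros have no leading digit and are skipped;
    negative coefficients contribute their magnitude."""
    counts = Counter()
    for v in values:
        v = abs(int(v))
        if v == 0:
            continue
        counts[leading_digit(v)] += 1
    return counts


def chi_square_vs_benford(counts):
    """Chi-square statistic of observed digit counts against Benford."""
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no non-zero values to analyse")
    chi2 = 0.0
    for d in range(1, 10):
        expected = total * benford_expected(d)
        chi2 += (counts.get(d, 0) - expected) ** 2 / expected
    return chi2


def analyse(values, threshold=CHI2_CRIT_8DF_005):
    """Return (chi2, suspicious). The threshold is an assumed decision rule
    for this example; a real detector would calibrate it on clean images."""
    chi2 = chi_square_vs_benford(first_digit_histogram(values))
    return chi2, chi2 > threshold


def analyse_file_bytes(path):
    """Method 1 from the SPI 2013 abstract: leading digits of raw byte values."""
    with open(path, "rb") as fh:
        return analyse(fh.read())


if __name__ == "__main__":
    # Constructed sample data, not image content: a geometric sequence
    # (Benford-like) versus digits drawn uniformly (non-Benford).
    geometric = [int(1.07 ** k) for k in range(1, 400)]
    uniform = list(range(1, 10)) * 100
    print("geometric:", analyse(geometric))
    print("uniform:  ", analyse(uniform))
```

For the DCT-coefficient method one would pass the decoder's quantised coefficient array (excluding the zero coefficients) to `analyse` instead of the byte stream; the histogram and statistic are unchanged.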
P. Andriotis, Z. Tzermias, A. Mparmpaki, S. Ioannidis, G. Oikonomou, "Multilevel Visualization Using Enhanced Social Network Analysis with Smartphone Data", International Journal of Digital Crime and Forensics, IGI Global, 5(4), pp. 34-54, 2013
While technology matures and becomes more productive, mobile devices have become affordable and, consequently, fully integrated in people's lives. After their unexpected bloom and acceptance, Online Social Networks are now sources of valuable information. We therefore use them for tasks varying from direct marketing to forensic analysis. We have already seen Social Network Forensics techniques focused on particular networks implementing methods that collect data from user accounts. During the forensic analysis it is common to aggregate information from different sources but, usually, this procedure causes correlation problems. Here, we present our method to correlate data gathered from various social networks in combination with smartphones, creating a new form of social map of the user under investigation. In addition, we introduce a multi-level graph that utilises the correlated information from the smartphone and the social networks and shows, in three dimensions, the relevance of each contact to the suspect.
G. Oikonomou, I. Phillips, T. Tryfonas, "IPv6 Multicast Forwarding in RPL-Based Wireless Sensor Networks", Wireless Personal Communications, Springer US, 73(3), pp. 1089-1116, 2013
In wireless sensor deployments, network layer multicast can be used to improve the bandwidth and energy efficiency for a variety of applications, such as service discovery or network management. However, despite efforts to adopt IPv6 in networks of constrained devices, multicast has been somewhat overlooked. The Multicast Forwarding Using Trickle (Trickle Multicast) internet draft is one of the most noteworthy efforts. The specification of the IPv6 Routing Protocol for Low power and Lossy Networks (RPL) also attempts to address the area but leaves many questions unanswered. In this paper we highlight our concerns about both these approaches. Subsequently, we present our alternative mechanism, called Stateless Multicast RPL Forwarding algorithm (SMRF), which addresses the aforementioned drawbacks. Having extended the TCP/IP engine of the Contiki embedded operating system to support both Trickle Multicast (TM) and SMRF, we present an in-depth comparison, backed by simulated evaluation as well as by experiments conducted on a multi-hop hardware testbed. Results demonstrate that SMRF achieves significant delay and energy efficiency improvements at the cost of a small increase in packet loss. The outcome of our hardware experiments shows that the simulation results were realistic. Lastly, we evaluate both algorithms in terms of code size and memory requirements, highlighting SMRF's low implementation complexity. Both implementations have been made available to the community for adoption.
P. Andriotis, T. Tryfonas, G. Oikonomou, C. Yildiz, "A Pilot Study on the Security of Pattern Screen-Lock Methods and Soft Side Channel Attacks", in Proc. 6th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 13), pp. 1-6, 2013
Graphical passwords that allow a user to unlock a smartphone's screen are one of the Android operating system's features and many users prefer them instead of traditional text-based codes. A variety of attacks have been proposed against this mechanism, notably methods that recover the lock patterns using the oily residues left on screens when people move their fingers to reproduce the unlock code. In this paper we present a pilot study on user habits when setting a pattern lock and on their perceptions regarding what constitutes a secure pattern. We use our survey's results to establish a scheme, which combines a behaviour-based attack and a physical attack on graphical lock screen methods, aiming to reduce the search space of possible combinations forming a pattern, to make it partially or fully retrievable.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without explicit permission from the copyright holder.