Vassilios Vassilakis
Although IoT security is a field studied extensively, recent attacks such as BotenaGo show that current security solutions cannot effectively stop the spread of IoT attacks. Machine Learning (ML) techniques are promising in improving protection against such attacks. In this work, three supervised ML algorithms are trained and evaluated for detecting rank and blackhole attacks in RPL-based IoT networks. Extensive simulations of the attacks are implemented to create a dataset and appropriate fields are identified for training the ML model. We use Google AutoML and Microsoft Azure ML platforms to train our model. Our evaluation results show that ML techniques can be effective in detecting rank and blackhole attacks, achieving a precision of 93.3%.
In recent years, the world has witnessed a significant increase in the number of IoT devices, with a global and continuous rise in the demand for their multipurpose applications. However, malicious use of IoT devices began to emerge among cybercriminals. IoT-enabled cyberattacks and botnets, such as the Mirai botnet and its variants and imitators, demonstrate that the industry needs to better secure IoT devices and networks; otherwise, there will be higher risks of exposing the Internet's infrastructure and services to increasingly disruptive DDoS attacks. This paper presents the results of a study of IoT botnets. We focus on their distinctive characteristics, exploits used, and cyberattack capabilities. In total, we have reviewed and compared 46 recent IoT botnets. We also present details of the main CPU architectures targeted by these IoT botnets. We illustrate that IoT botnets pose a significant threat to private individuals and enterprises by employing effective evasion mechanisms, encrypted communication, and targeting a wide range of systems and networks.
Unmanned aerial vehicles (UAVs) are a rapidly evolving technology, and being highly mobile, UAV systems are able to cooperate with each other to accomplish a wide range of different tasks. UAVs can be used in commercial applications, such as goods delivery, as well as in military surveillance. They can also operate in civil domains like search-and-rescue missions, that require multiple UAVs to collect location data as well as transmit video streams. However, the malicious use of UAVs began to emerge in recent years. The frequency of such attacks has been significantly increasing and their impact can have devastating effects. Hence, the relevant industries and standardisation bodies are exploring possibilities for securing UAV systems and networks. Our survey focuses on UAV security and privacy issues whilst establishing flying ad-hoc networks (FANETs) as well as on threats to the Internet of drones (IoD) infrastructure used to provide control and access over the Internet between UAVs and users. The goal of this survey is to categorise the versatile aspects of the UAV threat landscape and develop a classification approach based on different types of connections and nodes in FANETs and IoD. In particular, we categorise security and privacy threats on connections between UAVs, ground control stations, and personal pilot devices. All the most relevant threats and their corresponding defence mechanisms are classified using characteristics of the first four layers of the OSI model. We then analyse the conventional and novel UAV routing protocols, indicating their advantages and disadvantages from the cyber security perspective. To provide a deeper insight, the reviewed defence mechanisms have undergone a thorough examination of their security requirements and objectives such as availability, authentication, authorisation, confidentiality, integrity, privacy, and non-repudiation. 
Finally, we discuss the open research challenges, the limitations of current UAV standards, and provide possible future directions for research.

2.2. UAV communication architectures categorisation

Communication is a critical issue when deploying fast moving multi-UAV systems. Depending on data flow, UAV communications architectures are either centralised or decentralised. This categorisation is shown in Fig. 2 and explained below.

2.2.1. Centralised architectures

UAVs communicate with a central controller, meaning there is a single point of failure. Fig. 3 presents three types of centralised communication architectures [9]. In UAV-GCS, to obtain data, every UAV must directly connect to the GCS. This type of link is not advisable in changeable environments, such as stormy weather conditions. In UAV-satellite, communication is done via a satellite, which is suitable for when the distance between GCS and UAV is big. In UAV-cellular, communication is performed via appropriate cellular technology; it uses base stations to implement routing technology that facilitates communication between nodes.
This work focuses on infiltration methods, such as Address Resolution Protocol (ARP) spoofing, where adversaries send fabricated ARP messages, linking their Media Access Control (MAC) address to a genuine device's Internet Protocol (IP) address. We developed a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS), which defends against ARP spoofing and blacklisted MAC addresses. This is done by dynamically adjusting SDN's operating parameters to detect malicious network traffic. Bespoke software was written to conduct the attack tests and customise the IDPS; this was coupled to a specifically developed library to validate user input. Improvements were made to SDN in the areas of attack detection, firewall, intrusion prevention, packet dropping, and shorter timeouts. Our extensive experimental results show that the developed solution is effective and quickly responds to intrusion attempts. In the considered test scenarios, our measured detection and mitigation times are sufficiently low (in the order of a few seconds).
The IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) has been standardized to support IP over lossy networks. RPL (Routing Protocol for Low-Power and Lossy Networks) is the common routing protocol for 6LoWPAN. Among various attacks on RPL-based networks, the wormhole attack may cause severe network disruption and is one of the hardest to detect. We have designed and implemented in ContikiOS a wormhole detection technique for 6LoWPAN that uses round-trip times and hop counts. In addition, the performance of this technique has been evaluated in terms of power, CPU, memory, and communication overhead.
IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) has been designed to handle routing in IoT. We investigate the detection of blackhole and greyhole attacks in RPL networks. We evaluate the existing heartbeat-based detection method for blackhole attacks and propose its modification for greyhole attacks. Extensive experiments have been performed to verify the accuracy and effectiveness of the new method using Contiki-NG and the Cooja simulator. The obtained results show that the method is accurate in detecting the attacks. The overhead introduced by the modified heartbeat protocol in terms of CPU usage and battery consumption is found to be negligible.
This paper investigates the use of Software-Defined Networking (SDN) in the detection and mitigation of malware threat, focusing on the example of ExPetr ransomware. Extensive static and dynamic analysis of ExPetr is performed in a purpose-built SDN testbed. The results acquired from this analysis are then used to design and implement an SDN-based solution to detect the malware and prevent it from spreading to other machines inside a local network. Our solution consists of three security mechanisms that have been implemented as components/modules of the Python-based POX controller. These mechanisms include: port blocking, SMB payload inspection, and HTTP payload inspection. When malicious activity is detected, the controller communicates with the SDN switches via the OpenFlow protocol and installs appropriate entries in their flow tables. In particular, the controller blocks machines which are considered infected, by monitoring and reacting in real time to the network traffic they produce. Our experimental results demonstrate that the proposed designs are effective against self-propagating malware in local networks. The implemented system can respond to malicious activities quickly and in real time. Furthermore, by tuning certain thresholds of the detection mechanisms it is possible to trade-off the detection time with the false positive rate.
Internet of Things (IoT) is already playing a significant role in our lives, as more and more industries are adopting IoT for improving existing systems and providing novel applications. However, recent attacks caused by the Mirai and Chalubo botnets show that IoT systems are vulnerable and new security mechanisms are required. In this work, we design and implement a prototype of an Intrusion Detection System (IDS) for protecting IoT networks and devices from Denial-of-Service (DoS) attacks. Our focus is on detecting attacks that exploit the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which is a widely used protocol for packet routing in low-power IoT networks. Our considered Operating System (OS) is the popular ContikiOS and we use the Cooja simulator to study DoS attacks and test the detection algorithms. In particular, we simulated scenarios that involve both benign and malicious/compromised IoT devices. A compromised device exploits RPL control messages to cause other devices to perform heavy computations and disrupt the established network routes. The obtained simulation results help us understand the characteristics of an RPL-based IoT network under its normal operation and devise effective countermeasures against malicious activity. A new threshold-based IDS is proposed and a first prototype is implemented in ContikiOS. The IDS relies on tunable parameters and involves both centralised and distributed components in order to effectively detect malicious RPL messages. Experimental results show a high detection rate and low false positives in large networks.
Nowadays ransomware presents a huge and the fastest growing problem for all types of users, from small households to large corporations and government bodies. Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting the chances to recover the data almost to zero. In order to design and develop appropriate detection and mitigation mechanisms, it is important to perform ransomware analysis and identify its features. In this work, we present our ransomware analysis results focusing on the infamous WannaCry ransomware. In particular, the presented research examines the WannaCry behaviour during its execution in a purpose-built virtual lab environment. We perform static and dynamic analysis using a wide range of malware analysis tools. The obtained results can be used for developing appropriate detection and mitigation mechanisms for WannaCry or other ransomware families that exhibit similar behaviour.
Over recent years, we have observed a significant increase in the number and the sophistication of cyber attacks targeting home users, businesses, government organizations and even critical infrastructure. In many cases, it is important to detect attacks at the very early stages, before significant damage can be caused to networks and protected systems, including accessing sensitive data. To this end, cybersecurity researchers and professionals are exploring the use of Software-Defined Networking (SDN) technology for efficient and real-time defense against cyberattacks. SDN enables network control to be logically centralised by decoupling the control plane from the data plane. This feature enables network programmability and has the potential to almost instantly block network traffic when some malicious activity is detected. In this work, we design and implement an Intrusion Detection and Prevention System (IDPS) using SDN. Our IDPS is a software application that monitors networks and systems for malicious activities or security policy violations and takes steps to mitigate such activity. We specifically focus on defending against port-scanning and Denial of Service (DoS) attacks. However, the proposed design and detection methodology have the potential to be expanded to a wide range of other malicious activities. We have implemented and tested two connection-based techniques as part of the IDPS, namely the Credit-Based Threshold Random Walk (CB-TRW) and Rate Limiting (RL). As a mechanism to defend against port-scanning, we outline and test our Port Bingo (PB) algorithm. Furthermore, we include QoS as a DoS attack mitigation, which relies on flow statistics from a network switch. We conducted extensive experiments in a purpose-built testbed environment. The experimental results show that the launched port-scanning and DoS attacks can be detected and stopped in real time. Finally, the rate of false positives can be kept sufficiently low by tuning the threshold parameters of the detection algorithms.
Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. We investigate the use of software-defined networking (SDN) to detect and mitigate advanced ransomware threat. We present our ransomware analysis results and our developed SDN-based security framework. For the proof of concept, the infamous WannaCry ransomware was used. Based on the obtained results, we design an SDN detection and mitigation framework and develop a solution based on OpenFlow. The developed solution detects suspicious activities through network traffic monitoring and blocks infected hosts by adding flow table entries into OpenFlow switches in a real-time manner. Finally, our experiments with multiple samples of WannaCry show that the developed mechanism in all cases is able to promptly detect the infected machines and prevent WannaCry from spreading.
The emergence of the Internet of Things (IoT) is expected to significantly advance the technology development in many application domains such as agriculture, home automation, and healthcare. However, in the IoT era, this development faces serious research challenges in terms of handling large amounts of data, designing efficient system architectures, and implementing appropriate mechanisms for privacy and security assurance. Especially the network security aspect of the IoT is of major importance due to the huge amounts of data that the IoT is expected to generate and handle, and considering the limited resources of typical IoT devices. One of the serious security threats is the physical attack on IoT devices that operate in remote locations. These are known in the literature as node capture attacks. Motivated by the aforementioned issues, this paper first introduces the background of IoT security and discusses the related challenges. Next, a secure group communication scheme that enables IoT using a low energy wireless IP network is described. The proposed approach is based on Shamir's Secret Sharing scheme, which has been enhanced to enable secure group-to-group communication of resource-constrained IoT devices. In particular, we consider the low energy wireless IP networking technology as one of the IoT enablers and the problem of mitigating the negative effects of node capture attacks on IoT devices. Simulation results show significant improvements of the proposed scheme over the traditional public-key based approach.
Internet of Things (IoT) is envisioned as a transformative approach with a wide range of applications in various sectors such as home automation, industrial control, and agriculture. It promises innovative business models and improved user experience. However, as evidenced by recent attacks such as the Mirai botnet, IoT networks and systems remain very vulnerable and require stronger protection mechanisms. Furthermore, due to processing, memory, and power constraints of typical IoT devices, traditional Internet security mechanisms are not always feasible or appropriate. In this work, we are concerned with designing an Intrusion Detection System (IDS) for protecting IoT networks from external threats as well as internal compromised devices. Our proposed design adopts a signature-based intrusion detection approach and involves both centralised and distributed IDS modules. Using the Cooja simulator, we have implemented a Denial of Service (DoS) attack scenario on IoT devices. This scenario exploits the RPL protocol, which is widely used for routing in low-power networks, including IoT networks. In particular, we have implemented two variants of DoS attacks, namely "Hello" flooding and version number modification. As shown by simulation results, these attacks may impact the reachability of certain IoT devices and their power consumption.
Novel networking paradigms, such as software-defined networking (SDN) and network function virtualization (NFV), introduce new opportunities in the design of next-generation mobile networks. Our present work investigates the benefits of the emerging SDN and NFV technologies on the radio resource management (RRM) in mobile cellular networks. In particular, the aim of our RRM scheme is to enable an efficient and flexible radio resource allocation in order to assure the quality-of-experience (QoE) of mobile users. We consider the OFDMA multiple-access scheme and the complete radio resource sharing policy. To enable time- and space-efficient resource allocation, we investigate the applicability of the well-known Kaufman-Roberts recursion in the context of the new architectural and functional changes of SDN/NFV based mobile environments. Finally, we discuss the applicability of the proposed approach for more complicated resource sharing policies.
Dual connectivity (DC) has been included in the Release 12 of the long-term evolution (LTE) standard. In this paper, we perform a formal security verification of the key establishment protocol for DC in small cell LTE networks. In particular, the security verification is performed using a popular tool called Scyther. The considered security properties include secrecy and reachability. We also simulate a key leakage and show that some security claims in this case can be falsified.
The smart grid (SG), generally referred to as the next-generation power system, is considered as a revolutionary and evolutionary regime of existing power grids. Among the emerging SG applications, the advanced metering infrastructure (AMI) enables automated, two-way communication between a smart meter (SM) and a public utility company. To authenticate a message, the sender (e.g., a SM) signs the message with its private key using a pre-defined digital signature algorithm. To verify the message, the recipient verifies the sender's certificate and then the sender's signature using the sender's public key. In some cases, however, a previously issued certificate for a network node needs to be revoked. In this paper we investigate two possible approaches for the certificate management of SMs in AMI networks. These are based on the traditional certificate revocation lists (CRLs) and on the Bloom filters. We compare the two approaches in terms of the required packet size for the distribution of the revoked certificate serial numbers. We also discuss the advantages and limitations of each approach.
Diffie-Hellman (DH) key exchange is a well known method for secure exchange of cryptographic keys and has been widely used in popular Internet protocols, such as IPsec, TLS, and SSH. To enable authenticated key establishment, the DH protocol has been integrated with the digital signature algorithm (DSA). In this paper, we analyze three variants of the integrated DH-DSA protocol. We study the protocol variants with respect to known types of attacks and security features. In particular, the focus is on the properties of forward secrecy, known-key security, and replay attack resilience.
The concept of software-defined networking (SDN) is able to offer important advantages over the traditional communication paradigms. This is achieved by decoupling the decision-making process from the underlying network infrastructure that forwards the traffic. Recently, there have been efforts in applying the SDN approach to wireless and cellular networks. In fact, SDN is considered as one of the key enablers for future 5G communication networks. Information-centric networking (ICN) is another emerging communication paradigm that has been proposed to improve the content delivery efficiency compared to the traditional host-centric communication protocols. ICN decouples the data from their location, application, and means of transportation. This feature makes ICN particularly suitable for efficient dissemination of large volumes of data, especially in highly dynamic and heterogeneous mobile environments. In this work, we consider an SDN-enabled cellular network and propose an ICN protocol to ensure fast and efficient content dissemination to mobile users. The proposed protocol has been evaluated by means of computer simulations for the use case of a live video streaming service. Our experimental results show significant improvements in terms of response times over the current long-term evolution (LTE) networks.
It is well acknowledged that one of the key enabling factors for the realization of future 5G networks will be the small cell (SC) technology. Furthermore, recent advances in the fields of network functions virtualization (NFV) and software-defined networking (SDN) open up the possibility of deploying advanced services at the network edge. In the context of mobile/cellular networks this is referred to as mobile edge computing (MEC). Within the scope of the EU-funded research project SESAME we perform a comprehensive security modelling of MEC-assisted quality-of-experience (QoE) enhancement of fast moving users in a virtualized SC wireless network, and demonstrate it through a representative scenario toward 5G. Our modelling and analysis is based on a formal security requirements engineering methodology called Secure Tropos which has been extended to support MEC-based SC networks. In the proposed model, critical resources which need protection, and potential security threats are identified. Furthermore, we identify appropriate security constraints and suitable security mechanisms for 5G networks. Thus, we reveal that existing security mechanisms need adaptation to face emerging security threats in 5G networks.
Next-generation cellular networks are expected to enable the coexistence of macro and small cells, and to support differentiated quality-of-service (QoS) of mobile applications. Under such conditions in the cell, due to a wide range of supported services and high dependencies on efficient vertical and horizontal handovers, appropriate management of handover traffic is very crucial. Furthermore, new emerging technologies, such as cloud radio access networks (C-RAN) and self-organizing networks (SON), provide good implementation and deployment opportunities for novel functions and services. We design a multi-threshold teletraffic model for heterogeneous code division multiple access (CDMA) networks that enable QoS differentiation of handover traffic when elastic and adaptive services are present. Facilitated by this model, it is possible to calculate important performance metrics for handover and new calls, such as call blocking probabilities, throughput, and radio resource utilization. This can be achieved by modelling the cellular CDMA system as a continuous-time Markov chain. After that, the determination of state probabilities in the cellular system can be performed via a recursive and efficient formula. We present the applicability framework for our proposed approach, that takes into account advances in C-RAN and SON technologies. We also evaluate the accuracy of our model using simulations and find it very satisfactory. Furthermore, experiments on commodity hardware show algorithm running times in the order of few hundreds of milliseconds, which makes it highly applicable for accurate cellular network dimensioning and radio resource management.

Keywords: quality of service; handover; CDMA; cloud radio access network
Based upon the context of current Mobile Edge Computing (MEC) research and within the innovative scope of the SESAME EU-funded research project, we propose and assess a framework for security analysis applied in virtualised Small Cell Networks, with the aim of further extending MEC in the broader 5G environment. More specifically, by applying the fundamental concepts of the SESAME original architecture, which aims at providing enhanced multi-tenant MEC services through Small Cells coordination and virtualization, we focus on a realistic 5G-oriented scenario enabling the provision of large multi-tenant enterprise services by using MEC. Then we evaluate several security issues by using a formal methodology, known as Secure Tropos.
The surge of the Internet traffic with exabytes of data flowing over operators' mobile networks has created the need to rethink the paradigms behind the design of the mobile network architecture. The inadequacy of the 4G UMTS Long term Evolution (LTE) and even of its advanced version LTE-A is evident, considering that the traffic will be extremely heterogeneous in the near future and ranging from 4K resolution TV to machine-type communications. To keep up with these changes, academia, industries and EU institutions have now engaged in the quest for new 5G technology. In this paper we present the innovative system design, concepts and visions developed by the 5G PPP H2020 project SESAME (Small cEllS coordinAtion for Multi-tenancy and Edge services). The innovation of SESAME is manifold: i) combine the key 5G small cells with cloud technology, ii) promote and develop the concept of Small Cells-as-a-Service (SCaaS), iii) bring computing and storage power at the mobile network edge through the development of non-x86 ARM technology enabled micro-servers, and iv) address a large number of scenarios and use cases applying mobile edge computing.
Research on next-generation 5G wireless networks is currently attracting a lot of attention in both academia and industry. While 5G development and standardization activities are still at their early stage, it is widely acknowledged that 5G systems are going to rely extensively on dense small cell deployments, which would exploit infrastructure and network functions virtualization (NFV), and push the network intelligence towards the network edge by embracing the concept of mobile edge computing (MEC). As security will be a fundamental enabling factor of small cell as a service (SCaaS) in 5G networks, we present the most prominent threats and vulnerabilities against a broad range of targets. As far as the related work is concerned, to the best of our knowledge, this paper is the first to investigate security challenges at the intersection of SCaaS, NFV, and MEC. It is also the first paper that proposes a set of criteria to facilitate a clear and effective taxonomy of security challenges of the main elements of 5G networks. Our analysis can serve as a starting point towards the development of appropriate 5G security solutions. These will have a crucial effect on legal and regulatory frameworks as well as on decisions of businesses, governments, and end-users. Keywords: Security, small cell as a service, network functions virtualization, mobile edge computing, 5G.
In recent years, mobile cellular networks have been undergoing fundamental changes and many established concepts are being revisited. Future 5G network architectures will be designed to employ a wide range of new and emerging technologies such as Software Defined Networking (SDN) and Network Functions Virtualization (NFV). These create new virtual network elements, each affecting the logic of network management and operation, and enable a new generation of services with substantially higher data rates and lower delays. However, new security challenges and threats are also introduced. Current Long-Term Evolution (LTE) networks are not able to accommodate these new trends in a secure and reliable way. At the same time, novel 5G systems offer valuable opportunities for developing new solutions for attack prevention, management, and recovery. In this paper, we first discuss the main security threats and possible attack vectors in cellular networks. Second, driven by the emerging next-generation cellular networks, we discuss the architectural and functional requirements needed to enable appropriate levels of security.
Information-Centric Networking (ICN) is a new communication paradigm that shifts the focus from content location to the content objects themselves. Users request content by its name or some other form of identifier, and the network is then responsible for locating the requested content and delivering it to the users. Despite a large number of works on ICN in recent years, the scalability of ICN systems has not been studied and addressed adequately. This is especially true when considering real-world deployments and so-called alternative networks such as community networks. In this work, we explore the applicability of ICN principles in the challenging and unpredictable environments of community networks. In particular, we focus on stateless content dissemination based on Bloom filters (BFs). We highlight the scalability limitations of the classical single-stage BF-based approach and argue that enabling multiple BF stages would lead to performance enhancements: a multi-stage BF-based content dissemination mechanism could support large network topologies with heterogeneous traffic and diverse channel conditions. In addition to the scalability improvements, this approach is also more robust against Denial of Service attacks.
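The scalability limitation above comes from the false-positive rate of a Bloom filter: the more links a single in-packet filter encodes, the more bits are set and the more non-path links it "matches", so packets leak onto links that were never part of the path. The following is an added example, not code from the paper, that measures this in a constructed topology. It assumes a simplified in-packet Bloom filter forwarding model (each link has an identifier of K_HASHES hashed bit positions in an M_BITS-wide filter, and a path is encoded as the OR of its link identifiers), and a simplified multi-stage variant in which each stage of the path carries its own full-width filter; the topology, the constants M_BITS and K_HASHES, and the fill-ratio guard in `is_suspicious_filter` are all illustrative assumptions rather than the paper's mechanism.

```python
import hashlib
import math

M_BITS = 64      # filter width in bits; assumed for illustration
K_HASHES = 3     # bit positions per link identifier; assumed for illustration


def link_id(name: str, m: int = M_BITS, k: int = K_HASHES) -> int:
    """Link identifier: an m-bit mask with up to k bits set, derived from k
    SHA-256 digests of the link name. Colliding positions leave fewer than
    k bits set, exactly as in a real Bloom filter."""
    mask = 0
    for i in range(k):
        digest = hashlib.sha256(f"{name}:{i}".encode()).digest()
        mask |= 1 << (int.from_bytes(digest[:4], "big") % m)
    return mask


def encode(link_ids) -> int:
    """Forwarding identifier: bitwise OR of all link identifiers on the path."""
    filt = 0
    for lid in link_ids:
        filt |= lid
    return filt


def matches(filt: int, lid: int) -> bool:
    """A node forwards on a link iff every bit of the link identifier is set."""
    return filt & lid == lid


def fill_ratio(filt: int, m: int = M_BITS) -> float:
    return bin(filt).count("1") / m


def expected_false_positive_rate(n_links: int, m: int = M_BITS, k: int = K_HASHES) -> float:
    """Classical estimate: P(a non-path link matches) ~ (1 - e^{-k n / m})^k."""
    return (1 - math.exp(-k * n_links / m)) ** k


def all_path_links_match(path_ids) -> bool:
    """Bloom filters have no false negatives: every encoded link must match."""
    filt = encode(path_ids)
    return all(matches(filt, lid) for lid in path_ids)


def count_false_positives(filt: int, non_path_ids) -> int:
    return sum(1 for lid in non_path_ids if matches(filt, lid))


def single_stage_false_positives(path_ids, non_path_ids) -> int:
    """Classical scheme: one filter encodes the whole path."""
    return count_false_positives(encode(path_ids), non_path_ids)


def multi_stage_false_positives(path_ids, non_path_ids, stages: int) -> int:
    """Simplified multi-stage scheme (assumption): the path is cut into `stages`
    segments, each encoded in its own full-width filter, and the nodes of a
    stage consult only that stage's filter, so each filter carries fewer links."""
    per_stage = math.ceil(len(path_ids) / stages)
    total = 0
    for s in range(stages):
        segment = path_ids[s * per_stage:(s + 1) * per_stage]
        total += count_false_positives(encode(segment), non_path_ids)
    return total


def is_suspicious_filter(filt: int, max_fill: float = 0.75, m: int = M_BITS) -> bool:
    """Guard a forwarding node can apply: a filter with most bits set matches
    almost every link, so an attacker-crafted (e.g. all-ones) identifier would
    be flooded over the whole topology. Threshold is an assumed value."""
    return fill_ratio(filt, m) > max_fill


def compare(n_links: int = 240, path_len: int = 40, stages: int = 4) -> dict:
    """Constructed topology: the first `path_len` links form the path, the rest
    are non-path links on which any match is a false positive."""
    ids = [link_id(f"link-{i}") for i in range(n_links)]
    path, others = ids[:path_len], ids[path_len:]
    return {
        "single_stage_fp": single_stage_false_positives(path, others),
        "multi_stage_fp": multi_stage_false_positives(path, others, stages),
        "single_stage_expected": expected_false_positive_rate(path_len) * len(others),
        "multi_stage_expected": stages * expected_false_positive_rate(math.ceil(path_len / stages)) * len(others),
        "single_stage_fill": fill_ratio(encode(path)),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:>22}: {val:.2f}" if isinstance(val, float) else f"{key:>22}: {val}")
```

With the constructed parameters the single 64-bit filter is over 80% full and matches most of the 200 non-path links, while the four per-stage filters together match only a few dozen; the same multiplication of stray copies is what an attacker gets for free by injecting a near-full filter, which is why a node should refuse identifiers above a fill threshold before forwarding.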
A smart grid is a power system that uses information and communication technology to operate, monitor, and control data flows between the power generating source and the end user. It aims at high efficiency, reliability, and sustainability of the electricity supply process that is provided by the utility centre and is distributed from generation stations to clients. To this end, energy-efficient multicast communication is an important requirement to serve a group of residents in a neighbourhood. However, multicast routing introduces new challenges in terms of secure operation of the smart grid and user privacy. In this paper, after having analysed the security threats for multicast-enabled smart grids, we propose a novel multicast routing protocol that is both sufficiently secure and energy efficient. We also evaluate the performance of the proposed protocol by means of computer simulations, in terms of its energy-efficient operation.
Named Data Networking (NDN) is a novel networking approach that aims at overcoming some of the limitations of the current Internet. In particular, NDN aims at providing better privacy and security by focusing on the data items themselves rather than on the location of data. This is achieved by using soft states at the routers, which record the requests/interests for data from users in the Pending Interest Table (PIT). However, this new networking concept opens up avenues for launching Distributed Denial-of-Service (DDoS) attacks on PITs. That is, an attacker may flood the network with a large number of Interest packets that would overflow the PITs at the routers, thus preventing legitimate users from receiving the requested data. This type of DDoS attack is known as the Interest Flooding Attack (IFA) and, if not adequately dealt with, may severely disrupt the normal operation of an NDN system. In this paper, we first show that the basic NDN mechanism is vulnerable to IFA even when the attacker has very limited resources. Next, we propose a mitigation technique that allows routers to quickly identify and block such DDoS attempts, by detecting anomalous user behaviour. We also introduce an additional security layer by using public-key based router authentication. We evaluate our proposed scheme by means of computer simulations and show that a sufficient level of security can be achieved with little processing and storage overhead.
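The IFA mechanics and the "anomalous user behaviour" idea are easy to see in a few dozen lines. The following is an added example, not code from the paper: a minimal forwarder with a capacity-bounded PIT, a constructed scenario in which one face floods Interests for unique names that no producer will ever answer while another face requests content that is answered promptly, and an illustrative per-face detector. The detector (a face is throttled when its Interest satisfaction ratio falls below a threshold, or when it already holds too large a share of the PIT) is my own assumption of what "detecting anomalous user behaviour" could look like, not the paper's detector, and the public-key router authentication layer is not modelled; all rates, capacities and thresholds are constructed.

```python
class NdnRouter:
    """Minimal NDN forwarder: a PIT with bounded capacity and entry timeout,
    plus an optional, illustrative per-face anomaly check (assumption)."""

    def __init__(self, pit_capacity=100, pit_timeout=4, mitigate=False,
                 min_sample=20, min_satisfaction=0.5, max_face_share=0.5):
        self.pit = {}                          # name -> (incoming face, expiry time)
        self.pit_capacity = pit_capacity
        self.pit_timeout = pit_timeout
        self.mitigate = mitigate
        self.min_sample = min_sample           # outcomes needed before judging a face
        self.min_satisfaction = min_satisfaction
        self.max_face_share = max_face_share   # max fraction of the PIT one face may hold
        self.stats = {}                        # face -> counters

    def _stats(self, face):
        return self.stats.setdefault(
            face, {"forwarded": 0, "satisfied": 0, "expired": 0, "dropped": 0})

    def satisfaction_ratio(self, face):
        """Fraction of this face's Interests that were answered with Data."""
        st = self._stats(face)
        outcomes = st["satisfied"] + st["expired"]
        return None if outcomes < self.min_sample else st["satisfied"] / outcomes

    def face_share(self, face):
        return sum(1 for f, _ in self.pit.values() if f == face) / self.pit_capacity

    def is_anomalous(self, face):
        ratio = self.satisfaction_ratio(face)
        if ratio is not None and ratio < self.min_satisfaction:
            return True                        # Interests that never get Data
        return self.face_share(face) >= self.max_face_share

    def receive_interest(self, name, face, now):
        st = self._stats(face)
        if name in self.pit:
            return "aggregated"                # same name pending: no new entry
        if self.mitigate and self.is_anomalous(face):
            st["dropped"] += 1
            return "throttled"
        if len(self.pit) >= self.pit_capacity:
            st["dropped"] += 1
            return "pit_full"                  # the IFA goal: legitimate Interests die here
        self.pit[name] = (face, now + self.pit_timeout)
        st["forwarded"] += 1
        return "forwarded"

    def receive_data(self, name):
        """Data consumes its PIT entry and credits the face that asked for it."""
        entry = self.pit.pop(name, None)
        if entry is None:
            return False
        self._stats(entry[0])["satisfied"] += 1
        return True

    def expire(self, now):
        """Unsatisfied entries time out; they count against the requesting face."""
        dead = [n for n, (_, exp) in self.pit.items() if exp <= now]
        for n in dead:
            face, _ = self.pit.pop(n)
            self._stats(face)["expired"] += 1
        return len(dead)


def simulate(mitigate, steps=60, attacker_rate=30, legit_rate=2,
             pit_capacity=100, pit_timeout=4):
    """Constructed scenario: face 'attacker' floods unique, unsatisfiable names;
    face 'legit' requests content that a producer answers within the same step."""
    router = NdnRouter(pit_capacity, pit_timeout, mitigate)
    served = attacker_seq = legit_seq = 0
    for t in range(steps):
        router.expire(t)
        for _ in range(attacker_rate):
            router.receive_interest(f"/evil/{attacker_seq}", "attacker", t)
            attacker_seq += 1
        for _ in range(legit_rate):
            name = f"/video/{legit_seq}"
            legit_seq += 1
            if router.receive_interest(name, "legit", t) == "forwarded":
                router.receive_data(name)      # reachable content: Data comes back
                served += 1
    return {"legit_served": served, "legit_requested": steps * legit_rate,
            "stats": router.stats}


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(mitigate=flag)
        print(f"mitigate={flag}: legit served {r['legit_served']}/{r['legit_requested']}")
```

Without mitigation the attacker needs only 30 Interests per time unit against a 100-entry PIT with a 4-unit timeout to keep the table permanently full, and the legitimate face is served only during the first three steps. With the per-face check, the attacker is first capped by PIT share and then, once its first entries time out unanswered, throttled by its satisfaction ratio of zero, while the legitimate face (ratio 1.0, negligible PIT share) is never touched.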
Among the new communication paradigms recently proposed, information-centric networking (ICN) is able to natively support content awareness at the network layer, shifting the focus from hosts (as in traditional IP networks) to information objects. In this paper, we exploit the intrinsic content-awareness ICN features to design a novel multi-source routing mechanism. It involves a new network entity, the ICN mediator, responsible for locating and delivering the requested information objects that are chunked and stored at different locations. Our approach imposes very limited signalling overhead, especially for large chunk sizes (MBytes). Simulations show significant latency reduction compared to traditional routing approaches.
In recent years, mobile cellular networks have been undergoing fundamental changes and many established concepts are being revisited. New emerging paradigms, such as Software-Defined Networking (SDN), Mobile Cloud Computing (MCC), Network Function Virtualization (NFV), Internet of Things (IoT), and Mobile Social Networking (MSN), bring challenges in the design of cellular network architectures. Current Long-Term Evolution (LTE) networks are not able to accommodate these new trends in a scalable and efficient way. In this paper, first we discuss the limitations of the current LTE architecture. Second, driven by the new communication needs and by the advances in the aforementioned areas, we propose a new architecture for next-generation cellular networks. Some of its characteristics include support for distributed content routing, Heterogeneous Networks (HetNets) and multiple Radio Access Technologies (RATs). Finally, we present simulation results which show that significant backhaul traffic savings can be achieved by implementing caching and routing functions at the network edge.
We consider a single-link loss system of fixed capacity, which accommodates K service-classes of Poisson traffic with elastic bandwidth-per-call requirements. When a new call cannot be accepted in the system with its peak-bandwidth requirement, it can retry one or more times (single and multi-retry loss model, respectively) to be connected in the system with reduced bandwidth requirement and increased service time, exponentially distributed. Furthermore, if its last bandwidth requirement is still higher than the available link ...
We study the call-level performance behavior of two Passive Optical Network (PON) configurations in the upstream direction: an Optical Code Division Multiple Access (OCDMA) PON and a hybrid Wavelength Division Multiplexing (WDM)-OCDMA PON. Each PON accommodates 2K service-classes, which are grouped in two service priorities. The latter are denoted by thresholds in accessing the PON resources. The input traffic is assumed quasi-random (finite number of traffic sources). Our analysis results in recursive formulas ...
In this paper, we consider a single-link multirate loss system, which accommodates different service-classes with different traffic and peak-bandwidth requirements. Calls of each service-class arrive in the system according to a random (Poisson) or a quasi-random process, and have an exponentially distributed service time. Poisson or quasi-random arriving calls belong to service-classes with an infinite or a finite number of traffic sources, respectively. The service-classes are also distinguished, according to the behaviour of calls under service, into elastic and adaptive service-classes. Elastic calls can compress their bandwidth by simultaneously increasing their service time, while adaptive calls do not affect their service time. A new call (either elastic or adaptive) is accepted in the system with its peak-bandwidth requirement if there is available link bandwidth. If not, the call retries one or more times (single and multi-retry loss model, respectively) with a reduced bandwidth. If the available link bandwidth is lower than the call's last bandwidth requirement, the call can still compress its last bandwidth requirement (down to a certain bandwidth), together with the bandwidth of all in-service calls. Call blocking occurs if, after compression, the call's bandwidth still exceeds the available link bandwidth. The system incorporates the Bandwidth Reservation (BR) policy, whereby we can achieve a certain Quality of Service (QoS) for each service-class through a proper bandwidth allocation defined by the BR parameters. To calculate, in an approximate but efficient way, time and call congestion probabilities as well as link utilization, we propose recurrent formulas for the determination of the link occupancy distribution. The accuracy of the proposed formulas is verified by simulation and is found to be very satisfactory. We show the consistency and the necessity of the proposed models.
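The recurrent formulas referred to here, and the Erlang Multirate Loss Model (EMLM) reviewed further down this page, all build on the same one-dimensional recursion for the link occupancy distribution. The following is an added example, not code from any of the listed papers: it implements the basic EMLM recursion (Kaufman-Roberts) extended with Roberts' approximate treatment of the Bandwidth Reservation (BR) policy, with a_k the offered load of class k in erlangs, b_k its bandwidth units per call and t_k its BR parameter (units kept free from class k). The retry and compression mechanisms of the paper's model are deliberately not included; the numerical cases in `main` are constructed.

```python
def occupancy_distribution(capacity, classes):
    """Link occupancy distribution q(j), j = 0..capacity, by the Kaufman-Roberts
    recursion  j*q(j) = sum_k a_k*b_k*q(j-b_k)*D_k(j),  with Roberts' BR factor
    D_k(j) = 1 if j <= capacity - t_k else 0.
    classes: list of (a_k, b_k, t_k)."""
    q = [0.0] * (capacity + 1)
    q[0] = 1.0
    for j in range(1, capacity + 1):
        total = 0.0
        for a, b, t in classes:
            # A class-k call can be present in state j only if it was admitted,
            # i.e. j <= capacity - t_k, and state j - b_k exists.
            if j - b >= 0 and j <= capacity - t:
                total += a * b * q[j - b]
        q[j] = total / j
    norm = sum(q)
    return [x / norm for x in q]


def blocking_probabilities(capacity, classes):
    """Call blocking probability per class: a class-k call arriving in state j
    is blocked when j + b_k > capacity - t_k."""
    q = occupancy_distribution(capacity, classes)
    result = []
    for _, b, t in classes:
        first_blocking_state = max(0, capacity - b - t + 1)
        result.append(sum(q[first_blocking_state:]))
    return result


def link_utilization(capacity, classes):
    """Mean number of occupied bandwidth units."""
    q = occupancy_distribution(capacity, classes)
    return sum(j * q[j] for j in range(capacity + 1))


def main():
    # Constructed case 1: one class, b=1, 1 erlang on 3 units -> Erlang-B(3, 1) = 1/16.
    print("Erlang-B check:", blocking_probabilities(3, [(1.0, 1, 0)]))
    # Constructed case 2: a 1-unit and a 2-unit class sharing 2 units without BR:
    # the wide class is blocked far more often (5/7 vs 3/7).
    print("no BR:", blocking_probabilities(2, [(1.0, 1, 0), (1.0, 2, 0)]))
    # Same link with t_1 = b_2 - b_1 = 1 reserved from the narrow class:
    # BR equalizes the two blocking probabilities (2/3 each).
    print("with BR:", blocking_probabilities(2, [(1.0, 1, 1), (1.0, 2, 0)]))
    print("utilization, case 1:", link_utilization(3, [(1.0, 1, 0)]))


if __name__ == "__main__":
    main()
```

The BR case illustrates what the policy is for: without reservation a wideband class sees much higher blocking than a narrowband one on the same link, and setting t_k = b_max - b_k for every class equalizes them, at the price of a lower overall utilization, which `link_utilization` lets you quantify.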
The passive optical network (PON) is an attractive solution for delivering services with numerous applications, such as high-definition video, video conferencing and data traffic. In this paper we develop teletraffic loss models for calculating connection failure probabilities (due to unavailability of a wavelength) and call blocking probabilities (due to the restricted bandwidth capacity of a wavelength) in hybrid TDM-WDM PONs with dynamic wavelength allocation. We consider either stream or elastic traffic. The proposed models ...
Passive Optical Networks (PONs) are becoming a mature concept for the provision of enormous bandwidth to end-users at low cost. In this paper we study the call-level performance of two PON configurations: the OCDMA-PON and the Hybrid WDM-OCDMA PON. We propose analytical models for calculating connection failure probabilities (due to unavailability of a wavelength) and call blocking probabilities (due to the total interference on a call that may exceed a permissible threshold) in the upstream direction. The PONs ...
Multi-rate teletraffic models aim at the call-level QoS assessment of modern telecom networks. This assessment is important for the bandwidth allocation among service-classes, the avoidance of too costly over-dimensioning of the network and the prevention, through traffic engineering mechanisms, of excessive throughput degradation. Despite its importance, the call-level QoS evaluation remains an open issue, due to the presence of elastic traffic in modern telecom networks.
We propose a new model, named Wideband Threshold Model (WTM), for the analysis of W-CDMA networks supporting elastic and adaptive traffic. Mobile users generate Poisson arriving calls that compete for acceptance to a W-CDMA cell under the complete sharing policy. A newly arriving call can be accepted with one of several possible Quality-of-Service (QoS) requirements depending on the
In this paper we review two extensions of the Erlang Multirate Loss Model (EMLM), whereby we can assess the call-level QoS of telecom networks supporting elastic service-classes. The first extension is the Connection Dependent Threshold Model (CDTM) where calls arriving at a communication link can reduce their bandwidth while increase their service time requirement, according to a set of thresholds
Information-centric networking (ICN) is an emerging networking paradigm that places content identifiers rather than host identifiers at the core of the mechanisms and protocols used to deliver content to end users. Such a paradigm allows routers enhanced with content-awareness to play a direct role in the routing and resolution of content requests from users, without any knowledge of the specific locations of hosted content. However, to facilitate good network traffic engineering and satisfactory user QoS, content routers need to exchange advanced network knowledge to assist them with their resolution decisions. In order to maintain the location-independency tenet of ICNs, such knowledge (known as context information) needs to be independent of the locations of servers. To this end, we propose CAINE (Context-Aware Information-centric Network Ecosystem), which enables context-based operations to be intrinsically supported by the underlying ICN routing and resolution functions. Our approach has been designed to maintain the location-independence philosophy of ICNs by associating context information directly to content rather than to physical entities such as servers and network elements in the content ecosystem, while ensuring scalability. Through simulation, we show that based on such location-independent context information, CAINE is able to facilitate traffic engineering in the network, while not posing a significant control signalling burden on the network.
In-network content caching has recently emerged in the context of Information-Centric Networking (ICN), which allows content objects to be cached at the content router side. In this paper, we specifically focus on in-network caching of Peer-to-Peer (P2P) content objects for improving both service and operation efficiency. We propose an intelligent in-network caching scheme for P2P content chunks, aiming to reduce P2P-based content traffic load and also to achieve improved content distribution performance. Towards this end, the proposed holistic decision-making logic takes into account context information on P2P characteristics such as chunk availability. In addition, we also analyse the benefit of coordination between neighbouring content routers when making caching decisions, in order to avoid duplicated caching of P2P chunks nearby. An analytical modelling framework is developed to quantitatively evaluate the efficiency of the proposed in-network caching scheme.
