Security of cyber-physical systems

The current research focus of the CrySyS Lab is security of cyber-physical systems with an emphasis on two application areas: security of industrial automation and control (ICS/SCADA) systems (including the Industry 4.0 domain) and security of intelligent transport systems (including connected and autonomous vehicles). We consider these domains to be part of the more general area of the Internet of Things (IoT) security. As for specific topics, we are currently working on the following:

Privacy Enhancing Technologies

Our current research focuses on the privacy issues of machine learning and the development of transparency-enhancing techniques. Our aim is to warn and educate people about the possible privacy implications of emerging technologies, and support the decision of data sharing with third parties. We also study the privacy issues of vehicular systems, which include driver fingerprinting using vehicular in-network data. We apply machine learning techniques to automate privacy risk analyses, which currently require extensive human labour and expertise. Finally, we also work on the anonymization of large datasets with several hundreds or thousands of attributes.

Economics of security and privacy

Our current research in the economics of security and privacy of networked systems has three focus points. First, we study the economic incentives behind cyber-warfare; specifically the investment and timing decisions with regard to the vulnerability exploitation life-cycle. Second, we work on security risk modeling and information sharing mechanisms focusing on both the IoT world and 5G operator networks. Finally, we explore, analyze and propose solutions for interdependent privacy problems (when others' actions create privacy externalities for you) in networked information services such as online social networks, fintech solutions and the sharing economy.

Other topics

The CrySyS Lab also has a strong competence in the analysis of malware used in targeted attacks. This competence has been gained during participation in projects where CrySyS Lab members analysed samples (of Duqu, Flame, MiniDuke, TeamSpy, Duqu 2.0, and many others) obtained from real incidents at high profile targets. The lab has the necessary infrastructure for analysing malware in an efficient and safe way. In addition, we leveraged our malware analysis experience in building competencies in related fields, such as malware detection, computer security incident response, and digital forensics.

In addition to the above topics, some members of the lab are interested in applied cryptography, cryptographic obfuscation, and new methods for teaching IT security.

If you are interested in our results related to the above topics and our achievements in the past, check our list of publications and our blog site.


The laboratory has been involved in several successful EU FP6, FP7, Artemis, and EIT Digital projects, as well as in projects funded by Hungarian funding agencies.

Current projects:

SOC4CI - Security Operations Centre for Critical Infrastructures (EIT Digital)

The SOC4CI project develops a security operations centre for critical infrastructures. It aims at providing a customized detection and response service against Advanced Persistent Threats (APT) by integrating a wide range of public and private security information sources, and using a real-time stream processing framework for event correlation and anomaly detection. SOC4CI allows utilities to make the most out of their security investment, while at the same time it offers real-time situational awareness. Project partners: Engineering, F-Secure, and KTH Royal Institute of Technology.

VCG - Vehicle Cyber Guard

The VCG project develops security measures for protecting modern vehicles from cyber attacks. Within the project, CrySyS Lab members work on forensic tools and methods for uncovering traces of cyber attacks on vehicles, including anomaly detection in the CAN traffic. We also work on determining the privacy risks of CAN data collection and on new privacy enhancing technologies that mitigate the identified risks. We also work, in collaboration with project partners, on a secure gateway platform that provides secure remote access to vehicles. Project partners: Evopro Innovation, Inventure.

PIRAMID - Playground for Incident Response, and Advanced Malware and Intrusion Detection (IAEA)

In this IAEA funded project, we aim at establishing a realistic ICS test environment relevant for the nuclear domain and developing methods and tools for computer security incident response in nuclear facilities. The PIRAMID test bed consists of a set of PLCs (multiple brands) controlling simulations of physical processes, and VMs for servers and engineering workstations used in a typical industry environment. We use this unique test bed for validating our research results in application of honeypot technologies as incident detection systems, and in development of data acquisition, fusion, correlation, and analysis methods and tools for forensic investigation support in nuclear facilities.

DIGMAN - Modular digital manufacturing framework for SMEs (NKFIH VKE)

The objective of the DIGMAN project is to build a framework that allows SMEs to upload manufacturing jobs via the network to a modern factory and have their designs realized. The project builds a proof-of-concept prototype of such a framework. CrySyS Lab is involved in making the framework secure. More specifically, we develop technologies that can be used for security monitoring and event handling in an industrial SOC environment. Project partners: Evopro Engineering, GraphIT, Ecomatic, BME Manufacturing Technologies Dept.

Managed IoT framework for corporate environments (NKFIH VKE)

In this project, we work on securing IoT systems by developing a secure IoT gateway platform, cryptographic protocols for securing communications between the IoT gateway and a central data repository, and cryptographic coding techniques for secure storage of and access to the data in the central repository. This work complements the work of other project partners (NETvisor, CS-PROCESS, BME Automation and Applied Informatics Dept.) focusing on building the IoT system itself.

ISSES - Information Security Services Education in Serbia (ERASMUS+)

ISSES is a capacity building project in higher education led by Serbian universities with the goal of developing their new information security education program. The CrySyS Lab provides help to the Serbian partners in setting up laboratory exercises for critical infrastructure security, and delivers training sessions to project partners. Project partners: University of Novi Sad, University of Nis, University of Belgrade, Subotica Tech, Schneider Electric DMS NS, Unicom-Telecom, University of Zagreb, Polytechnical University of Milano.

Cryptographic obfuscation in practice (OTKA, 2016-2019)

A possible formal approach towards obfuscation is called indistinguishability obfuscation (iO). Informally speaking, a compiler is an iO if it preserves the functionality of the program, causes only a polynomial slowdown, and the obfuscations of two functionally equivalent programs of similar size are indistinguishable from each other. The first candidate construction for general purpose iO was given in 2013 by Garg et al., which then became the center of interest with three main lines of research: to base its security on plausible assumptions, to improve its efficiency and to find applications. Within the possible cryptographic applications, we are interested in those which help to expand the capabilities of other primitives. We also envision the improvement of iO's efficiency by customizing it to specific tasks. Another direction of our research is to answer the question: how can we make use of iO outside the domain of cryptography? We work on connecting theoretical research with practical applications where the currently used obfuscation techniques cannot guarantee well-defined security.

Selected past projects:

IntelliSec (EIT Digital, 2016)

The IntelliSec project develops an integrated security data analytics platform that reliably, quickly and efficiently identifies advanced persistent threats against smart grids. This allows utilities to make the most out of their cyber security investments, to save on security related OPEX, while at the same time it offers real-time situational awareness. Unlike other solutions, our solution integrates a wide range of public and private security information sources, and uses a real-time stream processing framework for event correlation and pattern search. The system is customizable through a GUI. The project implements missing technical features for the platform, develops business scenarios and business models for identifying the best go-to-market strategies for different market segments, and transfers the technology to the industrial partners Siemens, F-Secure, and a subgranted SME, evopro.

SecSES - Secure Smart Energy Systems (EIT Digital, 2013-2015)

The SecSES project had two objectives. First, it implemented security and privacy related features for an energy box in a smart home gateway, which is the interface between a HAN/BAN and the external network. Second, the project implemented attack detection schemes for targeted attacks against the IT infrastructures and for the software systems used in smart energy systems. Both host based and network based targeted attacks were considered. The CrySyS Lab applied the security framework developed in the RADIR Project (see below) to the specific case of Smart Energy Systems, and it implemented a testbed and a prototype for honeypot based detection of targeted attacks on Smart Energy Systems.

RADIR - Rapid Attack Detection and Incident Response (NFÜ, 2013-2014)

The purpose of the RADIR Project was to develop a security framework for detection of targeted cyber attacks, incident handling, and forensic analysis with a focus on critical infrastructures. The framework is mainly based on special honeypots and heuristic anomaly detection algorithms, static and dynamic program analysis tools, techniques for anonymous information sharing for global incident handling, and tools for advanced forensic analysis.

CHIRON - Cyclic and Person-centric Health Management (EU ARTEMIS IP, 2010-2012)

The CHIRON Project combined state-of-the-art technologies and innovative solutions into an integrated framework designed for an effective and person-centric health management system. Within the CHIRON project, the CrySyS Lab worked on security and privacy in Body Area Sensor Networks mounted on the patient's body for the purpose of remote patient monitoring. In particular, we studied the problem of and proposed solutions to prevent traffic analysis attacks, and we developed a query auditing framework to provide privacy preserving remote access to aggregated patient data.

WSAN4CIP - Wireless Sensor and Actuator Networks for Critical Infrastructure Protection (EU FP7 STREP, 2009-2011)

The goal of the WSAN4CIP project was to advance the technology of Wireless Sensor and Actuator Networks (WSANs) beyond the state of the art, in order to make them applicable in the protection of Critical Infrastructures (CIs). The project demonstrated how wireless sensor and actuator networks can be used in CI protection by designing and deploying a sensor network based monitoring solution in an electrical grid in Portugal and a drinking water supply system in Germany. Within the project, the CrySyS Lab led the work package on Dependable Networking, and developed secure routing, clustering, data aggregation, and transport protocols for sensor networks, as well as techniques to protect network coding based distributed data storage schemes from pollution attacks.

UBISEC&SENS - Ubiquitous Sensing and Security in the European Homeland (EU FP6 STREP, 2006-2008)

UbiSec&Sens aimed at developing a comprehensive security toolbox for medium and large scale WSNs, such that the components of this toolbox enable the rapid development of trusted sensor network applications. We developed secure routing protocols and resilient data aggregation schemes for sensor networks in this project.

SEVECOM - Secure Vehicular Communications (EU FP6 STREP, 2006-2008)

SeVeCom addressed security of future vehicle communication networks, including both the security and privacy of inter-vehicular and vehicle-infrastructure communication. Its objective was to define the security architecture of such networks, as well as to propose a roadmap for progressive deployment of security functions in these networks.

DESEREC - Dependable Security by Enhanced Reconfigurability (EU FP6 IP, 2006-2008)

Most European critical activities rely on highly interconnected information systems. The performance of such information systems could be jeopardized by incidents of various kinds. DESEREC aimed at developing countermeasures that respond both to attacks from the outside (e.g., aiming at Intrusion or Denial of Service), and to intrinsic failures of inner origin (hardware failure, software fault, environment).

Other projects in the past:

  • EU-MESH - Enhanced, Ubiquitous, and Dependable Broadband Access using MESH Networks (EU FP7 STREP, 2008-2010)
  • BIONETS - Biologically-Inspired Autonomic Networks and Services (EU FP6 IP, 2006-2009)
  • MOSAT - Mobility Supporting Security Architectures (MIK, 2005-2008)
  • MOBILSEC - Strong User and Device Authentication In Mobile Environments (NKTH Jedlik Program, 2006-2008)
  • SP-UbiComp - Security and Privacy in Ubiquitous Computing (OTKA, 2004-2007)
  • HUNEID - HUNgarian Electronic ID card (2003)
  • VC - Virus Center (2003)


ROSCO - Repository of Signed Code (ONRG, 2014-2016)

Targeted malware attacks often use digitally signed components that appear to originate from legitimate software makers, although they do not. The specific problem that we addressed in our work is that standard signature verification procedures used in today’s PKI systems do not allow for detecting key compromise and fake certificates. Therefore, the objective of the work was to augment the standard signature verification workflow with checking of reputation information on signers and signed objects. For this purpose, we built a data collection framework and a data repository for signed software and code signing certificates, we implemented services that use the repository for providing reputation information for signed objects, such as when a given signed object has been first seen and how often it was looked up by users, and we also provide alert services for private key owners that help them detect when their signing keys were illegitimately used. Our system, called Repository of Signed Code (ROSCO), is available for test purposes at
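The workflow described above, sketched as an added example that is not ROSCO's own code or API: a valid signature is combined with first-seen and lookup-count reputation, and a key owner is alerted when an object they did not release appears under their key. The class and function names, the thresholds and the hash and signer strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Record:
    signer: str              # code signing certificate fingerprint (constructed value)
    first_seen: datetime
    lookups: int = 0

@dataclass
class Repository:
    """Hypothetical in-memory stand-in for a signed-code reputation repository."""
    objects: dict = field(default_factory=dict)    # object hash -> Record
    watchers: dict = field(default_factory=dict)   # signer -> hashes the owner released
    alerts: list = field(default_factory=list)     # (signer, unexpected object hash)

    def watch(self, signer, released_hashes):
        """A key owner registers the objects they really signed."""
        self.watchers[signer] = set(released_hashes)

    def observe(self, obj_hash, signer, now):
        """Data collection: record a signed object the first time it is seen."""
        if obj_hash in self.objects:
            return
        self.objects[obj_hash] = Record(signer, now)
        known = self.watchers.get(signer)
        if known is not None and obj_hash not in known:
            self.alerts.append((signer, obj_hash))  # key used outside known releases

    def reputation(self, obj_hash):
        """Return the record for an object and count the lookup."""
        rec = self.objects.get(obj_hash)
        if rec is not None:
            rec.lookups += 1
        return rec

def verify(repo, obj_hash, signature_ok, now,
           min_age=timedelta(days=7), min_lookups=3):
    """Standard signature result plus reputation; thresholds are assumed policy."""
    if not signature_ok:
        return "reject"
    rec = repo.reputation(obj_hash)
    if rec is None:
        return "warn: never seen"
    if now - rec.first_seen < min_age or rec.lookups < min_lookups:
        return "warn: low reputation"
    return "accept"
```

A cryptographically valid signature only reaches "accept" once the object has been known long enough and looked up often enough, which is the point where key compromise or a fake certificate would otherwise go unnoticed.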

PLC honeypot

We developed a PLC honeypot, a decoy system that looks like a PLC, but actually, it is a trap that attracts attackers and logs their activity. Our honeypot is a high interaction honeypot, which realizes almost all services of a Siemens ET 200S PLC. We customized the TCP/IP stack of Linux to create a stack almost identical to that of the PLC, and we integrated our services into an easy-to-use package, which can turn any Debian-based Linux PC into a PLC honeypot. We keep track of the state of some internal variables such that when their values are set through one protocol (e.g., SNMP), they can be read back over another interface (e.g., HTTP). This makes our honeypot hard to distinguish from a real PLC.
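The cross-protocol consistency described above, as an added example that is not the CrySyS honeypot's code: two protocol front ends write to and read from one shared state object and log every interaction. The front ends take already-decoded requests, and the variable set, the `/status` path and the sample addresses are assumptions; the OIDs are the standard MIB-2 system group.

```python
import html
import threading
from datetime import datetime, timezone

# Standard MIB-2 system group OIDs mapped to shared variable names.
OID_TO_VAR = {"1.3.6.1.2.1.1.4.0": "sysContact",
              "1.3.6.1.2.1.1.5.0": "sysName",
              "1.3.6.1.2.1.1.6.0": "sysLocation"}

class PlcState:
    """Single source of truth shared by every emulated protocol front end."""
    def __init__(self):
        self._lock = threading.Lock()
        self._vars = {"sysContact": "", "sysName": "PLC-1", "sysLocation": ""}
        self.log = []   # (UTC time, source address, protocol, action, detail)

    def record(self, src, proto, action, detail):
        with self._lock:
            self.log.append((datetime.now(timezone.utc), src, proto, action, detail))

    def get(self, name):
        with self._lock:
            return self._vars[name]

    def set(self, name, value):
        with self._lock:
            if name not in self._vars:
                return False
            self._vars[name] = value
            return True

def snmp_set(state, src, oid, value):
    """SNMP front end (decoded request): write through to the shared state."""
    name = OID_TO_VAR.get(oid)
    ok = name is not None and state.set(name, value)
    state.record(src, "snmp", "set", f"{oid}={value!r} ok={ok}")
    return "noError" if ok else "noSuchName"

def http_get(state, src, path):
    """HTTP front end: render the status page from the same shared state."""
    state.record(src, "http", "get", path)
    if path != "/status":
        return 404, ""
    # Escape values: they are attacker-supplied and end up in analyst-viewed pages.
    rows = "".join(f"<tr><td>{n}</td><td>{html.escape(state.get(n))}</td></tr>"
                   for n in OID_TO_VAR.values())
    return 200, f"<table>{rows}</table>"
```

Keeping the variables in one store, rather than one copy per service, is what lets a value set over SNMP appear on the web page, and the shared log gives a single timeline across protocols.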

IoT test bed for educational purposes

We developed an IoT test bed for educational purposes featuring a small hydro power station, a data center, wired and wireless sensors, and PLCs controlling the operation of actuators in the power station and in the data center. The test bed is used in a laboratory exercise where students have to attack the system in various ways, including falsifying wireless transmissions from sensors and reprogramming PLCs. Some of the attacks have physical consequences (overflowing water tank, overheating data center), which are nicely observable by the students on the test bed.


In the academic research community, the quality of research is often measured in terms of the number and quality of publications, as well as in terms of the number of independent citations. We are proud of our colleagues who have strong publication records and are outstanding according to the above measures. Most of our papers are available on-line on our publication page.


Smaller and less scientific results may still be interesting, so we publish them on our blog site.