The current research focus of the CrySyS Lab is security of cyber-physical systems, including security of industrial automation and control systems (ICS and SCADA security) and security of modern vehicles. We consider these topics to be part of the more general domain of securing the Internet of Things (IoT security). As for specific topics, we are currently working on
The CrySyS Lab also has a strong competence in the analysis of malware used in targeted attacks. This competence has been gained during participation in projects where CrySyS Lab members analysed samples (of Duqu, Flame, MiniDuke, TeamSpy, Duqu 2.0, and many others) obtained from real incidents at high profile targets. The lab has the necessary infrastructure for analysing malware in an efficient and safe way. In addition, we leveraged our malware analysis experience in building competencies in related fields, such as malware detection, incident response, and forensic analysis.
In addition to the above topics, some members of the lab are interested in applied cryptography, cryptographic obfusctaion, and new methods for teaching IT security.
The laboratory has been involved in several successful EU FP6, FP7, Artemis, and EIT Digital projects, as well as in projects funded by Hungarian funding agencies.
The IntelliSec project develops an integrated security data analytics platform that reliably, fast and efficiently identifies advanced persistent threats against smart grids. This allows utilities to make the most out of their cyber security investments, to save on security related OPEX, while at the same time offers real-time situational awareness. Unlike other solutions, our solution integrates a wide range of public and private security information sources, and uses a real-time stream processing framework for event correlation and pattern search. The system is customizable through a GUI. The project implements missing technical features for the platform, develops business scenarios and business models for identifying the best go-to-market strategies for different market segments, and transfers the technology to the industrial partners Siemens, F-Secure, and a subgranted SME, evopro.
A possible formal approach towards obfuscation is called indistinguishability obfuscation (iO). Informally speaking, a compiler is an iO if it preserves the functionality of the program, causes only a polynomial slowdown, and the obfuscation of two functionally equivalent programs of similar size are indistinguishable from each other. The first candidate construction for general purpose iO was given in 2013 by Garg et al., which then became the center of interest with three main lines of research: to base its security on plausible assumptions, to improve its efficiency and to find applications. Within the possible cryptographic applications, we are interested in those which help to expand the capabilities of other primitives. We also envision the improvement of iO's efficiency by customizing it to specific tasks. Another direction of our research is to answer the question: how can we make use of iO outside the domain of cryptography? We work on connecting theoretical research with practical applications where the currently used obfuscation techniques cannot guarantee well defined security.
The SecSES project had two objectives. First, it implemented securtiy and privacy related features for an energy box in a smart home gateway, which is the interface between a HAN/BAN and the external network. Second, the project implemented attack detection schemes for targeted attacks against the IT infrastructures and for the software systems used in smart energy systems. Both host based and network based targeted attacks were considered. The CrySyS Lab used the security framework developed in the RADIR Project (see below) to the specific case of Smart Energy Systems, and it implemented a testbed and a prototype for honeypot based detection of targeted attacks on Smart Energy Systems.
The purpose of the RADIR Project was to develop a security framework for detection of targeted cyber attacks, incident handling, and forensic analysis with a focus on critical infrastructures. The framework is mainly based on special honeypots and heuristic anomaly detection algorithms, static and dynamic program analysis tools, techniques for anonymous information sharing for global incident handling, and tools for advanced forensic analysis.
The CHIRON Project combined state-of-the art technologies and innovative solutions into an integrated framework designed for an effective and person-centric health management system. Within the CHIRON project, the CrySyS Lab worked on security and privacy in Body Area Sensor Networks mounted on the patients body for the puspose of remote patient monitoring. In particular, we studied the problem of and proposed solutions to prevent traffic analysis attacks, and we developed a query auditing framework to provide privacy preserving remote access to aggregated patient data.
The goal of the WSAN4CIP project was to advance the technology of Wireless Sensor and Actuator Networks (WSANs) beyond the state of the art, in order to make them applicable in the protection of Critical Infrastructures (CIs). The project demonstrated how wireless sensor and actuator networks can be used in CI protection by designing and deploying a sensor network based monitoring solution in an electrical grid in Portugal and a drinking water supply system in Germany. Within the project, the CrySyS Lab led the work package on Dependable Networking, and developed secure routing, clustering, data aggregation, and transport protocols for sensor networks, as well as techniques to protect network coding based ditributed data storage schemes from pollution attacks.
UbiSec&Sens aimed at developing a comprehensive security toolbox for medium and large scale WSNs, such that the components of this toolbox enable the rapid development of trusted sensor network applications. We developed secure routing protocols and resilient data aggregation schemes for sensor networks in this project.
SeVeCom addressed security of future vehicle communication networks, including both the security and privacy of inter-vehicular and vehicle-infrastructure communication. Its objective was to define the security architecture of such networks, as well as to propose a roadmap for progressive deployment of security functions in these networks.
Most of European critical activities rely on highly interconnected information systems. The performance of such information systems could be jeopardized by incidents of various kinds. DESEREC aimed at developing countermeasures that respond both to attacks from the outside (e.g., aiming at Intrusion or Denial of Service), and to intrinsic failures of inner origin (hardware failure, software fault, environment).
Targeted malware attacks often use digitally signed components that appear to originate from legitimate software makers, although they do not. The specific problem that we addressed in our work is that standard signature verification procedures used in today’s PKI systems do not allow for detecting key compromise and fake certificates. Therefore, the objective of the work was to augment the standard signature verification workflow with checking of reputation information on signers and signed objects. For this purpose, we built a data collection framework and a data repository for signed software and code signing certificates, we implemented services that use the repository for providing reputation information for signed objects, such as when a given signed object has been first seen and how often it was looked up by users, and we also provide alert services for private key owners that help them detecting when their signing keys were illegitimately used. Our system, called Repository of Signed Code (ROSCO), is available for test purposes at rosco.crysys.hu.
We developed a PLC honeypot, a decoy system that looks like a PLC, but actually, it is a trap that attracts attackers and logs their activity. Our honeypot is a high interaction honeypot, which realizes almost all services of a Siemens ET 200S PLC. We customized the TCP/IP stack of Linux to create a stack almost identical to that of the PLC, and we integrated our services to an easy to use package, which can turn any Debian based Linux PC into a PLC honeypot. We keep track of the state of some internal variables such that when their values are set through one protocol (e.g., SNMP), they can be read back over another interface (e.g., HTTP). This makes our honepot hard to distinguish from a real PLC.
In the academic research community, the quality of research is often measured in terms of the number and quality of publications, as well as in terms of the number of independent citations. We are proud of our colleagues who have strong publication records and are outstanding according to the above measures. Most of our papers are available on-line on our publication page.
Smaller and less scientific results may still be interesting, so we publish them on our blog site.