András Gazdag
PhD student
agazdag (at) crysys.hu
web: www.crysys.hu/~agazdag/
twitter: @AndrisGazdag
office: I.E. 419
tel: +36 1 463 2047
Current courses | Student projects | Publications
Short Bio
Andras Gazdag was born in 1990 in Budapest. He received his BSc degree in Computer Science in 2013 and his MSc degree in Computer Science Engineering in 2015 from the Budapest University of Technology and Economics (BME). During his B.Sc. studies, András took part in a German speaking education between 2009-2012 (Deutschsprachige Ingenieurausbildung, DIA). He received a DAAD scholarship to the Karlsruhe Institute of Technology (KIT) in 2011-2012. Since 2011 he has been working in the Laboratory of Cryptography and System Security (CrySyS), Department of Networked Systems and Services (HIT), BME under the supervision of Prof. Levente Buttyán. He has done research on security of mobile platforms focusing on Android malwares. Currently, his research interests are in embedded systems security (a.k.a. security for Internet of Things) and embedded systems forensics.
Current Courses
IT Security (VIHIAC01)
This BSc course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course prepares BSc students for security challenges that they may encounter during their professional carrier, and at the same time, it provides a basis for those students who want to continue their studies at MSc level (taking, for instance, our IT Security minor specialization). We put special emphasis on software security and the practical aspects of developing secure programs.
IT Security (in English) (VIHIAC01)
This BSc course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course prepares BSc students for security challenges that they may encounter during their professional carrier, and at the same time, it provides a basis for those students who want to continue their studies at MSc level (taking, for instance, our IT Security minor specialization). We put special emphasis on software security and the practical aspects of developing secure programs.
IT Security Bootcamp (VIHIAL00)
This BSc course introduces problems related to general IT security.
Computer Security (VIHIMA06)
The course introduces security problems in computing systems, as well as the principles, practical mechanisms, and tools used to solve them. The term computer is interpreted in a broad sense, and it includes personal computers, servers, mobile devices, and embedded computers. The course covers physical security and OS level security of computers, software security issues at the application level, secure programming, and the problem of malicious software (malware).
IT Security Laboratory (VIHIMB01)
This laboratory extends and deepens the knowledge and skills obtained in the courses of the IT Security minor specialization by solving practical, hands-on exercises in real, or close-to-real environments.
Secure Software Development (VIHIAV33)
This course fills an important gap in the education of software engineers, - namely developing secure software applications. During this course, students will learn the most common mistakes in software development and how attackers exploit those mistakes (offensive security). Then, students get to know how to mitigate attacks and write secure software applications.
Computernetzwerke (in German) (VIHIAB01)
Das Ziel des Kurses ist einen umfassenden Überblick über die Design-Prinzipien von Computernetzwerke und die Protokolle, die die heutige Internet-Kommunikation ermöglichen. Wir analysieren die wichtigsten Komponenten des TCP/IP Protokoll-Stack und wir diskutieren weit verbreiteten Internet-Anwendungen. Das Kurssyllabus enthält zusätzliche wichtige Themen wie Multimedia-Kommunikation und Sicherheit.
Student Project Proposals
Forensics eljárások támogatása ICS/SCADA rendszerekben
Kritikus infrastruktúráink alapját sokszor ipari automatizálási és folyamatirányítási (ICS/SCADA) rendszerek
alkotják, melyek egyre nagyobb mértékben rendelkeznek külső hálózati kapcsolatokkal, esetleg Internet felőli
eléréssel, ezért ki vannak téve a kibertér felől érkező támadásoknak. A legerősebb védelmek esetén is
előfordulhat sikeres támadás. Ilyen esetekben fontos a történtek részletes kivizsgálása. A nyomozást jelentősen
tudja javítani, ha az elemzőknek nem kell minden rögzített adatot átfésülni, mivel ez jelentős mennyiségű adatot
és komoly időbefektetést igényel.
A projekt szorosan kapcsolódik ipari partnerünk, a MOL érdeklődési területeihez, és lehetőséget biztosít a MOL
kiberbiztonsági szakértőivel történő együttműködésre.
A hallgató feladatai:
- hálózati forgalom rögzítésének kidolgozása ICS/SCADA környezetben
- forgalom sajátosságainak azonosítása
- hatékony tömörítési és elemzési eljárások kidolgozása
Grafikus támadáselemző szoftver fejlesztése
Egyre több számítógépes hálózatot ér támadás, amire válaszul nem elég a megelőzésre koncentrálni, hanem fel kell
készülni az esetleges támadások utólagos elemzésére is. Ezt támogatandó érdemes a teljes hálózati forgalmat
lementeni, és egy ideig tárolni.
A feladat egy olyan eszköz fejlesztése, ami az utólagos elemzést támogatja speciális környezetben is. A
fejlesztés során a saját eszközök mellett más kész eszközök (pl Moloch, Wireshark LuaAPI) felhasználhatók,
kiegészítendők. Az elkészülő eszközök segíthetik az érdekes csomagok kikeresését, vagy akár a forgalom
visszajátszását is.
Jármű műszerfal fejlesztése mobilra
A járművek egyes vezérlő elemei (ECU) egymással egy decentralizált hálózaton keresztül kommunikálnak (CAN). Az
autó paraméterei, és a vezető tájékoztatáshoz használt minden információ megszerezhető erről a hálózatról. Egy
hálózati megfigyelésre alkalmas eszköz segítségével lehetőség van a műszerek által mért adatokat más formában
is megjeleníteni, sőt kiegészíteni olyan plusz információkkal, amelyek a hagyományos műszerfalakon nem
szerepelnek.
A hallgató feladatai:
- a járművekben használt kommunikációs technológia megismerése
- a CAN hálózat lehallgatásához használható eszköz megismerése és fejlesztése
- a kinyert információ megjelenítése egy mobil alkalmazásban (iOS és/vagy Android)
Járművek mozgásának nyomkövetése
A járművek minden vezérlő egysége belső hálózaton (CAN) keresztül kommunikál. Ezen a hálózaton található meg a
legtöbb vezérlőjel, és a szenzorok általál mért paraméterek értéke is. Ha egy lehallgató képes folyamatosan
megfigyelni az autó mozgásához kapcsolodó paramétereket, akkor képes lehet az autó nyomkövetésére is.
A hallgató feladatai:
- a járművekben használt kommunikációs technológia megismerése
- a CAN hálózat lehallgatásához használható eszköz megismerése és fejlesztése
- a kinyert adatok értelmezése a szükséges szintig
- az adatok alapján a jármű mozgásának a rekonstrukciója
Publications
2018
Vehicular Can Traffic Based Microtracking for Accident Reconstruction
A. Gazdag, T. Holczer, L. Buttyán, Zs. Szalay
Vehicle and Automotive Engineering 2, Lecture Notes in Mechanical Engineering, University of Miskolc, Miskolc, Hungary, 2018.
@inproceedings {
author = {András Gazdag, Tamas Holczer, Levente BUTTYÁN, Zsolt Szalay},
title = {Vehicular Can Traffic Based Microtracking for Accident Reconstruction},
booktitle = {Vehicle and Automotive Engineering 2, Lecture Notes in Mechanical Engineering},
publisher = {University of Miskolc, Miskolc, Hungary},
year = {2018}
}
Keywords
Digital forensics, CAN networkAbstract
Accident reconstruction is the process of reliably discovering what has happened before a serious event. We show how the most widely used intra vehicular network (namely the Controller Area Network, CAN) can be used in this process. We show how the actual velocity and steering wheel position transmitted on the CAN network can be used to reconstruct the trajectory of a vehicle. This trajectory is an essential input in the reconstruction process. In this paper, we show how the CAN traffic of an actual vehicle can be used to recon- struct the trajectory of the vehicle, and we evaluate our approach in several real life experiments including normal and pre-accident situations.2017
CAN compression based IDS
A. Gazdag
IT-SECX 2017, 2017, FH St. Pölten.
@conference {
author = {András Gazdag},
title = {CAN compression based IDS},
booktitle = {IT-SECX 2017},
year = {2017},
publisher = {FH St. Pölten}
}
Abstract
Modern vehicles are mainly controlled by ECUs (Electric Control Units). They are small programmable computers responsible for single tasks. New smart features of vehicles showed demand for Internet connectivity rendering these previously isolated computer networks reachable for malicious attacks. Detecting cyber-attacks requires a continuous network traffic logging for online and offline analysis. This generates a huge amount of data which is a challenge to store and to analyze, as well. In this presentation, we show a proposed semantic compression mechanism that is capable of representing the original data in a lossless form while using a fraction of the space. The introduced algorithm understands properties of the CAN traffic log. This is a powerful foundation for compression and for intrusion detection. The compressed traffic log can be directly used as an input for a machine learning based IDS, which is then capable to effectively recognize malicious attack patterns.Efficient Lossless Compression of CAN Traffic Logs
A. Gazdag, L. Buttyán, Zs. Szalay
IEEE Conference on Software, Telecommunications and Computer Networks (SoftCom), IEEE, 2017.
@inproceedings {
author = {András Gazdag, Levente BUTTYÁN, Zsolt Szalay},
title = {Efficient Lossless Compression of CAN Traffic Logs},
booktitle = {IEEE Conference on Software, Telecommunications and Computer Networks (SoftCom)},
publisher = {IEEE},
year = {2017}
}
Abstract
In this paper, we propose a compression method that allows for the efficient storage of large amounts of CAN traffic data, which is needed for the forensic investigations of accidents caused by cyber attacks on vehicles. Compression of recorded CAN traffic also reduces the time (or bandwidth) needed to off-load that data from the vehicle. In addition, our compression method allows analysts to perform log analysis on the compressed data, therefore, it contributes to reduced analysis time and effort. We achieve this by performing semantic compression on the CAN traffic logs, rather than simple syntactic compression. Our compression method is lossless, thus preserving all information for later analysis. Besides all the above advantages, the compression ratio that we achieve is better than the compression ratio of state-of-the-art syntactic compression methods, such as gzip.Forensics aware lossless compression of CAN traffic logs
A. Gazdag, L. Buttyán, Zs. Szalay
Scientific Letters of the University of Zilina, 2017.
@article {
author = {András Gazdag, Levente BUTTYÁN, Zsolt Szalay},
title = {Forensics aware lossless compression of CAN traffic logs},
journal = {Scientific Letters of the University of Zilina},
year = {2017}
}
Abstract
Towards Efficient Compression of CAN Traffic Logs
A. Gazdag, L. Buttyán, Zs. Szalay
Balázs Vehovszky, Krisztián Bán, János Takács, 34th International Colloquium on Advanced Manufacturing and Repairing Technologies in Vehicle Industry: 17-19 May 2017, Visegrád, Hungary. 190 p., Budapest University of Technology and Economics, 2017.
@inproceedings {
author = {András Gazdag, Levente BUTTYÁN, Zsolt Szalay},
title = {Towards Efficient Compression of CAN Traffic Logs},
editor = {Balázs Vehovszky, Krisztián Bán, János Takács},
booktitle = {34th International Colloquium on Advanced Manufacturing and Repairing Technologies in Vehicle Industry: 17-19 May 2017, Visegrád, Hungary. 190 p.},
publisher = {Budapest University of Technology and Economics},
year = {2017}
}
Keywords
CAN, network traffic capture, semantic compression, forensic analysisAbstract
2016
Intrusion detection in Cyber Physical Systems Based on Process Modelling
A. Gazdag, T. Holczer, Gy. Miru
Proceedings of 16th European Conference on Cyber Warfare & Security, Academic conferences, 2016.
@inproceedings {
author = {András Gazdag, Tamas Holczer, Gyorgy Miru},
title = {Intrusion detection in Cyber Physical Systems Based on Process Modelling},
booktitle = {Proceedings of 16th European Conference on Cyber Warfare & Security},
publisher = {Academic conferences},
year = {2016}
}
Abstract
Cyber physical systems (CPS) are used to control chemical processes, and can be found in manufacturing, civil infrastructure, energy industry, transportation and in many more places. There is one common characteristic in these areas, their operation is critical as a malfunction can potential be life-threatening. In the past, an attack against the cyber part of the systems can lead to physical consequences. The first well known attack against a CPS was Stuxnet in 2010. It is challenging to develop countermeasures in this field without endangering the normal operation of the underlying system. In our research, our goal was to detect attacks without interfering with the cyber physical systems in any way. This can be realized by an anomaly detection system using passive network monitoring. Our approach is based on analysing the state of the physical process by interpreting the communication between the control system and the supervisory system. This state can be compared to a model based prediction of the system, which can serve as a solid base for intrusion detection. In order to realize our intrusion detection system, a testbed was built based on widely used Siemens PLCs. Our implementation consists of three main parts. The first task is to understand the network communication in order to gain information about the controlled process. This was realized by analysing and deeply understanding the publicly undocumented Siemens management protocol. The resulting protocol parser was integrated into the widely-used Bro network security monitoring framework. Gathering information about the process state for a prolonged time creates time series. With these time series, as the second step, statistical models of the physical process can be built to predict future states. As the final step, the new states of the physical process can be compared with the predicted states. Significant differences can be considered as an indicator of compromise.2014
Android Malware Analysis Based On Memory Forensics
A. Gazdag, L. Buttyán
Annual Scientific Conference of the Hungarian National Coordinating Center for Infocommunications (NIKK) 2014, Veszprém, Springer, 2014.
@inproceedings {
author = {András Gazdag, Levente BUTTYÁN},
title = {Android Malware Analysis Based On Memory Forensics},
booktitle = {Annual Scientific Conference of the Hungarian National Coordinating Center for Infocommunications (NIKK) 2014, Veszprém},
publisher = {Springer},
year = {2014}
}
Abstract
Android Memory Forensics Hello Workshop
A. Gazdag
Hacktivity 2014., 2014.
@conference {
author = {András Gazdag},
title = {Android Memory Forensics Hello Workshop},
booktitle = {Hacktivity 2014.},
year = {2014}
}