Roland Nagy

PhD student

roland.nagy (at) crysys.hu

office: I.E. 429
tel: +36 1 463 2063

Current courses | Publications

Short Bio

Roland Nagy was born in 1995 in Budapest. He achieved his MSc degree in 2021 at the Budapest Univeristy of Technology and Economics. He has been involved with the Laboratory of Cryptography and System Security (CrySyS Lab) since 2019.

Current Courses

Coding and IT Security (VIHIBB01)

This BProf course gives an overview of the different areas of IT security with the aim of increasing the security awareness of computer science students and shaping their attitude towards designing and using secure computing systems. The course also gives an introduction to source software security and channel coding.

Software Security (VIHIMA21)

This course introduces security problems in software development: students will learn the most common mistakes in software development and how attackers exploit those mistakes (offensive security). Then, students get to know how to mitigate attacks and write secure applications.

Software Security Laboratory (VIHIMA22)

This laboratory extends and deepens the knowledge and skills obtained in the Software Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Computer and Network Security (VIHIMA23)

The course introduces security problems in computing and networked systems, as well as the principles, practical mechanisms, and tools used to solve them. The course covers physical security and OS level security of computers, and the problem of malicious software (malware). It also covers issues related to secure operation of networks in practice. Students get theoretical knowledge and practical skills to assess security risks, understand threats and vulnerabilities. The course also serves as a basis for obtaining skills in penetration testing and ethical hacking of networks.

Computer and Network Security Laboratory (VIHIMB07)

This laboratory extends and deepens the knowledge and skills obtained in the Computer and Network Security course by solving practical, hands-on exercises in real, or close-to-real environments.

Networking and Security Laboratory (VIHIBC01)

This laboratory extends and deepens the knowledge and skills obtained in the Network Security in Practise and Computer Security in Practise courses by solving practical, hands-on exercises in real, or close-to-real environments.

Publications

2023

A Practical Attack on the TLSH Similarity Digest Scheme

G. Fuchs and R. Nagy and L. Buttyán

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security, 2023.

Bibtex | Abstract | PDF | Link

@inproceedings {
   author = {Gabor Fuchs and Roland Nagy and Levente Buttyán},
   title = {A Practical Attack on the TLSH Similarity Digest Scheme},
   booktitle = {ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security},
   year = {2023},
   howpublished = "\url{https://dl.acm.org/doi/10.1145/3600160.3600173}"
}

Keywords

Similarity digest schemes, locality sensitive hashing, TLSH, similarity- based malware detection

Abstract

Similarity digest schemes are used in various applications (e.g., digital forensics, spam filtering, malware clustering, and malware detection), which require them to be resistant to attacks aiming at generating semantically similar inputs that have very different similarity digest values. In this paper, we show that TLSH, a widely used similarity digest function, is not sufficiently robust against such attacks. More specifically, we propose an automated method for modifying executable files (binaries), such that the modified binary has the exact same functionality as the original one, it also remains syntactically similar to the original one, yet, the TLSH difference score between the original and the modified binaries be- comes high. We evaluate our method on a large data set containing malware binaries, and we also show that it can be used effectively to generate adversarial samples that evade detection by SIMBIoTA, a recently proposed similarity-based malware detection approach.

Increasing the Robustness of a Machine Learning-based IoT Malware Detection Method with Adversarial Training

J. Sandor and R. Nagy and L. Buttyán

WiseML'23: Proceedings of the 2023 ACM Workshop on Wireless Security and Machine Learning, 2023.

Bibtex | Abstract | PDF | Link

@inproceedings {
   author = {Jozsef Sandor and Roland Nagy and Levente Buttyán},
   title = {Increasing the Robustness of a Machine Learning-based IoT Malware Detection Method with Adversarial Training},
   booktitle = {WiseML'23: Proceedings of the 2023 ACM Workshop on Wireless Security and Machine Learning},
   year = {2023},
   howpublished = "\url{https://dl.acm.org/doi/10.1145/3586209.3591401}"
}

Keywords

Internet-of-Things; malware detection; machine learning; adversarial examples; adversarial training

Abstract

We study the robustness of SIMBIoTA-ML, a recently proposed machine learning-based IoT malware detection solution against adversarial samples. First, we propose two adversarial sample creation strategies that modify existing malware binaries by appending extra bytes to them such that those extra bytes are never executed, but they make the modified samples dissimilar to the original ones. We show that SIMBIoTA-ML is robust against the first strategy, but it can be misled by the second one. To overcome this problem, we propose to use adversarial training, i.e., to extend the training set of SIMBIoTA-ML with samples that are crafted by using the adversarial evasion strategies. We measure the detection accuracy of SIMBIoTA-ML trained on such an extended training set and show that it remains high both for the original malware samples and for the adversarial samples.

PATRIoTA: A Similarity-based IoT Malware Detection Method Robust Against Adversarial Samples

J. Sandor and R. Nagy and L. Buttyán

IEEE International Conference on Edge Computing and Communications (EDGE), 2023.

Bibtex | Abstract | PDF | Link

@inproceedings {
   author = {Jozsef Sandor and Roland Nagy and Levente Buttyán},
   title = {PATRIoTA: A Similarity-based IoT Malware Detection Method Robust Against Adversarial Samples},
   booktitle = {IEEE International Conference on Edge Computing and Communications (EDGE)},
   year = {2023},
   howpublished = "\url{https://ieeexplore.ieee.org/document/10234259}"
}

Keywords

Internet-of-Things; malware detection; binary similarity; locality-sensitive hashing; robustness against adver- sarial samples.

Abstract

Detecting malware targeting IoT devices has became an important challenge with the recent emergence of IoT botnets. Gateways at the edge between the Internet and IoT devices deployed in the field are particularly well-positioned for the task of malware detection, as malware typically spreads over the Internet and resource-constrained field devices may not have the means to protect themselves. Hence, we believe that, among other things, edge intelligence should also include effective and efficient IoT malware detection. A recently proposed similarity- based IoT malware detection method, called SIMBIoTA, would be suitable in this context, but its robustness against adversarial malware samples has been shown to be rather weak. In this paper, we propose PATRIoTA, a similarity-based IoT malware detection method inspired by SIMBIoTA, but being significantly more robust than SIMBIoTA is. We describe the operation of PATRIoTA, and compare its malware detection performance and robustness against adversarial samples to that of SIMBIoTA. We show that PATRIoTA outperforms SIMBIoTA with respect to both measures.

2022

SIMBIoTA++: Improved Similarity-based IoT Malware Detection

L. Buttyán and R. Nagy and D. Papp

IEEE 2nd Conference on Information Technology and Data Science (CITDS), 2022.

Bibtex | Abstract | PDF | Link

@inproceedings {
   author = {Levente Buttyán and Roland Nagy and Dorottya Papp},
   title = {SIMBIoTA++: Improved Similarity-based IoT Malware Detection},
   booktitle = {IEEE 2nd Conference on Information Technology and Data Science (CITDS)},
   year = {2022},
   howpublished = "\url{https://ieeexplore.ieee.org/abstract/document/9914145}"
}

Keywords

Internet of Things, malware detection, similarity hashing, graph theory, dominating set algorithm

Abstract

The Internet of Things is quickly developing and it enables exciting new applications, but at the same time, it also brings new security risks. In particular, embedded IoT devices may be subject to malware infection, undermining the trustworthiness of IoT systems. Malware detection on IoT devices is challenging due to their resource constraints, and antivirus tools developed for desktop PCs and servers are not directly applicable for them. In an earlier paper, we proposed a lightweight antivirus solution for IoT devices, called SIMBIoTA. In this paper, we propose SIMBIoTA++, an improvement on SIMBIoTA in terms of resource requirements. We also present a graph theory and measurement-based argument for selecting an appropriate similarity threshold, which is a key parameter in both SIMBIoTA and SIMBIoTA++.

SIMBIoTA-ML: Light-weight, Machine Learning-based Malware Detection for Embedded IoT Devices

D. Papp and G. Ács and R. Nagy and L. Buttyán

International Conference on Internet of Things, Big Data and Security (IoTBDS), 2022.

Bibtex | Abstract | PDF

@conference {
   author = {Dorottya Papp and Gergely Ács and Roland Nagy and Levente Buttyán},
   title = {SIMBIoTA-ML: Light-weight, Machine Learning-based Malware Detection for Embedded IoT Devices},
   booktitle = {International Conference on Internet of Things, Big Data and Security (IoTBDS)},
   year = {2022}
}

Keywords

IoT, embedded systems, malware detection, machine learning

Abstract

Embedded devices are increasingly connected to the Internet to provide new and innovative applications in many domains. However, these devices can also contain security vulnerabilities, which allow attackers to compromise them using malware. In this paper, we present SIMBIoTA-ML, a light-weight antivirus solution that enables embedded IoT devices to take advantage of machine learning-based malware detection. We show that SIMBIoTA-ML can respect the resource constraints of embedded IoT devices, and it has a true positive malware detection rate of ca. 95%, while having a low false positive detection rate at the same time. In addition, the detection process of SIMBIoTA-ML has a near-constant running time, which allows IoT developers to better estimate the delay introduced by scanning a file for malware, a property that is advantageous in real-time applications, notably in the domain of cyber-physical systems.

2021

Rootkit Detection on Embedded IoT Devices

R. Nagy and K. Németh and D. Papp and L. Buttyán

Acta Cybernetica, 2021.

Bibtex | Abstract | PDF

@article {
   author = {Roland Nagy and Krisztián Németh and Dorottya Papp and Levente Buttyán},
   title = {Rootkit Detection on Embedded IoT Devices},
   journal = {Acta Cybernetica},
   year = {2021}
}

Keywords

embedded systems, Internet of Things, security, malware

Abstract

IoT systems are subject to cyber attacks, including infecting embedded IoT devices with rootkits. Rootkits are malicious software that typically run with elevated privileges, which makes their detection challenging. In this paper, we address this challenge: we propose a rootkit detection approach for embedded IoT devices that takes advantage of a trusted execution environ- ment (TEE), which is often supported on popular IoT platforms, such as ARM based embedded boards. The TEE provides an isolated environment for our rootkit detection algorithms, and prevents the rootkit from interfering with their execution even if the rootkit has root privileges on the untrusted part of the IoT device. Our rootkit detection algorithms identify modifications made by the rootkit to the code of the operating system kernel, to system pro- grams, and to data influencing the control flow (e.g., hooking system calls), as well as inconsistencies created by the rootkit in certain kernel data struc- tures (e.g., those responsible to handle process related information). We also propose algorithms to detect rootkit components in the persistent storage of the device. Besides describing our approach and algorithms in details, we also report on a prototype implementation and on the evaluation of our design and implementation, which is based on testing our prototype with rootkits that we developed for this purpose.

T-RAID: TEE-based Remote Attestation for IoT Devices

R. Nagy and M. Bak and D. Papp and L. Buttyán

Euro-CYBERSEC, Nice, France, 2021.

Bibtex | Abstract | PDF

@conference {
   author = {Roland Nagy and Marton Bak and Dorottya Papp and Levente Buttyán},
   title = {T-RAID: TEE-based Remote Attestation for IoT Devices},
   booktitle = {Euro-CYBERSEC, Nice, France},
   year = {2021}
}

Keywords

Internet of Things, embedded systems, malware, remote attestation, Trusted Execution Environment

Abstract

The Internet of Things (IoT) consists of network-connected embedded devices that enable a multitude of new applications, but also create new risks. In particular, embedded IoT devices can be infected by malware. Operators of IoT systems not only need malware detection tools, but also scalable methods to reliably and remotely verify malware freedom of their IoT devices. In this paper, we address this problem by proposing T-RAID, a remote attestation scheme for IoT devices that takes advantage of the security guarantees provided by a Trusted Execution Environment running on each device.

2020

Rootkit Detection on Embedded IoT Devices

R. Nagy and L. Buttyán

Conference of PhD Students in Computer Science (CSCS), 2020.

Bibtex | Abstract | PDF

@conference {
   author = {Roland Nagy and Levente Buttyán},
   title = {Rootkit Detection on Embedded IoT Devices},
   booktitle = {Conference of PhD Students in Computer Science (CSCS)},
   year = {2020}
}

Abstract

Rootkits are malicious programs that try to maintain their presence on infected computers while remaining invisible. They have been used to attack traditional computers (PCs and servers), but they may also target embedded IoT devices. In this work, we propose a rootkit detection approach for such embedded IoT devices, where the detection mechanism is executed in an isolated execution environment that protects it from manipulation by the rootkit. Our rootkit detection approach is focused on detecting Direct Kernel Object Manipu- lation (DKOM) and it is based on detecting inconsistencies caused by the presence of a rootkit in various Linux kernel data structures such as the process list, the process tree, and different scheduling queues. We also report on the current status of our implementation using OP-TEE, an open source Trusted Execution Environment.