An important research domain in the CrySyS Lab is security of cyber-physical systems with an emphasis on three application areas: security of industrial automation and control (ICS/SCADA) systems (including the Industry 4.0 domain), security of intelligent transport systems (including connected and autonomous vehicles), and security of Internet-of-Things (IoT) systems. We work on attacks on and protective measures for the CAN bus of vehicles, PLC honeypot development, automated reverse engineering of closed industrial protocols, and platform security for embedded IoT devices, including secure booting, secure remote firmware update, run-time integrity monitoring and remote attestation, and analysis and detection of IoT malware.
Our current research focuses on data privacy including the privacy and security issues of machine learning (Artificial Intelligence). Machine learning is increasingly used in security and safety critical applications to support, or replace human decision-making (self-driving cars, user authentication, profiling, incident and malware detection, etc.). However, it still has several, yet unsolved security and privacy problems which hinder its wider application. First, machine learning models can leak confidential information about their training data, and therefore they can also be subject to regulations (such as GDPR). Second, they can be easily deceived by specially crafted adversarial test examples which are undetectable by humans yet causes the model to make a wrong decision. Third, malicious participants can easily subvert learning by polluting their contributed training data, especially in distributed (federated) learning. Our aim is to warn and educate people about the possible privacy and security implications of emerging technologies, such as machine learning, and support the decision of data sharing with third parties. We develop attacks to demonstrate and measure unintended information leakage as well as design countermeasures often with provable guarantees (e.g., using differential privacy). We also work on the anonymization of large (training) datasets with several hundreds or thousands of attributes. Finally, we study the robustness of machine learning against both adversarial examples and data/model pollution.
Our current research in the economics of security and privacy is rooted in the fact that misaligned economic incentives of stakeholders can interrupt the intended operation of even technically sound systems. We currently have four active topics. First, we explore, analyze and mitigate interdependent privacy problems (when others' actions create privacy externalities for you) in networked ICT services such as online social networks, app platforms and the sharing economy. Second, we work on risk modelling, security training and information sharing mechanisms for both the IoT world and carrier grade networks. Third, we study the economic incentives behind cyber-warfare; specifically, the intricate interplay of attackers and defenders in cyber-physical systems. Finally, we address free-riding and fairness issues in federated machine learning scenarios.
The CrySyS Lab also has a strong competence in the analysis of malware used in targeted attacks. This competence has been gained during participation in projects where CrySyS Lab members analysed samples (of Duqu, Flame, MiniDuke, TeamSpy, Duqu 2.0, and many others) obtained from real incidents at high profile targets. The lab has the necessary infrastructure for analysing malware in an efficient and safe way. In addition, we leveraged our malware analysis experience in building competencies in related fields, such as malware detection, computer security incident response, and digital forensics.
In addition to the above topics, some members of the lab are interested in applied cryptography, cryptographic obfusctaion, and new methods for teaching IT security.
The laboratory has been involved in several successful EU FP6, FP7, Artemis, and EIT Digital projects, as well as in projects funded by Hungarian funding agencies.
PrOTectME is funded by EIT Digital in the area Digital Innovation Factory. The project creates a targeted start-up offering B2B cyber-risk management services to Medium Enterprises (ME). Exploiting the existing assets and knowledge of the project partners, this start-up will help MEs to measure, understand, improve and certify their cyber-posture for Operational Technologies (OT). Based on model-driven analysis, the start-up will support risk assessment (identifying vulnerabilities, most critical attack strategies, most dangerous threat actors), estimation of economic losses caused by cyber incidents, and decisions related to IT and OT security investments on hard and soft mitigation measures (awareness and training campaigns, cyber-insurance, security policies), as well as the compliance gap to security standards. Within the project, we lead the pilot and the training activities, and contribute to the applied cyber-risk management methodology.
The Artificial Intelligence National Laboratory Program (MILAB) is founded in 2020 as the coordinated national artificial intelligence umbrella for the collaboration of all major research centers, universities and large-scale national programs in Hungary. In addition the Thematic Excellence Program (TKP) supports research at knowledge centers and universities focusing on R&D and innovation.
Both programs are funded by the National Research Development and Innovation Office, Ministry of Innovation and Technology.
Within the context of MILAB and TKP, we work on two research topics. The first one is related to mitigate the security risks of IoT by (1) strengthening the security of IoT devices with secure booting and secure remote software update, (2) detecting malware on embedded IoT devices, and (3) analyzing IoT malware samples with machine learning.
The second topic is related to privacy and machine learning. We evaluate privacy attacks for the purpose of auditing machine learning models, and develop privacy preserving and GDPR compliant methods such as the anonymization of training data, and robust learning algorithms. We also analyze the privacy and confidentiality problems of collaborative/federated learning, and we design mechanisms to incentivize cooperation among participants.
In this project, we study the security of critical energy distribution infrastructures. We experiment with implementing various attack scenarios in simulated environments as well as on real equipment used in the energy grid. We also work on countermeasures against the attacks. This work is also related to the Security of Control Systems (SeConSys) initiative.
In this project, we work on various aspects of safety and cybersecurity in embedded systems, including problems of software security and applied cryptography.
REWIRE gathers 12 education and training providers, 11 partners representing industry and certification, and two EU umbrella organisations for Vocational and Educational Training (VET) from 12 EU countries to work together for developing a new sectoral strategic approach to cooperate on cybersecurity skills, and support a better matching between skill needs of the market and skills provided by the relevant education and training organisations. This project aims to provide concrete recommendations and solutions that would lead to the reduction of skill gaps between industry requirements and sectoral training provision and contribute to support growth, innovation and competitiveness in the field of Cybersecurity. Within this project, we work on cyberranges that support the development of cybersecurity experts.
IoTAC is an EU-funded H2020 research and innovation project. It aims to deliver a novel, secure and privacy-friendly IoT architecture that will facilitate the development and operation of more resilient IoT service environments through (i) monitoring and evaluation of applications security throughout the broader software development lifecycle; (ii) the introduction of an advanced access control mechanism based on new interactions and workflow using chip card and PKI technology; (iii) the runtime monitoring of the system as well as provisioning of security countermeasures that are implemented both at hardware- and at software-level and (iv) associated platforms which will provide security certification of the produced applications and system, based on international security standards, best practices and the research results of the project. Within the project, we lead the task on designing a security baseline applicable for various IoT systems.
MELLODDY seeks to accelerate drug discovery and increase efficiencies using machine learning and pharma industry data. The project leverages the world’s largest collection of small molecules with known biochemical/cellular activity to enable more accurate and efficient drug discovery.
MELLODDY aims to train machine learning models across multi-partner datasets while ensuring privacy preservation of both the data and the models by developing a platform using federated learning. The data never leaves the owner’s infrastructure and only non-sensitive models are exchanged. The MELLODDY platform is designed to prevent the leakage of proprietary information from one data set to another or through one model to another while at the same time boosting the predictive performance and applicability domain of the models by leveraging all available data.
The MELLODDY consortium consists of 17 partners: 10 pharmaceutical companies: Amgen, Astellas, AstraZeneca, Bayer, Boehringer Ingelheim, GSK, Janssen Pharmaceutica NV, Merck KgaA, Novartis, and Institut de Recherches Servie; 2 academic universities: KU Leuven, Budapesti Muszaki es Gazdasagtudomanyi Egyetem (BME); 4 subject matter experts: Owkin, Substra Foundation, Loodse, Iktos; one AI computing company: NVIDIA
MELLODDY is an IMI funded project. IMI (Innovative Medicines Initiative) is a partnership between the European Union and the European pharmaceutical industry, represented by the European Federation of Pharmaceutical Industries and Associations (EFPIA).
The Internet has grown beyond a network of laptops, PCs, and large servers: it also connects millions of small embedded devices. This new trend is called the Internet of Things, or IoT in short, and it enables many new and exciting applications. At the same time, IoT also comes with a number of risks related to information security. In some IoT applications security failures may lead to substantial physical damage or monetary loss. In this project, we develop security enhancing technologies for IoT systems. We believe this will enable the use of IoT in a wider range of applications.
The project is led by BME (CrySyS Lab), and it has two other partners: University of Szeged and University of Debrecen. Our research in the project is related to the security of embedded IoT platforms. This is important, because compromising the computing platform enables an attacker to take full control over the embedded devices. An important platform security mechanism is called secured boot, which guarantees that after a reset, the device is put in a correct state. Hardening the OS, as a preventive step, and its continuous run-time integrity monitoring, as a detection measure, are equally important, just like attesting the current state of the device to a remote party, and providing secure means for remote OS/firmware update. We study all these problems in the project. In addition, we develop a penetration testing (ethical hacking) methodology customized for IoT systems, and we demonstrate its usage.
SECREDAS consortium – 69 partners from 16 European countries – has kicked-off the 50 MEuro ECSEL Joint Undertaking research and innovation project, to build a reference architecture for Secure and Safe Automated systems compliant with the new GDPR Regulation. The focus will be on automotive, rail and personal healthcare, all of which demand high security and safety, covering technologies such as radar, lidar, Vehicle-to-Infrastructure and in-vehicle networks.
We focus on two main aspects within SECREDAS. First, we design and develop technologies securing the communication inside the vehicle (CAN bus) and between vehicle and other entities (V2X). Second, we analyze the privacy requirements of technological design patters used across SECREDAS system levels, and design a privacy-preserving external data release mechanism for various sensor data.
The objective of the DIGMAN project is to build a framework that allows SMEs to upload manufacturing jobs via the network to a modern factory and have their designs realized. The project builds a proof-of-concept prototype of such a framework. CrySyS Lab is involved in making the framework secure. More specifically, we develop technologies that can be used for security monitoring and event handling in an industrial SOC environment. Project partners: Evopro Engineering, GraphIT, Ecomatic, BME Manufacturing Technologies Dept.
ISSES is a capacity building project in higher education led by Serbian universities with the goal of developing their new information security education program. The CrySyS Lab provides help to the Serbian partners in setting up laboratory exercises for critical infrastructure security, and delivers training sessions to project partners. Project partners: University of Novi Sad, University of Nis, University of Belgrad, Subotica Tech, Schneider Electric DMS NS, Unicom-Telecom, University of Zagrab, Politechnical University of Milano.
In this IAEA funded project, we aim at establishing a realistic ICS test environment relevant for the nuclear domain and developing methods and tools for computer security incident response in nuclear facilities. The PIRAMID test bed consists of a set of PLCs (multiple brands) controlling simulations of physical processes, and VMs for servers and engineering workstations used in a typical industry environment. We use this unique test bed for validating our research results in application of honeypot technologies as incident detection systems, and in development of data acquisition, fusion, correlation, and analysis methods and tools for forensic investigation support in nuclear facilities.
A possible formal approach towards obfuscation is called indistinguishability obfuscation (iO). Informally speaking, a compiler is an iO if it preserves the functionality of the program, causes only a polynomial slowdown, and the obfuscation of two functionally equivalent programs of similar size are indistinguishable from each other. The first candidate construction for general purpose iO was given in 2013 by Garg et al., which then became the center of interest with three main lines of research: to base its security on plausible assumptions, to improve its efficiency and to find applications. Within the possible cryptographic applications, we are interested in those which help to expand the capabilities of other primitives. We also envision the improvement of iO's efficiency by customizing it to specific tasks. Another direction of our research is to answer the question: how can we make use of iO outside the domain of cryptography? We work on connecting theoretical research with practical applications where the currently used obfuscation techniques cannot guarantee well defined security.
In this project, we work on securing IoT systems by developing a secure IoT gateway platform, cryptographic protocols for securing communications between the IoT gateway and a central data repository, and cryptographic coding techniques for secure storage of and access to the data in the central repository. This work complements the work of other project partners (NETvisor, CS-PROCESS, BME Automation and Applied Informatics Dept.) focusing on building the IoT system itself.
The SOC4CI project develops a security operations centre for critical infrastructures. It aims at providing a customized detection and response service against Advanced Persistent Threats (APT) by integrating a wide range of public and private security information sources, and using a real-time stream processing framework for event correlation and anomaly detection. SOC4CI allows utilities to make the most out of their security investment, while at the same time it offers real-time situational awareness. Project partners: Engineering, F-Secure, and KTH Royal Institute of Technology.
The VCG project develops security measures for protecting modern vehicles from cyber attacks. Within the project, CrySyS Lab members work on forensic tools and methods for uncovering traces of cyber attacks on vehicles, including anomaly detection in the CAN traffic. We also work on determining the privacy risks of CAN data collection and on new privacy enhancing technologies that mitigate the identified risks. We also work, in collaboration with project partners, on a secure gateway platform that provides secure remote access to vehicles. Project partners: Evopro Innovation, Inventure.
The IntelliSec project develops an integrated security data analytics platform that reliably, fast and efficiently identifies advanced persistent threats against smart grids. This allows utilities to make the most out of their cyber security investments, to save on security related OPEX, while at the same time offers real-time situational awareness. Unlike other solutions, our solution integrates a wide range of public and private security information sources, and uses a real-time stream processing framework for event correlation and pattern search. The system is customizable through a GUI. The project implements missing technical features for the platform, develops business scenarios and business models for identifying the best go-to-market strategies for different market segments, and transfers the technology to the industrial partners Siemens, F-Secure, and a subgranted SME, evopro.
The SecSES project had two objectives. First, it implemented securtiy and privacy related features for an energy box in a smart home gateway, which is the interface between a HAN/BAN and the external network. Second, the project implemented attack detection schemes for targeted attacks against the IT infrastructures and for the software systems used in smart energy systems. Both host based and network based targeted attacks were considered. The CrySyS Lab used the security framework developed in the RADIR Project (see below) to the specific case of Smart Energy Systems, and it implemented a testbed and a prototype for honeypot based detection of targeted attacks on Smart Energy Systems.
The purpose of the RADIR Project was to develop a security framework for detection of targeted cyber attacks, incident handling, and forensic analysis with a focus on critical infrastructures. The framework is mainly based on special honeypots and heuristic anomaly detection algorithms, static and dynamic program analysis tools, techniques for anonymous information sharing for global incident handling, and tools for advanced forensic analysis.
The CHIRON Project combined state-of-the art technologies and innovative solutions into an integrated framework designed for an effective and person-centric health management system. Within the CHIRON project, the CrySyS Lab worked on security and privacy in Body Area Sensor Networks mounted on the patients body for the puspose of remote patient monitoring. In particular, we studied the problem of and proposed solutions to prevent traffic analysis attacks, and we developed a query auditing framework to provide privacy preserving remote access to aggregated patient data.
The goal of the WSAN4CIP project was to advance the technology of Wireless Sensor and Actuator Networks (WSANs) beyond the state of the art, in order to make them applicable in the protection of Critical Infrastructures (CIs). The project demonstrated how wireless sensor and actuator networks can be used in CI protection by designing and deploying a sensor network based monitoring solution in an electrical grid in Portugal and a drinking water supply system in Germany. Within the project, the CrySyS Lab led the work package on Dependable Networking, and developed secure routing, clustering, data aggregation, and transport protocols for sensor networks, as well as techniques to protect network coding based ditributed data storage schemes from pollution attacks.
UbiSec&Sens aimed at developing a comprehensive security toolbox for medium and large scale WSNs, such that the components of this toolbox enable the rapid development of trusted sensor network applications. We developed secure routing protocols and resilient data aggregation schemes for sensor networks in this project.
SeVeCom addressed security of future vehicle communication networks, including both the security and privacy of inter-vehicular and vehicle-infrastructure communication. Its objective was to define the security architecture of such networks, as well as to propose a roadmap for progressive deployment of security functions in these networks.
Most of European critical activities rely on highly interconnected information systems. The performance of such information systems could be jeopardized by incidents of various kinds. DESEREC aimed at developing countermeasures that respond both to attacks from the outside (e.g., aiming at Intrusion or Denial of Service), and to intrinsic failures of inner origin (hardware failure, software fault, environment).
Targeted malware attacks often use digitally signed components that appear to originate from legitimate software makers, although they do not. The specific problem that we addressed in our work is that standard signature verification procedures used in today’s PKI systems do not allow for detecting key compromise and fake certificates. Therefore, the objective of the work was to augment the standard signature verification workflow with checking of reputation information on signers and signed objects. For this purpose, we built a data collection framework and a data repository for signed software and code signing certificates, we implemented services that use the repository for providing reputation information for signed objects, such as when a given signed object has been first seen and how often it was looked up by users, and we also provide alert services for private key owners that help them detecting when their signing keys were illegitimately used. Our system, called Repository of Signed Code (ROSCO), is available for test purposes at rosco.crysys.hu.
We developed a PLC honeypot, a decoy system that looks like a PLC, but actually, it is a trap that attracts attackers and logs their activity. Our honeypot is a high interaction honeypot, which realizes almost all services of a Siemens ET 200S PLC. We customized the TCP/IP stack of Linux to create a stack almost identical to that of the PLC, and we integrated our services to an easy to use package, which can turn any Debian based Linux PC into a PLC honeypot. We keep track of the state of some internal variables such that when their values are set through one protocol (e.g., SNMP), they can be read back over another interface (e.g., HTTP). This makes our honepot hard to distinguish from a real PLC.
We developed an IoT test bed for educational purposes featuring a small hydro-powerstation, a data center, wired and wireless sensors, and PLCs controlling the operation of actuators in the powerstation and in the data center. The test bed is used in a laboratory exercise where students have to attack the system in various ways, including falsifying wireless transmissions from sensors and reprogramming PLCs. Some of the attacks have physical consequences (overflowing watertank, overheating data center), which are nicely observable by the students on the test bed.
In the academic research community, the quality of research is often measured in terms of the number and quality of publications, as well as in terms of the number of independent citations. We are proud of our colleagues who have strong publication records and are outstanding according to the above measures. Most of our papers are available on-line on our publication page.
Smaller and less scientific results may still be interesting, so we publish them on our blog site.