National Interdisciplinary Center for Cyber Security
and Cyber Defense of Critical Infrastructures
Manindra Agarwal
Sandeep K. Shukla
Subhash Chandra Srivastava
ANNUAL REPORT 2017 – 2018
Submitted to the Science and Engineering Research Board (SERB)
C3i Center | Annual Report 2017 - 2018 2
Contents

History ... 4
Objectives ... 6
Deliverables after 5 years ... 7
VULNERABILITY AND PENETRATION TESTING RESULTS OF SCADA TESTBED ... 8
C3I-GUARDIAN: AN INDIGENOUS SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM) SOLUTION DEVELOPED AT IIT KANPUR ... 9
    A single solution for Cyber Security and Cyber Defense of Critical Infrastructures ... 9
    Milestones Achieved ... 9
INVENTORY INTELLIGENCE SYSTEMS ... 10
SCADA TEST BED PROGRESS ... 13
MALWARE DETECTION, CLASSIFICATION ... 17
    Dataset ... 18
    Features collected by only 4 seconds of malware execution ... 18
    Classification of Zero-day malwares ... 20
    Training and Testing ... 22
    Improvement over our Past Results ... 23
AUTOMATIC MALWARE DETECTION USING MEMORY FORENSICS ... 23
LINUX MALWARE DETECTION BY HYBRID ANALYSIS ... 26
DEVELOPMENT OF HONEYPOTS FOR THREAT INTELLIGENCE ... 28
IOT HONEYPOTS DEPLOYED ... 30
CRYPTANALYSIS AND CRYPTO ENGINEERING ... 33
    Cryptanalysis of 1-Round KECCAK ... 33
    Resource Efficient Implementation of Crypto-primitives in Hardware ... 33
VLSI ARCHITECTURES FOR CRYPTO PRIMITIVES ... 34
PUBLICATIONS - CONFERENCES ... 37
TECHNICAL REPORTS ... 39
HUMAN RESOURCE DEVELOPMENT ... 40
OUTREACH TO RAISE AWARENESS ABOUT CYBER SECURITY ... 41
SUMMER INTERNSHIP PROGRAM ... 44
    Attacks in Android ... 44
SEMINARS ... 46
    Seminars by Faculty ... 46
    Seminars and Events @ CSE, IITK ... 47
MEMORANDUM OF UNDERSTANDING ... 48
    Academic MOUs ... 48
    Industry MOUs ... 49
    TCG MOU ... 49
Table of Figures:

Figure 1: Our Malware Classification Architecture ... 5
Figure 2: Honeypot with Dockers developed in our Lab ... 5
Figure 3: Front End of our SIEM Solution ... 9
Figure 4: Alert Generation Example ... 10
Figure 5: Threat/Attack Statistics Console of Guardian to Help Security Engineers to find out attacks on their system ... 11
Figure 6: Inventory Intelligence Console Displaying Key points of the Cyber Assets Vulnerabilities ... 12
Figure 7: Patch Information on Console ... 12
Figure 8: Schematic of the Industrial Scale Cyber Security Test Bed under Procurement ... 13
Figure 9: Factory Automation Test Bed under Procurement ... 14
Figure 10: Malware Classification Architecture ... 17
Figure 11: Architecture of Classification System for Zero-Day Malware ... 21
Figure 12: Process of detecting malware by using memory forensic ... 25
Figure 13: The process to detect malware by hybrid analysis ... 27
Figure 14: A sample of Analytics on the attacks found on IIT Kanpur Network by our Honeypots ... 31
Figure 15: Distinguishing Script Based Attacks and Manual Attacks based on inter-command Latency ... 34
Figure 16: Operation of the proposed systolic parallel versatile non-vector GF(2^4) LSB first multiplier ... 34
Figure 17: (a) The circuit with synchronous pipeline, (b) Asynchronous pipeline with glitches due to delay imbalance in the forward path, (c) Existing asynchronous pipeline without glitches (absence of delay imbalance in the forward path), (d) Proposed glitch f ... 37
Figure 18: Block diagram of the AES/RS-BCH co-processor connected with 32-bit Microblaze using Xilinx Vivado ... 39
History

In March 2016, SERB/DST sanctioned the establishment of the Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructure (C3i) center. An amount of 14.43 crores INR was sanctioned over a five year period (March 2016 – Feb 2021) to establish this center as a center of excellence in securing the critical infrastructures of the country. The idea is to build a strong research programme in threat modeling, threat discovery and mitigation techniques, and also to develop education and awareness of the need to protect critical infrastructures such as the power grid, transportation systems, manufacturing systems, and even banking networks from hackers, the cyber-armies of nation states, and terrorist organizations.

One of the major objectives of the center is to create an industry scale test-bed that would rival the large-scale cyber security test beds present in the National Labs of the United States such as Sandia National Lab or Idaho National Lab. Such a testbed not only provides a research platform for researchers at IIT Kanpur, but can also be used by industry and utilities to bring their hardware/software for hardware-in-the-loop and software-in-the-loop testing and security validation. It can also be used to train utility engineers and executives about cyber attack surfaces, threats, and mitigation techniques, preparing them for real life cyber security crises in their organizations.

The other objectives include building indigenous technology in the cyber security of critical infrastructure arena, so that a large number of start-ups at IITK can be incubated and products can be launched to reduce dependence on foreign security products. Dependence on foreign products poses a supply-chain risk to the nation.

Finally, building manpower through IITK degree programs, MOOC courses in cyber security, summer internships at the C3I center, and training programs for utilities and the government sector will be part of the mission of the center.

In this annual report, we briefly go over all the work that has been carried out from March 2016 till April 2018.
Figure 1: Our Malware Classification Architecture
Figure 2: Honeypot with Dockers developed in our Lab
First let us look at the stated objectives and deliverables of the project to
put the reported work in context.
Objectives:

1. Build a SCADA test bed with power distribution and transmission systems, and a manufacturing system for process control and discrete control, with a diversity of SCADA protocols to enable research and education in Cyber Security of Critical Infrastructure -- in particular power infrastructure and Industrial Automation.
2. Build methods, techniques, and technology for making SCADA and Industrial Control IT systems insider attack-proof.
3. Develop machine learning algorithms for detecting on-going cyber-attacks and advanced persistent threats on power systems.
4. Build methodology and techniques for deploying honey pots and honey nets to develop a malware repository and malware analysis and trend forecasting capabilities.
5. Apply formal methods to develop effective algorithms for vulnerability and malware detection in applications, systems, and firmware -- and transfer such technology to a startup ecosystem.
6. Develop protocol reverse engineering tools and capabilities to detect the presence of botnets, trojans and other advanced persistent threats in critical infrastructure.
7. Develop light weight cryptography and block chain-based authentication, identity management and key management schemes for networks of devices (IoT and M2M).
8. Develop cryptographic co-processors and side-channel proofing techniques for cryptographic hardware and software systems.
9. Develop security architecture, perimeter defense, network and Cloud security for critical infrastructure, and inform the policy formulation and best practices guidance for NCIIPC.
10. Field-test security techniques, architectures, and protocols on the IITK smart city project.
Deliverables after 5 years:

1. A national scale SCADA test bed for research, training, and hardware/software in-the-loop testing by vendors at IIT Kanpur.
2. Tools and techniques for malware collection and benchmark creation for malware analysis and trending.
3. Tools and techniques for application software vulnerability detection.
4. Tools and techniques for insider threat-proofing critical infrastructure IT systems.
5. Work with a power utility or smart grid corporation to experimentally use our PMU data analytics-based tools for detecting advanced persistent threats.
6. Create at least one start-up with the IIT Kanpur incubation enterprise in the cyber security of critical infrastructure space by licensing IP in vulnerability detection, protocol reverse engineering, malware detection etc.
7. Creation of malware for exploitation of criminal information systems and mobiles for cyber espionage.
VULNERABILITY AND PENETRATION TESTING RESULTS OF
SCADA TESTBED
Communication protocol vulnerability: Advanced man-in-the-middle attacks demonstrated and mitigation techniques tested.
SCADA application software vulnerability: Privilege escalation and credential dumping from memory demonstrated and mitigation techniques tested.
Embedded web server vulnerability: Cross site request forgery demonstrated, and mitigation techniques tested.
Vulnerabilities in the network devices: Privilege escalation demonstrated, reported to CERT-IN and to the NCSC office.
FTP server vulnerability: Hardcoded credentials demonstrated and tested.
The above work demonstrates that the industrial automation systems deployed in many industrial control systems, water treatment plants (one in Kanpur), and some power distribution systems are vulnerable in multiple ways, and that the vendors of SCADA systems, PLCs, relays and other instrumentation are irresponsible in selling such products in India – leaving our critical infrastructure wide open to attacks.
C3I-GUARDIAN: AN INDIGENOUS SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM) SOLUTION DEVELOPED AT IIT KANPUR
A single solution for Cyber Security and Cyber Defense of Critical Infrastructures.
Many smaller utilities and rural/cooperative banks cannot afford SIEM solutions from vendors such as IBM, FireEye and other multi-national companies because of the cost and licensing of the platform technologies. Our solution is built with open source software and can be used freely by such small/medium businesses.
Threat Intelligence and Security information and event generation
• Near real time centralized monitoring of both insider and external cyber-attacks on cyber assets of critical infrastructure.
• Design and Development of a centralized security information and event management application.
• Design and deployment of Threat intelligence and SIEM is in process.
Milestones Achieved
Figure 3: Front End of our SIEM Solution
INVENTORY INTELLIGENCE SYSTEMS
Patch management of existing critical cyber assets is extremely important, as the software running on an enterprise's cyber assets often gets hit by zero-day exploits and immediate patching is required. Without a centralized console for the latest vulnerability and patch information, system administrators have to go by Internet news articles to figure out the need for patching. With our inventory intelligence system, system admins register all cyber assets with their latest firmware, O/S, and applications with the latest patch versions. The system automatically mines the National Vulnerability Database (NVD) and on the console color codes all assets based on the criticality of the patch requirements. As patches get applied, the color code is changed to green. The next step is to put the patch history into a block chain, so that no insider attack can apply unauthorized patches or replace a software with a malicious one. This is targeted at CISOs and security engineers of small/medium utilities and enterprises.
The features of this inventory intelligence system are:
• Centralized inventory management of cyber assets of critical infrastructure.
• Near real time monitoring and notification generation of related vulnerabilities to concerned person to keep the cyber assets patched and updated.
Figure 4: Alert Generation Example
Design and development of a standalone application whose intended users are system administrators and the Security Operations Centre (SOC).
Providing patch information on the console, along with details of the vulnerability mined from the NVD database, helps system administrators educate themselves before applying a patch.
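The matching and colour-coding loop described above, as an added example (not the C3i Guardian or inventory intelligence code): registered assets carry a product and version, constructed NVD-style records with placeholder CVE ids are matched against them, the console colour follows the worst unpatched CVSS band, and an asset turns green once its outstanding fixes are recorded. The product names, the vendor:product convention and the CVE ids are constructed for the example.

```python
"""Asset-to-NVD matching and patch colour coding. Added example with
constructed data; not the C3i inventory intelligence implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    """A registered cyber asset: what runs on it and which CVEs are already patched."""
    name: str
    product: str                 # "vendor:product", CPE-like (constructed convention)
    version: str                 # dotted numeric version string
    patched: Set[str] = field(default_factory=set)


# Constructed NVD-style records with placeholder ids (not real CVEs).
# "start" is inclusive, "end_excl" exclusive, "cvss" is a CVSS v3 base score.
SAMPLE_NVD: List[Dict] = [
    {"cve": "CVE-TEST-0001", "product": "acme:scadaview", "start": "3.0.0",
     "end_excl": "3.3.0", "cvss": 9.8},
    {"cve": "CVE-TEST-0002", "product": "acme:scadaview", "start": "0",
     "end_excl": "3.2.0", "cvss": 6.5},
    {"cve": "CVE-TEST-0003", "product": "acme:gatewayos", "start": "1.0",
     "end_excl": "1.5", "cvss": 5.3},
]


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1, 0): zero-padded so versions of any length compare sanely."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(asset: Asset, rec: Dict) -> bool:
    """True when the record names the asset's product and its version is in range."""
    if rec["product"] != asset.product:
        return False
    v = parse_version(asset.version)
    return parse_version(rec["start"]) <= v < parse_version(rec["end_excl"])


def severity(cvss: float) -> str:
    """NVD's qualitative CVSS v3 rating bands."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    if cvss > 0.0:
        return "LOW"
    return "NONE"


# Console colour per worst outstanding severity; green once nothing is outstanding.
COLOR = {"CRITICAL": "red", "HIGH": "orange", "MEDIUM": "yellow",
         "LOW": "blue", "NONE": "green"}


def outstanding(asset: Asset, nvd: List[Dict]) -> List[Dict]:
    """Matching records whose fix has not been recorded yet, most severe first."""
    hits = [r for r in nvd if is_affected(asset, r) and r["cve"] not in asset.patched]
    return sorted(hits, key=lambda r: r["cvss"], reverse=True)


def color_code(asset: Asset, nvd: List[Dict]) -> str:
    hits = outstanding(asset, nvd)
    return COLOR[severity(hits[0]["cvss"]) if hits else "NONE"]


def apply_patch(asset: Asset, cve: str) -> None:
    """Record that the fix for `cve` was applied (the asset keeps a patched set
    rather than bumping its version, so that record stops matching)."""
    asset.patched.add(cve)


def alerts(assets: List[Asset], nvd: List[Dict]) -> List[str]:
    """One notification line per outstanding CVE, for the person responsible."""
    lines = []
    for a in assets:
        for r in outstanding(a, nvd):
            lines.append(f"[{severity(r['cvss'])}] {a.name} ({a.product} {a.version}): "
                         f"{r['cve']} CVSS {r['cvss']}")
    return lines


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Colour codes before and after patching the critical finding on the HMI."""
    hmi = Asset("hmi-01", "acme:scadaview", "3.2.1")
    gw = Asset("plc-gw-02", "acme:gatewayos", "1.4")
    before = {a.name: color_code(a, SAMPLE_NVD) for a in (hmi, gw)}
    apply_patch(hmi, "CVE-TEST-0001")
    after = {a.name: color_code(a, SAMPLE_NVD) for a in (hmi, gw)}
    return before, after


if __name__ == "__main__":
    fleet = [Asset("hmi-01", "acme:scadaview", "3.2.1"),
             Asset("plc-gw-02", "acme:gatewayos", "1.4")]
    for line in alerts(fleet, SAMPLE_NVD):
        print(line)
    print(demo())
```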
Figure 5: Threat/Attack Statistics Console of Guardian to Help Security Engineers to find out attacks on their system
Figure 6: Inventory Intelligence Console Displaying Key points of the Cyber Assets Vulnerabilities
Figure 7: Patch Information on Console
SCADA TEST BED PROGRESS

Currently the testbed in our center is a power distribution system automation along with PLC control, relay management, and a SCADA system. However, a new Cyber Security building is being constructed (slated to be completed on July 31st) and an industry scale testbed with power generation, transmission and distribution, industrial automation, water treatment plant, process automation, and home automation will be established. The procurement process is currently taking place and will be completed by mid-2019. The procurement has been delayed due to the construction of the building. The procurement schedule is given in Table 1.
Figure 8: Schematic of the Industrial Scale Cyber Security Test Bed under Procurement
Table 1: Procurement Schedule

Description | Procurement Phase | Proposed Requisition Date
Binary Ninja | Delivered at site |
Ida Pro | Delivered at site |
Maintenance Kit comprising of Screw Driver Set + Pliers + Hammer + Hack Saw + Utility Knife + Drill bit + Allen key + inch tape + adjustable spanner + emergency torch | Delivered at site |
Acrylic Cluster Case For Raspberry Pi | Delivered at site |
Crimping Tool With Rj45/11 Lan Tester, Krone Tool And 100 Pcs Connectors | Delivered at site |
Network Devices and Server (Server; Router; Firewall; L3 Ethernet Switch; L2 Ethernet Switch; Access Points; Network Rack; Console Server) | Request for Bidding | 26 / 04 / 18
Mounting Arrangement (Aluminum composite segment; Panel Accessories and Mounting arrangement) | Bidding document is ready | 26 / 05 / 18
Printer & Online UPS (Printer; Online UPS) | Bidding document is ready | 26 / 05 / 18
Software (SCADA Software along with MIS and MES; Antivirus; Operating System) | Request for Bidding | 30 / 04 / 18
Power Testbed (Diesel Generator; Transformer; Synchronization system) | Bidding document is ready | 26 / 05 / 18
Process Testbed (Water Tank; Filterbed; Pump; Valve; Field instruments) | Bidding document is ready | 31 / 05 / 18
Discrete Testbed (Feeding Station; Inspection Station; Buffer Station; Processing Station; Sorting Station) | Bidding document is ready | 30 / 06 / 18
PLC Hardware (CPU; Analog module; Digital Module; Backplane with power supply) | Bidding document is ready | 31 / 05 / 18
RTU Hardware (CPU; Analog module; Digital Module; Backplane with power supply) | Bidding document is ready | 30 / 06 / 18
Power Protection Hardware (Transformer Protection device; Distance Protection device; Feeder Protection device) | Bidding document is ready | 10 / 06 / 18
Industrial Wireless (VSAT communication; Radio communication) | Bidding document under preparation | 10 / 08 / 18
PDC and PMU Hardware (PMU; PDC) | Bidding document is ready | 10 / 06 / 18
DCS Hardware and Software (Controller; Software) | Bidding document under preparation | 15 / 07 / 18
Solar Power Plant | Started | 26 / 10 / 18

Figure 9: Factory Automation Test Bed under Procurement (diagram labels: MES, MIS, AM, ERP, PLM, Internet, VPN tunnel, SCADA, PLC DB server, firewall, web server, supply chain, logistics user, cloud services infrastructure, process automation testbed, DCS DB server, WiFi/WiMAX operators, discrete automation testbed, external firewall, internal firewall, Ethernet switch, router)
MALWARE DETECTION, CLASSIFICATION
One of our objectives is to build machine learning based tools for malware detection and classification to protect systems against malware. Currently we are dependent mostly on foreign malware detection tools sold by Symantec, McAfee, Kaspersky, Sophos etc. Recently, the United States has banned the use of Kaspersky tools in all government offices due to concern about backdoors and Trojans in such foreign tools, which could exfiltrate data. So, our goal has been to build tools to classify malware so that we have an indigenous product soon. In the past one and a half years, we have worked extensively on this problem, and here we give a snapshot of one recent work which allowed us to use dynamic behavior profiling, feature extraction and classification of malware into distinct classes, and to classify previously unseen malware using zero-shot learning.
Figure 10: Malware Classification Architecture
Dataset:
Our dataset comprises around 29,550 Win32 malware samples from 8 malware types and 15 malware families. Table 2 provides the details of the dataset used for learning.

Table 2: The Dataset for our Malware Analysis

Malware Type | Malware Family | Number of Samples
TrojanDropper | Sventore.C | 1,577
TrojanDropper | Sventore.A | 1,347
TrojanDownloader | Renos | 1,985
TrojanDownloader | Small | 1,316
TrojanDownloader | Tugspay | 3,417
Worm | Yuner | 3,794
Worm | Allaple | 4,258
Worm | VB | 2,418
Trojan | Startpage | 1,565
Trojan | Comame!gmb | 1,830
Virus | Luder | 1,967
Virtool | VBInject | 1,202
PWS | OnlineGames | 1,041
Backdoor | Agent | 1,020
Backdoor | RBot | 817
Total | | 29,554
Features collected by only 4 seconds of malware execution:

• Signatures: from a set of 433 signatures (specific to Windows and networks) we extracted the 25 most frequent as binary features, for example:
    whether it allocates read-write-execute memory (usually to unpack itself);
    whether it installs itself for autorun at Windows startup;
    whether it steals private information from local Internet browsers;
    whether it queries the disk size, checks the amount of memory in the system, checks adapter addresses, etc.
• API bins: API calls are divided into 16 categories instead of the n-gram technique that is very common in the past literature: Netapi, certificate, notification, network, services, exception, crypto, ole, resource, UI, synchronization, misc, process, file, system, registry.
• 31 network features (IP entropy, HTTP information, protocol information, dead hosts, domains, ratio of public and private IP addresses).
• Number of processes created (child and new) and number of dropped files (files downloaded by the sample or created at the beginning while unpacking).
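An added example, not the center's own feature extractor, of how the feature groups above can be computed from a behaviour report: API call counts summed into the 16 bins, IP entropy and the public/private IP ratio over the contacted hosts, and process and dropped-file counts. The report layout is a simplified, constructed Cuckoo-style JSON and the API-to-bin mapping is an assumption; only a few of the 31 network features are shown.

```python
"""Feature extraction from a constructed, Cuckoo-style behaviour report.
Added example; the report shape and the API-to-bin mapping are assumptions."""
import ipaddress
import math
from collections import Counter
from typing import Dict, List

API_BINS = ["netapi", "certificate", "notification", "network", "services",
            "exception", "crypto", "ole", "resource", "ui", "synchronization",
            "misc", "process", "file", "system", "registry"]

# Constructed mapping for the APIs in the sample; anything unknown lands in "misc".
API_TO_BIN = {
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "CreateFileW": "file", "WriteFile": "file",
    "CreateProcessW": "process", "VirtualAllocEx": "process",
    "connect": "network", "send": "network",
    "CryptEncrypt": "crypto", "WaitForSingleObject": "synchronization",
    "LoadLibraryW": "system", "CertOpenStore": "certificate",
}

# Constructed report: loosely follows Cuckoo's JSON (apistats per pid,
# network.hosts, dropped files) but is simplified for the example.
SAMPLE_REPORT = {
    "behavior": {
        "apistats": {
            "1234": {"RegOpenKeyExW": 3, "RegSetValueExW": 1, "CreateFileW": 4,
                     "WriteFile": 2, "CreateProcessW": 1, "VirtualAllocEx": 1,
                     "connect": 5, "send": 7, "CryptEncrypt": 2,
                     "WaitForSingleObject": 3, "NtQuerySystemTime": 1},
            "5678": {"CreateFileW": 1, "LoadLibraryW": 2},
        },
        "processes": [{"pid": 1234, "ppid": 400}, {"pid": 5678, "ppid": 1234}],
    },
    "dropped": [{"name": "setup.tmp"}, {"name": "helper.dll"}],
    "network": {
        "hosts": ["10.0.0.5", "10.0.0.5", "203.0.113.7", "198.51.100.3"],
        "domains": [{"domain": "update.example"}],
        "http": [{"method": "GET", "host": "update.example"}],
        "dead_hosts": [["203.0.113.9", 80]],
    },
}

# RFC 1918 ranges plus loopback; everything else counts as public here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def api_bin_counts(report: Dict) -> Dict[str, int]:
    """Sum API call counts over all monitored processes into the 16 bins."""
    counts = {b: 0 for b in API_BINS}
    for per_pid in report["behavior"]["apistats"].values():
        for api, n in per_pid.items():
            counts[API_TO_BIN.get(api, "misc")] += n
    return counts


def ip_entropy(hosts: List[str]) -> float:
    """Shannon entropy (bits) of the contacted-IP distribution: a sample that
    hammers one host scores low, one that sprays many hosts scores high."""
    total = len(hosts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in Counter(hosts).values())


def network_features(report: Dict) -> Dict[str, float]:
    net = report["network"]
    uniq = set(net["hosts"])
    private = sum(1 for h in uniq if is_private(h))
    public = len(uniq) - private
    return {
        "ip_entropy": ip_entropy(net["hosts"]),
        "public_private_ratio": public / private if private else float(public),
        "n_domains": len(net["domains"]),
        "n_http": len(net["http"]),
        "n_dead_hosts": len(net["dead_hosts"]),
    }


def extract_features(report: Dict) -> Dict[str, float]:
    """Flat feature vector: bin_* counts, network statistics, process and drop counts."""
    feats = {f"bin_{b}": n for b, n in api_bin_counts(report).items()}
    feats.update(network_features(report))
    feats["n_processes"] = len(report["behavior"]["processes"])
    feats["n_dropped"] = len(report["dropped"])
    return feats


if __name__ == "__main__":
    for k, v in extract_features(SAMPLE_REPORT).items():
        print(f"{k:24s} {v}")
```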
We have used classifiers such as a simple neural network, XGBoost and KNN to evaluate our technique. Table 3 shows the results of applying these classifiers to the testing set (20% of the dataset) on all the features discussed above. The evaluation metrics used are True Positive Rate (TPR), False Positive Rate (FPR), Precision (Pr) and F-score (FM).
We achieved a comparable accuracy of 98.02% with just 4 seconds of behavioral data. There is always a tradeoff between achieving good accuracy and performing classification in a short time; our work addresses both.
Table 3: Results of Various Classification Methods Applied to Malware Data Set

Class | XG-Boost TPR | XG-Boost FPR | XG-Boost Pr | XG-Boost FM | KNN TPR | KNN FPR | KNN Pr | KNN FM | SimpleNeuralNet TPR | SimpleNeuralNet FPR | SimpleNeuralNet Pr | SimpleNeuralNet FM
Backdoor | 0.96 | 0.003 | 0.90 | 0.929 | 0.955 | 0.007 | 0.823 | 0.884 | 0.955 | 0.006 | 0.834 | 0.89
PWS | 0.955 | 0.0005 | 0.98 | 0.964 | 0.91 | 0.002 | 0.919 | 0.914 | 0.945 | 0.001 | 0.964 | 0.954
Trojan | 0.923 | 0.0006 | 0.99 | 0.953 | 0.921 | 0.004 | 0.965 | 0.942 | 0.905 | 0.001 | 0.99 | 0.945
TrojDown | 0.986 | 0.008 | 0.97 | 0.974 | 0.905 | 0.015 | 0.949 | 0.926 | 0.968 | 0.014 | 0.953 | 0.960
TrojDrop | 0.996 | 0.0001 | 0.99 | 0.99 | 0.985 | 0.0009 | 0.991 | 0.987 | 0.992 | 0.0009 | 0.991 | 0.991
Virtool | 0.992 | 0.001 | 0.96 | 0.974 | 0.836 | 0.003 | 0.924 | 0.877 | 0.944 | 0.002 | 0.947 | 0.945
Virus | 0.977 | 0.0047 | 0.93 | 0.949 | 0.770 | 0.011 | 0.832 | 0.799 | 0.910 | 0.004 | 0.934 | 0.921
Worms | 0.993 | 0.0041 | 0.99 | 0.99 | 0.992 | 0.036 | 0.937 | 0.963 | 0.992 | 0.009 | 0.982 | 0.986
Classification of Zero-day malwares:

Using the above models, we can classify the malware accurately 98% of the time. But what happens if the malware authors develop a completely new malware family by exploiting some zero-day vulnerability? For such malware classification, we need to be able to classify malware which has not been seen in the wild (in this case, in our dataset) into its type with only 4 seconds of behavioral information.

Table 4: Dataset used for Zero-Day Malware Classification

Types | Training | Testing
Worms, Virus, Trojan | 7587 | 3794
TrojanDropper | 5417 | 645
TrojanDownloader | 4288 | 1565
Backdoor | 3326 | 1347
Total | 31766 | 10356

Table 5: The dataset after SMOTE, which performed best among these techniques

Types | Training families | Testing family
Worms | Allaple, VB, Vobfus, Mydoom | Yuner
Virus | Luder, Expiro, Virut, Ramnit, Parite, Mabezat, Patchload | Krepper
Trojan | Bulta!rfn, Comame!gmb, BHO, Koutodoor, Alureon, Vundo, Agent, Toga!rfn, VB, Bagsu!rfn, Rimecud | Startpage
TrojanDropper | Agent, Lamechi, Small, Sirefef | Sventore.A
TrojanDownloader | Small, Tugspay, Agent, Banload, Delf, Adload, Wintrim | Renos
Backdoor | Rbot, Zegost, Hupigon, IRCbot, Delf, Cycbot, Sdbot, VB, Bifrose | Agent
Figure 11: Architecture of Classification System for Zero-Day Malware
We observed that our dataset is highly imbalanced, i.e. one family in a type with more samples dominates the other families which have fewer samples. Thus, we applied various resampling techniques such as SMOTE, SMOTEENN, SMOTETomek etc., which are basically oversampling techniques.

Table 6: Training Set Sample Sizes for Different Classes

Types | Samples in Training Set
Worms, Virus, Trojan | 7587
TrojanDropper | 13776
TrojanDownloader | 20627
Backdoor | 3326
Total | 64362
Training and Testing:
For classifying unknown samples, a different approach was adopted since the basic classifiers did not perform well on the dataset. Six binary classifiers were created, one for each type, and trained using a One-vs-All approach, i.e. if a classifier for the type Trojan is being trained, then one class contains all the Trojans and the other class contains samples from the rest of the types. Since the feature set consists of 4 categories, namely network, process, bins and signatures, various combinations of these categories were tried to find the best feature set for each binary classifier.
Also, several experiments were performed where the top n features (ranked by their importance, measured using F-score) were selected as the feature set for the classifiers, with n varying from 5 to 50. Finally, for each classifier the feature set which gave the minimum misclassification error on the validation set was selected. Then, for any test sample, the probability of it belonging to each type is calculated using these classifiers, and it is assigned to the type with the maximum probability.
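The One-vs-All decision rule above, as an added example (not the center's classifier): one binary model per type, each giving P(type | sample), and the sample assigned to the type with the highest probability. Bernoulli naive Bayes over binary signature features stands in for the per-type classifier (the report's own models differ), the training samples are constructed, and the top-n feature-selection step is not included.

```python
"""One-vs-All type classification with a per-type binary classifier.
Added example with constructed data; naive Bayes is a stand-in classifier."""
import math
from typing import Dict, List, Tuple

Sample = Tuple[List[int], str]   # (binary feature vector, type label)

# Constructed 4-second behaviour signatures (binary), in the style of the list above.
FEATURES = ["rwx_memory", "autorun_install", "browser_cred_theft", "irc_connect"]

TRAIN: List[Sample] = [
    ([1, 1, 0, 0], "Worm"), ([1, 1, 0, 0], "Worm"), ([1, 1, 0, 0], "Worm"),
    ([0, 0, 1, 0], "Trojan"), ([0, 0, 1, 0], "Trojan"), ([0, 0, 1, 0], "Trojan"),
    ([0, 1, 1, 0], "Trojan"),
    ([0, 0, 0, 1], "Backdoor"), ([0, 0, 0, 1], "Backdoor"), ([0, 0, 0, 1], "Backdoor"),
]


class BernoulliNB:
    """Two-class naive Bayes over 0/1 features with Laplace smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha

    def fit(self, X: List[List[int]], y: List[int]) -> "BernoulliNB":
        n_feat = len(X[0])
        self.prior = {c: sum(1 for v in y if v == c) / len(y) for c in (0, 1)}
        self.theta: Dict[int, List[float]] = {}
        for c in (0, 1):
            rows = [x for x, v in zip(X, y) if v == c]
            # P(feature j = 1 | class c), smoothed so unseen features never zero out
            self.theta[c] = [(sum(r[j] for r in rows) + self.alpha) /
                             (len(rows) + 2 * self.alpha) for j in range(n_feat)]
        return self

    def log_joint(self, x: List[int], c: int) -> float:
        lp = math.log(self.prior[c])
        for xj, tj in zip(x, self.theta[c]):
            lp += math.log(tj if xj else 1.0 - tj)
        return lp

    def predict_proba(self, x: List[int]) -> float:
        """P(class 1 | x), i.e. P(this type | sample)."""
        l1, l0 = self.log_joint(x, 1), self.log_joint(x, 0)
        return 1.0 / (1.0 + math.exp(l0 - l1))


class OneVsAll:
    """One binary classifier per type: positives are that type, negatives the rest."""

    def __init__(self, train: List[Sample]):
        self.types = sorted({t for _, t in train})
        X = [x for x, _ in train]
        self.models: Dict[str, BernoulliNB] = {
            t: BernoulliNB().fit(X, [1 if lbl == t else 0 for _, lbl in train])
            for t in self.types}

    def probabilities(self, x: List[int]) -> Dict[str, float]:
        return {t: m.predict_proba(x) for t, m in self.models.items()}

    def predict(self, x: List[int]) -> str:
        """Assign the type whose binary classifier is most confident."""
        probs = self.probabilities(x)
        return max(probs, key=probs.get)


def accuracy(model: OneVsAll, samples: List[Sample]) -> float:
    return sum(model.predict(x) == t for x, t in samples) / len(samples)


if __name__ == "__main__":
    clf = OneVsAll(TRAIN)
    unseen = [1, 1, 0, 0]   # a "new family" showing worm-like signatures
    print(clf.probabilities(unseen), "->", clf.predict(unseen))
```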
Table 7: The Accuracy and False Positive Rate Scores of Our Classifier

Types | Accuracy | FPR
Worms | 78.30% | 0.008
Virus | 73.79% | 0.065
Trojan | 61.85% | 0.166
TrojanDropper | 91.98% | 0.02
TrojanDownloader | 34.55% | 0.101
Backdoor | 69.31% | 0.013

From Table 7 we can see the accuracy for each type. TrojanDownloader performed relatively poorly compared to the other types, but since our classifier classifies it into its parent family (Trojan), our classifier seems effective.
Improvement over our Past Results
In our most recent work on malware detection, we did not perform classification during detection. In that previous work we used a hybrid approach, with features from both static and dynamic data. Static features included COFF file and Optional header attributes, histograms related to string length, and an entropy-based feature for packed malware. Dynamic features included file system, mutex and registry related features. Also, our past dataset was smaller in size (~12587 malware and 1800 benign samples), which could be improved upon by the recent work as we have collected a much larger set of malware in the recent past. Even though we achieved a detection accuracy of 98.62%, we did not do any classification of types and families of malware.
In another related work in the recent past, we attempted classification of malware into malware classes. In that work, we converted the malicious executables to image files and used ResNet and CNN to perform classification. We achieved an accuracy of 98.22%. This work used a larger dataset of 44935 samples comprising both Win32 and Win64 executables. However, in the most recent work reported here, classification into a larger number of malware classes has been achieved. We are now able to classify into the types Virtool and Password Stealer (PWS), which were not included in the previous dataset. Also, no attempt was made on zero-day malware classification in that work.
Currently, we are in the process of combining all these different classification and detection models into a single framework – which will consist of a set of tools for detection and classification; any malware found can then be submitted to all the tools simultaneously, and the results will be combined to give better accuracy.
AUTOMATIC MALWARE DETECTION USING MEMORY FORENSICS
Detecting malware when a new binary is downloaded, to distinguish it from ‘benign-ware’, is an important part of computer security. Various techniques using both static and dynamic analysis have been proposed by researchers to detect malware. But day by day, malware authors have improved their evasion capabilities using non-persistent and volatile payloads that operate only in memory. Malware authors are also using obfuscation techniques to make reverse engineering of the binary tougher, and hence malware analysis is now not limited to static and dynamic analysis; researchers are also investigating other approaches to separate malware from benign software more effectively.
Memory forensics techniques give a comprehensive view of the actions of malicious executables. Hence in this work, we analyze binaries for the WINDOWS 32-bit OS using memory forensics on generated memory dumps to detect malware effectively, as shown in Figure 12. To understand the typical behavior of malware, we have used an interval-based approach to take the memory dumps.
These memory dumps are generated by the Cuckoo sandbox and then features are extracted from each of them, such as registry bindings, suspicious DLLs, hidden processes, orphan threads, code injection, injected DLLs, file system etc. For the detection of malware, we selected the features for the classifier models by information gain index. The obtained features are used to investigate the XG-Boost, KNN and Decision Tree classifiers using k-fold cross-validation to avoid over-fitting. We found that the XG-Boost classifier outperformed the other classifiers, with 99.09% accuracy in detecting malware.
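Selecting memory-dump features by information gain, as referred to above; an added example, not the center's pipeline. The feature names follow the list in the text, and the per-sample 0/1 table with its malware/benign labels is constructed.

```python
"""Information-gain ranking of binary memory-dump features for malware detection.
Added example with a constructed feature table."""
import math
from typing import List, Tuple

# Features observed in a memory dump (1 = present), named after the list above.
FEATURES = ["hidden_process", "orphan_thread", "injected_dll",
            "suspicious_dll", "registry_run_key"]

# Constructed dataset: (feature vector, label) with label 1 = malware, 0 = benign.
DATASET: List[Tuple[List[int], int]] = [
    ([1, 1, 1, 1, 1], 1),
    ([1, 0, 1, 1, 1], 1),
    ([1, 1, 1, 0, 1], 1),
    ([1, 0, 0, 0, 1], 1),
    ([0, 1, 0, 1, 0], 0),
    ([0, 0, 0, 0, 1], 0),
    ([0, 1, 0, 0, 0], 0),
    ([0, 0, 1, 0, 0], 0),
]


def entropy(labels: List[int]) -> float:
    """Shannon entropy (bits) of a label list."""
    n = len(labels)
    if n == 0:
        return 0.0
    h = 0.0
    for c in set(labels):
        p = labels.count(c) / n
        h -= p * math.log2(p)
    return h


def info_gain(dataset: List[Tuple[List[int], int]], j: int) -> float:
    """H(label) - sum over feature values of |subset|/n * H(label | subset)."""
    labels = [y for _, y in dataset]
    n = len(labels)
    gain = entropy(labels)
    for value in (0, 1):
        subset = [y for x, y in dataset if x[j] == value]
        gain -= len(subset) / n * entropy(subset)
    return gain


def rank_features(dataset, names: List[str]) -> List[Tuple[str, float]]:
    """Features ordered from most to least informative about the label."""
    scores = [(names[j], info_gain(dataset, j)) for j in range(len(names))]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def select_top(dataset, names: List[str], k: int) -> List[str]:
    return [name for name, _ in rank_features(dataset, names)[:k]]


def project(dataset, names: List[str], keep: List[str]):
    """Reduce every sample to the selected feature columns, keeping its label."""
    idx = [names.index(k) for k in keep]
    return [([x[i] for i in idx], y) for x, y in dataset]


if __name__ == "__main__":
    for name, gain in rank_features(DATASET, FEATURES):
        print(f"{name:18s} IG = {gain:.4f}")
    print(project(DATASET, FEATURES, select_top(DATASET, FEATURES, 2))[:2])
```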
We compared our work with the work of other researchers (R. Mosli et al., Chathuranga Rathnayaka et al. and M. Aghaeikheirabady et al.) and found that our approach outperformed theirs, as shown in Table 8.
Table 8: Comparison of our work with other researchers' work.
Authors | Accuracy | No. of samples used | Features used
R. Mosli et al. | 96% | 400 malware, 100 benign | Registry keys, DLLs, API
Chathuranga Rathnayaka et al. | 90% | 200 malware, 200 benign | Kernel memory, kernel objects, registry, API, strings, file systems
M. Aghaeikheirabady et al. | 98% | 350 malware, 200 benign | Registry changes, function calls etc.
Our approach | 99.09% | 1730 malware, 1571 benign | 259 features {registry, suspicious DLLs, process dump, kernel dump, code injection, file system etc.}
Figure 12: Process of detecting malware by using memory forensics.
In future we will work to reduce the false positive rate to zero for malware
detection. Also, this work takes a memory dump of the system every 10 seconds,
which deposits a huge amount of data; hence in future we will reduce the number
of memory dumps that need to be parsed per sample. A memory dump can be taken
only when malicious activity is recorded in the guest machine, such as an
absurd increase in CPU usage, unknown access to the registry, an increase in
network traffic, etc. Based on this information we can reduce the volume of
memory dumps to parse. The work can be extended to build a tool for the Windows
operating system that continuously monitors the system and, whenever malicious
activity is observed in memory, informs the user which process may harm their
personal computer.
LINUX MALWARE DETECTION BY HYBRID ANALYSIS
Over the past two decades, the cyber-security research community has been
working on detecting malicious programs for Windows-based operating systems.
However, the recent exponential growth in popularity of IoT (Internet of Things)
devices is causing the malware landscape to change rapidly. This so-called 'IoT
Revolution' has fueled the interest of malware authors, which has led to
exponential growth in Linux malware. The increasing number of malware samples is
becoming a serious threat to data privacy as well as to expensive computing
resources. Manual malware analysis is not effective due to the large number of
such cases. Furthermore, malware authors are using various obfuscation
techniques to impede detection by traditional signature-based anti-virus
systems. As a result, automated yet robust malware analysis is much needed.
As we saw in the earlier sections, both static and dynamic analysis have
limitations. Static analysis can be thwarted once some encryption algorithm is
used, while dynamic analysis suffers from the low code coverage problem. But
what if we combine the feature sets of both approaches? Dynamic analysis can
give full insight when static analysis is thwarted by obfuscation; on the
other hand, static analysis can cover the full executable when dynamic analysis
suffers from the code coverage issue. This shows that the two complement each
other. Malware authors use packers, obfuscation techniques and
polymorphism/metamorphism to bypass file-format-based or signature-based
analysis. They can make the malware do random things, such as randomly
accessing files or calling random system calls, to bypass dynamic analysis. But
bypassing both techniques at once is a tougher job for them. In this work, we
develop a hybrid approach that integrates both the static and the dynamic
features of a malware sample to detect it efficiently, as shown in Figure 13.
We performed static and dynamic analysis on 7717 malware and 2265 benign files
and extracted the static and dynamic features of the executables separately.
These features were then integrated to construct machine learning models using
KNN, Decision Tree and Random Forest classifiers separately. Among the selected
models we found that Random Forest outperformed the others with a highly
promising detection accuracy of 99.14%.
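The following Python is an added example, not the Center's pipeline, of how a static ELF-header view and a dynamic system-call view can be fused into one feature vector as described above; the ELF bytes, the strace-style trace and the feature names are constructed for the demonstration, and the header checks show how a forged header can be kept as a feature rather than discarded:

```python
"""Fusing static ELF-header features with dynamic system-call features.

Added example; not the C3i Center's pipeline. The ELF64 header is parsed with
consistency checks, so a forged header becomes a feature instead of a reason to
drop the sample; printable strings are counted; a strace-style trace is reduced
to system-call, file-system and shell-command counts. The ELF bytes, the trace
and the feature names are constructed for this demonstration.
"""
import re
import struct
from collections import Counter

ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte little-endian ELF64 header
ELF64_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
                "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
                "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)", re.M)
NET_CALLS = {"socket", "connect", "bind", "listen", "accept", "sendto", "recvfrom"}
FS_CALLS = {"open", "openat", "unlink", "rename", "chmod", "mkdir"}

def build_elf64(e_type=2, e_machine=0x3E, phnum=2, ehsize=64, phentsize=56, extra=b""):
    """Constructed ELF64 image: header, zero-filled program headers, then extra bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1, SYSV
    hdr = ELF64_HDR.pack(ident, e_type, e_machine, 1, 0x401000, 64, 0, 0,
                         ehsize, phentsize, phnum, 64, 0, 0)
    return hdr + bytes(phentsize * phnum) + extra

def parse_elf64_header(data):
    """Return (fields, issues); issues are header inconsistencies typical of forged headers."""
    if len(data) < ELF64_HDR.size:
        return None, ["truncated header"]
    hdr = dict(zip(ELF64_FIELDS, ELF64_HDR.unpack_from(data)))
    issues = []
    if hdr["e_ident"][:4] != b"\x7fELF":
        issues.append("bad magic")
    if hdr["e_ident"][4] != 2:
        issues.append("not ELFCLASS64")
    if hdr["e_ehsize"] != ELF64_HDR.size:
        issues.append("e_ehsize mismatch")
    if hdr["e_phnum"] and hdr["e_phentsize"] != 56:
        issues.append("e_phentsize mismatch")
    if hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"] > len(data):
        issues.append("program headers beyond EOF")
    return hdr, issues

def static_features(data):
    hdr, issues = parse_elf64_header(data)
    strings = re.findall(rb"[\x20-\x7e]{4,}", data)   # printable runs of 4+ bytes
    return {"st_e_type": hdr["e_type"] if hdr else -1,
            "st_e_machine": hdr["e_machine"] if hdr else -1,
            "st_phnum": hdr["e_phnum"] if hdr else -1,
            "st_header_issues": len(issues),
            "st_strings": len(strings),
            "st_has_shell_string": int(b"/bin/sh" in data)}

def dynamic_features(trace):
    counts, files, net, shells = Counter(), set(), 0, 0
    for name, args, _ret in SYSCALL_RE.findall(trace):
        counts[name] += 1
        if name in NET_CALLS:
            net += 1
        if name in FS_CALLS:
            path = re.search(r'"([^"]+)"', args)   # first quoted argument is the path
            if path:
                files.add(path.group(1))
        if name == "execve" and re.match(r'"/bin/(sh|bash)"', args):
            shells += 1
    return {"dyn_syscalls": sum(counts.values()), "dyn_distinct_syscalls": len(counts),
            "dyn_net_calls": net, "dyn_files_touched": len(files), "dyn_shell_execs": shells}

def hybrid_features(elf_bytes, trace):
    """One fused vector: static features first, then dynamic ones."""
    return {**static_features(elf_bytes), **dynamic_features(trace)}

# Constructed strace-style trace of a sandboxed run (192.0.2.10 is a documentation address).
TRACE = """\
execve("./sample", ["./sample"], NULL) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0"..., 4096) = 4096
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED
execve("/bin/sh", ["sh", "-c", "cat /proc/cpuinfo"], NULL) = 0
unlink("/tmp/.lock") = 0
"""

if __name__ == "__main__":
    sample = build_elf64(extra=b"\x00/bin/sh\x00-c\x00wget\x00")
    for key, value in hybrid_features(sample, TRACE).items():
        print(f"{key:22s} {value}")
    print("forged:", parse_elf64_header(build_elf64(ehsize=0)[:80])[1])
```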
Table 9: Comparison of our work with other researchers' work.
Authors | Features | Accuracy | Dataset | Type of features
Shahzad et al. | 383 | 99% | 709 benign, 709 malware | Static: ELF structure
Jinrong et al. | 100 | 98% | 756 benign, 763 malware | Static: Symbol table
Shahzad et al. (another work) | 16 | 96% | 105 benign, 114 malware | Dynamic: Process control block
Ours | 115 + 260 | 99.14% | 2265 benign, 7717 malware | Static: ELF header + strings; Dynamic: System calls + file systems + shell commands
Figure 13: The process to detect malware by hybrid analysis
Table 9 shows the comparison of accuracy attained by other works, which were
performed on a very small dataset. In this work, we have used a large corpus of
both malware and benign files to make our model robust. Shahzad et al. have
performed analysis using fields of the static ELF structure with a 99% detection
accuracy, but since this approach is purely static they have rejected some of the
samples which have forged headers. Ashmita et al. have used the dynamic
approach, in which they analyzed system calls. They got a great detection
accuracy of 99.40%, but the dataset they used had only 226 malware samples, and
the number of features was also very small. Our model has a comparable average
detection accuracy of 99.14%, and the size of our dataset is also quite large
compared to other works (Table 3), which makes our model robust.
All prior work on Linux malware analysis used fewer than 1000 malware samples,
and hence the accuracy numbers they report are not completely validated. Our
work improves over prior work in two ways: a substantial enhancement of the
dataset, and hybrid analysis based on both static and dynamic features.
This work focuses on the ELF file format, but there exist other kinds of
malware, such as Perl, Python, shell, Bash and PHP scripts, that perform
malicious activity. In future we will add modules to our model to build a more
comprehensive anti-malware system.
DEVELOPMENT OF HONEYPOTS FOR THREAT INTELLIGENCE
• We deployed honeypots for services such as SSH, FTP, SMB, Telnet, SQLi, Web
and CWMP.
• Honeypots were deployed at different geographical locations such as San
Francisco, London, Toronto, India, France and New York for more than a
month. All the honeypots collectively received a total of 57075 attacks.
• HoneySMB was deployed for around 25 days and received a total of 1147 attacks
from 867 unique IPs. HoneySMB downloaded 21 different malicious files, of
which 13 are for Windows OS and the remaining are for Linux OS.
Table 10: Unique IPs in percentage attacking various service honeypots
Protocol | Unique IPs which attacked (in %)
Telnet | 25.06
SSH | 20.52
WEB-SQLi | 16.32
Web | 5.61
SMB | 6.31
CWMP | 9.33
FTP | 7.63
DB | 9.18
Figure 14: A sample of Analytics on the attacks found on IIT Kanpur Network by our Honeypots
• HoneyWEB-SQLi was deployed for around one month at various locations in the
world with a cloned www.cse.iitk.ac.in website. It received around 3682
attacks from 771 different IPs. The types of attack observed on this honeypot
include shell requests, beast attacks, phpMyAdmin interface exploits, scanners
and crawlers, wrong requests and DNS attacks.
• HoneyDB was deployed over a period of 25 days in various countries around
the globe. The honeypot was deployed under two scenarios with two different
username/password pairs. It obtained a total of 18435 attacks from 1261 unique
IPs. In scenario 1, with username and password both 'admin', only 1561
connection requests came, out of which only 3 IPs managed to do something with
the database. In scenario 2, with username and password both 'root', 12290
connection requests came; many attacks were observed, with 4 of them able to
create a new user via a backdoor.
References-
HoneyFARM - https://github.com/r0hi7/HoneySSH
Augmented ssh client - https://github.com/r0hi7/ssh4honeypot
HoneyFTP - https://github.com/nishitm/HoneyFTP
HoneyWEB - https://github.com/r0hi7/HoneyWEB
IOT HONEYPOTS DEPLOYED
• We focused on the MQTT protocol (a protocol commonly used by IoT devices),
for which several CVEs (Common Vulnerabilities and Exposures) were reported in
2017.
• We placed an MQTT broker inside an SSH honeypot and made it interact with
the simulated IoT devices.
• The honeypots were deployed on cloud servers in different locations, such as
India, Amsterdam and Canada, for more than a month and received attacks from a
total of 2576 unique hosts.
• Username 'root' and password 'root' were the most common in the list of
usernames and passwords used in the CONNECT packets sent in attempts to
brute-force the MQTT broker.
• CONNECT packet flooding, SYN packet flooding, privilege escalation by setting
the client id to '#', and tampering with IoT device data by manipulating the
data of the topics they were subscribed to were some of the common attacks
observed.
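As an added example (not the honeypot code referenced in this section) of how a broker-side honeypot can recognise the CONNECT-packet patterns listed above, the Python below parses MQTT 3.1.1 CONNECT packets and tags default credentials, wildcard client ids and CONNECT flooding; the packets, source addresses, credential watch-list and thresholds are constructed or assumed:

```python
"""Triage of MQTT 3.1.1 CONNECT packets as seen by a broker honeypot.

Added example; not the C3i honeypot code. It builds and parses CONNECT packets
(fixed header, variable-length "remaining length", variable header, payload)
and tags the patterns listed above: default credentials such as root/root,
the wildcard client id '#', and CONNECT flooding or credential brute force.
All packets, addresses and thresholds below are constructed or assumed.
"""
import struct
from collections import defaultdict

DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("admin", "password")}  # assumed watch-list
FLOOD_THRESHOLD = 20   # CONNECTs per source per window (assumed)
BRUTE_THRESHOLD = 5    # distinct credential pairs per source (assumed)

def _encode_remaining_length(n):
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def _decode_remaining_length(data, pos):
    value, mult = 0, 1
    for _ in range(4):                 # the spec allows at most 4 length bytes
        byte, pos = data[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def _utf8(s):
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def _read_utf8(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def build_connect(client_id, username=None, password=None, keepalive=60):
    """Constructed CONNECT packet: clean session, no will message."""
    flags, payload = 0x02, _utf8(client_id)
    if username is not None:
        flags, payload = flags | 0x80, payload + _utf8(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _utf8(password)
    body = _utf8("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return b"\x10" + _encode_remaining_length(len(body)) + body

def parse_connect(pkt):
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    length, pos = _decode_remaining_length(pkt, 1)
    if pos + length > len(pkt):
        raise ValueError("truncated packet")
    proto, pos = _read_utf8(pkt, pos)
    level, flags, keepalive = pkt[pos], pkt[pos + 1], struct.unpack_from(">H", pkt, pos + 2)[0]
    client_id, pos = _read_utf8(pkt, pos + 4)
    if flags & 0x04:                   # will flag set: skip will topic and will message
        _, pos = _read_utf8(pkt, pos)
        _, pos = _read_utf8(pkt, pos)
    username, pos = _read_utf8(pkt, pos) if flags & 0x80 else (None, pos)
    password, pos = _read_utf8(pkt, pos) if flags & 0x40 else (None, pos)
    return {"proto": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username": username, "password": password}

def triage_connect(pkt):
    """Return (parsed fields, alert tags) for one CONNECT packet."""
    c, tags = parse_connect(pkt), []
    if any(ch in c["client_id"] for ch in "#+"):   # topic wildcards used as a client id
        tags.append("wildcard-client-id")
    if (c["username"], c["password"]) in DEFAULT_CREDS:
        tags.append("default-credentials")
    return c, tags

def triage_window(events):
    """events: [(src_ip, pkt), ...] from one time window -> {src_ip: summary}."""
    per_src = defaultdict(lambda: {"connects": 0, "creds": set(), "tags": set()})
    for src, pkt in events:
        c, tags = triage_connect(pkt)
        entry = per_src[src]
        entry["connects"] += 1
        entry["creds"].add((c["username"], c["password"]))
        entry["tags"].update(tags)
    for entry in per_src.values():
        if entry["connects"] >= FLOOD_THRESHOLD:
            entry["tags"].add("connect-flood")
        if len(entry["creds"]) >= BRUTE_THRESHOLD:
            entry["tags"].add("credential-brute-force")
    return dict(per_src)

if __name__ == "__main__":
    print(triage_connect(build_connect("#", "root", "root"))[1])
```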
Table 11: Attack statistics from IPs belonging to various countries on our IoT honeypots
Country | Unique hosts that attacked (in %)
China | 28.44
USA | 26.21
Korea | 5.94
Brazil | 5.65
Russia | 5.01
Vietnam | 4.38
France | 4.38
India | 3.82
Others | 16.17
Figure 14: Distinguishing script-based attacks and manual attacks based on inter-command latency
References-
SSH Honeypot- https://github.com/shbhmsingh72/wetland
MQTT Broker- https://github.com/shbhmsingh72/hbmqtt
CRYPTANALYSIS AND CRYPTO ENGINEERING
One objective of the center is to find mathematical attacks on recent hash
functions, as hash functions are gaining more importance due to their
pervasive use in blockchains and crypto-currencies. Some interesting results
obtained by the researchers at the center are as follows:
Cryptanalysis of 1-Round KECCAK
KECCAK was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles
Van Assche. It was selected as the winner of the SHA-3 competition and in 2015
it was standardized as "Secure Hash Algorithm 3". Due to its vast applications,
a lot of security analysis is being performed on the KECCAK hash family.
In our recent work, we give the first preimage attack against the 1-round
KECCAK-512 hash function; it works for all variants of 1-round KECCAK. The only
computation required in this attack is solving 384 linear equations. It is
based on exploiting the degrees of freedom in the equations between hash values
and message bits, and converting these equations into simple assignments of
values to message variables. Using this method, we can find a message of length
less than 1024 bits corresponding to every hash value. The time complexity of
this attack is constant.
The above preimage attack was implemented in C++ using Victor Shoup's NTL
library. The code was executed on a laptop with an Intel Core i5-7200 processor
and 16GB RAM, giving the preimage in less than 0.005 seconds.
This result was presented at AFRICACRYPT 2018, held at Marrakesh, Morocco on
May 7-9, 2018.
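As an added example, not the authors' attack code, the following Python implements one round of Keccak-f[1600] and checks which of its step mappings are linear over GF(2); this is the structural fact behind expressing a 1-round preimage as a system of linear equations, since chi is the only step of algebraic degree 2. The lane ordering, rotation offsets and round constant follow the Keccak reference; the random-state linearity check is this example's own device:

```python
"""One round of Keccak-f[1600] and a linearity check of its step mappings.

Added example; not the authors' attack implementation. The attack described
above reduces finding a 1-round preimage to solving linear equations. This
script shows the structural reason: theta, rho and pi are GF(2)-linear and
iota is affine, so chi (algebraic degree 2) is the only nonlinear step of the
round. The state is 25 lanes of 64 bits, lane (x, y) stored at index x + 5*y.
"""
import random

MASK = (1 << 64) - 1
# Rotation offsets of rho, indexed by x + 5*y.
RHO = [0, 1, 62, 28, 27,
       36, 44, 6, 55, 20,
       3, 10, 43, 25, 39,
       41, 45, 15, 21, 8,
       18, 2, 61, 56, 14]
RC0 = 0x0000000000000001   # round constant of the first round


def rotl(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK if n else v


def theta(a):
    c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
    d = [c[(x - 1) % 5] ^ rotl(c[(x + 1) % 5], 1) for x in range(5)]
    return [a[i] ^ d[i % 5] for i in range(25)]


def rho_pi(a):
    # B[y, 2x + 3y] = ROT(A[x, y], r[x, y]); both steps only move and rotate lanes.
    b = [0] * 25
    for x in range(5):
        for y in range(5):
            b[y + 5 * ((2 * x + 3 * y) % 5)] = rotl(a[x + 5 * y], RHO[x + 5 * y])
    return b


def chi(a):
    # A[x, y] ^= (~A[x+1, y]) & A[x+2, y]: the AND makes this step degree 2.
    return [(a[x + 5 * y] ^ (~a[(x + 1) % 5 + 5 * y] & a[(x + 2) % 5 + 5 * y])) & MASK
            for y in range(5) for x in range(5)]


def iota(a, rc=RC0):
    return [a[0] ^ rc] + a[1:]


def keccak_round(a, rc=RC0):
    """One full round: iota(chi(pi(rho(theta(a)))))."""
    return iota(chi(rho_pi(theta(a))), rc)


def is_gf2_linear(f, trials=16, seed=1):
    """Empirical check of f(a ^ b) == f(a) ^ f(b) on random 1600-bit states."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.getrandbits(64) for _ in range(25)]
        b = [rng.getrandbits(64) for _ in range(25)]
        fa, fb, fab = f(a), f(b), f([u ^ v for u, v in zip(a, b)])
        if any(x ^ y != z for x, y, z in zip(fa, fb, fab)):
            return False
    return True


def linearity_report():
    """Which step mappings of the round are GF(2)-linear."""
    return {
        "theta": is_gf2_linear(theta),
        "rho_pi": is_gf2_linear(rho_pi),
        "chi": is_gf2_linear(chi),
        "iota": is_gf2_linear(iota),   # affine, not linear: the constant breaks additivity
        "theta_rho_pi": is_gf2_linear(lambda s: rho_pi(theta(s))),
    }


if __name__ == "__main__":
    for step, linear in linearity_report().items():
        print(f"{step:14s} linear over GF(2): {linear}")
```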
Resource Efficient Implementation of Crypto-primitives in Hardware
For the implementation of modern network protocols such as IPsec, one needs to
encrypt, decrypt and hash at line speed. This implies that we need efficient,
low-power hardware implementations of cryptographic algorithms. Below, we give
a summary of our work in this area over the last year.
VLSI ARCHITECTURES FOR CRYPTO PRIMITIVES
In this work, we consider hardware implementations of a number of
cryptographic primitives and present a number of optimizations. The following
areas are the focus.
(1) High Throughput Galois Field (GF) Multipliers - Vector GF(2^m) and m-bit
GF(p) multipliers are proposed. The vector GF(2^m) multiplier performs multiple
GF(2^{m/2}) and GF(2^{m/4}) multiplications using one GF(2^m) multiplier;
similarly, the vector m-bit GF(p) multiplier performs m/2-bit and m/4-bit GF(p)
multiplications using one m-bit GF(p) multiplier, where m = log2 p. This work
also proposes non-vector flexible GF(2^m) and m-bit GF(p) multipliers, where m
can be varied from 2 to the maximum allowable value. The proposed systolic
vector parallel GF(2^{16}) multiplier achieves a 95.8% improvement in
throughput over a reconfigurable bit-serial design using 45nm CMOS technology
with Cadence Genus/Innovus 15.20. Figure 15 shows the operation of the proposed
systolic parallel versatile non-vector GF(2^4) LSB-first multiplier, where
GF(2^3) and GF(2^3) multiplications can be done using the GF(2^4) multiplier.
(2) Low Power Asynchronous Crypto Primitives - The GF multipliers,
multiplicative inverse, exponentiation, 128-bit AES and affine-coordinate-based
GF(2^{163}) ECC are designed in an asynchronous way, where the hardware is
repeatedly reused for a number of iterations without synchronous registers,
using an asynchronous completion detection logic. This reduces power
dissipation as compared with various existing techniques. For example, the
proposed asynchronous GF(2^{16}) multiplier design achieves a 99.6% improvement
in switching power reduction over a scalable Montgomery-based multiplier using
45nm CMOS technology with Cadence Genus/Innovus 15.20. Figure 16(d) shows the
proposed asynchronous design, where the recharge stage uses the FSM to get the
inputs from the input ports or from the previous output. The COMBO block
performs the operation and the CTL (control logic) determines whether the
present operation is completed or not. If the operation is completed, then the
done signal goes high, and the FSM takes this output as the input for the next
operation.
Figure 15: Operation of the proposed systolic parallel versatile non-vector GF(2^4) LSB-first multiplier
(3) Low Power Network Packet Processing Elements - This research work
involves various hardware optimizations on payload matching, packet
classification and backplane switch interconnects, by allowing architectural
changes in the existing designs. Here, asynchronous Bloom-filter-based payload
matching, lookup/decision-tree-based packet classification with clock gating,
and multiplexer-based buffered cross-bar backplanes are used to achieve low
power dissipation. For example, the proposed asynchronous Bloom-filter-based
payload match architecture achieves a 94.9% reduction in PDP over the Cuckoo
design using 45nm CMOS technology with Cadence Genus/Innovus 15.20.
(4) Flexible LFSR based Dividers for BCH and RS Error Correction
Encoders - This work proposes LFSR-based serial/parallel flexible and vector
divider architectures for use in BCH and Reed-Solomon (RS) ECCs. This work also
elaborates versatile hardware implementations of BCH- and RS-based Turbo
product codes (TPCs) using the serial flexible/vector dividers. The proposed
flexible architectures perform the division operation with a variable-length
generator polynomial in BCH- and RS-based ECCs. The proposed vector
architectures perform multiple division operations in parallel to improve the
throughput. The synthesis results using 45nm CMOS technology show that the
proposed designs achieve significant improvement over the existing designs. For
example, the proposed LFSR-based serial vector dividers achieve 47.1% and 83.3%
improvement in throughput as compared with the conventional designs for a BCH
encoder with a generator polynomial of length 65 and an RS encoder with a
generator polynomial of length 17 respectively, with Cadence Genus/Innovus
15.20.
(5) Efficient Hardware-Software Codesigns of AES Encryptor and RS-BCH
Encoder - This work proposes efficient hardware-software codesigns for an AES
encryptor and an RS-BCH concatenated encoder, where the latency and hardware
cost lie in between the fully hardware and fully software based designs. In the
proposed AES folded codesign, we do not use synchronous registers. In the
proposed RS-BCH concatenated encoder, the entire design is partitioned into
two: the less intensive task goes to software and the heavily intensive task to
hardware. The synthesis results show that our proposed hardware-software
codesigns of 128-bit AES and the RS(255,239)-BCH(2184,2040) serial concatenated
error correction encoder achieve 85% and 40% reduction in switching power
dissipation over the conventional folded 128-bit AES design and the fully
hardware based RS-BCH concatenated encoder design respectively, using an
Artix-7 FPGA implementation. Figure 18 shows the block diagram of the AES/RS-BCH
co-processor connected with a 32-bit MicroBlaze using Xilinx Vivado.
Figure 18: Block diagram of the AES/RS-BCH co-processor connected with 32-bit Microblaze using Xilinx Vivado
Tools/Equipment Used:
(1) Artix-7 Nexys-4 FPGA (XC7A100T-CSG324) evaluation board using Xilinx
Vivado
(2) Cadence Genus/Innovus 15.20 with 45nm CMOS technology library (gsclib045
-- fast_vdd1v0_basicCells.lib)
Figure 16: (a) The circuit with synchronous pipeline, (b) Asynchronous pipeline with glitches due to delay imbalance in the forward path, (c) Existing asynchronous pipeline without glitches (absence of delay imbalance in the forward path), (d) Proposed glitch f
PUBLICATIONS – CONFERENCES/JOURNALS
1. Mohamed Asan Basiri M and Sandeep K. Shukla, "Efficient Hardware-
Software Codesigns of AES Encryptor and RS-BCH Encoder", International
Symposium on VLSI Design and Test (VDAT), 2018 (accepted for oral
presentation).
2. J. G. Sreenath, S. Mangalwedekar, A. Meghwani, S. Chakrabarti, K. Rajawat,
and S. C. Srivastava, "Impact of GPS Spoofing on Synchrophasor Assisted
Load Shedding", PES General Meeting, Portland, Oregon, Aug 5-9, 2018
(accepted).
3. Rajendra Kumar, Mahesh Sreekumar Rajasree and Hoda AlKhzaim,
"Cryptanalysis of 1-Round KECCAK", Springer International Publishing AG,
part of Springer Nature, 2018.
4. Mohamed Asan Basiri M and Sandeep K. Shukla, “Flexible Composite Galois
Field GF ((2^m)^2) Multiplier Designs”, International Symposium on VLSI
Design and Test (VDAT), Communications in Computer and Information
Science, Springer, vol. 711, pp. 3-14, June 2017, India.
5. Mohamed Asan Basiri M and Sandeep K. Shukla, "Low Power Hardware
Implementations for Network Packet Processing Elements", Integration,
the VLSI Journal, vol. 62, pp. 170-181, June 2018 .
6. Debleena Das, Ansuman Banerjee, Sandeep K. Shukla, "An automata
theoretic framework for detecting schedulability attacks on cyber-physical
systems", EAIT 2018 : Fifth International Conference on Emerging
Applications of Information Technology, 2018 .
7. Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K.
Shukla, "Detecting Insider Attacks on Databases using Blockchains",
ACM SIGSAC Conference on Computer and Communications Security, 2017.
8. S.Venkatesan, Shubham Sahai Srivastava and Sandeep Kumar Shukla,
"Decentralized Authentication of IoT devices using Blockchain", 2nd
Advanced Workshop on Blockchain: Technology, Applications, Challenges ;
IIT Bombay, 2017.
9. Mohamed Asan Basiri M and Sandeep K. Shukla, "Flexible VLSI
Architectures for Galois Field Multipliers", Integration, the VLSI Journal,
vol. 59, pp. 109-124, 2017.
10. Prachi Joshi, S. S. Ravi, Soheil Samii, Unmesh Bordoloi, Sandeep Shukla,
Haibo Zeng, "Offset Assignment to Signals for Improving Frame Packing in
CAN-FD", accepted for IEEE Real-Time Systems Symposium (RTSS 2017),
Paris, France, December 2017.
11. Rourab Paul and Sandeep Kumar Shukla, "A High Speed KECCAK
Coprocessor for Partitioned NSP Architecture on FPGA Platform", VDAT
2017: 21st International Symposium on VLSI Design and Test, 2017.
12. Sandeep K Shukla, "Editorial: Distributed Public Ledgers and Block Chains—
What Good Are They for Embedded Systems?", ACM Transactions on
Embedded Computing Systems (TECS), 2017.
TECHNICAL REPORTS
1. Detecting Insider Attacks on Databases using Blockchains
Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K.
Shukla
2. Flexible VLSI Architectures for Galois Field Multipliers
Mohamed Asan Basiri M and Sandeep K Shukla
3. Hardware Optimizations for Crypto Implementations
Mohamed Asan Basiri M and Sandeep K Shukla
4. Flexible Composite Galois Field GF((2^m)^2) Multiplier Designs
Mohamed Asan Basiri M and Sandeep K Shukla
5. A High Speed KECCAK Coprocessor for Partitioned NSP Architecture on
FPGA Platform
Rourab Paul, Sandeep K Shukla
6. A SCADA test bed For Cyber Security Education & Research
Rohit Negi, Abhay Kumar, Saurabh Kumar, Sandeep K Shukla, Avik Dayal
HUMAN RESOURCE DEVELOPMENT
PhD Theses (Ongoing)
Student Name | Thesis Topic
Abhay Kumar | Cyber Security of Software Defined Networks
Saurabh Kumar | A Framework for Sandboxing and Dynamical Analysis for Android Malware
Shubham Sahai Srivastava | Formal Analysis and Verification of Security Protocols and Block Chain Protocols
Rajendra Kumar | Hardness of Lattice Problems
Mahesh Sreekumar Rajasree | Algorithms for Lattice Problems and Lattice based Cryptography
Gufran Siddique | Mobile Agents based Cyber Defense Immune System
M. S. Thesis (Ongoing)
Student Name | Thesis Topic
Rohit Negi | SCADA Security, SCADA Test Bed Design and Vulnerability/Threat Intelligence
Aneet Dutta | Intrusion Detection in Cyber Physical Systems with Anomaly Detection
M. Tech Thesis (Completed)
Student Name | Thesis Topic
Amit Kumar | PeerClear: Peer-to-Peer Botnet Detection
Shubham Singh | Cloud Based IoT Honeypot for MQTT Protocol
Anmol Kumar Shrivastava | Linux Malware Detection by Hybrid Analysis
Gaurav Kumar | Automatic malware detection using memory forensics
Mugdha Gupta | Early Stage Malware Classification using Behavior Analysis
Vineet Purswani | Clustering for hybrid malware analysis and multi-path execution
Ajay Singh | Malware Classification using Image Representation
Pranjul Ahuja | Robust Malware Detection using Integrated Static and Dynamic Analysis
Saptarshi Gan | An IoT simulator in NS3 and a key-based authentication architecture for IoT devices using blockchain
Rohit Sehgal | Tracing Cyber Threats with Honey-systems
Nishit Majithia | Honey-System: Design, Implementation & Attack Analysis
Krishnaprasad P | Capturing attacks on IoT devices with a multi-purpose IoT honeypot
UGP Projects (Completed)
Student Name | Thesis Topic
Prakhar Agrawal | Exploiting Media Projection Vulnerability in Android 7 and below
Nilesh Vasita | Verifiable billing in Electric Vehicle charging infrastructure using blockchain
Arham Chopra | Lightweight Security in SCADA Systems
Dhruv Kumar | Secure Authentication in Content Management System (CMS)
Saksham Sharma | Study and Implementation in Haskell
Shikhar Mahajan | Enegiota: A scalable and feeless billing DApp on Tangle
OUTREACH TO RAISE AWARENESS ABOUT CYBER SECURITY
CSAW 2017
Cyber Security Awareness Week (CSAW) was successfully introduced to India in
2016 by the Dept. of CSE, IIT Kanpur in partnership with NYU Tandon School of
Engineering; its second edition commenced in 2017 (9th-11th November). The
event was co-hosted at four locations, i.e. North America, Europe, India and
the Middle East.
In its second year, the cyber security competition expanded significantly, as
is evident from the increased participation and performance of the students,
raising the total number of participants for the CSAW finals from 44 in 2016 to
64 in 2017. To expand its outreach, a new Professional team category was
introduced this year under Capture the Flag, which is a 36-hour around-the-clock
software hacking contest.
The three-day event witnessed the participation of over 52 students and
research scholars and 12 professionals on a pan-India basis. Out of these, a
total of 14 teams (10 teams under the student category and 4 teams under the
professional category) from India participated in Capture the Flag, 2 teams
from IIT Kharagpur and Madras in the Embedded Security Challenge, 1 team from
BHU Law School in the Law & Policy Competition, and 8 paper presentations were
made for the Applied Research Competition.
On day one of CSAW'17 a series of invited talks was arranged, considering it
as a knowledge exchange platform benefitting students. The invited speakers
represented academia (Indian Statistical Institute, Kolkata; IIT Kharagpur),
industry (Nivetti Systems), entrepreneurs/start-ups (Gratia Technology) and
professional hackers (bug bounty hunters) working in the cyber security arena.
Among the multiple competitions hosted at CSAW, Capture the Flag (CTF) is the
flagship event, inviting hackers to compete and showcase their skills globally.
Finalists under CTF included participants from BITS Pilani, Amrita University
Amritapuri, IIIT Allahabad, NIT Kurukshetra, IIT Roorkee, IIIT Delhi and IIT
Indore. Based on performance, their global ranking was remarkable: under the
student category the winning team 'InfosecIITR' (IIT Roorkee) stood 10th in
the world ranking, while the first runner-up team 'Pirates from the Kernel'
(IIT Indore) and the second runner-up team 'D4rkcode' (IIIT Delhi) stood 16th
and 19th in the world ranking, respectively.
In the professional category, the winning team 'pwnpeiii' stood 14th in the
world ranking while the runner-up team 'Bytebandits' stood at the 15th position.
The Embedded Security Challenge is a hardware hacking challenge, wherein
participants were required to hack into a target system designed by NYU Tandon.
In India, the finalist teams were from IIT Madras and Kharagpur. They competed
with each other through PowerPoint presentations followed by poster
presentations. IIT Madras won over IIT Kharagpur in this challenge.
The Applied Research competition primarily encourages young researchers to
present their papers along with posters. This competition received 14 paper
submissions from various institutes, e.g., IIT Indore, IIT Kharagpur, IIIT
Delhi and IIT Madras. Out of these 14 papers, 8 were shortlisted and invited
for 20-minute presentations. The first position was secured by a team from IIT
Kharagpur while the second and third positions went to teams from IIT Madras
and IIT Kharagpur respectively.
A team from Law School, BHU participated in the Law & Policy competition,
wherein participants must develop a policy paper on a given prompt. This year's
prompt, given by IIT Kanpur, was: "Policy interventions to solve fake news endemic".
These competitions were judged by cyber security experts from IIT Kharagpur, IIT
Ropar, VECC Kolkata, industry (Nivetti Systems), CDAC-Mohali and IIT Kanpur,
except the CTF, which was played online on a global CTF platform. CSAW brings
the C3I centre of the Computer Science department, IIT Kanpur on par with the
Cyber Security centre at NYU in terms of outreach for creating awareness on
cyber security.
CSAW'18 is scheduled to be held on 8-11 November 2018 simultaneously at four
international locations. This year, CSAW will come up with a new integrated
website for all the regional partners. This site will act as a single source of
information for the worldwide participants/audience, bringing all the regional
partners together transparently. September 14-16, 2018 are the dates finalized
for the CTF prelims round; registration for it will open in a day or two.
This year, with the hope of expansion, CSAW-India plans to modify the Embedded
Security Challenge competition and bring it onto more of a CTF platform to
reach dedicated hardware security personnel. Under the Applied Research
Competition, this year's aim is to set up a scrutinizing committee comprising
academicians and professionals for a fairer contest and engagement of experts.
Industry/C3I partners are also to be approached for setting up an industry
fair and to address students and participants. With the number of CSAW-India
Facebook page followers reaching 423, we expect more countrywide participation
of cyber security students and professionals in enhancing their skills through
this platform.
SUMMER INTERNSHIP PROGRAM
Year: 2017
Student Name | College/University | Topic
Subhasis Mukhopadhyay | West Bengal University of Technology | Attacks in Android
Akshat Aggarwal | Indian Institute of Information Technology, Allahabad | Cyber Threat Intelligence Analysis
Mazhar Imam Khan | Indian Institute of Engineering Science & Technology, Shibpur | Telpot - Capturing Cyber Attacks with generic Telnet Based Honeypot
Aditya Srivastava | University of Petroleum & Energy Studies | Detection of Cyber Attacks in Industrial Control Systems Using Neural Networks
Sagar Sharma | KNIT, Sultanpur | Application Vulnerabilities, Issues and Mitigation
Shubham Pandey | Lucknow University | Malware Analysis
Shobhit Rastogi | IIT Kanpur | SMTP by Public Key Cryptography
Dipanwita Mukherjee | West Bengal State University | A browser add-on for Alerting users against Phishing Site Accesses
Jayadeep Reddy Ganta | National Institute of Technology, Tiruchirapalli | Implementation of ZUC Algorithm on FPGA
Utsava Verma | Manipal Institute of Technology, Manipal | Malware Analysis with Machine Learning
Ashish Gahlot | Govt. Engineering College, Ajmer | Vulnerability Assessment of Industrial Control System
Amodini Vardhan | Manipal Institute of Technology, Karnataka | Design and Implementation of a Web-based Scalable, Secure and attributional grade management system
Mugdha Jadhao | IIT Roorkee | Designing coprocessor for implementing crypto-algorithm 'Snow3g'
Mohit Sharma | Ashoka University | Malware Analysis with Machine Learning
Year: 2018
Student Name | College/University
Shyam Sunder Tiwari | Institute of Engineering and Technology, Lucknow
Shankhadip Mallick | University of Engineering & Management, Jaipur
R. Akashraj | MIT, Manipal
Akhil P | Cochin University of Science and Technology, Kerala
Saubhagya Srivastava | University of Petroleum & Energy Studies
Gowtham Chitipolu | IIT Gandhinagar
Chamandeep Singh | NIT Tiruchirappalli
Shivanshu Singh | IIT Kanpur
Raghul M | Amrita University
Ashwin Sekhari | National Institute of Technology, Rourkela
Satish Sripadam | National Institute of Technology, Tiruchirappalli
Rishav Chatterjee | KIIT University
Mohammed Israil | Gandhi Engineering College, Odisha
AKTU Interns 2018
Student Name | Topic
Pratishtha Saxena | Deep Packet Inspection (DPI) in Network
Parul Gahelot | Deep Packet Inspection (DPI) in Network
Monika | Detection of loopholes in web application
Anam Fatima | Android app for detection of malicious Apps on the device
Areeba Irshad | Classification of malware analysis and preventing the attacks
Ankita | Detection of Malware in Advance Android Apps By using the Static Analysis
Kumar Shanu Singh | Cloud based IOT Honeypot
Shikha | Malware analysis, Security monitoring tool
Vishal Choudhary | A Runtime analysis to detect malware
Arvind Goutam | Practice various webapp based attacks and detect the vulnerability
Nitesh Kumar | A hybrid approach to detect advanced malware at large scale
SEMINARS
Seminars by the Center Faculty:
1. Prof. Sandeep Shukla is an invited speaker on "Blockchain for E-
Governance" at the Workshop on Blockchain at the Indian Statistical
Institute Kolkata in November 2018.
2. Prof. Sandeep Shukla is an invited speaker on "Cyber Security of Digital
Financial System" at RBI Lucknow for their cyber security awareness
campaign week in October 2018.
3. Prof. Sandeep Shukla was an inaugural speaker at the launching of the ACM
student chapter at the Indian Institute of Information Technology,
Allahabad, in Feb 2018.
4. Prof. Sandeep Shukla was an invited speaker and panel moderator at the
2nd Cyber Security Conference organized in Hyderabad in December 2017.
5. Prof. Sandeep K. Shukla was a keynote speaker at the International Forum
on Design Languages (FDL 2017) on "Do Design and Specification Languages
have any role to Play in Cyber Security?" held in Verona, Italy during
September 18-20, 2017.
6. Prof. Sandeep K. Shukla was an invited speaker at the Cyber Security Week
organized by the Blavatnik Interdisciplinary Center for Cyber Security at Tel
Aviv, Israel on June 28, 2017 on academic perspective of cyber security.
7. Prof. Sandeep Shukla was a keynote speaker at the 23rd IEEE International
Conference on Embedded and Real-Time Computing Systems and
Applications (RTCSA'17) on "Cyber Security of Cyber Physical Critical
Infrastructures: A Case for a Schizoid Design Approach", held during
August 16-18, 2017 in Taiwan.
8. Prof. Sandeep K. Shukla was an invited speaker at inauguration of RBI
Kanpur Information Security Awareness Campaign, May 2017.
9. Prof. Sandeep K. Shukla was invited to membership in the subgroup on
mobile banking & security, and the subgroup on card-based payments &
security, formed by the Reserve Bank of India's standing committee on Cyber
Security.
10. Prof. Sandeep K. Shukla delivered an invited talk on "How Safe are our
Critical Infrastructures from Cyber Attacks" held at IIIT Delhi on 11th Feb,
2017.
Seminars and Events Organized at the Center
Topic | Speaker's Name | Date
Walking the edge between structure and randomness: New constructions for Obfuscation and Functional Encryption | Prof. Shweta Agrawal, IIT Madras | Thu, 05/10/2018
Smart Living: The Next Frontier | Prof. Sajal K. Das, IEEE Fellow, Daniel St. Clair Endowed Chair, Missouri University of Science and Technology, USA | Fri, 01/12/2018
Planar Graph Perfect Matching is in NC | Vijay V. Vazirani, University of California, Irvine | Wed, 01/03/2018
Taming Timing Uncertainties for New Generation of Cyber-Physical Systems and Applications | Rajesh K. Gupta, UCSD | Fri, 12/29/2017
Towards Secure and Privacy-aware Cyber-Physical Systems and IoT | Mani Srivastava, UCLA | Fri, 12/29/2017
Introduction to Biochip Security | Ramesh Karri (New York University, New York) | Tue, 08/22/2017
Cyber-Security: Analog Side Channels of Embedded Cyber-Physical Systems | Farshad Khorrami (New York University, New York) | Tue, 08/22/2017
Cryptanalysis of Selected Symmetric Ciphers: Lightweight Choices for Secure Hardware | Hoda A. Alkhzaimi, New York University Abu Dhabi | Tue, 08/22/2017
Do You Trust Your Chip? | Ozgur Sinanoglu (New York University at Abu Dhabi) | Tue, 08/22/2017
Invited Talk by Sujoy Sinha Roy | Sujoy Sinha Roy | Fri, 07/07/2017
MEMORANDUM OF UNDERSTANDING
Academic MOUs
IIT Kanpur, Gujarat State Forensic University, and New York University have
entered into a tri-partite MoU to collaborate on Cyber Forensics, Cyber Threat
Intelligence, developing MOOC courses, etc.
The IITK Center for Cybersecurity for Critical Infrastructure (IITK-CCS), the
NYU Tandon School of Engineering Center for Cyber Security (NYU-CCS)
and the Gujarat Forensic Sciences University (Institute of Forensic Science and
Institute of R&D) have missions with a lot in common. In order to better fulfill their
respective missions, representatives of the institutes have exchanged views on
establishing relationships and a program of cooperation among the institutes.
The major objectives of collaborative activities in the academic areas of mutual
interest, on a basis of equality and reciprocity, are:
i. Student and Faculty Exchanges among the Institutes;
ii. Creating joint MOOC courses together;
iii. Going for government and industrial funding together in the areas as
mentioned in
iv. Exploring the possibility of joint degree programs in the future;
v. Developing Intellectual Property together.
Industry MOUs
C3I Center signed an MoU with InfoSec Ventures, an India-based company
focused on cyber security solutions, to cooperate on "crowd-sourcing"-based
information security techniques to enhance the resilience of the human layer in cyber
and information security, automation of digital resilience techniques, and
current/future challenges. More information on InfoSec Ventures can be found
at https://www.zaubacorp.com/company/INFOSEC-VENTURES-PRIVATE-LIMITED/U74140DL2011PTC219378 .
TCG MOU
IIT Kanpur and TCG Digital, a pioneer in setting up the first commercially available
cyber range in India, have signed an MOU to jointly offer hands-on technical
training and consultancy services in the cyber security domain. These services are
primarily based on a state-of-the-art Cyber Range capable of modeling hyper-real
cyber-attacks and complex networked environments to serve security agencies,
defense establishments, government departments and enterprises in the public
and private sectors. The Cyber Range offers a pragmatic and sustainable strategy
for arming organizations to assess, educate, and certify a national force of cyber
warriors to carry out information assurance (IA), information operations (IO),
and mission assurance (MA) duties. The services would help train people,
validate processes and optimize the technology solutions deployed, and thus
reorient the People, Process and Technology triad for real-world cyber
security scenarios by allowing them to "train as they fight". Under the MOU
signed between the Computer Science Department of IIT Kanpur and TCG Digital
Solutions Pvt Ltd, high-end customized technical training, consultancy projects,
seminars and workshops would be offered to help the security and IT staff of an
organization sharpen their skills and gain the experience that is necessary
to combat modern cyber threats.