ICDF2C 2021 - Two papers accepted and presented

22 December 2021

The article Find my IoT Device -- An Efficient and Effective Approximate Matching Algorithm to Identify IoT Traffic Flows was accepted at ICDF2C. The paper was presented at the 12th EAI International Conference on Digital Forensics & Cyber Crime (ICDF2C) 2021, held as a hybrid event in Singapore in December 2021.

Authors: Thomas Göbel, Frieder Uhlig, Harald Baier


Internet of Things (IoT) devices are becoming more and more popular: they are limited in terms of resources, designed to serve only one specific purpose, and hence cheap. However, their low price comes with the difficulty of patching them. Moreover, the IoT topology is often not well documented. Thus IoT devices form a popular attack vector in networks. Because documentation is so often missing, vulnerable IoT network components must be quickly identified and located during an incident and the subsequent network forensic response. In this paper, we present a novel approach to efficiently and effectively identify a specific IoT device by applying approximate matching to network traffic captures. Our algorithm is called Cu-IoT and is publicly available. Cu-IoT is superior to previous machine-learning approaches because it requires neither feature extraction nor a learning phase. Furthermore, on 2 out of 3 datasets Cu-IoT also outperforms a hash-based competitor. We present an in-depth evaluation of Cu-IoT on different IoT datasets and achieve nearly 100% accuracy, recall, and precision on the first dataset, almost 99% accuracy with 84% precision and recall on the second dataset, and almost 100% accuracy with 90% precision and recall on the third dataset.
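As an added example (not code from the paper and not the Cu-IoT tool itself), the following Python sketch shows what approximate matching on raw traffic bytes looks like in practice: each enrolled device is represented by a digest built from hashed byte n-grams of a reference capture, an unknown capture is digested the same way, and the most similar enrolled device is reported, with a threshold so that a device never seen before comes back as unknown instead of being forced onto the closest enrolled one. No protocol is parsed and nothing is trained. The digest is a hashed bag of n-grams compared by cosine similarity, a simple stand-in for the Bloom-filter digests of tools such as ssdeep, sdhash or mrsh-v2; the device names, message formats, constants and all traffic below are constructed for this example.

```python
"""Identify an IoT device from raw capture bytes by approximate matching.

Added illustration of the general technique, not the Cu-IoT implementation.
The digest is a hashed bag of byte n-grams compared by cosine similarity.
Device names, message formats, n-gram length, digest size and the decision
threshold are assumptions made up for this example.
"""
import hashlib
import math
import random
from collections import Counter

NGRAM = 7          # bytes per window (assumption)
DIGEST_DIM = 4096  # hash buckets per digest (assumption)


def digest(data: bytes) -> Counter:
    """Count every NGRAM-byte window of `data` into one of DIGEST_DIM buckets.

    Framing that repeats in every packet hits the same buckets again and
    again and therefore dominates the digest; payload bytes that change per
    packet are spread thinly over many buckets.
    """
    counts: Counter = Counter()
    for i in range(len(data) - NGRAM + 1):
        h = hashlib.blake2b(data[i:i + NGRAM], digest_size=4).digest()
        counts[int.from_bytes(h, "big") % DIGEST_DIM] += 1
    return counts


def similarity(a: Counter, b: Counter) -> float:
    """Cosine similarity of two digests: 0.0 = nothing in common, 1.0 = identical."""
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def identify(capture: bytes, references: dict[str, Counter], threshold: float = 0.5) -> str:
    """Name the enrolled device most similar to `capture`, or 'unknown' below the threshold."""
    d = digest(capture)
    best, score = max(((name, similarity(d, ref)) for name, ref in references.items()),
                      key=lambda pair: pair[1])
    return best if score >= threshold else "unknown"


def synthetic_capture(device: str, seed: int, packets: int = 40) -> bytes:
    """Constructed traffic: fixed per-device framing plus values that change per packet."""
    rng = random.Random(seed)
    out = []
    for seq in range(packets):
        if device == "smart_plug":      # HTTP status report
            out.append(b"PUT /api/relay HTTP/1.1\r\nHost: plug.local\r\nX-Device: SP-200\r\n\r\n"
                       b'{"relay":1,"power_w":%d}' % rng.randint(0, 2000))
        elif device == "ip_camera":     # RTSP reply followed by video bytes
            out.append(b"RTSP/1.0 200 OK\r\nCSeq: %d\r\nSession: 4f3a8c1d\r\n"
                       b"Content-Type: video/h264\r\n\r\n" % seq + rng.randbytes(32))
        elif device == "thermostat":    # MQTT-like PUBLISH with a JSON payload
            out.append(b"\x30\x26\x00\x14home/thermostat/temp"
                       b'{"celsius":%.1f}' % rng.uniform(15.0, 25.0))
        elif device == "door_sensor":   # never enrolled: exercises the 'unknown' path
            out.append(b"\x30\x15\x00\x0fhome/door/state"
                       + (b"open" if rng.random() < 0.5 else b"closed"))
        else:
            raise ValueError(device)
    return b"".join(out)


def evaluate(references: dict[str, Counter], trials: list[tuple[str, bytes]]):
    """Overall accuracy plus (precision, recall) per enrolled device."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for truth, capture in trials:
        guess = identify(capture, references)
        if guess == truth:
            tp[truth] += 1
        else:
            fp[guess] += 1
            fn[truth] += 1
    per_device = {
        dev: (tp[dev] / (tp[dev] + fp[dev]) if tp[dev] + fp[dev] else 0.0,
              tp[dev] / (tp[dev] + fn[dev]) if tp[dev] + fn[dev] else 0.0)
        for dev in references
    }
    return sum(tp.values()) / len(trials), per_device


ENROLLED = ("smart_plug", "ip_camera", "thermostat")
REFERENCES = {dev: digest(synthetic_capture(dev, seed=1)) for dev in ENROLLED}
TRIALS = [(dev, synthetic_capture(dev, seed)) for dev in ENROLLED for seed in range(10, 15)]
TRIALS += [("unknown", synthetic_capture("door_sensor", seed)) for seed in range(10, 15)]

if __name__ == "__main__":
    accuracy, per_device = evaluate(REFERENCES, TRIALS)
    print(f"accuracy {accuracy:.2f}")
    for dev, (precision, recall) in per_device.items():
        print(f"{dev:11s} precision {precision:.2f} recall {recall:.2f}")
```

Two things worth noticing when adapting this to real captures: the similarity of two captures of the same device is carried by the framing that repeats in every packet, so a device whose traffic is mostly encrypted payload with little fixed structure will score lower and needs a lower threshold or a longer reference capture; and without the threshold the classifier can only ever answer with an enrolled device, which is exactly the wrong behaviour during an incident when an undocumented device shows up.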


The article Towards Mitigation of Data Exfiltration Techniques using the MITRE ATT&CK Framework was accepted at ICDF2C, too. The paper was presented at the 12th EAI International Conference on Digital Forensics & Cyber Crime (ICDF2C) 2021, held as a hybrid event in Singapore in December 2021.

Authors: Michael Mundt, Harald Baier


Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Besides denial of service, a major goal of today's attackers is to gain access to the victim's data (e.g. for espionage or blackmail). Hence the detection and prevention of data exfiltration is one of the major challenges for institutions connected to the Internet. The cyber security community provides different standards and best practices, both high-level and fine-grained, to handle this problem. In this paper we propose a conclusive process that links Cyber Threat Intelligence (CTI) and Information Security Management Systems (ISMS) in a dynamic manner to reduce the risk of unwanted data loss through data exfiltration. While both CTI and ISMS are widespread in modern cyber security strategies, most often they are run side by side without interacting. Our process, however, is based on the hypothesis that the mitigation of data loss improves if CTI and ISMS interact with and complement each other conclusively. Our concept makes use of the MITRE ATT&CK framework to enable (partially) automatic execution of our process chain and to run proactive simulations that measure the effectiveness of the implemented countermeasures and identify any remaining security gaps.
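The following Python example is added here to illustrate the idea in the abstract; it is not the authors' process chain. CTI supplies the exfiltration techniques, by ATT&CK ID, that the adversary of concern is known to use; the ISMS supplies the countermeasures, each stating which techniques it claims to mitigate and whether it is actually in place; and a constructed simulation of each technique (the telemetry one execution would leave) is replayed against the detection logic of the live controls. The result sorts every technique into covered, unimplemented (a control exists on paper only), ineffective (a live control claims coverage but misses the run) or uncovered (no control at all), and the last part feeds one finding back into the ISMS and re-runs the check. The technique IDs and names are real ATT&CK entries; the adversary profile, controls, telemetry format and thresholds are assumptions made up for this example.

```python
"""Link CTI to ISMS controls through ATT&CK and test the controls by simulation.

Added illustration of the idea in the abstract, not the authors' process.
Technique IDs and names are real ATT&CK entries; the adversary profile,
controls, telemetry format and thresholds are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed CTI input: exfiltration techniques attributed to the adversary.
CTI_TECHNIQUES = {
    "T1041": "Exfiltration Over C2 Channel",
    "T1048": "Exfiltration Over Alternative Protocol",
    "T1567": "Exfiltration Over Web Service",
    "T1030": "Data Transfer Size Limits",
    "T1029": "Scheduled Transfer",
    "T1052": "Exfiltration Over Physical Medium",
}


@dataclass(frozen=True)
class Event:
    """One outbound session from the simulated host (constructed telemetry)."""
    proto: str          # "https", "ftp", ...
    dst_category: str   # "business", "cloud_storage" or "unknown"
    bytes_out: int
    hour: int           # local hour of day, 0..23


@dataclass(frozen=True)
class Control:
    """An ISMS countermeasure: what it claims to mitigate, whether it is live,
    and the detection rule it contributes to the simulation."""
    name: str
    mitigates: frozenset[str]
    implemented: bool
    detects: Callable[[list[Event]], bool]


def egress_volume_alert(events: list[Event]) -> bool:
    """Per-session threshold: any single session above 50 MB."""
    return any(e.bytes_out > 50_000_000 for e in events)


def unencrypted_protocol_block(events: list[Event]) -> bool:
    """Perimeter block of cleartext protocols to non-business destinations."""
    return any(e.proto in {"ftp", "http", "smtp"} and e.dst_category != "business" for e in events)


def cloud_storage_allowlist(events: list[Event]) -> bool:
    """Only sanctioned cloud storage is reachable; anything else is blocked."""
    return any(e.dst_category == "cloud_storage" for e in events)


def off_hours_transfer_alert(events: list[Event]) -> bool:
    """More than 5 MB outbound between 22:00 and 06:00."""
    return any(e.bytes_out > 5_000_000 and (e.hour >= 22 or e.hour < 6) for e in events)


def daily_egress_aggregate(events: list[Event]) -> bool:
    """Outbound bytes to unknown destinations summed over the day above 50 MB:
    the fix for chunked transfers that stay under the per-session threshold."""
    return sum(e.bytes_out for e in events if e.dst_category == "unknown") > 50_000_000


CONTROLS = [
    Control("egress volume alert", frozenset({"T1041", "T1048", "T1030"}), True, egress_volume_alert),
    Control("unencrypted protocol block", frozenset({"T1048"}), True, unencrypted_protocol_block),
    Control("cloud storage allowlist", frozenset({"T1567"}), False, cloud_storage_allowlist),  # planned only
    Control("off-hours transfer alert", frozenset({"T1029"}), True, off_hours_transfer_alert),
]

# Constructed simulation runs: the telemetry one execution of each technique would leave.
SIMULATIONS = {
    "T1041": [Event("https", "unknown", 120_000_000, 14)],
    "T1048": [Event("ftp", "unknown", 80_000_000, 11)],
    "T1567": [Event("https", "cloud_storage", 20_000_000, 10)],
    "T1030": [Event("https", "unknown", 4_000_000, 14) for _ in range(30)],  # 120 MB in 4 MB chunks
    "T1029": [Event("https", "unknown", 60_000_000, 3)],
    "T1052": [],  # removable media leaves no network telemetry at all
}


def assess(cti: dict[str, str], controls: list[Control], simulations: dict[str, list[Event]]) -> dict[str, str]:
    """Classify every CTI technique as covered, unimplemented, ineffective or uncovered."""
    result = {}
    live = [c for c in controls if c.implemented]
    for tid in cti:
        claiming = [c for c in controls if tid in c.mitigates]
        if any(c.detects(simulations.get(tid, [])) for c in live):
            result[tid] = "covered"        # some live control catches the simulated run
        elif not claiming:
            result[tid] = "uncovered"      # the ISMS has no control for this technique
        elif not any(c.implemented for c in claiming):
            result[tid] = "unimplemented"  # a control exists on paper only
        else:
            result[tid] = "ineffective"    # a live control claims coverage but misses the run
    return result


def gaps(assessment: dict[str, str]) -> list[str]:
    """Techniques that need action, i.e. everything that is not covered."""
    return sorted(t for t, status in assessment.items() if status != "covered")


if __name__ == "__main__":
    before = assess(CTI_TECHNIQUES, CONTROLS, SIMULATIONS)
    for tid, status in before.items():
        print(f"{tid} {CTI_TECHNIQUES[tid]:40s} {status}")
    # Feed the T1030 finding back into the ISMS and re-run the simulation.
    improved = CONTROLS + [Control("daily egress aggregate", frozenset({"T1030"}), True, daily_egress_aggregate)]
    print("T1030 after adding daily aggregation:", assess(CTI_TECHNIQUES, improved, SIMULATIONS)["T1030"])
```

The instructive case is T1030: the ISMS lists a control for it, the control is live, and the control still misses the run, because a per-session threshold is exactly what chunking is designed to evade. That is the kind of gap neither the CTI feed nor the ISMS register shows on its own; it only appears when the two are linked and the claimed coverage is exercised. Re-running the assessment after adding the daily aggregate shows the loop closing.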