Publications
  Waldvogel, Marcel; Kollek, Jürgen (2014): SIEGE : Service-Independent Enterprise-GradE protection against password scans

SIEGE : Service-Independent Enterprise-GradE protection against password scans

Security is one of the main challenges today, complicated significantly by the heterogeneous and open academic networks with thousands of different applications. Botnet-based brute-force password scans are a common security threat against the open academic networks. Common defenses are hard to maintain, error-prone and do not reliably discriminate between user error and coordinated attack. In this paper, we present a novel approach which allows securing many network services at once. By combining in-app tracking, local and global crowdsourcing, geographic information, and probabilistic user-bot distinction through differential password analysis, our PAM-based detection module can provide higher accuracy and faster blocking of botnets. In the future, we aim to make the mechanism even more generic and thus provide a distributed defense against one of the strongest threats against our infrastructure.

  Graf, Sebastian; Rain, Andreas; Scharon, Daniel; Waldvogel, Marcel (2013): Utilizing Cloud Storages for iSCSI : Is Security really expensive?

Utilizing Cloud Storages for iSCSI : Is Security really expensive?

Cloud storage promises unlimited, flexible and cheap storages, including all-time availability and accessibility with the help of various technologies. Free-of-charge offers for end-users allure customers the same way as professional, pay-as-you-go storages do. The delocalization of the data provokes security concerns, especially regarding the confidentiality of the data. Even though encryption offers a straightforward solution to this problem, the performance questions its applicability when it comes to the utilization of professional storage approaches like iSCSI. In this white paper, we propose a utilization of NoSQL-based cloud storages like Amazon S3 or Microsoft Azure for iSCSI. We evaluate the costs of a direct, bucket-based encryption and show that in complex systems like iSCSI, the distance to the cloud represents the bottleneck instead of the encryption. Performance-boosting techniques like prefetching and caching improve the access and result in no practical overhead within such a utilization. Based on our own fully Java-based iSCSI target (jSCSI) and jClouds, our prototype represents, to the best of our knowledge, the first freely available, cloud-deployable iSCSI.

  Graf, Sebastian; Rain, Andreas; Waldvogel, Marcel (2013): "You can find my CV on LinkedIn ..." - Privacy-Aware Distributed Social Networking for Research Facilities

"You can find my CV on LinkedIn ..." - Privacy-Aware Distributed Social Networking for Research Facilities

Being a part of any social network becomes a necessity especially for the sake of self-presentation. Specialized social networks like LinkedIn are aware of these needs and offer tailored functionalities like referencing to relevant projects and topics including specific searching functionalities.
Since the social data stored within any centralized social network represents an alluring mass of information, security and privacy concerns come up within their utilization. As a consequence, guidelines for their usage are deployed within institutions to increase awareness related to these concerns. Unfortunately, the specific toolsets deployed within universities for presenting users and projects support neither the sharing of group-based or public information nor the ability to create social connections between users especially not over the borders of single institutions.
To combine the need of self-presentation with the ability of virtual social interaction, we present a prototype of a federated, distributed, social network tailored to the need of researchers. Our prototype is based on Diaspora, representing the largest distributed social platform nowadays. Enriched with automated, user-related profiles, our Diaspora-pod offers all members of the University of Konstanz the ability to interact in combination with automated university-profiles.
Tightly integrated in the existing infrastructure of the University of Konstanz and hosted on trusted infrastructure, the described prototype offers not only user-defined sharing of personal profiles in a federated way. It also leverages from the centralized handling of profiles and reduces as a consequence the administrative overhead of maintaining any personal information.
Based on its simple usage and the tight integration into the services of the University of Konstanz, our prototype has the potential to push university life to a new social level without generating concerns about security and privacy.

  Graf, Sebastian; Miller, Wolfgang; Waldvogel, Marcel (2013): Utilizing Photo Sharing Websites for Cloud Storage Backends

Utilizing Photo Sharing Websites for Cloud Storage Backends

Cloud storages combine high availability with the absence of any need to maintain own infrastructure. A wide field of different providers offer a flexible portfolio for any technical need and financial possibility. Yet, the offerings of different cloud storage providers all have one issue in common: basic storage is cheap, whereas the costs increase with the storage consumed, adhering to the pay-as-you-go paradigm. Photo sharing websites such as Facebook, Picasa-Web, and Flickr leverage their own cloud infrastructure and offer unlimited storage for little or no charge. Obviously, pictures can be used to store information in, which has been used for steganography and watermarking at low data rates. We propose a general framework for storing large amounts of data, its data density and error-correcting mechanisms tunable to the properties of the photo sharing website of your choice. Our cost-performance analysis shows that photo sharing websites compare favorably to professional cloud storage services such as Amazon S3. Thanks to the integration of our software as a backend to the widely-used jClouds framework, everyone can now use photo sharing websites as one component for low-cost purposes, including archival.

  Graf, Sebastian; Lang, Patrick; Hohenadel, Stefan; Waldvogel, Marcel (2012): Versatile Key Management for Secure Cloud Storage 2012 IEEE 31st Symposium on Reliable Distributed Systems. IEEE, 2012, pp. 469-474. ISBN 978-1-4673-2397-0. Available under: doi: 10.1109/SRDS.2012.80

Versatile Key Management for Secure Cloud Storage

Not only does storing data in the cloud utilize specialized infrastructures facilitating immense scalability and high availability, but it also offers a convenient way to share any information with user-defined third parties. However, storing data on the infrastructure of commercial third-party providers demands trust and confidence. Simple approaches, like merely encrypting the data by providing encryption keys, which at most consist of a shared secret supporting rudimentary data sharing, do not support evolving sets of clients accessing common data. Based on approaches from the area of stream encryption, we propose an adaptation for enabling scalable and flexible key management within heterogeneous environments like cloud scenarios. Representing access rights as a graph, we distinguish between the keys used for encrypting hierarchical data and the encrypted updates on the keys enabling flexible join/leave operations of clients. This distinction allows us to utilize the high availability of the cloud as an updating mechanism without harming confidentiality. Our graph-based key management results in an adaptation of nodes related to the changed key. The updates on the keys again continuously create an overhead related to the number of these updated nodes. The proposed scalable approach utilizes cloud-based infrastructures for confidential data and key sharing in collaborative workflows supporting variable client sets.

  Graf, Sebastian; Eisele, Jörg; Waldvogel, Marcel; Strittmatter, Marc (2012): A legal and technical perspective on secure cloud storage MÜLLER, Paul, ed. and others. 5. DFN-Forum Kommunikationstechnologien : Verteilte Systeme im Wissenschaftsbereich ; 21.05.-22.05.2012 in Regensburg ; [Beiträge der Fachtagung]. Bonn: Ges. für Informatik, 2012, pp. 63-72. ISBN 978-3-88579-297-0

A legal and technical perspective on secure cloud storage

Public cloud infrastructures represent alluring storage platforms supporting easy and flexible, location-independent access to the hosted information without any hassle of maintaining own infrastructures.
Already widely established and utilized by end-users as well as by institutions, the hosting of data containing private and confidential information on untrusted platforms generates concerns about security. Technical measures establishing security thereby rely on their technical applicability. As a consequence, legal regulations must be applied to cover those measures even beyond this technical applicability.
This paper provides an evaluation of technical measures combined with legal aspects, representing a guideline for secure cloud storage for end-users as well as for institutions. Based upon current approaches providing secure data storage on a technical level, German laws are applied and discussed to give an overview of the correct treatment of even confidential data stored securely in the cloud.
As a result, a set of technical possibilities applied to fixed, defined security requirements is presented and discussed. These technical measures are extended by legal aspects which must be provided from the side of the hosting Cloud Service Provider.
The presented combination of the technical and the legal perspective on secure cloud storage enables end-users as well as hosting institutions to store their data securely in the cloud in an accountable and transparent way.

    Maier, Daniel; Haase, Oliver; Wäsch, Jürgen; Waldvogel, Marcel (2011): NAT Hole Punching Revisited 2011 IEEE 36th Conference on Local Computer Networks. IEEE, 2011, pp. 147-150. ISBN 978-1-61284-926-3. Available under: doi: 10.1109/LCN.2011.6115173

NAT Hole Punching Revisited

Setting up connections to hosts behind Network Address Translation (NAT) equipment was last the subject of research debates half a decade ago, when NAT technology was still immature. This paper fills this gap and provides a solid comparison of two essential TCP hole punching approaches: sequential and parallel TCP hole punching. The comparison reflects current conditions and thoroughly compares setup delay, implementation complexity, resource usage, and effectuality of the two approaches. The result is a list of recommendations and a portable, effectual, and open-source Java implementation.

    Graf, Sebastian; Zholudev, Vyacheslav; Lewandowski, Lukas; Waldvogel, Marcel (2011): Hecate, Managing Authorization with RESTful XML Proceedings of the Second International Workshop on RESTful Design - WS-REST '11. New York, New York, USA: ACM Press, 2011, pp. 51-58. ISBN 978-1-4503-0623-2. Available under: doi: 10.1145/1967428.1967442

Hecate, Managing Authorization with RESTful XML

The potentials of REST offer new ways of communication between loosely coupled entities featured through the Web of Things [12]. The binding of the disjunct components of this architecture creates security issues, such as centralized authorization techniques respecting the independence of the underlying entities. This results in the question of how authorization is performed respecting the flexibility of REST without any knowledge about the underlying resources. Nevertheless, possible knowledge about these resources should enable the authorization workflow to offer finer-granular permissions on substructures of the resources. With our new approach, which we named Hecate, we offer a framework to assure simplified handling while keeping the potentials and flexibility of REST. We have designed an architecture based on XML with a flexible authorization mechanism on the one hand and optional resource-awareness on the other hand. The flexibility within the authorization workflow is based on permission sets respecting the HTTP verbs. Additional in-depth knowledge of the entity optionally extends these permissions with resource-aware filters. Hecate offers great benefits not only because of its flexibility, but also because of the optional extensibility proved within the two reference implementations. With Hecate, we show that a centralized authorization mechanism combining independence and optional resource-based filtering extends the flexibility of REST rather than restricting it.

  Maier, Daniel; Haase, Oliver; Wäsch, Jürgen; Waldvogel, Marcel (2011): A comparative analysis of nat hole punching HTWG FORUM - Das Forschungsmagazin der HTWG Konstanz, pp. 40-48

A comparative analysis of nat hole punching

IPv4’s address space is getting exhausted any day now. However, IPv6 is still only scarcely supported. Instead, the use of Network Address Translation (NAT) boxes to hide entire networks behind a single IPv4 address is the dominant solution. Increasingly interactive Internet applications prefer direct contacts, where a central server would only increase latency, limit throughput, or become a single point of failure. Direct connections are essential to such distinct applications ranging from interactive games and peer-to-peer applications to VoIP or file transfers among instant messaging partners.
NAT hole punching is one technique to traverse NAT boxes. It has the advantage of not requiring any user configuration and establishes direct connections between two peers without the need for additional relay servers. Hole punching is suitable for UDP and TCP. For TCP, two main options exist, namely sequential and parallel hole punching. These are the main targets of our analysis. We compare them according to various criteria in different scenarios.

  Maier, Daniel; Haase, Oliver; Wäsch, Jürgen; Waldvogel, Marcel (2011): NAT Hole Punching Revisited

NAT Hole Punching Revisited

Setting up connections to hosts behind Network Address Translation (NAT) equipment was last the subject of research debates half a decade ago, when NAT technology was still immature. This paper fills this gap and provides solid, comparative insights into the current state of technology. The result is threefold: (1) understanding the NAT and operating system issues involved in hole punching, (2) an overview of the main hole punching technologies, (3) a comparison of these technologies. The comparison reflects current conditions and thoroughly compares setup delay, implementation complexity, resource usage, and effectuality of the two main approaches. The result is a list of recommendations and a portable, effectual, and open-source Java implementation.

  Graf, Sebastian; Kramis, Marc; Waldvogel, Marcel (2011): Treetank, Designing A Versioned XML Storage XML Prague '11. 2011

Treetank, Designing A Versioned XML Storage

XML is subject to the same constant modification scenarios as any other resource, especially in flexible environments like the WWW. Therefore, intelligent handling of versioned XML is mandatory. Due to the structural nature of XML, the efficient storage of changes in the data, and therefore in the tree, needs new paradigms regarding efficient storage and effective retrieval operations. We present a node-granular XML versioning approach which relies on the independence of the storage and the versioning system. Different layers which have the ability to satisfy specific aspects of a node-granular versioning storage guarantee this independence. Results prove that our architecture offers efficient handling of consecutive changes within all modification scenarios while not restricting XML regarding its usage. Hence, our prototype system handles even huge XML instances while ensuring equal access to each revision of the data.

  Zink, Thomas; Waldvogel, Marcel (2010): Analysis and efficient classification of P2P file sharing traffic

Analysis and efficient classification of P2P file sharing traffic

Since the advent of P2P networks, they have grown to be the biggest source of Internet traffic, superseding HTTP and FTP. For service providers, P2P traffic results in increased costs for both infrastructure and transportation. Interest is high to reliably identify the type of service to ensure quality of service. In this document we analyze P2P network architectures and give an overview of existing identification mechanisms. In addition, we devise a simple identification scheme suitable for implementation in resource-restricted environments with limited computational power and memory. The scheme is based on behavior analysis and as such is not prone to traffic obfuscation techniques.

  Graf, Sebastian; Lewandowski, Lukas; Waldvogel, Marcel (2010): Integrity Assurance for RESTful XML Paper for the Seventh International Workshop on Web Information Systems Modeling. 2010

Integrity Assurance for RESTful XML

REpresentational State Transfer (REST) represents an extensible, easy and elegant architecture for accessing web-based resources. REST alone and in combination with XML is fast gaining momentum in a diverse set of web applications. REST is stateless, as is HTTP on which it is built. For many applications, this is not enough, especially in the context of concurrent access and the increasing need for auditing and accountability. We present a lightweight mechanism which allows the application to control the integrity of the underlying resources in a simple, yet flexible manner. Based on an opportunistic locking approach, we show in this paper that XML does not only act as an extensible and directly accessible backend that ensures easy modifications due to the allocation of nodes, but also gives scalable possibilities to perform on-the-fly integrity verification based on the tree structure.

  Mansmann, Florian; Fischer, Fabian; Keim, Daniel A.; Pietzko, Stephan; Waldvogel, Marcel (2009): Interactive Analysis of NetFlows for Misuse Detection in Large IP Networks MÜLLER, Paul, ed.. 2. DFN-Forum Kommunikationstechnik : Verteilte Systeme im Wissenschaftsbereich ; 27.05. - 28.05.2009 in München. Bonn: Gesellschaft für Informatik, 2009, pp. 115-124. GI-Edition - Lecture Notes in Informatics. 149. ISBN 978-3-88579-243-7

Interactive Analysis of NetFlows for Misuse Detection in Large IP Networks

While more and more applications require higher network bandwidth, there is also a tendency that large portions of this bandwidth are misused for dubious purposes, such as unauthorized VoIP, file sharing, or criminal botnet activity. Automatic intrusion detection methods can detect a large portion of such misuse, but novel patterns can only be detected by humans. Moreover, interpretation of large amounts of alerts imposes new challenges on the analysts. The goal of this paper is to present the visual analysis system NFlowVis to interactively detect unwanted usage of the network infrastructure, either by pivoting NetFlows using IDS alerts or by specifying usage patterns, such as sets of suspicious port numbers. Thereby, our work focuses on providing a scalable approach to store and retrieve large quantities of NetFlows by means of a database management system.

  Graf, Sebastian; Brendamour, Patrice; Waldvogel, Marcel (2009): jSCSI 2.0 : Multithreaded Low-Level Distributed Block Access

jSCSI 2.0 : Multithreaded Low-Level Distributed Block Access

In 2007 we introduced jSCSI 1.0 to the public. The use case was to access block patterns directly from Java without any third-party JNI-invoked software. In the last two years we explored the capabilities to assimilate multithreading in jSCSI. The goal was to leverage the outstanding features of the new Java multithreading extension introduced with Java 5/Java 6 and incorporate them into our proven block-level access framework. Today, we present the next incarnation of jSCSI 1.0, jSCSI 2.0, which yields significant performance improvements by utilizing Java's advanced multithreading capabilities. We show that our Java-based implementation of a low-level architecture is not only a promising alternative in terms of performance but also in ease of use compared to common JNI-invoked system calls. Therefore, we argue that jSCSI 2.0 is not only a platform-independent implementation of the iSCSI protocol, but also a fast and robust proof for implementing low-level applications in Java.

  Graf, Sebastian; Kramis, Marc; Waldvogel, Marcel (2008): Distributing XML with focus on parallel evaluation Databases, Information Systems, and Peer-to-Peer Computing, Sixth International Workshops, DBISP2P 2008, Auckland, New Zealand, August 23, 2008. 2008

Distributing XML with focus on parallel evaluation

In contrast to relational databases, the distribution of document-centric XML is not well researched. While there are some suggestions on how to split and distribute large XML documents, these approaches do not consider parallel query evaluation. In this paper, we present and compare five different algorithms to search for suitable split nodes in a large XML document. We then describe how to distribute extractable sub-structures over a fixed number of peers and how to query these peers in parallel to retrieve the final result. In addition, we analyse the impact of our splitting algorithms with respect to scalability for two different XPath expression classes on three well-known XML data sets. We conclude this paper with an outlook on future work, including result ordering during parallel query execution and dynamic re-distribution of XML fragments to new peers due to updates.

  Waldvogel, Marcel; Muncan, Michael; Patidar, Mahak (2006): Stealth DoS IEEE, IST Workshop on "Monitoring, Attack Detection and Mitigation" Thursday 28 - Friday 29 September, 2006 Tübingen, Germany. 2006

Stealth DoS

Users and providers increasingly disagree on what Denial of Service (DoS) is. For example, an ISP might consider large multimedia downloads an attack to overload its infrastructure or have it pay high interconnection fees. On the other hand, a user will certainly consider selective bandwidth reduction, as used by ISPs as a countermeasure, a DoS measure. Given the nature of their business relationship, neither side is likely to openly admit that they are fighting each other. In this paper we attempt to formalise the concept of Stealth DoS, including listing mechanisms that may be used at high speed. We concentrate on mechanisms that might be used in one particular area, voice over IP (VoIP). We start evaluating them under different aspects, including their cost, political suitability and the likelihood for countermeasures to succeed. We expect that this will give both sides better insight into their options and plead for peace, hopefully helping to avoid an open war.

  Waldvogel, Marcel (2006): Shifting the interests in high-speed DoS prevention

Shifting the interests in high-speed DoS prevention

In early 2000, the Internet world was shocked: several resource-rich commercial sites were unreachable for several hours, probably due to the actions of a single individual who had previously gained control over many thousand computers world-wide. This shock resulted in a series of proposals on how to prevent future disasters. Six years have passed, and there is still no consensus on how to improve the situation. In this paper, we propose a new mechanism which also shifts the interests: involving different stakeholders, which might actually be interested in solving the problem; providing more immediate return on investment; focusing on end-to-end mechanisms with minimal network involvement; and the absence of modifications to a large installed base of network equipment characterise our new approach.
