Student research projects

If you are interested in doing a Master's project with a strong security component you can contact me. Some project ideas are described below, but there may be other opportunities as well. You can also check the SEC group master project links page for more examples of possible projects.

Ransomware detection project

Ransomware is malware that restricts user access to a system or its data, for example by encrypting stored files. The user is then extorted to pay a ransom to have the restriction removed. The ransomware threat is currently a major concern (see for example http://www.bbc.com/news/technology-36275537). This project aims to establish the feasibility of detecting such malware. To this end we set up a multi-phase approach: in the first phase we study the behaviour of ransomware in a virtual, isolated environment and derive detection rules from it; in the second phase those rules are deployed on a live system.

Phase 1 (Capita Selecta security for a team of ~5 students, or alternatively as a master thesis project)

The student will set up a testbed with several (virtual) machines, then find, install and run some sample ransomware while monitoring the activities of the infected virtual machine and of the network. Based on the results, detection rules for ransomware are created and tested. For example, the ransomware will likely read files from the file server and write encrypted versions back to it. One can try to detect encrypted content, e.g. by its high entropy. This by itself will not be sufficient, as normal content (compressed archives, images, already encrypted files) may look like encrypted content. Thus one also needs to link it to other actions, for example by looking for a repeated pattern of "read file, write back encrypted content" across many files in a short time. The rules are validated on their ability to differentiate between (additional) ransomware samples and some simulated normal usage scenarios.
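As an added illustration (not part of the original project description, and not a rule taken from any ransomware sample), the following Python script sketches the kind of detection rule meant above: it flags a client that, within a short time window, reads several plaintext files from the share and writes high-entropy content back in their place. The event log, the file contents and the client names are constructed for the example; the entropy threshold, the minimum number of files and the assumption that the sample appends one extra extension to the files it encrypts are illustrative choices, not measured ransomware behaviour.

```python
import math
import os
from collections import Counter, defaultdict
from random import Random


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 when every byte is identical, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 1024) -> bool:
    """Heuristic content check: a long blob with near-maximal byte entropy.

    Compressed archives and images pass this test too, which is why the rule below
    does not act on it alone.  Short payloads are never flagged: n bytes can show at
    most log2(n) bits of entropy, so the estimate says nothing for small writes.
    """
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def _candidate_originals(path: str):
    """Paths a write may be replacing: the path itself, or the path minus one appended
    extension (assumption: the sample renames 'report.docx' to 'report.docx.locked')."""
    stem = os.path.splitext(path)[0]
    return (path, stem) if stem != path else (path,)


def detect_ransomware(events, min_files=5, window=60.0, threshold=7.5):
    """Flag clients that read >= min_files distinct plaintext files and, within `window`
    seconds, wrote high-entropy content back over them.

    events: iterable of (timestamp, client, op, path, data) in time order, as a
    file-server monitor might produce them; op is "read" or "write".
    """
    last_read = {}              # (client, path) -> (ts, entropy of the content read)
    hits = defaultdict(list)    # client -> [(ts, path)] read-then-encrypted-write pairs
    alerts = set()
    for ts, client, op, path, data in events:
        if op == "read":
            last_read[(client, path)] = (ts, shannon_entropy(data))
            continue
        if op != "write" or not looks_encrypted(data, threshold):
            continue            # plaintext writes are normal editing; other ops not modelled
        for key in _candidate_originals(path):
            prev = last_read.get((client, key))
            if prev is not None and prev[1] < threshold:    # plaintext in, ciphertext out
                hits[client].append((ts, key))
                break
        recent = [(t, p) for t, p in hits[client] if ts - t <= window]
        hits[client] = recent
        if len({p for _, p in recent}) >= min_files:
            alerts.add(client)
    return sorted(alerts)


# --- constructed sample traffic (not captured from real ransomware) -------------
_rng = Random(2016)
PLAIN = b"Quarterly report: revenue up 4% on the year.\n" * 96        # ~4 KB of prose
CIPHER = bytes(_rng.getrandbits(8) for _ in range(4096))            # stand-in for cipher output
ARCHIVE = bytes(_rng.getrandbits(8) for _ in range(4096))           # a legitimate zip upload


def build_events():
    ev = []
    for i in range(6):   # ws-17: infected client encrypts six documents in ten seconds
        ev.append((100.0 + i, "ws-17", "read", f"/share/finance/doc{i}.docx", PLAIN))
        ev.append((100.5 + i, "ws-17", "write", f"/share/finance/doc{i}.docx.locked", CIPHER))
    # ws-03: normal user edits a document and uploads an archive (high entropy, no prior read)
    ev += [(120.0, "ws-03", "read", "/share/hr/policy.docx", PLAIN),
           (121.0, "ws-03", "write", "/share/hr/policy.docx", PLAIN + b"Addendum.\n"),
           (122.0, "ws-03", "write", "/share/hr/backup.zip", ARCHIVE)]
    # ws-09: a single read-then-encrypted-write, below the min_files threshold
    ev += [(130.0, "ws-09", "read", "/share/it/notes.txt", PLAIN),
           (131.0, "ws-09", "write", "/share/it/notes.txt", CIPHER)]
    return ev


if __name__ == "__main__":
    print("alerts:", detect_ransomware(build_events()))   # ['ws-17']
```

The uploaded archive is high-entropy but is not preceded by a read of the same file, so it does not count; that is the point of linking the content check to the read-then-overwrite pattern. A real deployment would take the thresholds and the time window from the Phase 1 measurements, and would also have to cope with samples that delete or rename the originals rather than overwrite them in place.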

Equipment used:
- Machine to set up an isolated virtual environment (with at least one infected client, one file server and a detection box, e.g. Silent Defense)

Phase 2 (TU/e PhD student from the SEC group)

The detection rules are put in place in a live production environment. Alerts raised are investigated by the PhD student, with feedback from ICT services, to determine whether they are false positives or real attacks. The rules are tweaked to eliminate false positives. Once the false positive rate is sufficiently low, the tweaked rules are left running for a longer period (e.g. 6 months) to detect ransomware attacks.

Equipment used:
- Sensor (e.g. a VM with Silent Defense) for passive monitoring of plaintext network traffic as close as possible to the file server. (Access to plaintext is essential for intrusion detection based on deep packet inspection; if the file-sharing traffic is encrypted, the sensor only sees ciphertext and cannot inspect the file contents.)
- Occasional access to experts from ICT services for feedback on the suspicious traces found.

Protection of internal web services project (master thesis project)

Detection of unknown attacks on the internet is a notoriously hard problem. Anomaly-based intrusion detection methods can in principle detect unknown attacks, but the large variety of internet traffic leads to too many false alarms, making these methods impractical. Internal web services, on the other hand, are likely to have more structure in their traffic (a limited set of applications, a known user population, predictable request patterns). The question is whether this added structure can be exploited to build a feasible intrusion detection system. In this project the student will, in collaboration with the ICT services of the TU/e, look at monitoring solutions for the main TU/e internal applications. Existing intrusion detection systems (such as Silent Defense) will be applied to the traffic of the main web applications and, where needed and possible, improvements to the detection mechanisms will be proposed. More invasive host-based solutions such as BitSensor may be considered and compared to the other solutions.
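As an added example (my own illustration, not a method used by the project, by Silent Defense, BitSensor or TU/e ICT services), the following Python code shows one way the "added structure" of an internal web application can be turned into an anomaly detector: a profile of each endpoint (which parameters occur, how long their values are, which character classes they contain) is learned from baseline traffic, and later requests are scored against it. The request lines, endpoints and parameter names are constructed for the example and do not describe any real TU/e application.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed baseline: request lines ("METHOD /path?query") assumed to be
# attack-free traffic of a hypothetical internal grades application.
BASELINE = [
    "GET /grades?student=0912345&course=2IC80",
    "GET /grades?student=0987654&course=2IC80",
    "GET /grades?student=1001122&course=2IMA10",
    "GET /grades?student=0912345&course=2IC80",
    "GET /enrol?student=0912345&course=2IMA10&year=2016",
    "POST /enrol?student=1001122&course=2IC80&year=2016",
    "GET /grades?student=1234567&course=2MMD30",
]


def char_classes(value: str) -> set:
    """Coarse alphabet of a parameter value: which kinds of characters occur in it."""
    classes = set()
    for ch in value:
        if ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("alpha")
        elif ch in "._-":
            classes.add("punct")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("special")   # quotes, '=', '<', ';', ... absent from the clean values
    return classes


def _split(line: str):
    """'GET /grades?a=1' -> ('GET', '/grades', [('a', '1')]); percent-encoding is decoded."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn(baseline):
    """Build a per-endpoint profile: parameter names, value lengths and alphabets."""
    profiles = defaultdict(lambda: {"requests": 0, "params": {}})
    for line in baseline:
        method, path, query = _split(line)
        prof = profiles[(method, path)]
        prof["requests"] += 1
        for name, value in query:
            p = prof["params"].setdefault(name, {"count": 0, "max_len": 0, "classes": set()})
            p["count"] += 1
            p["max_len"] = max(p["max_len"], len(value))
            p["classes"] |= char_classes(value)
    return profiles


def score(profiles, line: str, slack: float = 2.0) -> list:
    """Return the ways `line` deviates from the learned profile (empty list = normal)."""
    method, path, query = _split(line)
    prof = profiles.get((method, path))
    if prof is None:
        return [f"unknown endpoint {method} {path}"]
    reasons, seen = [], set()
    for name, value in query:
        seen.add(name)
        p = prof["params"].get(name)
        if p is None:
            reasons.append(f"unexpected parameter {name!r}")
            continue
        if len(value) > slack * p["max_len"]:
            reasons.append(f"{name}: length {len(value)} exceeds {slack}x baseline max {p['max_len']}")
        new = char_classes(value) - p["classes"]
        if new:
            reasons.append(f"{name}: unseen character classes {sorted(new)}")
    for name, p in prof["params"].items():
        if p["count"] == prof["requests"] and name not in seen:   # always present in baseline
            reasons.append(f"missing parameter {name!r}")
    return reasons


if __name__ == "__main__":
    profiles = learn(BASELINE)
    for req in [
        "GET /grades?student=0912345&course=2IMS10",
        "GET /grades?student=0912345'%20OR%20'1'%3D'1&course=2IC80",
        "GET /grades?student=0912345&course=2IC80&debug=1",
        "POST /admin/export",
    ]:
        print(req, "->", score(profiles, req) or "normal")
```

The injected quote and spaces in the second request fall outside the alphabet ever seen for the numeric student parameter, so the request is flagged without any attack signature. Two caveats a practitioner would want: the baseline must itself be clean, otherwise an attack present during learning is profiled as normal, and every legitimate change to the application (a new endpoint, an extra parameter) shows up as an anomaly until the profile is re-learned, which is exactly where the feedback from ICT services comes in.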

Equipment used:
- Sensor (e.g. a VM with Silent Defense) for passive monitoring of plaintext network traffic as close as possible to the web service. (Access to plaintext is essential for intrusion detection based on deep packet inspection; for an HTTPS service this means tapping behind the TLS termination point.)
- ICT administrator/developer support for placing host-based sensors (e.g. likely half a day for configuring BitSensor on the server).
- Occasional access to experts from ICT services for feedback on the suspicious activity found.


Jerry den Hartog, Master thesis projects / revised May 2016 / Security group / Mathematics and Computer Science Faculty / Technische Universiteit Eindhoven