Laboratory of Information Systems Security

The Laboratory of Information Systems Security was founded in 2011 at Computational Mathematics and Cybernetics Faculty of Lomonosov Moscow State University (CMC MSU) on the basis of Information Systems in Education and Research Laboratory. Primary activities of the Laboratory are: 1) research and development in the area of cybersecurity and information systems security and 2) education.

Staff members:

• Petukhov Andrey, Researcher
• Kachalin Aleksey, Engineer
• Sapozhnikov Andrey, Engineer
• Noseevich Georgy, Engineer
• Levshina Maria, Engineer
• Nagradov Evgeny, Programmer
• Razdobarov Alexander, Programmer
• Kovriga Dmitry, Engineer

By 2015 there are 6 Ph.D. students and about 20 undergraduate students in ISS lab.

Educational activity

Special courses:

• Introduction to information security by Dr. Gamayunov, 24 lecture hours, Fall semester.
• Practical aspects of network security, by Dr. Gamayunov and Dr. Petukhov, 24 lecture hours, Spring semester.
• Modern crypto protocols, by Dr. Gamayunov, 16 lecture hours, Spring semester.

Student CTF Team

In 2010 ISS Lab members organized student CTF team named BUSHWHACKERS, which actively participates in infosecurity contests and capture-the-flag competitions, both international and Russian. Bushwhackers team provides security teaching and training for CMC MSU students within all-year long security seminar (http://secsem.ru/). This activity allows effectively give hads-on security experience to the students. By 2015 Bushwhackers team successfully participated in several well-known international security contests, for example:

• 1st place at RuCTFe 2014, qualified for DEF CON 23 CTF (summer 2015, USA)
• 1st place at iCTF 2013
• 2nd place at Deutsche Post Security Cup 2010

Main scientific directions

Main R&D directions of the Laboratory are:

• Network security
• Web application security
• Intrusion detection and prevention
• Mobile security

The Laboratory research is focused on a number of topics briefly described below.

1. Intrusion Detection and Prevention

We have developed our own Intrusion Detection System (IDS) “RedSecure”. In this system, a computer network is presented as a set of network objects with observable states. The distributed monitoring system (network and host sensors) provides information about current observable state of the network. A trace of the network (sequence of state changes) is analyzed against both 1) specified anomaly behavior and 2) specified normal behavior. The means of monitoring and behavior analysis developed for the IDS could be used to detect anomalies in behavior of user and applications in Distributed Computer System. The system is built upon special purpose analysis framework, which elaborates the domain-specific language AURA (AUtomata for Recognition and Analysis). The AURA language is based on alternating finite automata (AFA) and was designed to develop concurrent event-driven analyzers [GKS09]. Language runtime provides concurrency and SMP support for several modern architectures with AURA programs precompiled into LLVM bytecode.

Besides the general behavior-based approach to detecting intrusions we focus our research on shellcode detection in network traffic. For example, we proposed a combined static analysis with data mining method for detecting polymorphic NOP-sleds, and hybrid shellcode detection method for high-speed network channels. Currenly we are working on a multi-stage method for detecting a wide range of Intel 32-bit, 64-bit and ARM shellcodes, combining static analysis, emulation, and data mining.

Another intrusion detection research direction is adaptive security visualization, and also visualization of complex attacks and state of the controlled network under the influence of such attacks. The key issue addressed in this research direction is how to visualize modern distributed and multi-step attacks which may be simultaneously detected by the IDS sensors across the network.

2. Application behavior control

One of the active research directions is runtime monitoring of applications behavior at the host level. Using the automata-based formal model, we proposed a method for run-time control of applications behavior using control points within controlled application, security automaton (AFA), and dynamic SELinux policy switching, depending on real observed behavior of the given application. Security automata and SELinux policies are built automatically using set of application execution traces (dynamic analysis) and static analysis of application control flow graph. Current experimental implementation of this runtime monitoring method requires recent Linux kernel (2.6.32+) and application source code in C.

3. Network Traffic Analysis

For the means of analyzing network traffic, a research towards high-volume network traffic is conducted in our lab. A network sensor is embedded in OS kernel to achieve high-performance real-time operation. The core of the network sensor is the AURA language mentioned above and its concurrent runtime implementation. The major research directions here is automatic concurrency scaling for modern multi-core processors, and other real-time related tasks. Currently research goes towards parallel network analysis engine and identification of monitoring routines that could be implemented in FPGA to achieve even higher performance.

4. Malware and botnet detection

One of the greatest modern threats on the Internet are botnets. There is a number of ongoing research projects towards detection of botnets on different stages of their lifecycle: distribution of malware, communication and control, and implementing distributed attacks. There are prospective approaches proposed in 2008-2012 for this task. However, virtually all research in that direction lacks assessment of performance, real-time capability and scalability of the proposed techniques, as well as large-scale real-world experimental datasets.

5. Web application security

By 2015 several static analysis tools were developed in the ISS Lab. The aim of these tools is to find security vulnerabilities in web applications using black box testing, and static analysis. The first tool is a static analyzer for web applications written in the Python language which is able to find a rich set of security vulnerabilities using data-flow analysis.

The second project is a security analysis workbench based on static analysis augmented with OWASP learning. The workbench allows a security analyst to teach the static analysis tool about the web application. Static analysis tool (extension to FindBugs) uses this information to help the analyst verify that the application has the appropriate security mechanisms and that they are used properly in all the right patterns.

The third in-progress tool is AcCoRuTe access control rule tester, aimed at black-box automated detection of access control flaws in web applications. This tool is available as open-source at https://code.google.com/p/accorute/.

Main research achievements

• Formal grammar based application behavior analysis method for intrusion detection.
• Algorithms for vulnerability detection in Web applications using black-box testing techniques, as well as static web application code analysis.
• High performance event driven formal grammar based traffic analysis platform for multi-core SMP systems. This platform was used in several research projects for traffic analysis and filtering, and is currently the core of REDSecure IDS (http://www.redsecure.ru/).
• Formal grammar based fine-grained application privilege control method for Linux operating system as an extension of SELinux kernel subsystem.
• Algorithms for malicious code (shellcode) detection in network traffic, capable of early detection of binary malware propagation in global networks.

Main publications

1. Yelizarov, A., and Gamayunov, D. Adaptive visualization interface that manages user’s cognitive load based on interaction characteristics. In Proceedings of the 7th International Symposium on Visual Information Communication and Interaction (2014), VINCI ’14, ACM New York, NY, USA, pp. 1:1–1:8.
2. Gamayunov, D. Falsifiability of network security research: The good, the bad, and the ugly. In Proceedings of the 1st ACM SIGPLAN Workshop on Reproducible Research Methodologies and New Publication Models in Computer Engineering (2014), TRUST ’14, ACM New York, NY, USA, pp. 4:1–4:3.
3. Noseevich, G., Petukhov, A., and Gamayunov, D. You can be anything you want to be: Bypassing "certified" crypto in banking apps. HITB Magazine, 10 (2014), 9–15.
4. Noseevich, G., and Petukhov, A. Detecting insufficient access control in web applications. In SysSec Workshop (SysSec), 2011 First (2011), IEEE Computer Society Amsterdam, pp. 11–18.
5. D. Gamayunov, Towards malware-resistant networking environment // In Proc. 1st SysSec Workshop, DIMVA 2011, Amsterdam, 2011.
6. D. Gamayunov, Nguyen Thoi Minh Quan, F.Sakharov and Ed.Toroshchin, Racewalk: fast instruction frequency analysis and classification for shellcode detection in network flow // Proceedings of 5th European Conference on Computer Network Defense (EC2ND 2009), IEEE Computer Society, Italy, Milan, November 2009.
7. Petukhov, A., and Kozlov, D. Detecting security vulnerabilities in web applications using dynamic analysis with penetration testing. Proceedings of the Application Security Conference. 2008.
8. D.Y.Gamayunov and R.L.Smelyanskii, A model of the behavior of network objects in distributed computer systems // Program. Comput. Softw., vol. 33, no. 4 (Jul. 2007), pp. 195-203, 2007.
9. D.Yu.Gamayunov, Intrusion detection based on network object analysis // Ph.D. Thesis, Moscow State University, Moscow, 2007 (manuscript, In Russian).
10. D.Kazachkin and D.Y.Gamayunov, Network traffic analysis optimization at signature-based intrusion detection systems // Proceedings of the First Spring Young Researchers' Colloquium on Software Engineering (SYRCoSE'2008), St. Petersburg, St. Petersburg State University, vol. 1, pp. 27-32, 2008.
11. Yelizarov and D.Gamayunov, Visualization of Complex Attacks and State of Attacked Network // Proceedings of 6th International Workshop on Visualization for Cyber Security, IEEE VizWeek’09, USA, Atlantic City, New Jersey, pp. 1-9, 2009, October 11.