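%
% This file was created by the TYPO3 extension
% bib
% --- Timezone: UTC
% Creation date: 2024-12-06
% Creation time: 01-42-05
% --- Number of references
% 4
%
% Four peer-reviewed security publications: ransomware detection under I/O
% overhead, host-based intrusion detection dataset generation, network attacks
% on marine radar systems, and industrial intrusion detection.
%
% Conventions used below: one field per line, lowercase entry types and field
% names, month as the standard three-letter macro, "--" for every page and
% date range, and braces around title words whose capitalisation a style must
% not change. The fields event_place, event_name, event_date, state, reviewed,
% tags and day come from the exporting database; standard styles ignore them.

@inproceedings{2025_vansloun_ransomwareio,
  author      = {van Sloun, Christian and Woeste, Vincent and Wolsing, Konrad and Pennekamp, Jan and Wehrle, Klaus},
  title       = {Detecting Ransomware Despite {I/O} Overhead: A Practical Multi-Staged Approach},
  booktitle   = {Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS '25), February 24--28, 2025, San Diego, CA, USA},
  publisher   = {Internet Society},
  year        = {2025},
  month       = feb,
  isbn        = {979-8-9894372-8-3},
  doi         = {10.14722/ndss.2025.240764},
  abstract    = {Ransomware attacks have become one of the most widely feared cyber attacks for businesses and home users. Since attacks are evolving and use advanced phishing campaigns and zero-day exploits, everyone is at risk, ranging from novice users to experts. As a result, much research has focused on preventing and detecting ransomware attacks, with real-time monitoring of I/O activity being the most prominent approach for detection. These approaches have in common that they inject code into the execution of the operating system's I/O stack, a more and more optimized system. However, they seemingly do not consider the impact the integration of such mechanisms would have on system performance or only consider slow storage mediums, such as rotational hard disk drives. This paper analyzes the impact of monitoring different features of relevant I/O operations for Windows and Linux. We find that even simple features, such as the entropy of a buffer, can increase execution time by 350\% and reduce SSD performance by up to 75\%. To combat this degradation, we propose adjusting the number of monitored features based on a process's behavior in real-time. To this end, we design and implement a multi-staged IDS that can adjust overhead by moving a process between stages that monitor different numbers of features. By moving seemingly benign processes to stages with fewer features and less overhead while moving suspicious processes to stages with more features to confirm the suspicion, the average time a system requires to perform I/O operations can be reduced drastically.
We evaluate the effectiveness of our design by combining actual I/O behavior from a public dataset with the measurements we gathered for each I/O operation and found that a multi-staged design can reduce the overhead to I/O operations by an order of magnitude while maintaining similar detection accuracy of traditional single-staged approaches. As a result, real-time behavior monitoring for ransomware detection becomes feasible despite its inherent overhead impacts.},
  event_place = {San Diego, CA, USA},
  event_name  = {Network and Distributed System Security Symposium},
  event_date  = {February 24--28, 2025},
  state       = {accepted},
  reviewed    = {1},
}

% The exported ISBN carried a trailing "/23/11" (a year/month suffix from the
% publisher's copyright line); only the ISBN itself is kept.
@inproceedings{2023_sloun_accessibility,
  author      = {van Sloun, Christian and Wehrle, Klaus},
  title       = {Poster: {Vulcan} -- Repurposing Accessibility Features for Behavior-based Intrusion Detection Dataset Generation},
  booktitle   = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS '23), November 26--30, 2023, Copenhagen, Denmark},
  publisher   = {ACM},
  year        = {2023},
  month       = nov,
  day         = {27},
  pages       = {3543--3545},
  isbn        = {979-8-4007-0050-7},
  doi         = {10.1145/3576915.3624404},
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2023/2023-sloun-vulcan-accessibility.pdf},
  keywords    = {Intrusion Detection, Dataset Generation, Accessibility Features},
  abstract    = {The generation of datasets is one of the most promising approaches to collecting the necessary behavior data to train machine learning models for host-based intrusion detection. While various dataset generation methods have been proposed, they are often limited and either only generate network traffic or are restricted to a narrow subset of applications. We present Vulcan, a preliminary framework that uses accessibility features to generate datasets by simulating user interactions for an extendable set of applications. It uses behavior profiles that define realistic user behavior and facilitate dataset updates upon changes in software versions, thus reducing the effort required to keep a dataset relevant.
Preliminary results show that using accessibility features presents a promising approach to improving the quality of datasets in the HIDS domain.},
  event_place = {Copenhagen, Denmark},
  event_date  = {November 26--30, 2023},
  reviewed    = {1},
}

% Exported as a proceedings entry, but the author list and the per-paper DOI
% describe a single conference paper, so it is typed as a paper in proceedings.
% NOTE(review): the export has no booktitle; the one below is assembled from
% event_name, event_date and event_place in the pattern of the other entries.
% Confirm the wording against the publisher record.
@inproceedings{2022-wolsing-radarsec,
  author      = {Wolsing, Konrad and Saillard, Antoine and Bauer, Jan and Wagner, Eric and van Sloun, Christian and Fink, Ina Berenice and Schmidt, Mari and Wehrle, Klaus and Henze, Martin},
  title       = {Network Attacks Against Marine Radar Systems: A Taxonomy, Simulation Environment, and Dataset},
  booktitle   = {Proceedings of the 47th IEEE Conference on Local Computer Networks (LCN '22), September 26--29, 2022, Edmonton, Canada},
  publisher   = {IEEE},
  year        = {2022},
  month       = sep,
  doi         = {10.1109/LCN53696.2022.9843801},
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-radar.pdf},
  event_place = {Edmonton, Canada},
  event_name  = {47th IEEE Conference on Local Computer Networks (LCN)},
  event_date  = {September 26--29, 2022},
  tags        = {rfc},
  reviewed    = {1},
}

% The export stored 978-3-031-17143-7 in the volume field. That value is the
% ISBN of the proceedings book (it is also the prefix of the DOI suffix), so
% it is recorded as isbn. The series volume number is not in the export and
% is left out rather than guessed.
@inproceedings{2022-wolsing-simple,
  author      = {Wolsing, Konrad and Thiemt, Lea and van Sloun, Christian and Wagner, Eric and Wehrle, Klaus and Henze, Martin},
  title       = {Can Industrial Intrusion Detection Be {SIMPLE}?},
  editor      = {Atluri, Vijayalakshmi and Di Pietro, Roberto and Jensen, Christian D. and Meng, Weizhi},
  booktitle   = {Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS '22), September 26--30, 2022, Copenhagen, Denmark},
  publisher   = {Springer Nature Switzerland},
  year        = {2022},
  month       = sep,
  pages       = {574--594},
  isbn        = {978-3-031-17143-7},
  doi         = {10.1007/978-3-031-17143-7_28},
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2022/2022-wolsing-simple.pdf},
  abstract    = {Cyberattacks against industrial control systems pose a serious risk to the safety of humans and the environment. Industrial intrusion detection systems oppose this threat by continuously monitoring industrial processes and alerting any deviations from learned normal behavior.
To this end, various streams of research rely on advanced and complex approaches, i.e., artificial neural networks, thus achieving allegedly high detection rates. However, as we show in an analysis of 70 approaches from related work, their inherent complexity comes with undesired properties. For example, they exhibit incomprehensible alarms and models only specialized personnel can understand, thus limiting their broad applicability in a heterogeneous industrial domain. Consequentially, we ask whether industrial intrusion detection indeed has to be complex or can be SIMPLE instead, i.e., Sufficient to detect most attacks, Independent of hyperparameters to dial-in, Meaningful in model and alerts, Portable to other industrial domains, Local to a part of the physical process, and computationally Efficient. To answer this question, we propose our design of four SIMPLE industrial intrusion detection systems, such as simple tests for the minima and maxima of process values or the rate at which process values change. Our evaluation of these SIMPLE approaches on four state-of-the-art industrial security datasets reveals that SIMPLE approaches can perform on par with existing complex approaches from related work while simultaneously being comprehensible and easily portable to other scenarios. Thus, it is indeed justified to raise the question of whether industrial intrusion detection needs to be inherently complex.},
  event_place = {Copenhagen, Denmark},
  event_name  = {27th European Symposium on Research in Computer Security (ESORICS)},
  event_date  = {September 26--30, 2022},
  reviewed    = {1},
}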