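%
% This file was created by the TYPO3 extension
% bib
% --- Timezone: UTC
% Creation date: 2025-02-17
% Creation time: 21-17-50
% --- Number of references
% 8
%
% Notes for consumers of this export:
% - event_place, event_name, event_date, state, reviewed, tags and day are
%   not part of the classic BibTeX field set; standard styles ignore fields
%   they do not know. They are presumably bookkeeping fields of the
%   exporting extension.
% - Months are given as the predefined three-letter macros (unquoted).
% - Dashes and apostrophes in text fields are written as LaTeX input
%   (--, ---, ') so the file stays ASCII-only for classic BibTeX.
% - Acronyms and coined names in titles are brace-protected so that
%   sentence-casing styles do not lowercase them.
%

@inproceedings{2025-wolsing-geco,
  author      = {Wolsing, Konrad and Wagner, Eric and Lux, Luisa and Wehrle, Klaus and Henze, Martin},
  title       = {{GeCos} Replacing Experts: Generalizable and Comprehensible Industrial Intrusion Detection},
  booktitle   = {Proceedings of the 34th USENIX Security Symposium (USENIX Sec)},
  year        = {2025},
  month       = aug,
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-wolsing-geco.pdf},
  event_place = {Seattle, WA, USA},
  event_name  = {34th USENIX Security Symposium},
  event_date  = {August 13-15, 2025},
  state       = {accepted},
  reviewed    = {1},
}

@inproceedings{2025-wagner-caiba,
  author      = {Wagner, Eric and Basels, Frederik and Bauer, Jan and Zimmermann, Till and Wehrle, Klaus and Henze, Martin},
  title       = {{CAIBA}: Multicast Source Authentication for {CAN} Through Reactive Bit Flipping},
  booktitle   = {Proceedings of the 2025 IEEE 10th European Symposium on Security and Privacy (EuroS\&P)},
  year        = {2025},
  month       = jun,
  event_place = {Venice, Italy},
  event_name  = {10th European Symposium on Security and Privacy},
  event_date  = {June 30 - July 4, 2025},
  state       = {accepted},
  reviewed    = {1},
}

@inproceedings{2025-kunze-crq,
  author      = {Kunze, Ike and Sander, Constantin and Kosek, Mike and Tissen, Lars and Pennekamp, Jan and Wehrle, Klaus},
  title       = {Congestion-Responsive Queuing for {Internet} Flows},
  booktitle   = {Proceedings of the 2025 IEEE/IFIP Network Operations and Management Symposium (NOMS '25), May 12-16, 2025, Honolulu, HI, USA},
  publisher   = {IEEE},
  year        = {2025},
  month       = may,
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-kunze-crq.pdf},
  event_place = {Honolulu, HI, USA},
  event_name  = {2025 IEEE/IFIP Network Operations and Management Symposium},
  event_date  = {May 12-16, 2025},
  state       = {accepted},
  reviewed    = {1},
  abstract    = {Internet congestion management is once again undergoing radical change: QUIC has ignited a cambrian explosion in congestion control (CC) implementations while the many versions of BBR alone have increased the diversity in algorithms used with TCP, both making the congestion landscape more complex. At the same time, the interplay of CC and AQM is also evolving but congestion unresponsiveness remains a threat. In particular, L4S crucially requires a fine-grained CC and AQM interaction to provide its benefits and suffers from unresponsive traffic.
                 Overall, we need more responsive traffic on the Internet as well as mechanisms that can cope with unresponsiveness. We present Congestion-Responsive Queuing (CRQ), our L4S-inspired system which is designed to promote responsive CC, manage unresponsive traffic, and handle QUIC and TCP flows alike. Similar to L4S, CRQ uses two queues for flow isolation. Yet, in contrast to L4S, we isolate flows based on their actual congestion responsiveness, moving responsive flows to one queue and leaving the remaining flows in the other. Our evaluation with an eBPF prototype highlights the efficacy of our design and shows that CRQ can provide effective incentives for responsive CC.},
}

@inproceedings{2025-fink-mptcp,
  author      = {Fink, Ina Berenice and Ferlemann, Lennart and Dahlmanns, Markus and Thimm, Christian and Wehrle, Klaus},
  title       = {Emulating and Evaluating Transport Layer Protocols for Resilient Communication in Smart Grids},
  booktitle   = {Proceedings of the 2025 IEEE/IFIP Network Operations and Management Symposium (NOMS '25), May 12-16, 2025, Honolulu, HI, USA},
  publisher   = {IEEE},
  year        = {2025},
  month       = may,
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-fink-mptcp.pdf},
  event_place = {Honolulu, HI, USA},
  event_name  = {2025 IEEE/IFIP Network Operations and Management Symposium},
  event_date  = {May 12-16, 2025},
  state       = {accepted},
  reviewed    = {1},
}

@inproceedings{2025-fink-hybridmon,
  author      = {Fink, Ina Berenice and Kunze, Ike and Hein, Pascal and Pennekamp, Jan and Standaert, Benjamin and Wehrle, Klaus and R{\"u}th, Jan},
  title       = {Advancing Network Monitoring with Packet-Level Records and Selective Flow Aggregation},
  booktitle   = {Proceedings of the 2025 IEEE/IFIP Network Operations and Management Symposium (NOMS '25), May 12-16, 2025, Honolulu, HI, USA},
  publisher   = {IEEE},
  year        = {2025},
  month       = may,
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-fink-hybridmon.pdf},
  keywords    = {Security Services; Control and Data Plane Programmability; Monitoring and Measurements},
  event_place = {Honolulu, HI, USA},
  event_name  = {2025 IEEE/IFIP Network Operations and Management Symposium},
  event_date  = {May 12-16, 2025},
  state       = {accepted},
  reviewed    = {1},
  abstract    = {Due to its superior efficiency, network operators frequently prefer flow monitoring over full packet captures. However, packet-level information is crucial for the timely and reliable detection, investigation, and mitigation of security incidents. Currently, no solution effectively balances these two contradicting approaches, forcing network operators to compromise between efficiency and accuracy. In this paper, we thus propose HybridMon, a hybrid solution that combines condensed packet-level monitoring with selective flow-based aggregation to strike a new balance between efficiency and accuracy. Operating on the data plane of P4-programmable switches, HybridMon enables fine-grained, practical, and flexible network monitoring at Tbps speeds. We validate the effectiveness of HybridMon through extensive evaluations using Internet backbone and university campus traffic traces, demonstrating its reliability and performance in network forensics and intrusion detection contexts.
                 Our results show that HybridMon reliably monitors all flows while reducing the output bandwidth to 12 \% to 20 \% compared to packet monitoring when exporting standard features.},
}

@inproceedings{2025_pennekamp_mapxchange,
  author      = {Pennekamp, Jan and Leisten, Joseph and Weiler, Paul and Dahlmanns, Markus and Fey, Marcel and Brecher, Christian and Geisler, Sandra and Wehrle, Klaus},
  title       = {{MapXchange}: Designing a Confidentiality-Preserving Platform for Exchanging Technology Parameter Maps},
  booktitle   = {Proceedings of the 40th ACM/SIGAPP Symposium on Applied Computing (SAC '25), March 31-April 4, 2025, Catania, Italy},
  publisher   = {ACM},
  year        = {2025},
  month       = apr,
  isbn        = {979-8-4007-0629-5/25/03},
  doi         = {10.1145/3672608.3707734},
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-pennekamp-mapxchange.pdf},
  keywords    = {secure industrial collaboration; homomorphic encryption; data sharing; exchange platform; process planning; Internet of Production},
  tags        = {internet-of-production},
  event_place = {Catania, Italy},
  event_name  = {ACM/SIGAPP Symposium on Applied Computing},
  event_date  = {March 31-April 4, 2025},
  state       = {accepted},
  reviewed    = {1},
  abstract    = {Technology parameter maps summarize experiences with specific parameters in production processes, e.g., milling, and significantly help in designing new or improving existing production processes. Businesses could greatly benefit from globally exchanging such existing knowledge across organizations to optimize their processes. Unfortunately, confidentiality concerns and the lack of appropriate designs in existing data space frameworks---both in academia and industry---greatly impair respective actions in practice. To address this research gap, we propose MapXchange, our homomorphic encryption-based approach to combine technology parameters from different organizations into technology parameter maps while accounting for the confidentiality needs of involved businesses. Central to our design is that it allows for local modifications (updates) of these maps directly at the exchange platform.
                 Moreover, data consumers can query them, without involving data providers, to eventually improve their setups. By evaluating a real-world use case in the domain of milling, we further underline MapXchange's performance, security, and utility for businesses.},
}

@inproceedings{2025_berninger_ratings,
  author      = {Berninger, Stefanie and Kim, Soo-Yon and Piel, Joana and Perau, Martin and Geisler, Sandra and Piller, Frank and Wehrle, Klaus and Pennekamp, Jan},
  title       = {Privacy-Aware Supply Chain Ratings: Interdisciplinary Research On Collaborative Supply Chain Management},
  booktitle   = {Proceedings of the 7th Conference on Production Systems and Logistics (CPSL '25), March 18-21, 2025, Lima, Peru},
  publisher   = {publish-Ing.},
  year        = {2025},
  month       = mar,
  issn        = {2701-6277},
  keywords    = {supply chain management; privacy awareness; data sharing; collaboration; Internet of Production},
  tags        = {internet-of-production},
  event_place = {Lima, Peru},
  event_name  = {Conference on Production Systems and Logistics},
  event_date  = {March 18-21, 2025},
  state       = {accepted},
  reviewed    = {1},
  abstract    = {The establishment, expansion, and operation of reliable value-creation networks present an increasing challenge for manufacturing companies, given the growing volatility of the market environment in which they operate. For example, the development of new business areas, mass customization, or the disruption of supply chains frequently necessitates the establishment of partnerships with new suppliers, both short- and long-term. The utilization of supplier key performance indicators (KPIs) can facilitate the selection of new business partners, as they provide a quick and objective indication of their reliability.
                 Nevertheless, access to potentially sensitive KPIs, such as a supplier's on-time delivery performance, is currently mainly limited to existing supplier relationships and not made available to other companies. This paper presents a coordinated approach for supplier rating systems, thereby enabling the privacy-aware exchange of supplier KPIs across organizations and exemplifies it using an application in the ``Internet of Production''. Specifically, we conduct interdisciplinary research by formulating the requirements from a business perspective (supply chain design, trust in data sharing, and business models) and evaluating promising solutions from a technical perspective (information security, data quality, data sovereignty, and collaboration). This approach enables the combination of state-of-the-art technology with the evolving requirements of stakeholders, thus creating new paths for exploiting inter-organizational supply chain rating.},
}

@inproceedings{2025_vansloun_ransomwareio,
  author      = {van Sloun, Christian and Woeste, Vincent and Wolsing, Konrad and Pennekamp, Jan and Wehrle, Klaus},
  title       = {Detecting Ransomware Despite {I/O} Overhead: A Practical Multi-Staged Approach},
  booktitle   = {Proceedings of the 22nd Annual Network and Distributed System Security Symposium (NDSS '25), February 24--28, 2025, San Diego, CA, USA},
  publisher   = {Internet Society},
  year        = {2025},
  month       = feb,
  day         = {27},
  isbn        = {979-8-9894372-8-3},
  doi         = {10.14722/ndss.2025.240764},
  url         = {https://www.comsys.rwth-aachen.de/fileadmin/papers/2025/2025-sloun-multi-staged-ids.pdf},
  event_place = {San Diego, CA, USA},
  event_name  = {Network and Distributed System Security Symposium},
  event_date  = {February 24--28, 2025},
  state       = {accepted},
  reviewed    = {1},
  abstract    = {Ransomware attacks have become one of the most widely feared cyber attacks for businesses and home users.
                 Since attacks are evolving and use advanced phishing campaigns and zero-day exploits, everyone is at risk, ranging from novice users to experts. As a result, much research has focused on preventing and detecting ransomware attacks, with real-time monitoring of I/O activity being the most prominent approach for detection. These approaches have in common that they inject code into the execution of the operating system's I/O stack, a more and more optimized system. However, they seemingly do not consider the impact the integration of such mechanisms would have on system performance or only consider slow storage mediums, such as rotational hard disk drives. This paper analyzes the impact of monitoring different features of relevant I/O operations for Windows and Linux. We find that even simple features, such as the entropy of a buffer, can increase execution time by 350\% and reduce SSD performance by up to 75\%. To combat this degradation, we propose adjusting the number of monitored features based on a process's behavior in real-time. To this end, we design and implement a multi-staged IDS that can adjust overhead by moving a process between stages that monitor different numbers of features. By moving seemingly benign processes to stages with fewer features and less overhead while moving suspicious processes to stages with more features to confirm the suspicion, the average time a system requires to perform I/O operations can be reduced drastically. We evaluate the effectiveness of our design by combining actual I/O behavior from a public dataset with the measurements we gathered for each I/O operation and found that a multi-staged design can reduce the overhead to I/O operations by an order of magnitude while maintaining similar detection accuracy of traditional single-staged approaches.
                 As a result, real-time behavior monitoring for ransomware detection becomes feasible despite its inherent overhead impacts.},
}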