publications

* denotes equal contribution and joint lead authorship.


2023

  1. BigData
    Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents.
    Cristoffer Leite, Jerry den Hartog, Daniel Dos Santos, and Elisa Costante

    In 2023 IEEE International Conference on Big Data (IEEE-BigData) 2023.

    @inproceedings{Leite2023chains,
      title = {Automated Cyber Threat Intelligence Generation on Multi-Host Network Incidents},
      author = {Leite, Cristoffer and den Hartog, Jerry and Santos, Daniel Dos and Costante, Elisa},
      booktitle = {2023 {IEEE} {International} {Conference} on {Big} {Data} ({IEEE-BigData})},
      abbr = {BigData},
      year = {2023}
    }
    
    The lack of automation is one of the main issues hindering the broad usage of high-level Cyber Threat Intelligence (CTI). Creating and using such information by capturing Tactics, Techniques and Procedures (TTPs) is currently an arduous manual task for Cyber Security Incident Response Teams (CSIRTs). For CSIRTs, a Network Intrusion Detection System (NIDS) automates the detection of cyber threats and provides analysts with relevant information about alerts. This information could be used to generate CTI reports that help others better protect themselves from similar attacks. Due to the demanding work involved in manually creating high-level CTI reports for multi-host incidents, automating this process has become increasingly important. In this paper, a solution is presented to automate the creation of verifiable high-level cyber threat intelligence reports by mapping chains of alerts to TTPs. The solution enables visualisation of attack chains and tactics used, as well as manual analysis and validation of the reports created. The proposed approach is evaluated by comparing the generated reports with existing CTI and validating any additional TTPs found. The evaluation shows that not only was it able to match existing reports, but it was also able to improve the knowledge about these threats.
  2. SACMAT
    A Framework for Privacy-Preserving White-Box Anomaly Detection Using a Lattice-Based Access Control.
    Cristoffer Leite, Jerry den Hartog, and Paul Koster

    In Proceedings of the 28th ACM Symposium on Access Control Models and Technologies 2023.

    @inproceedings{Leite2023lattice,
      author = {Leite, Cristoffer and den Hartog, Jerry and Koster, Paul},
      title = {A Framework for Privacy-Preserving White-Box Anomaly Detection Using a Lattice-Based Access Control},
      abbr = {SACMAT},
      year = {2023},
      isbn = {9798400701733},
      publisher = {Association for Computing Machinery},
      address = {New York, NY, USA},
      url = {https://doi.org/10.1145/3589608.3593831},
      doi = {10.1145/3589608.3593831},
      booktitle = {Proceedings of the 28th ACM Symposium on Access Control Models and Technologies},
      pages = {7-18},
      numpages = {12},
      keywords = {anomaly detection, pets, access control, white-box, lattice, privacy},
      location = {Trento, Italy}
    }
    
    Privacy concerns are amongst the core issues that will constrain the adoption of distributed anomaly detection. Indeed, when outsourcing anomaly detection, i.e. with a party other than the data owner running the detection, confidential or private aspects of the observed data may need protection, and some privacy-enhancing function is usually employed. Because of the impact that this restriction has on the creation of explainable alerts, finding mechanisms to balance the trade-off between privacy and usefulness has become increasingly important. Motivated by this, in this paper a privacy-preserving white-box anomaly detection framework is presented to facilitate matching the compatibility between service requirements and the privacy restrictions of a user, by using an access control based on a lattice of privacy protection levels. Our framework allows entities to verify these trade-offs by specifying the required protection at the level of features. We evaluate the framework in a real-world scenario within the e-health setting. The results show that it can generate interpretable alerts while protecting the confidentiality of the data.

2022

  1. Actionable Cyber Threat Intelligence for Automated Incident Response.
    Cristoffer Leite, Jerry den Hartog, Daniel Dos Santos, and Elisa Costante

    In Secure IT Systems: 27th Nordic Conference, NordSec 2022, Proceedings 2022.

    @inproceedings{Leite2023actionable,
      title = {Actionable Cyber Threat Intelligence for Automated Incident Response},
      author = {Leite, Cristoffer and den Hartog, Jerry and Santos, Daniel Dos and Costante, Elisa},
      booktitle = {Secure IT Systems: 27th Nordic Conference, NordSec 2022, Proceedings},
      abbr = {NordSec},
      year = {2022},
      volume = {13700},
      pages = {368-385},
      doi = {10.1007/978-3-031-22295-5_20}
    }
    
    Applying Cyber Threat Intelligence for active cyber defence, while potentially very beneficial, is currently limited to predominantly manual use. In this paper, we propose an automated approach for using Cyber Threat Intelligence during incident response by gathering Tactics, Techniques and Procedures available on intelligence reports, mapping them to network incidents, and then using this map to create attack patterns for specific threats. We consider our method actionable because it provides the operator with contextualised Cyber Threat Intelligence related to observed network incidents in the form of a ranked list of potential related threats, all based on patterns matched with the incidents. We evaluate our approach with publicly available samples of different malware families. Our analysis of the results shows that our method can reliably match network incidents with intelligence reports and relate them to these threats. The approach allows increasing the automation of its use, thus addressing one of the major limiting factors of effective use of suitable Cyber Threat Intelligence.

2021

  1. Similarity-Based Clustering For IoT Device Classification.
    Guillaume Dupont, Cristoffer Leite, Daniel Dos Santos, Elisa Costante, Jerry Den Hartog, and Sandro Etalle

    In 2021 IEEE International Conference on Omni-layer Intelligent systems 2021.

    @inproceedings{Dupont2021similarity,
      title = {Similarity-Based Clustering For IoT Device Classification},
      author = {Dupont, Guillaume and Leite, Cristoffer and Santos, Daniel Dos and Costante, Elisa and Hartog, Jerry Den and Etalle, Sandro},
      booktitle = {2021 IEEE International Conference on Omni-layer Intelligent systems},
      abbr = {COINS},
      year = {2021}
    }
    
    Classifying devices connected to an enterprise network is a fundamental security control that is nevertheless challenging due to the limitations of fingerprint-based classification and black-box machine learning. In this paper, we address such limitations by proposing a similarity-based clustering method. We evaluate our solution and compare it to a state-of-the-art fingerprint-based classification engine using data from 20,000 devices. The results show that we can successfully classify around half of the unclassified devices with a high accuracy. We also validate our approach with domain experts to demonstrate its usability in producing new fingerprinting rules.

2020

  1. Uma Proposta para Avaliação da Virtualização de Funções de Rede em 5G (A Proposal for Evaluating Network Function Virtualisation in 5G).
    Cristoffer Leite, Priscila S. Barreto, Marcos F. Caetano, Eduardo Alchieri, and Rafael Almeida

    In XXV Workshop de Gerência e Operação de Redes e Serviços 2020.

    @inproceedings{Leite2020Proposta5G,
      title = {Uma Proposta para Avaliação da Virtualização de Funções de Rede em 5G},
      author = {Leite, Cristoffer and Barreto, Priscila S. and Caetano, Marcos F. and Alchieri, Eduardo and Almeida, Rafael},
      booktitle = {XXV Workshop de Gerência e Operação de Redes e Serviços},
      abbr = {WGRS},
      year = {2020},
      url = {https://sol.sbc.org.br/index.php/wgrs/article/view/12466},
      doi = {10.5753/wgrs.2020.12466}
    }
    
    In 5G, the virtualisation of network components is considered one of the main technologies making up the evolution of the architecture towards providing flexible, sliced and low-cost services. The abstraction of the underlying hardware and its advantages in terms of cost and portability strongly motivate the use of virtualised functions. However, developing such environments for complex, multi-layer architectures is still a challenging task, requiring continuous work on the definition of standards and test platforms for validation. In this work, an experimental virtualised mobile network infrastructure was designed, implemented and evaluated that defines two evaluation functions within the 5G architecture. The proposal differs from other studies by working with functions integrated into the 5G architecture that can evaluate the control traffic of the virtualised resources. The proposal was successfully validated in a standard 5G scenario, with results that allow the behaviour of the virtualised environment to be evaluated and that show the potential of integrating the proposal into the 5G architecture as a supporting element for optimising the virtualised infrastructure.
  2. A Framework for Performance Evaluation of Network Function Virtualization in 5G Networks.
    Cristoffer Leite, Priscila S. Barreto, Marcos F. Caetano, and Rafael Almeida

    In 2020 XLVI Latin American Computing Conference 2020.

    @inproceedings{Leite2020Framework5G,
      title = {A Framework for Performance Evaluation of Network Function Virtualization in 5G Networks},
      author = {Leite, Cristoffer and Barreto, Priscila S. and Caetano, Marcos F. and Almeida, Rafael},
      booktitle = {2020 XLVI Latin American Computing Conference},
      abbr = {CLEI},
      year = {2020}
    }
    
    The Fifth Generation of Mobile Communication (5G) integrates the use of telecommunication and computer systems. While virtualisation eases the deployment of new functionalities demanded by many industrial and social use cases, it also raises many research challenges regarding performance and resource optimisation. In the 5G architecture, while mobile networks are already trying to implement full virtualisation of hardware resources, the core itself lacks an integrated performance evaluation proposal. In this paper we propose a performance evaluation framework, based on an evaluation function and an assortment of distributed observation functions acting as monitors for compute nodes in a virtualised infrastructure. The framework, unlike previous proposals, is designed to be integrated into 5G as a native service. The framework was evaluated in an Ultra-Reliable and Low Latency Communications (URLLC) scenario, and the results show success in monitoring and analysing a Network Function Virtualisation (NFV) environment with a standard 5G NFV implementation.

2019

  1. Waste Flooding: A Phishing Retaliation Tool.
    Cristoffer Leite, João J. C. Gondim, Priscila S. Barreto, and Eduardo Alchieri

    In 2019 IEEE 18th International Symposium on Network Computing and Applications 2019.

    @inproceedings{Leite2019PhishingNCA,
      title = {Waste Flooding: A Phishing Retaliation Tool},
      author = {Leite, Cristoffer and Gondim, João J. C. and Barreto, Priscila S. and Alchieri, Eduardo},
      booktitle = {2019 IEEE 18th International Symposium on Network Computing and Applications},
      abbr = {NCA},
      year = {2019},
      url = {https://ieeexplore.ieee.org/document/8935018},
      code = {https://github.com/imperador/WasteFlooding},
      doi = {10.1109/NCA.2019.8935018}
    }
    
    Phishing is a well-known attack technique that is still a growing threat in the security area. The popularity of the Internet and its always-connected users have increased the possibilities for phishing by giving attackers new instruments and allowing closer contact with their targets. By applying social engineering methods, phishing thrives on misinformation, and because of this, the main current phishing response methods focus only on educating users or blocking phishing attempts, without any response to derail attacks that are already in place. These conditions may leave targeted users unprotected, as any leaked information cannot be tracked to determine which person suffered from phishing, and the compromised data cannot be saved or easily detected. In this paper, we present, analyse and evaluate a new response tool that aims to furtively retaliate against these attacks by automatically detecting phishing forms and using them to clutter phishing databases with useless information and conceal user data. The evaluation shows that the tool may be useful as a detection-resistant solution and gives a fair response to phishing attempts by flooding the phishing databases.
  2. Waste Flooding: Ferramenta de Retaliação de Phishing (Waste Flooding: A Phishing Retaliation Tool).
    Cristoffer Leite, João J. C. Gondim, Priscila S. Barreto, and Eduardo Alchieri

    In XIX Brazilian Symposium on Information and Computational Systems Security 2019.

    @inproceedings{Leite2019PhishingSBSEG,
      title = {Waste Flooding: Ferramenta de Retaliação de Phishing},
      author = {Leite, Cristoffer and Gondim, João J. C. and Barreto, Priscila S. and Alchieri, Eduardo},
      booktitle = {XIX Brazilian Symposium on Information and Computational Systems Security},
      abbr = {SBSeg},
      year = {2019},
      url = {https://www.researchgate.net/publication/337679980_Waste_Flooding_Ferramenta_para_Retaliacao_de_Phishing},
      code = {https://github.com/imperador/WasteFlooding},
      award = {Best Tool}
    }
    
    Phishing is a well-known type of attack, but one that is still a growing threat. The popularity of the Internet has amplified the possibilities for phishing, giving attackers a set of new instruments and allowing closer contact with their focus, which is the user. By applying social engineering methods, phishing thrives on misinformation. This is why the main current phishing response methods focus only on educating users or blocking phishing attempts, with no response to disrupt attacks that have already been deployed. These conditions can leave users unprotected, since any previously leaked information cannot be traced to determine who suffered phishing, leaving the compromised data with no possibility of being saved or easily detected. In this article, we present and discuss a new response tool that aims to retaliate furtively by automatically detecting phishing forms and using them to confuse phishing databases.
  3. Pentest on Internet of Things Devices.
    Cristoffer Leite, João J. C. Gondim, Priscila S. Barreto, Marcos F. Caetano, and Eduardo Alchieri

    In 2019 XLV Latin American Computing Conference 2019.

    @inproceedings{Leite2019Pentest,
      title = {Pentest on Internet of Things Devices},
      author = {Leite, Cristoffer and Gondim, João J. C. and Barreto, Priscila S. and Caetano, Marcos F. and Alchieri, Eduardo},
      booktitle = {2019 XLV Latin American Computing Conference},
      abbr = {CLEI},
      year = {2019},
      url = {https://ieeexplore.ieee.org/abstract/document/9073985},
      code = {https://github.com/imperador/ragnar},
      doi = {10.1109/CLEI47609.2019.235111}
    }
    
    The Internet of Things (IoT) is one of the key enabling technologies for an always-connected world and also a main enabler for generating information of interest in various application domains. A growing problem in recent years in this technology is security, as the power-constrained devices typical of IoT applications may not always implement security controls properly. These conditions can compromise entire environments and allow malicious agents to take control and perform malicious activities. In this article, we provide a summary of the principal vulnerabilities reported for IoT devices based on the OWASP Internet of Things Project, classified by test routine groups. Using models based on standard architectures to define and detail reproducible verification routines for each test, a selection of independent analyses of each identified category was performed to ensure more comprehensive and accurate testing. Finally, the proposed routines are performed in a test environment to exemplify and verify their operation, thus contributing to meeting the demand in the area for more accurate information and assisting in understanding the most common vulnerabilities.

other

A list of white papers, technical reports and other non peer-reviewed publications

Patent

Elisa Costante, Daniel Ricardo dos Santos, Cristoffer Leite - Pub Number US20230370479A1, Forescout Technologies Inc, 2023.

Report

Victor Sánchez, Iván Vidal, Francisco Valera, Marcelo Bagnulo, Marcos Caetano, Priscila Solis, Cristoffer Leite, Geraldo Filho, Eduardo Alchieri – 5G Range: D5.1 - Final report on Network-level mechanisms implementation, 5G-Range, 2020.

Patent

Cristoffer Leite, Eduardo Alchieri, Joao Gondim, Priscila Solis - Reg Number BR512019002937-2, INSTITUTO NACIONAL DA PROPRIEDADE INDUSTRIAL – INPI, 2019.