This work explores the feasibility of combining zero-knowledge proofs with SGX enclave protection technology, using the Hyperledger fabric, as the testing environment. The focus is on assessing the viability of this combination in real-world scenarios where post-quantum security is crucial. To this end, a new zero-knowledge proof, called Vesper, has been developed. This is a lattice-based zk-SNARK with a Regev commitment scheme. Vesper aims to provide a novel approach to developing lattice-based zero-knowledge proofs suitable for blockchain environments. Vesper features a proof size of 128 bytes, an average verification time of 0.14 ms, requires no trusted setup, while achieving at least 128-bit and 256-bit security. Only the proof geberation time increases when the LWE dimension increases. To analyze and explore the potential of combining Intel SGX with such a ZKP and Hyperledger Fabric, two projects have been developed: 1. Vesper Smart Contract: This project uses Vesper in combination with a lattice-based digital signing scheme that has been NIST-approved. The proof generation benefits from SGX enclave protection, while the verifier for Vesper is deployed in a permissioned blockchain as a smart contract. Middleware using Fabric Peer command line interface (CLI) tools facilitates commu- nication between the prover and verifier sides. 2. Vesper-FPC: This project explores the feasibility of protecting Hyperledger Fabric chaincode with an SGX enclave. It combines Vesper with a simplified lattice-based digital signing function to accommodate a restricted environment. Both the proof generation and the deployed verifier are SGX-protected. Communication is managed via custom peer CLI commands specifically de- signed to handle the interaction between the additional SGX protection layer and the blockchain infrastructure. The simplified digital signing scheme of Vesper-FPC has a fast average verification time of 1.46 ms and an even faster average signing time of 0.49 ms while achiving 128-bit security. This is quicker than the NIST-approved digital signing scheme of Vesper Smart Contract, which has average signing and verification times of approximately 76.52 ms and 13.25 ms, respectively. The simplified version features a private key size of 512 bytes, a signature size of 768 bytes, and a public key size of 48 KB. In contrast, the digital signing scheme of Vesper Smart Contract has a private key size of 2528 bytes, a signature size of 2420 bytes, and a public key size of 1312 bytes. The execution time of Vesper Smart Contract without SGX is on average approximately 2086.83 ms for a 128-bit security level. Adding SGX protection on the prover side increased the average execution time to 26339 ms. Vesper-FPC, with SGX protection for both the prover and the deployed verifier, has an average execution time of approximately 51229 ms.

The increasing number of malicious packages being deployed in open source package repositories like PyPI or npm prompted numerous works aiming to secure open source ecosys- tems. The increased availability and deployment of safeguards raises the question whether and how attackers evolved their tactics and techniques, and the possibility of improving the current detection methods.
In order to improve detection, an important step is to understand how attackers design malicious packages and if it has evolved over time as detection methods improved. We conducted a semi-automated analysis and labeling of approx. 4000 malicious packages in order (a) to identify and quantify the techniques used by malware authors, (b) to uncover malware campaigns through clustering the CodeBERT embeddings of malicious code, and (c) to contrast the results with previous studies.
To detect malicious packages, existing work all rely on a common classification pipeline: first a human-defined rule-based feature extraction mechanism then a trained classifier. We hypothesize that the feature extraction mechanism is a limiting factor to classifier perfor- mance, and an additional step that needs to be kept up to date. To address this problem, multiple models utilizing the freshly labeled dataset were trained and compared: 2 types of fine tuned CodeBERT models, 2 isolation forest models and 1 out of distribution model.
We learned that the number of attacks on legitimate packages dropped in comparison to name confusion attacks, e.g. typo-squatting or dependency confusion, which are conducted with increasing campaign sizes. At the same time, packages are taken down more swiftly, whereas the characteristics of the malicious code itself did not substantially change. There are shifts in regards to the use of obfuscation or the primary objective, but the malicious code stays generally very simple.
We found that CodeBERT fine tuned with a loss function utilizing the equivalent of scikit-learn’s 𝑐𝑙𝑎𝑠𝑠_𝑤𝑒𝑖𝑔h𝑡 =′ 𝑏𝑎𝑙𝑎𝑛𝑐𝑒𝑑′ equation (Bert-Balanced) performed best with a specificity of 98.2% and recall of 93.7%. In the real world scenario, we evaluated a total of 8734 unique packages in the updates feed and 2181 in the new packages feed, and found 4 unique malicious packages. Bert-Balanced was able to keep up with the volume of packages being uploaded to PyPI, with plenty of computational resources still available.

Cyber attacks have become increasingly more prominent and the associated cost to society is by several estimates reaching trillions of US dollars. A typical cyber attack goes
through the several consecutive phases of the cyber kill chain. As a precursor for any attack, the malicious actor performs network reconnaissance in order to identify potential
entry points through exploitable services connected to the internet. Therefore, early detection of reconnaissance by scanners can mitigate or entirely prevent future attacks. Modern
intrusion detection systems are capable of blocking some scan attempts. However, more sophisticated and resourceful attackers are suspected to distribute their efforts over a large number of sources. This allows them to lower the individual scanrate while achieving the same throughput. Slow scanners are harder to detect, because they differentiate little from baseline noise levels. Additionally, a threat is severely underestimated if a large number collaborating scanners is not treated as a single entity. Therefore, the aim of this thesis is to infer such a coordinated relationship between scanners controlled by a single initiator.

We analyse the data from a network telescope with an observation of one year, much longer than previous work. Initial analysis led to the discovery of similar long-term activity patterns present in distributed scanners. These patterns can be used to uniquely identify a group which formed the basis for the correlation algorithm. We were successfully able to detect a large number of clusters employing various strategies in terms of size, scanrate and targeted services. Due to the absence of ground truth additional effort has been spent to validate potential clusters through other characteristics. We also demonstrate the utility of transforming the raw telescope data for cluster analysis through a case study of very slow scanners.

In this research, we propose a new method for detecting slow, distributed port scanners by utilizing clustering techniques based on the behavioral characteristics of scan sources. Traditional methods often rely on identifying sources within the same subnet and using frequency-based algorithms; however, our method operates independently of source address correlations. We assign numeric features based on these characteristics to packet sources observed through our network telescope. These features are then processed using a clustering algorithm to identify distributed scans without depending on the origin of source addresses.

Our findings demonstrate the effectiveness of this method in accurately clustering and identifying slow scanners. We verified the results by comparing the detected scan clusters against the expected behavior derived from our simulations. This approach not only reveals complete distributed scans but also offers insight into different scanning strategies employed across the internet.

The implications of our research are significant for network security, enabling early detection and mitigation of potential cyber threats. Our methodology lays a foundation for further research and optimization, offering a valuable tool for both understanding and securing internet infrastructure against scanning techniques.

In the digital age, the proliferation of personal data within databases has made them prime targets for cyberattacks. As the volume of data increases, so does the frequency and sophistication of these attacks. This thesis investigates database security threats by deploying open source database honeypots to gather threat intelligence. We utilized five different honeypots at various interaction levels, deploying a total of 275 low-interaction, 50 medium-interaction, and 8 high-interaction honeypots over 20 to 23 days to collect a wide range of adversarial data. Through this deployment, we gathered 37, 618, 111 log entries from 8, 786 IPs.
Our analysis of these logs indicate that databases exposed to the internet are most likely to be dis-covered within an hour of deployment due to pervasive internet scanning. Additionally, we found that adversaries exhibit preferences for attacking certain database management systems, engage in irregular attack frequencies marked by short bursts, utilize diverse tools, and exploit both cloud service providers and infected machines. The findings also provide a high-level overview and analysis of observed attacks, including remote code execution, worms, botnets, data theft, and cryptojacking.

Web Vulnerability Assessment and Penetration Testing (Web VAPT) is an important cybersecurity practice that thoroughly examines web applications to uncover possible vulnerabilities. These vulnerabilities represent potential security gaps that could severely compromise the web applications' integrity and functionality if exploited by malicious entities.
One of the attacks employed in the Web VAPT process is the Directory Brute-Forcing Attack. This attack aims to identify hidden directories and files not adequately secured in a web application that contain sensitive information or critical functionalities. The attack methodology involves sending many requests of possible directories or files to the target web application, where brute-force generation of requests is performed using a wordlist. Due to its brute-force nature, this attack methodology often results in enormous quantities of requests sent for a small amount of successful discoveries.
With AI's quick progress and diffusion, the paradigm of Offensive AI emerges, where AI-based technologies are employed in traditional cyber attacks to make them more sophisticated and effective.
This research explores whether AI can enhance the standard directory enumeration process. We propose two novel attack methodologies for performing directory brute-forcing attacks that leverage probability and Language Models (LM).
Our experiments - conducted on a testbed consisting of around 1 million URLs from various domains of web applications (academic institutions, hospitals, government agencies, and business corporations) - demonstrate the superiority of our approaches over the standard brute-force attacks.
In particular, the LM-based attack results in an average discoveries increase of 969%, and the probabilistic attack is more efficient at sending successful requests in the early stages of attacks in more than 94% of cases.

Small embedded devices are becoming more prevalent in the world with each passing year to improve our quality of life. However, as more devices are created, an increasing number of older devices are declared obsolete despite still being used. This results in an increasing amount of devices being vulnerable to exploitation due to a lack of security updates. Identifying these vulnerabilities manually without any system knowledge is an arduous task, and current state-of-the-art technologies do not perform generalized analysis in RTOS-based firmware. In this work, we present PinDown, an analysis framework that enables the automated identification of application code in RTOS-based firmware without requiring partial system knowledge. By identifying functions that modify the heap, we can identify RTOS components that can be leveraged to locate memory regions that host application code.

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been in use for a long time on the web to block bots from accessing services. Many Different types of CAPTCHAs exist in various shapes and forms. As traditional CAPTCHAs became increasingly susceptible to attacks, mainly with the rise of artificial intelligence, there were efforts to enhance their complexity. As a side effect, this also increased the difficulty for legitimate users. Then attackers improved their methods, and the CAPTCHAs were broken once again, while the regular user keeps getting harder challenges. Over the years, this cycle has continued, leading to today’s CAPTCHAs, which are not only insecure but also difficult to solve for regular users, defeating the purpose of having a CAPTCHA in the first place. What makes AI attacks so successful in CAPTHCA systems is their ability to perform the given task with high accuracy. AI bots are now faster and more successful in solving CAPTCHAs than humans.

In this paper, we propose SHAPECAP (Shape Analysis and Precision Exploiting CAPTCHA), a novel interactive CAPTCHA system that aims for a user-friendly solution that is also secure against AI-backed attackers. The design of our solution involves a canvas on which shapes are moving randomly. The user can choose a specific shape at the start of the challenge and use the mouse pointer to follow it. There will be small variations of the chosen shape in order to confuse the user. If the user follows the correct shape, they will complete the challenge faster, while following the variation shapes will take longer. Based on the mouse movement data collected throughout the challenge, we can confirm whether the user is a human or a bot. Our aim is to find a pattern that shows humans are more likely to follow irregular shapes. We exploit the precision of machines and use it against them while capitalising on the natural tendency of humans to make errors.

Searchable symmetric encryption (SSE) is an encryption scheme that allows a single user to perform searches over an encrypted dataset. The advent of dynamic SSE has further enhanced this scheme by enabling updates to the encrypted dataset, such as insertions and deletions. In dynamic SSE, attackers have employed file injection attacks, initially proposed by Cash et al. (CCS 2015), to obtain sensitive information. These attacks have shown impressive performance with 100% accuracy and no prior knowledge requirement. However, they fail to recover queries with underlying keywords not present in the injected files. To address these limitations, our research introduces a novel attack strategy that incorporates the idea of inference attacks relying on uniqueness in leakage patterns. The goal is to achieve an amplified effect in query recovery. Additionally, we propose a keyword classification based on their access patterns, which helps identify the current limitation of query recovery in reference attacks. With our proposed attack, we demonstrate a minimum query recovery rate of 1.3 queries per injected keyword with a 10% data leakage of real-life datasets. Furthermore, our findings initiate further research to overcome challenges associated with non-distinctive keywords faced by inference attacks.

Privacy is a human right, yet, people’s behavior on the web is constantly tracked. Tor, an anonymity network, is an effective defence against tracking. However, Tor’s multiplexing of logically independent data streams into a single TCP connection causes issues. Tor with QUIC has been implemented as an alternative with better performance but it has not been studied whether and by how much QUIC increases the vulnerability to timing-based attacks.
The most threatening attacks are website fingerprinting attacks, which can track a Tor user by only controlling the guard node, first of the relays that forward traffic in Tor. In this work, Tor with QUIC is evaluated against website fingerprinting attacks with various levels of defences active. Without defences, Tor is vulnerable to website fingerprinting for both TCP and QUIC but the attacks are more effective on QUIC. On the positive side, defences against website fingerprinting remain effective for QUIC in that they decrease the effectiveness of the attack by a
similar fraction as for TCP.

Non-Euclidean spaces are spaces that do not satisfy all of Euclid’s postulates. An example of such a space is hyperbolic space. In this paper, a method is discussed to draw a tessellation of hyperbolic space in a manner that fits with the virtual reality game "Holonomy", a game which takes place in hyperbolic space. The main result shows that the new approach is better in terms of simplicity than the old approach and is able to draw the game world more faithfully than the old approach. The features of the new approach could still be significantly expanded upon.

Navigation is a core aspect of exploring virtual environments. To assist players, a mini-map is a commonly used navigational tool. Navigation in an unknown space can be difficult. This difficulty is only increased when a player finds themselves in a non-Euclidean space. This paper explores the effect the mini-map's positioning has on the player's navigational performance in Virtual Reality using hyperbolic space. For this two positions are used: the first mini-map is positioned on the Heads-Up Display and the second is positioned on the player's right hand. Two player groups are randomly created to take part in a player experiment. Players get to read an information sheet and complete a small tutorial before having to complete 3 levels. Players are measured on how much time and how many steps it takes them to complete each level, how much their time and steps improve over the levels, their total time, and their total amount of steps. Combined these results indicate that there is no clear effect on the player's performance navigating a hyperbolic space in Virtual Reality.

It is possible to use a different representation of space in a Virtual Reality (VR) game, instead of using the euclidean representation we are used to. The reason why that is interesting is that it opens up the possibility of traversing infinitely far in the virtual space while being confined to a relatively limited space in the real world. But for this to be a useful use case, people will need the ability to traverse this new space in an intuitive or at least competent way. One way to help people with navigation in such a space would be to show the person what the fastest path from point A to point B is. This paper researches the possible ways to calculate this path so it can be used to help people while they are traversing this different type of space. Concluding that a trade-off needs to be made between the speed and accuracy of the result depending on the situation, and that no algorithm exists which is the best in both speed and accuracy. Meaning that the context determines what algorithm should be used.

Virtual Reality allows for the ultimate immersion in environments not naturally encountered. Still, hyperbolic environments are extremely difficult to get used to. This paper explores whether immersion in virtual hyperbolic environments can be enhanced by introducing a procedurally generated world. We propose a Wave Function Collapse (WFC) algorithm that can divide the hyperbolic plane into distinct areas and populate the space with dynamically generated objects. This can assist players in recognising areas visited prior, which can create an intuitive feel for how hyperbolic space operates. Although 5-order square tiling is used in this paper, the proposed algorithm can be extended to other tiling approaches. Evidence suggests players in a populated hyperbolic environment need on average fewer steps to reach their objective compared to a control group with an empty environment, although the time taken for both groups is roughly the same. From this and a qualitative analysis we infer that players feel more immersed in the environment when it is procedurally generated instead of mostly empty.

Blockchain technology has revolutionized the way data is stored, managed, and shared across various industries. Its decentralized nature and immutability make it highly attractive in use cases that require transparency, integrity, and accountability. However, some applications demand confidentiality, necessitating the development of permissioned/consortium blockchains that try to strike a balance between transparency and privacy. Hyperledger Fabric is a permissioned blockchain that has gained popularity due to its modular architecture, performance, and scalability. Despite its strengths, the current set of privacy-enhancing features leaves room for improvement.

Therefore, this master thesis aims to explore the potential of introducing various privacy-enhancing technologies to Hyperledger Fabric, including Dynamic Searchable Symmetric Encryption (DSSE), Multi Authority Attribute-based Encryption (MA-ABE), and Trusted Execution Environments (TEE). Based on the promising results of our study, we decided to implement DSSE and MA-ABE. The combination of blockchain technology with TEE was ruled out after the thorough analysis of two research papers on the subject.

Our main result is the first implementation of a provable secure DSSE scheme in the context of consortium blockchains. Moreover, we developed a blockchain-enabled MA-ABE system that utilizes a novel and generic approach to foreign function invocation. Finally, the thesis discusses unexplored challenges in the field of logistics related to electronic consignment notes used in road transport. To address these issues, we designed a blockchain architecture that incorporates our developed privacy-enhanced technologies.

In recent years, more and more emphasis has been put on the importance of good preventative cyber security and vulnerability management techniques such as "Patch Tuesday".
Despite the increased importance, not all organisations have the same resources and knowledge when it comes to securing their networks against cyber adversaries.

This research tries to examine the vulnerability posture of Dutch municipal ICT networks.
To accomplish this a network ranges dataset was curated using open source intelligence techniques.
These networks, related to current and previous Dutch municipalities, have been used to collect network data scans and observe the changes in software products and versions.
Based on the data collected we can observe the software update moments for different organisations and analyse how often software products are kept up to date.
Using this network scan data and a subset of open-source products, we were able to construct a case study analysis about the general trends of vulnerability management and the influencing factors thereof.
This was done through timeline analysis, involving also software update releases, security advisories, and publicly disclosed vulnerability exploits.
Our findings show uncoordinated strategies within the different organisations and rare proactive security behaviour.

Another contribution of this study is in the sphere of reconnaissance and open source intelligence gathering, showing that publicly available information alone is a time-consuming procedure that renders very few useful data points.
These later findings have implications for both adversaries as well as security organisations, as reliable data could only be obtained through direct contact with the underlying municipality.

Research has shown that the Border Gateway Protocol (BGP) is vulnerable to a new attack that exploits the community attribute. These community attacks can influence BGP routing in unintended ways. Currently, there are no effective mitigations against these attacks which do not limit the normal usage of BGP communities or offer cryptographic authorization of community values. In this thesis, we are the first to design and evaluate a new Resource Public Key Infrastructure (RPKI) object that provides these properties, called a Route Community Authorization (RCA). Autonomous Systems (ASes) can sign and upload an RCA that includes which communities are authorized to be used and under which conditions to reduce the attack surface. The approach does not alter BGP itself and ASes that deploy the security solution can verify if route announcements with community values are allowed to use those communities. With the RPKI construction of our solution, cryptographic operations are offloaded from the router to a separate server. This is because most BGP routers deployed on the internet are not capable yet of performing cryptographic operations on every announcement.

We simulate attack scenarios and evaluate the developed solution to see if it is a viable option to be deployed on the internet. The results show that the developed solution can block the community attacks, on the condition that ASes have properly configured the RCA and at least the target, or an AS between the attacker and the target, deploys the solution. If ASes configure the RCAs too broad, then there is still room for an attacker to abuse the community values. We show that the performance of the solution using properly configured RCAs can keep up with the rate of announcements seen on the internet. Since experiments were performed in simulations, additional experiments are needed in the future on hardware routers and by ASes on the internet to see if the results are the same. The biggest issue for the developed solution is the initial adoption by ASes since security benefits are low in the beginning, but increase once more ASes participate.

Once deployed BGP routers can handle cryptographic operations on every announcement, we suggest using BGPsec and extending it to include the community attribute. Using a BGPsec approach will improve security and provide integrity of the community attribute, which RCA does not provide.

Interpreted applications are often vulnerable to remote code execution attacks. To protect interpreted applications, we should reduce the tools available to the attackers. In this thesis, we investigate the possibilities for the automation of policy generation for interpreted applications in terms of system call arguments. These policies are used for system call argument interposition. We compare two approaches working on the interpreter to find if any of these two can provide meaningful policies. The first is dynamic analysis, and the second is static analysis, which uses symbolic execution.

The symbolic execution was least effective as it provides policies only for a small portion of the system call arguments, less than ten per cent, and hinders normal execution of applications with these policies. The dynamic analysis solution fares better, providing a restriction for about forty per cent of the system call arguments. We conclude that automatic policy generation of system call arguments for interpreted applications is a meaningful endeavour.

Extrapolation of the learning curve provides an estimation of how much data is needed to achieve the desired performance. It can be beneficial when gathering data is complex, or computation resource is limited. One of the essential processes of learning curve extrapolation is curve fitting. This research first analyses the behaviour of existing curve fitting methods such as Newton, Levenberg-Marquardt and Evolutionary algorithms when fitting different function models on learning curves. Furthermore, it also illustrates a few techniques to improve the learning curve fitting and extrapolation procedure.