The rise of the Internet of Things (IoT) has introduced levels of convenience never seen before, but also presents a significant cybersecurity challenge. Especially the insecure nature of many of these IoT devices fuels the emergence of advanced IoT botnets. The Gorilla botnet is a potent example of such IoT botnets and took the internet by surprise in September 2024. That month alone, Gorilla has been responsible for over 300,000 Distributed Denial-of-Service (DDoS) attacks across 100 countries. Although inspired by earlier botnets like Mirai and Gafgyt, Gorilla exhibits unique characteristics and attack strategies that remain largely unexplored.

This thesis conducts a detailed analysis of the Gorilla botnet, focusing on its communication patterns, infection strategies, and attack behaviors. By executing Gorilla’s malware samples in a controlled environment, the study captures insights into its command-and-control (C2) communication and attack strategies. Key findings include the identification of a flaw in Gorilla’s implementation, which could aid future detection efforts, and the discovery of its preference for UDP-based attacks targeting gaming-related services.

Through this work, we contribute a dataset and analysis framework that sheds light on Gorilla’s operations, highlighting its similarities to and deviations from the original Mirai botnet. The findings provide insightful observations, enabling improvements in defenses against IoT botnet threats.

In this research, we propose a new method for detecting slow, distributed port scanners by utilizing clustering techniques based on the behavioral characteristics of scan sources. Traditional methods often rely on identifying sources within the same subnet and using frequency-based algorithms; however, our method operates independently of source address correlations. We assign numeric features based on these characteristics to packet sources observed through our network telescope. These features are then processed using a clustering algorithm to identify distributed scans without depending on the origin of source addresses.

Our findings demonstrate the effectiveness of this method in accurately clustering and identifying slow scanners. We verified the results by comparing the detected scan clusters against the expected behavior derived from our simulations. This approach not only reveals complete distributed scans but also offers insight into different scanning strategies employed across the internet.

The implications of our research are significant for network security, enabling early detection and mitigation of potential cyber threats. Our methodology lays a foundation for further research and optimization, offering a valuable tool for both understanding and securing internet infrastructure against scanning techniques.

The inception of onion routing in the mid-1990s, evolving into Tor (The Onion Routing) and other anonymous networks, marked a pivotal moment in the quest for internet privacy. However, the emergence of the dark web, facilitated by these networks, has also increased cybercrime activities, necessitating a critical examination of its implications and challenges. Besides, the intricate security architecture of this hidden realm creates a persistent challenge in identifying and mitigating cyber threats, fostering a landscape that demands innovative methodologies for robust cybersecurity. This thesis addresses the research gap in the existing literature, predominantly focused on TOR v2, by investigating protocols and services operating within TOR v3 onion services. Moreover, it fills the void in the literature by proposing an optimized port-scanning methodology for comprehensive analysis. Unlike previous studies, which have only considered a small dataset of onions and a limited number of ports in their TOR v2 onion services analysis, this work proposes an optimized strategy for scanning all ports, thus providing a more thorough understanding of the network's dynamics. Our research uncovers several critical insights into the landscape of onion services. We identified many onion services operating on non-standard ports, escaping typical web crawlers and the Tor browser, which only display HTTPS/HTTP pages. Through a comprehensive port scan of 300,000 onion services, we discovered 196 unique ports, highlighting a broad spectrum of service configurations. We categorized these services into six main types: web, Bitcoin, remote access, chat, email, file transfer, and miscellaneous, with web services being the most prevalent. Additionally, we observed that a significant number of onion services discovered in 2019 remain active, suggesting durability within the dark web. Interestingly, some services exhibited extensive port usage, with up to 35 open ports reflecting diverse functionalities or potential security vulnerabilities. These findings provide a deeper understanding of the dark web's structure and the persistence of its services. The key findings of this research sheds light on the intricacies of the dark web's inner workings. By addressing key research questions and providing clear definitions and mechanisms, this study empowers stakeholders, such as security researchers, law enforcement, and cybersecurity professionals, to navigate the digital landscape with vigilance and develop robust defence mechanisms against emerging threats.

The rapid advancement of artificial intelligence technologies has significantly increased the complexity of polymorphic and metamorphic malware, presenting new challenges to cybersecurity defenses. Our study introduces a novel bioinformatics-inspired approach, leveraging deep learning and phylogenetic analysis to understand the evolutionary dynamics of such malware. By analyzing a dataset of 103,883 malware samples, we transformed extracted features using pseudo-static, dynamic, and image analyses into embeddings with deep learning techniques, combining them into what we refer to as the "genome" of malware. These combined embeddings were used to construct phylogenetic trees employing the Unweighted Pair Group Method with Arithmetic Mean (UPGMA) and the Neighbor-Joining (NJ) method.We were the first to utilize OpenAI's state-of-the-art embeddings for converting pseudo-static and dynamic features into embeddings. In addition, we discovered that transfer learning with ResNet-50 is highly effective compared to traditional CNNs, producing better image embeddings that outperform others in terms of classification accuracy.

We also introduced new validation techniques for phylogenetic trees, making use of VirusTotal timestamps and embedding drift analysis. These methods confirmed that the NJ method was more accurate. Furthermore, we developed techniques to simplify the analysis of these extensive phylogenetic trees, enabling efficient derivation of relationships within and between malware families. The insights from our NJ-built phylogenetic trees closely align with public data and lay a foundation for generating evolutionary-informed signatures that enhance tailored detection strategies. Our method has significantly expedited the process of identifying connections among 538 malware families by dramatically reducing the timeframe from months or years to just weeks much faster than traditional reverse engineering approaches for tracing malware evolution.

Open source software (OSS) vulnerabilities form a real threat to the security of software that employs them.
Efforts to mitigate these risks exist in the form of dependency check tools, however these often suffer from imprecise warnings due to the utilization of only metadata.
This thesis investigates the use of CVEs in a more code-centric approach and the effect this has on the detection of vulnerability reachability in OSS dependencies.
This paper proposes an automated approach to enrich CVEs with preciser code-level information by leveraging references such as patches, repositories, and vulnerability databases.
This thesis then heads out to investigate the impact on accuracy of various (novel) approaches in terms of granularity (packages, classes, methods) and in terms of source for the patch information (link to a commit, PR of commits, or binary diff).
Our experimental results show that these code-centric approaches significantly improve vulnerability detection, achieving higher precision compared to traditional dependency checkers.
Additionally, we present the trade-offs between the different methods, highlighting their strengths and weaknesses.
Through this work, we show how utilizing code information into dependency analysis can substantially enhance the detection of vulnerable code paths, offering more accurate risk assessments in software ecosystems.

The border gateway protocol (BGP) is what holds the internet together by making data routing possible between various points on the internet. It is used to exchange routing information between and within networks on the internet with the use of special BGP routers. This routing information consists of a network path and its destination (IP prefix), and is stored in the routers' local routing tables.

Once a pair of BGP routers have been set up, they implicitly trust routes that are shared amongst them. This implicit trust system poses a problem called BGP hijacking: a malicious actor that takes over control of a BGP router, can simply start announcing IP prefixes they do not own. This can lead to different routing paths and thus redirected network traffic, possibly to the infrastructure of the attacker.

In 2017 there were a total of 13,935 routing incidents, consisting of both inadvertent misconfigurations and deliberate IP prefix hijacks. Over 10% (6,000) of all autonomous systems (AS) were affected and about 5% (3,106) of all AS's were a victim at least once. Despite numerous possibilities that do exist in terms of securing BGP, these numbers show that BGP hijacks are still prevalent. As such, there is a lot of room for improvement in terms of preventing hijacks and mitigating their impact.

The aim of this research project was to provide a proof-of-concept framework to aid in performing threat intelligence. A methodology was developed in which the hijacked IP prefixes from BGP hijacks are used as a foundation to gather information about what domains lie in the scope of the impact. Features were determined and extracted from the data, to say something about what domains are more likely to have been targeted. The methodology could also be used as a framework for a real-time detection and response system, by maintaining a live dataset of the different indicators.

Reports of BGP hijacks were analyzed to identify hijacked prefixes. These were referenced against DNS servers to determine what DNS traffic was redirected. The NS records of those servers were then used to identify what domain queries were redirected. Multiple indicators were devised to indicate if domains might have been redirected. This included SSL certificates, DNS records, IP prefix resolutions, as well as the hosting AS's.

We believe this framework serves as a tool to be used for threat intelligence. It uses the basic ideas of BGP hijack detection to look deeper into the impact of such incidents. Instead of only looking at the hijacked prefixes themselves, the DNS servers and domains that are within the scope of the hijack are also considered along with what indicators they might present. If a BGP hijack takes place, it often takes multiple hours to get resolved. Afterwards, the incident is analysed and it is determined what happened. One of the reasons for this long winded process is that only a relatively small part of the internet is usually affected, so it takes a while before things get noticed. This framework could also be used as a foundation for a detection and response system, such that domains that might be targeted and redirected during such a hijack can act in time.

One important limitation of this research is the incompleteness of the available data. This could be solved by using more data sources and tracking data over time. Another issue in a real-time detection and response system would be the sparse visibility of BGP sensors. Adding other sensor networks could increase the covered surface area of the internet. Each indicator of compromise could be refined further, to better indicate malicious activity.

There is increasingly more expensive maintenance that needs to be performed on the Dutch railway network. Good maintenance schedules reduce costs, minimise hindrance to passenger and freight travel, and follow restrictions imposed by available resources, legislation and other agreements. The railway maintainer has modelled this maintenance scheduling problem, among others, on an annual level. This problem definition is very precise with different conflicting non-linear constraints and cost parts. The demands of the solving method depend on the phase of the scheduling process. In early phases, low runtime is most important, whereas best solution quality outweighs this runtime when the maintenance work is more finalised. In 2019, a simple greedy algorithm found good solutions fast, and a hybrid greedy-evolutionary algorithm was developed that resulted in the best schedules. However, since then, the problem definition has been made more realistic and thus complex. Therefore, this hybrid greedy-evolutionary algorithm is no longer feasible, and creating a maintenance schedule takes significantly longer than before. Research is necessary to better understand the impact of the more realistic model, and to once more have a good trade-off between solving time and solution quality available for the schedulers. In this thesis, we aim to achieve this by improving different aspects of the problem and solving methods. Most experiments were done with the maintenance schedule of 2024, and results were verified on the years of 2023 and 2025. First, general problem analysis and implementation improvements reduced the runtime from around twenty-four hours to three hours with the greedy algorithm. Then, approximations were applied in the passenger hinder to further reduce the runtime by around half with a negligible negative impact on the solution quality. Due to these speed-ups, it was possible to use more elaborate solving methods. New experimental results showed that the greedy algorithm still finds solutions fast. The hybrid greedy-evolutionary algorithm found better quality schedules, but required more runtime. Furthermore, a novel solving method with look-aheads was proposed, which showed some potential for cost reductions, but was dominated by the hybrid algorithm. Every algorithm uses the greedy heuristic as a subroutine. Results showed the importance of finding the right order for greedily scheduling the requests. A proposed new order function improved the quality of the resulting maintenance schedules even further. To conclude, the increase in complexity of the problem definition in recent years has made solving more difficult. To still find good solutions in a similar time, a better performing greedy heuristic was necessary. By applying different runtime optimisations to the objective evaluation and improving the solution quality of the greedy heuristic, a good trade-off between runtime and solution quality, using different solving methods, was realised for creating annual maintenance schedules for the Dutch railway network.