RWTH open-sourced results

The IT-Security research group published EXPLAIN as part of its SAPPAN work. EXPLAIN is a classification system and library that uses random forests to perform multiclass classification of malware families that rely on domain generation algorithms (DGAs). The group also open-sourced its phishing certificate classification pipeline here.

Joint SOCCRATES-SAPPAN webinar: Detecting DGA related threats

28/09/2021 15.30-17.00 CEST

To sustain their criminal activity, operators of botnets often employ so-called Domain Generation Algorithms (DGAs) that rotate Command and Control (C2) domains at great pace. Blocking or seizing such dynamic and random-looking C2 domains is a major challenge for defenders and law enforcement. In this joint theme session, the EU research projects SAPPAN and SOCCRATES will explain the nature and magnitude of the DGA problem and present some of the novel techniques they are pursuing to combat DGAs more effectively. The session will include a demonstration of the “DGA Detective” solution developed by the SOCCRATES project and an overview of the academic and operational (real-life) impact that the projects have achieved to date.

Session program:
1. Welcome and introduction
2. Brief introduction to SAPPAN and SOCCRATES projects
3. Understanding Domain Generation Algorithms (DGAs)
4. DGA detection and classification with the DGA Detective
5. SAPPAN innovation in DGA detection
6. Impact achieved in combating DGAs
7. Q&A

To register, go here and select the theme session “Detecting DGA related threats”.
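The webinar description above and the EXPLAIN announcement both rest on the observation that algorithmically generated C2 domains look different from names people choose. The following is an added illustration written for this page, not code from SAPPAN, SOCCRATES, EXPLAIN or the DGA Detective: it extracts a few lexical features (length, character entropy, digit and vowel ratios, longest consonant run) from a domain's registered label and applies hand-picked thresholds. The sample domains and the thresholds are constructed for the illustration; the projects train classifiers on labelled data rather than fixing rules like these.

```python
import math
from collections import Counter

# Constructed sample domains for this illustration (not taken from the page):
# three ordinary names and three with the random-looking shape typical of DGA output.
SAMPLE_DOMAINS = [
    "example.com",
    "mail.google.com",
    "wikipedia.org",
    "xk4qz9vbn2tp7lw.net",
    "qwpzxjvkmbtrnfg.com",
    "a8f3k1d9s2h7g4j6.org",
]

VOWELS = set("aeiou")


def registered_label(domain):
    """Return the label directly left of the TLD.

    Simplifying assumption: a one-label public suffix. Production code should
    consult the Public Suffix List so that e.g. 'foo.co.uk' yields 'foo'.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_consonant_run(text):
    """Length of the longest run of consonants; pronounceable words keep it short."""
    best = run = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def lexical_features(domain):
    """Per-domain feature vector of the kind a random forest DGA classifier consumes."""
    label = registered_label(domain)
    n = len(label) or 1  # guard against an empty label
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / n, 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 3),
        "consonant_run": longest_consonant_run(label),
    }


def looks_generated(features):
    """Hand-picked thresholds: an assumption for this illustration, not trained values.

    A trained classifier replaces these rules; each rule is one piece of the
    evidence such a model learns to weigh against the others.
    """
    return (
        (features["length"] >= 10 and features["vowel_ratio"] < 0.2)
        or features["digit_ratio"] >= 0.25
        or features["consonant_run"] >= 5
    )


def triage(domains):
    """Return the domains an analyst should look at first, in input order."""
    return [d for d in domains if looks_generated(lexical_features(d))]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = lexical_features(d)
        print(f"{d:24s} len={f['length']:2d} H={f['entropy']:.2f} "
              f"digits={f['digit_ratio']:.2f} vowels={f['vowel_ratio']:.2f} "
              f"run={f['consonant_run']:2d} flagged={looks_generated(f)}")
```

Run on the constructed list, `triage` returns the three random-looking domains and none of the ordinary ones. Fixed thresholds like these misfire on legitimate names that are also machine-made (CDN hostnames, hashed labels), which is why the projects train models on large labelled sets and why EXPLAIN classifies the DGA family (multiclass) rather than only answering generated or not.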

Agenda of the NG-SOC 2021 workshop

The NG-SOC 2021 workshop is jointly organized by the SAPPAN and SOCCRATES H2020 EU projects. It will be held on August 17 in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021). The detailed program is available here: https://www.ares-conference.eu/conference-2021/detailed-program/

You can also download the NG-SOC 2021 workshop agenda here: NG-SOC-2021_Agenda

To attend the workshop, registration for the ARES conference is required: https://www.ares-conference.eu/registration-all-digital-conference/

SECRYPT 2021 conference

At the beginning of July, the SECRYPT 2021 conference took place, and we were pleased to attend. There we presented our current research on network traffic analysis using a graph database and discussed our future plans. SECRYPT is an annual international conference covering research in information and communication security. The 18th International Conference on Security and Cryptography (SECRYPT 2021) received submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of data protection, privacy, security, and cryptography. The conference also included research papers describing the application of security technology, systems implementation, advanced prototypes, and lessons learned.

Milan Cermak from Masaryk University presented the paper GRANEF: Utilization of a Graph Database for Network Forensics. The paper describes a new network traffic analysis toolkit that eases understanding the information in captured network traffic, extracting the necessary data, and investigating incidents. To allow this, we store network events in a graph database as associations between entities. This approach follows the typical way humans think about and perceive the characteristics of the surrounding world. The main advantage is the connection of exploratory analysis of network traffic data with result visualization, allowing analysts to easily go through the acquired knowledge and visually identify interesting network traffic.

If you are interested in this topic, check the paper or the attached poster. You can also check out the short presentation where we summarized the paper and our results.

SAPPAN at 63rd TF-CSIRT Meeting

SAPPAN joined the TF-CSIRT community again at the 63rd TF-CSIRT online meeting. Having presented the project ideas and concepts almost two years ago when the project started, we could now show SAPPAN’s host profiling and host profile visual analysis results.

We received several pieces of feedback confirming that our research is heading in the right direction. We promoted the website as a way to stay in contact with the community and gave a teaser for our next planned talk on incident response automation at the next TF-CSIRT meeting.

TF-CSIRT is a task force that promotes collaboration and coordination between CSIRTs in Europe and neighbouring regions, whilst liaising with relevant organisations at the global level and in other regions. This makes the TF-CSIRT community potential target users of the SAPPAN platform.

Deadline extended for Workshop on Next Generation Security Operations Centers (NG-SOC 2021)

The deadline for submissions to the NG-SOC 2021 workshop, jointly organized by SAPPAN and SOCCRATES in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), has been extended to May 7, 2021!

The updated important dates:

– Submission Deadline: May 7, 2021

– Author Notification: May 31, 2021

– Proceedings Version: June 13, 2021

– ARES EU Symposium: August 17, 2021

– Conference: August 17 – August 20, 2021

The submission guidelines for the workshop are the same as for the ARES conference.

Girls’ Day 2021 Event

Girls’ Day 2021 took place in Germany on April 22nd 2021. The University of Stuttgart took part with a workshop meant to encourage female students to look at information technology courses of study and professions.

Franziska Becker and Robert Rapp from the SAPPAN project therefore wanted to convey important content on data protection and encryption. Together they offered the event “Hacked? Learn about passwords and secret languages!”. 13 schoolgirls from all over Germany took part in this online event.

The online event had an interactive structure and offered the schoolgirls a varied mix of information, discussions and games. After a short introduction, the participants took part in a small warm-up game. As an introduction to the topic, the first mini-challenge, “Who Am I”, was carried out in three small working groups. Each team was asked to compile the information it could find about Robert on the Internet. Afterwards, Robert started with the first information part: why data is collected on the Internet in the first place and what information can be compiled from the collected data. The students were then shown how to find hidden trackers in their smartphone apps. With the explanation of “cookies” and the “cookie notification”, there was also a small insight into the German Data Protection Regulation (DSGVO).

The next topic area also started with a small mini-challenge, called “Password please”. The students tried to create the most secure password possible from the given one. When resolving the challenge, Robert showed an online tool for password verification. To wrap up the topic, the girls learned more about strong passwords, password managers, and two-factor authentication and were able to ask questions about them.

After the lunch break, the session continued with a discussion about “hacking”. For the students, hacking was no longer a new term: they already knew hackers from movies and even had an idea of what the goal of a hacking attack is. Franziska then explained the origin of the word hacking and the various forms of hackers. To help the participants protect themselves better against hackers of all kinds in the future, Franziska showed them a quiz that can be used to raise awareness of a widespread attack called “phishing”. She also presented an online tool that can be used to check files and URLs for viruses and Trojans.

In the mini-challenge “A Different Kind of Secret Language”, the schoolgirls were able to playfully encrypt their own text. Working in small groups, the girls created their own encryption method and used it to encrypt a message. The encrypted message was then passed on to another group, which tried to decode it. This revealed some really clever ideas for encrypting content, and individual words were also converted back into legible text during decryption. Afterwards, the students mentioned that this challenge in particular had been a lot of fun for them.

After the practical exercise, the students were very curious about the presentation of different encryption methods. The principle of “end-to-end encryption” (E2EE) was explained in a small messenger comparison. After the content part, the students still had enough time to ask all kinds of questions. To conclude, the students received a two-part handout.

Full Agenda:
  1. (G) "Who Am I": Find information about a specific person online.
  2. (D,I) Why is data collected on the Internet in the first place?
  3. (G) Find hidden trackers in smartphone apps.
  4. (I) What are cookies and what is the GDPR?
  5. (G) "Password please": create the most secure password possible from a given password.
  6. (D,I) What are strong passwords, password managers, and two-factor authentication?
  7. (I,D) What is hacking?
  8. (G) Quiz about phishing.
  9. (G) "A Different Kind of Secret Language": Working in small groups, the girls created their own encryption method and used it to encrypt a message. The encrypted message was then passed on to another group, which tried to decode it.
  10. (I) The principle of "end-to-end encryption" (E2EE), explained in a small messenger comparison.
  11. (D) Questions
Guide: Information (I); Discussions (D); Games (G)

Protecting organizations and people from phishing threats

The latest attack landscape study (Attack Landscape H1 2021) performed by F-Secure found an increase in spam and phishing emails. One factor contributing to the increase is the global pandemic, because some of the attacks exploit the fear and confusion in the public. Thus, it is more relevant than ever to protect against these kinds of attacks. Therefore, one of the key objectives in SAPPAN is to protect organizations and people from these phishing threats.

Generally, the idea is to build and test machine learning models that try to identify phishing URLs and public-key certificates used by known malicious parties. To learn more specifics, visit the F-Secure website.