Εκπαίδευση - Σπουδές

  • Διδακτορικό Δίπλωμα στην Ασφάλεια Πληροφοριακών και Επικοινωνιακών Συστημάτων, 2019
  • Μεταπτυχιακό Δίπλωμα Ειδίκευσης στην Ασφάλεια Πληροφοριακών και Επικοινωνιακών Συστημάτων, 2013
  • Δίπλωμα Μηχανικού Πληροφοριακών και Επικοινωνιακών Συστημάτων, 2011

Ερευνητικά Ενδιαφέροντα

  • Συστήματα ανίχνευσης και πρόληψης εισβολών
  • Ασφάλεια και ιδιωτικότητα στο SIP

Διδασκαλία

Δημοσιεύσεις σε Διεθνή Περιοδικά (Journals)


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


Z. Tsiatsikas, G. Kambourakis, D. Geneiatakis, H. Wang, The devil is in the detail: SDP-driven malformed message attacks and mitigation in SIP ecosystems, IEEE Access, Vol. 7, pp. 2401-2417, 2018, IEEE Press, https://ieeexplore.ieee.org/abstrac..., indexed in SCI-E, IF = TBD before next July
 

Abstract
VoIP services in general, and Session Initiation Protocol (SIP) ones in particular, continue to grow at a fast pace and have already become a key component of Next Generation Networks (NGN). Despite this proliferation, SIP-based services expose a large attack surface for perpetrators and especially those who seek to cause Denial of Service (DoS). While so far a plethora of works in the literature have been devoted to the detection of DoS attacks in SIP ecosystems, the focus is on those which exploit SIP headers neglecting the message body. In an effort to fill this gap, the work at hand concentrates on the detection of DoS attacks which instead capitalize on the Session Description Protocol (SDP) part of SIP requests. To this end, we not only scrutinize this ilk of attacks and demonstrate their effect against the end-user, but also develop an open source extensible SDP parser module capable of detecting intentionally or unintentionally crafted SDP segments parasitizing in SIP requests. Following a firewall-based logic,currently, the parser incorporates 100 different rules organized in 4 categories (policies) based on the corresponding RFC [1]. Through extensive experimentation, we show that our scheme induces negligible overhead in terms of processing time when working as a software module in either the SIP proxy or a separate machine in front of the latter.

Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, A. Keromytis, An efficient and easily deployable method for dealing with DoS in SIP services, Computer Communications, Vol. 57, pp. 50-63, 2015, Elsevier, http://www.journals.elsevier.com/co..., indexed in SCI-E, IF = 2.099
 

Abstract
Voice over IP (VoIP) architecture and services consist of different software and hardware components that may be susceptible to a plethora of attacks. Among them, Denial of Service (DoS) is perhaps the most powerful one, as it aims to drain the underlying resources of a service and make it inaccessible to the legitimate users. So far, various detection and prevention schemes have been deployed to detect, deter and eliminate DoS occurrences. However, none of them seems to be complete in assessing in both realtime and offline modes if a system remains free of such types of attacks. To this end, in the context of this paper, we assert that audit trails in VoIP can be a rich source of information toward flushing out DoS incidents and evaluating the security level of a given system. Specifically, we introduce a privacy-friendly service to assess whether or not a SIP service provider suffers a DoS by examining either the recorded audit trails (in a forensic-like manner) or the realtime traffic. Our solution relies solely on the already received network logistic files, making it simple, easy to deploy, and fully compatible with existing SIP installations. It also allows for the exchange of log files between different providers for cross-analysis or its submission to a single analysis center (as an outsourced service) in an opt-in basis. Through extensive evaluation involving both offline and online executions and a variety of DoS scenarios, it is argued that our detection scheme is efficient enough, while its realtime operation introduces negligible overhead.

Επιστημονικά Συνέδρια (Conferences)


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


V. Cozza, Z. Tsiatsikas, M. Conti, G. Kambourakis, Why Snoopy loves online services: An Analysis of (lack of) Privacy in Online Services (ICISSP 2017), The 3rd International Conference on Information Systems Security and Privacy, Feb, 2017, Porto, Portugal, SCITEPRESS, http://www.icissp.org/
 

Abstract
Over the last decade online services have penetrated the market and for many of us became an integral part of our software portfolio. On the one hand online services offer flexibility in every sector of the social web, but on the other hand these pros do not come without a cost in terms of privacy. This work focuses on online services, and in particular on the possible inherent design errors which make these services an easy target for privacy invaders. We demonstrate the previous fact using a handful of real-world cases pertaining to popular online web services. More specifically, we show that despite the progress made in raising security/privacy awareness amongst all the stakeholders (developers, admins, users) and the existence of mature security/privacy standards and practices, there still exist a plethora of poor implementations that may put user’s privacy at risk. We particularly concentrate on cases where a breach can happen even if the aggressor has limited knowledge about their target and/or the attack can be completed with limited resources. In this context, the main contribution of the paper at hand revolves around the demonstration of effortlessly exploiting privacy leaks existing in widely-known online services due to software development errors.

Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, S. Gritzalis, Realtime DDoS detection in SIP Ecosystems: Machine Learning tools of the trade, NSS 2016 The 10th International Conference on Network and System Security, M. Yung et al., (eds), Sep, 2016, Taipei, Taiwan, Springer LNCS Lecture Notes in Computer Science, http://nsclab.org/nss2016/
 

Abstract
Over the last decade, VoIP services and more especially the SIP-based ones, have gained much attention due to the low-cost and simple models they offer. Nevertheless, their inherently insecure design make them prone to a plethora of attacks. This work concentrates on the detection of resource consumption attacks targeting SIP ecosystems. While this topic has been addressed in the literature to a great extent, only a handful of works examine the potential of Machine Learning (ML) techniques to detect DoS and even fewer do so in realtime. Spurred by this fact, the work at hand assesses the potential of 5 different ML-driven methods in nipping SIP-powered DDoS attacks in the bud. Our experiments involving 17 realistically simulated (D)DoS scenarios of varied attack volume in terms of calls/sec and user population, suggest that some of the classifiers show promising detection accuracy even in low-rate DDoS incidents. We also show that the performance of ML-based detection in terms of classification time overhead does not exceed 3.5 ms in average with a mean standard deviation of 7.7 ms.

Z. Tsiatsikas, M. Anagnostopoulos, G. Kambourakis, S. Lambrou, D. Geneiatakis, Hidden in plain sight. SDP-based covert channel for Botnet communication, 12th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2015), Sep, 2015, Valencia, Spain, Springer, http://www.ds.unipi.gr/trustbus15/
 

Abstract
Covert channels pose a significant threat for networking systems. In this paper, we examine the exploitation of Session Description Protocol (SDP) information residing in Session Initiation Protocol (SIP)requests with the aim to hide data in plain sight.While a significant mass of works in the literature cope with covert communication channels, only a very limited number of them rely on SIP to realize its goals. Also, none of them concentrates on SDP data contained in SIP messages to implement and evaluate such a hidden communication channel. Motivated by this fact, the work at hand proposes and demonstrates the feasibility of a simple but very effective in terms of stealthiness and simplicity SIP-based covert channel for botnet Command and Control (C&C). As a side contribution, we assess the soundness and the impact of such a deployment at the victim's side via the use of two different types of flooding attacks.

Z. Tsiatsikas, A. Fakis, D. Papamartzivanos, D. Geneiatakis, G. Kambourakis, C. Kolias, Battling against DDoS in SIP. Is machine learning-based detection an effective weapon?, The 12th International Conference on Security and Cryptography (SECRYPT 2015) , Jul, 2015, Colmar, France, SCITEPRESS, http://www.secrypt.icete.org/
 

Abstract
This paper focuses on network anomaly-detection and especially the effectiveness of Machine Learning (ML) techniques in detecting Denial of Service (DoS) in SIP-based VoIP ecosystems. It is true that until now several works in the literature have been devoted to this topic, but only a small fraction of them have done so in an elaborate way. Even more, none of them takes into account high and low-rate Distributed DoS (DDoS) when assessing the efficacy of such techniques in SIP intrusion detection. To provide a more complete estimation of this potential, we conduct extensive experimentations involving 5 different classifiers and a plethora of realistically simulated attack scenarios representing a variety of (D)DoS incidents. Moreover, for DDoS ones, we compare our results with those produced by two other anomaly-based detection methods, namely Entropy and Hellinger Distance. Our results show that ML-powered detection scores a promising false alarm rate in the general case, and seems to outperform similar methods when it comes to DDoS.

Z. Tsiatsikas, G. Kambourakis, D. Geneiatakis, Exposing Resource Consumption Attacks in Internet Multimedia Services, The 14th IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2014) - Security Track, Dec, 2014, Noida, India, IEEE Press, http://www.isspit.org/isspit/2014/
 

Abstract
Attackers always find ways to elude the employed security mechanisms of a system, no matter how strong they are. Nevertheless, audit trails - which as a rule of thumb are kept by any service provider - store all the events pertaining to the service of interest. Therefore, audit trail data can be a valuable ally when it comes to the certification of the security level of a given service. This stands especially true for critical realtime services such as multimedia ones, which nowadays are on the rise. This work proposes a practical, simple to implement yet powerful solution based on the Hellinger Distance metric for conducting audit trail analysis destined to expose security incidents. Our solution relies on a set of different features existing in the app layer protocol for session handling in order to classify the analyzed traffic as intrusive or not. Taking the well-known Session Initiation Protocol (SIP) as an example, we thoroughly evaluate the effectiveness of the proposed detection scheme in terms of accuracy under various realistic scenarios. The outcomes reveal competitive detection rates in terms of false positives and negatives and can be used as a reference for future works in the field.

Z. Tsiatsikas, D. Geneiatakis, G. Kambourakis, A. Keromytis, Privacy-Preserving Entropy-Driven Framework for Tracing DoS Attacks in VoIP, The 8th International Conference on Availability, Reliability and Security (ARES 2013), pp. 224-229, Sep, 2013, Regensburg, Germany, IEEE Press, http://ieeexplore.ieee.org/xpl/logi...
 

Abstract
Network audit trails, especially those composed of application layer data, can be a valuable source of information regarding the investigation of attack incidents. Nevertheless, the analysis of log files of large volume is usually both complex (slow) and privacy-neglecting. Especially, when it comes to VoIP, the literature on how audit trails can be exploited to identify attacks remains scarce. This paper provides an entropy-driven, privacy-preserving, and practical framework for detecting resource consumption attacks in VoIP ecosystems. We extensively evaluate our framework under various attack scenarios involving single and multiple assailants. The results obtained show that the proposed scheme is capable of identifying malicious traffic with a false positive alarm rate up to 3.5%.

Βιβλία


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


Κεφάλαια σε Βιβλία


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.


Επιμέλεια Πρακτικών Διεθνών Συνεδρίων


Copyright Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or mass reproduced without the explicit permission of the copyright holder.