
Makan Pourzandi
- Ph.D. Computer Science
- Researcher at Ericsson
About
174 Publications
124,189 Reads
2,163 Citations
Additional affiliations: December 2020 - March 2021
Publications (174)
In this article, we present ThreatScout, an automated threat hunting solution leveraging machine reasoning. Our evaluation on five threat actors shows hunting rates up to 92%, demonstrating ThreatScout’s effectiveness in automating threat hunting and enhancing proactive threat identification.
Network Functions Virtualization (NFV) is a popular solution for providing multi-tenant network services on top of existing cloud infrastructures in an agile and cost-effective manner. However, as NFV employs multiple levels of virtualization, it also introduces novel security challenges, such as cloud-level security breaches that are invisible to...
Due to the complex nature of Advanced Persistent Threats (APTs) and their rapid evolvement, comprehensive datasets are needed to understand them. However, acquiring such datasets remains a challenge due to the lack of precise reports describing the attacks, realistic emulation, the extensive attack diversity, and concerns regarding data privacy. In...
Threat hunting stands out as a proactive practice applied to identify stealthy threats that evade traditional detection mechanisms. Although powerful, threat hunting demands significant investments in terms of knowledge, time, and resources to meticulously analyze massive amounts of logs, and formulate threat hypotheses. Particularly, real-time thr...
As technology advances swiftly and the Internet of Things undergoes significant growth, the world is experiencing a surge in data creation. This has resulted in the rapid emergence of novel applications, bringing forth a broader range of intricate and challenging threats that pose difficulties in detection. Therefore, a comprehensive and proactive...
Threat hunting is a proactive security defense line exercised to uncover attacks that could circumvent conventional detection mechanisms. It is based on an iterative approach to generate, inspect, and revise attack hypotheses. The quality of these hypotheses is essential to prove/refute the existence of an attack. Today, attack hypotheses are often...
With the emergence of 5G networks and their large scale applications such as IoT and autonomous vehicles, telecom operators are increasingly offloading the computation closer to customers (i.e., on the edge). Such edge-core environments usually involve multiple Kubernetes clusters potentially owned by different providers. Confidentiality concerns c...
In the ever-evolving landscape of cyber security, threat hunting has emerged as a proactive defense line to detect advanced threats. To evade detection, the attackers constantly change their techniques and tactics creating new attack variants. However, the manual creation and execution of testflows to test the attacks and their variants generated b...
5G network technology is being rapidly adopted in various critical infrastructures, mainly due to its unique benefits (e.g., higher throughput, lower latency, and better scalability). This widespread and fast adoption necessitates securing those critical services deployed over 5G technology. However, evaluating the security posture of a 5G network...
Container environments provide cloud native applications with scalability, flexibility, and portable support. As a popular container orchestrator, Kubernetes facilitates automatic deployment and maintenance of a large number of containerized applications. However, potential misconfigurations, vulnerabilities, or implementation flaws may empower att...
A large-scale cluster of containers managed with an orchestrator like Kubernetes is behind many cloud-native applications today. However, the weaker isolation provided by containers means attackers can potentially exploit a vulnerable container and then escape its isolation to cause more severe damage to the underlying infrastructure and its host...
The operational complexity and dynamicity of clouds highlight the importance of automated solutions for explaining the root cause of security incidents. Most existing works rely on human analysts to interpret provenance graphs for root causes of security incidents. However, navigating and understanding a large and complex cloud-scale provenance gra...
With the rapidly evolving technological landscape, the huge development of the Internet of Things, and the embracing of digital transformation, the world is witnessing an explosion in data generation and a rapid evolution of new applications that lead to new, wider, and more sophisticated threats that are complex and hard to be detected. Advanced p...
Data anonymization is a viable solution for data owners to mitigate their privacy concerns. However, existing data anonymization tools are inflexible to support various privacy and utility requirements of both data owners and data users. In most cases, this limitation is due to a lack of understanding of those requirements as well as the non-custom...
As one of the main technology pillars of 5G networks, Network Functions Virtualization (NFV) enables agile and cost-effective deployment of network services. However, the multi-level, multi-actor design of NFV may also allow for inconsistency between the different abstraction levels to be mistakenly or intentionally introduced, as shown in recent s...
Fifth Generation (5G) networks are designed to bring enhanced network operational efficiencies to serve a wide range of emerging services. Towards this purpose, 5G adopts a Service Based Architecture (SBA) that features web-based technologies such as the Hypertext Transfer Protocol version 2 (HTTP/2) used for signalling and Application Programming...
By virtualizing proprietary physical devices, Network Functions Virtualization (NFV) enables agile and cost-effective deployment of network services on top of a cloud infrastructure. However, the added complexity also increases the chance of incorrect or inconsistent configurations that could leave the services or infrastructure vulnerable to secur...
Outsourcing anomaly detection to third-parties can allow data owners to overcome resource constraints (e.g., in lightweight IoT devices), facilitate collaborative analysis (e.g., under distributed or multi-party scenarios), and benefit from lower costs and specialized expertise (e.g., of Managed Security Service Providers). Despite such benefits, a...
By providing lightweight and portable support for cloud native applications, container environments have gained significant momentum lately. A container orchestrator such as Kubernetes can enable the automatic deployment and maintenance of a large number of containerized applications. However, due to its critical role, a container orchestrator also...
Application-layer protocols are widely adopted for signaling in telecommunication networks such as the 5G networks. However, they can be subject to application-layer attacks that are hardly detected by existing traditional network-based security tools that often do not support telecommunication-specific applications. To address this issue, we propo...
Fifth Generation (5G) networks aim at providing value-added services with advanced performance such as low-latency communications, high reliability, high data rates and capacity to support an increasing number of connected devices. 5G networks are enabled by an automated and flexible provisioning and management of resources and services deployed ov...
The multi-tenancy in a cloud along with its dynamic and self-service nature could cause severe security concerns. To mitigate such concerns and ensure the accountability and transparency of the cloud providers towards their tenants, security auditing is a promising solution. However, the existing security auditing solutions for clouds suffer from s...
As network security monitoring grows more sophisticated, there is an increasing need for outsourcing such tasks to third-party analysts. However, organizations are usually reluctant to share their network traces due to privacy concerns over sensitive information, e.g., network and system configuration, which may potentially be exploited for attacks...
This book constitutes the refereed proceedings of the 11th International Conference on Digital Forensics and Cyber Crime, ICDF2C 2020, held in Boston, MA, in October 2020. Due to the COVID-19 pandemic the conference was held virtually.
The 11 reviewed full papers and 4 short papers were selected from 35 submissions and are grouped in topical sections o...
Network Functions Virtualization (NFV) leverages from clouds to simplify and automate the creation and deployment of network services on the fly in a multi-tenant environment. However, clouds may also bring issues leading to tenants' concerns over possible breaches violating the isolation of their deployments. Verifying such network isolation breac...
What is it about? Optimizing the randomization mechanism of Differential privacy w.r.t. the application/query of interest (an adaptive approach which incorporates both data owners and DP query results recipient). Why is it important? Methodology of R2DP is a novel stochastic optimization approach using two-fold PDFs (compound pdf). Objective of R2DP...
Differential privacy (DP) has emerged as a de facto standard privacy notion for a wide range of applications. Since the meaning of data utility in different applications may vastly differ, a key challenge is to find the optimal randomization mechanism, i.e., the distribution and its parameters, for a given utility metric. Existing works have identi...
The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a...
Security auditing allows cloud tenants to verify the compliance of cloud infrastructure with respect to desirable security properties, e.g., whether a tenant's virtual network is properly isolated from other tenants' networks. However, the input to such an auditing task, such as the detailed topology of the underlying cloud infrastructure, typicall...
Security verification plays a vital role in providing users the needed security assurance in many applications. However, applying existing verification tools for runtime security enforcement may suffer from a common limitation, i.e., causing significant delay to user requests. The key reason to this limitation is that these tools are not specifical...
This book provides a comprehensive review of the most up to date research related to cloud security auditing and discusses auditing the cloud infrastructure from the structural point of view, while focusing on virtualization-related security properties and consistency between multiple control layers. It presents an off-line automated framework for...
Today’s data owners usually resort to data anonymization tools to ease their privacy and confidentiality concerns. However, those tools are typically ready-made and inflexible, leaving a gap both between the data owner and data users’ requirements, and between those requirements and a tool’s anonymization capabilities. In this paper, we propose an...
This chapter presents a security auditing approach for the cloud virtualized environment. More precisely, we focus primarily on virtual resources isolation based on structural properties (e.g., assignment of instances to physical hosts and the proper configuration of virtualization mechanisms), and consistency of the configurations in different lay...
In this chapter, we present an efficient user-level runtime security auditing framework in a multi-domain cloud environment. The multi-tenancy and ever-changing nature of clouds usually implies significant design and operational complexity, which may prepare the floor for misconfigurations and vulnerabilities leading to violations of security prope...
The ever-changing and self-service nature of clouds bring the necessity to audit the cloud to ensure security compliance, which is essential for cloud providers’ accountability and transparency towards their tenants. To this end, there exist three types of cloud-specific security auditing approaches: retroactive, intercept-and-check, and proactive....
In this chapter, we present an automated learning-based proactive auditing system, namely LeaPS, which automatically learns probabilistic dependencies, and hence, addresses the inefficiencies of existing solutions. To this end, we describe a log processor, which processes (as discussed later) real-world cloud logs and prepares them for different le...
In this chapter, we explain the design and implementation of a middleware, namely PERMON, to apply the proactive approach to OpenStack (OpenStack open-source cloud computing software (2015). http://www.openstack.org. Accessed 14 Feb, 2018), which is one of the most popular cloud platforms. The middleware is designed to intercept the attributes of u...
In this chapter, taking into account the complexity factor and multi-layered nature of the cloud, we present an automated cross-layer approach that tackles the above issues for auditing isolation requirements between virtual networks in a multi-tenant cloud. We focus on isolation at layer 2 virtual networks and overlay, namely topology isolation, w...
Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand accesses to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still being hindered by security and privacy concerns. Various cloud security and privacy issues have been addressed in the literature....
Security compliance auditing is a viable solution to ensure the accountability and transparency of a cloud provider to its tenants. However, the sheer size of a cloud, coupled with the high operational complexity implied by the multi-tenancy and self-service nature, can easily render existing runtime auditing techniques too expensive and non-scalab...
Cloud computing has seen a lot of interest and adoption lately. Nonetheless, the widespread adoption of cloud is still being hindered by the lack of transparency and accountability, which has traditionally been ensured through security compliance auditing techniques. In this paper, we conducted a survey on the existing cloud security auditing appr...
As network security monitoring grows more sophisticated, there is an increasing need for outsourcing such tasks to third-party analysts. However, organizations are usually reluctant to share their network traces due to privacy concerns over sensitive information, e.g., network and system configuration, which may potentially be exploited for attacks...
Multi-tenancy in the cloud is a double-edged sword. While it enables cost-effective resource sharing, it increases security risks for the hosted applications. Indeed, multiplexing virtual resources belonging to different tenants on the same physical substrate may lead to critical security concerns such as cross-tenants data leakage and denial of ser...
Since a key advantage of Software Defined Networks (SDN) is providing a logically centralized view of the network topology, the correctness of such a view becomes critical for SDN applications to make the right management decisions. However, recently discovered vulnerabilities in OpenFlow Discovery Protocol (OFDP) show that malicious hosts and swit...
Crowd events or flash crowds are meant to be a voluminous access to media or web assets due to a popular event. Even though the crowd event accesses are benign, the problem of distinguishing them from Distributed Denial of Service (DDoS) attacks is difficult by nature as both events look alike. In contrast to the rich literature about how to profil...
A Content Delivery Network (CDN) employs edge-servers caching content close to end-users to provide high Quality of Service (QoS) in serving digital content. Attacks against edge-servers are known to cause QoS degradation and disruption in serving end-users. Protecting edge-servers is vital but represents a complex task. Not only must the attack mi...
Content Delivery Networks (CDNs) aim to provide high Quality of Service (QoS) in serving digital content. To achieve high QoS, CDNs employ edge-servers that cache content in the vicinity of end-users. Edge-servers are vulnerable to attacks that degrade the QoS of end-users. Protecting edge-servers against these threats is vital and complex. The att...
Network function virtualization opens a new era for security, allowing on-demand instantiation of defense appliances via technologies such as SDN (Software Defined Networking) and Service Function Chaining (SFC). Taking full advantage of such capabilities, however, requires collaboration among Security Service Functions (SSFs) distributed throughou...
Cloud computing is emerging as a promising IT solution for enabling ubiquitous, convenient, and on-demand accesses to a shared pool of configurable computing resources. However, the widespread adoption of cloud is still being hindered by the lack of transparency and accountability, which has traditionally been ensured through security auditing tech...
Cloud services provide clients with highly scalable network, storage, and computational resources. However, these services come with the challenge of guaranteeing the confidentiality of the data stored on the cloud. Rather than attempting to prevent adversaries from compromising the cloud server, we aim in this paper to propose a protocol for secure...
Cloud security auditing assures the transparency and accountability of a cloud provider to its tenants. However, the high operational complexity implied by the multi-tenancy and self-service nature, coupled with the sheer size of a cloud, imply that security auditing in the cloud can become quite expensive and non-scalable. Therefore, a proactive a...
Return Oriented Programming first surfaced a decade ago, and was built to overcome buffer exploit defense mechanisms like ASLR and DEP (or W^X) by reusing existing system code in the form of gadgets which are stitched together to make a Turing-complete attack. Performing a Turing-complete attack would require greater efforts which are...
Collaboration among Security Service Functions (SSF) is expected to become as essential to SECaaS (SECurity as a Service) systems as elasticity is to IaaS (Infrastructure as a Service). The virtualization opens new era in network security as new security appliances can be created on demand in appropriate places in the network. At the same time, the...
In this white paper, we provide key insights into the current status of audit and compliance verification in the Cloud by discussing the challenges and solutions for such solutions in the cloud.
Multi-tenancy in the cloud usually leads to security concerns over network isolation around each cloud tenant's virtual resources. However, verifying network isolation in cloud virtual networks poses several unique challenges. The sheer size of virtual networks implies a prohibitive complexity, whereas the constant changes in virtual resources dema...
The affordability of cloud data storage has made it simpler for users to store and access data online from any location or operating system. These services may be used by users to store sensitive data, such as personal health records or financial data. Many service providers offer features such as analyzing the users’ private data to generate usefu...
More and more companies are moving their applications and data to the cloud, and many have started offering cloud services to their customers as well. But how can they ensure that their cloud solutions are secure?
Network functions virtualization intertwined with software-defined networking opens up great opportunities for flexible provisioning and composition of network functions, known as network service chaining. In the cloud, this allows providers to create service chains tuned to each application type while optimizing resources’ utilization. This is par...
The verification of security compliance with respect to security standards and policies is desirable to both cloud providers and users. However, the sheer size of a cloud implies a major challenge to be scalability and in particular response time. Most existing approaches are either after the fact or incur prohibitive delay in processing user reque...
Providing a threat analysis for Software Defined Network architectures.
Cloud service providers typically adopt the multi-tenancy model to optimize resources usage and achieve the promised cost-effectiveness. Sharing resources between different tenants and the underlying complex technology increase the necessity of transparency and accountability. In this regard, auditing security compliance of the provider's infrastru...
Aspect-oriented modeling (AOM) emerged as a promising paradigm for handling crosscutting concerns, such as security, at the software modeling level. Most existing AOM contributions are presented from a practical perspective and lack formal syntax and semantics. In this paper, we present a practical and formal AOM framework for software security har...
The potential vulnerabilities of software-defined networking (SDN) are investigated to examine whether the capabilities undermine security. SDN raises the level of system abstraction by separating the control plane from the data plane, which opens the door for network programmability, increased speed of operations, and simplification. The centraliz...
Cloud computing has seen a lot of interest and adoption lately. Nonetheless, the widespread adoption of cloud is still being hindered by the lack of transparency and accountability, which has traditionally been ensured through security compliance auditing techniques. Auditing in cloud, however, presents many new challenges in data collection and p...
Cloud computing has a central role to play in meeting today's business requirements. However, Distributed Denial-of-Service (DDoS) attacks can threaten the availability of cloud functionalities. In recent years, much effort has been expended to detect the various DDoS attack types. In this survey paper, our concentration is on how to mitigate these...