Mathias Fischer

University of Hamburg | UHH · Department of Informatics

Prof. Dr.-Ing.

106 Publications
27,648 Reads
1,192 Citations
Additional affiliations
  • February 2012 - November 2014: Technische Universität Darmstadt, PostDoc Position
  • February 2008 - January 2012: Technische Universität Ilmenau, PhD Student

Publications (106)
Article
Full-text available
The dependency of our society on networked computers has become frightening: In the economy, all-digital networks have turned from facilitators to drivers; as cyber-physical systems are coming of age, computer networks are now becoming the central nervous systems of our physical world—even of highly critical infrastructures such as the power grid....
Conference Paper
Full-text available
The emerging trend of highly-resilient Peer-to-Peer (P2P) botnets poses a huge security threat to our modern society. Carefully designed countermeasures as applied in sophisticated P2P botnets such as P2P Zeus impede botnet monitoring and successive takedown. These countermeasures reduce the accuracy of the monitored data, such that an exact recons...
Article
Limiting the knowledge of individual nodes is a major concern for the design of distributed algorithms. With the LOCAL model, theoretical research already established a common model of locality that has gained little practical relevance. As a result, practical research de facto lacks any common locality model. The only common denominator among prac...
Preprint
User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resump...
Conference Paper
Monitoring tools like Intrusion Detection Systems (IDS), Firewalls, or Honeypots are a second line of defense in the face of an increasing number of distributed, increasingly sophisticated, and targeted attacks. A huge amount of security alerts needs to be analysed and correlated to gather the complete picture of an attack. However, most convention...
Preprint
IEEE 802.1 Time-sensitive Networking (TSN) protocols have recently been proposed to replace legacy networking technologies across different mission-critical systems (MCSs). Design, configuration, and maintenance of TSN within MCSs require advanced methods to tackle the highly complex and interconnected nature of those systems. Accordingly, artifici...
Preprint
Mission-critical systems (MCSs) have embraced new design paradigms such as service-oriented architecture (SOA) and IEEE 802.1 Time-sensitive Networking (TSN). These approaches tackle the static and closed-loop design and configuration of MCSs to address their strict performance and resilience requirements. While SOA enables the dynamic placement of...
Preprint
IEEE 802.1 Time-sensitive Networking (TSN) standards are envisioned to replace legacy network protocols in critical domains to ensure reliable and deterministic communication over off-the-shelf Ethernet equipment. However, they lack security countermeasures and can even impose new attack vectors that may lead to hazardous consequences. This paper p...
Preprint
Modern mission-critical systems (MCS) are increasingly softwarized and interconnected. As a result, their complexity increased, and so their vulnerability against cyber-attacks. The current adoption of virtualization and service-oriented architectures (SOA) in MCSs provides additional flexibility that can be leveraged to withstand and mitigate atta...
Chapter
Unwanted automation of network services by web robots (bots) increases the operation costs, and affects the satisfaction of human users, e.g., in online games or social media. Bots impact the revenue of service providers and can damage society by spreading false information. While few bots are usually not a problem, a large number is. Thus, we focu...
Chapter
More and more Internet traffic is encrypted. While this protects the confidentiality and integrity of communication, it prevents network monitoring systems (NMS) from effectively analyzing the now encrypted payloads. Many enterprise networks have deployed man-in-the-middle (MitM) proxies that intercept TLS connections at the network border to exami...
Preprint
Full-text available
New types of malware are emerging at concerning rates. However, analyzing malware via reverse engineering is still a time-consuming and mostly manual task. For this reason, it is necessary to develop techniques that automate parts of the reverse engineering process and that can evade the built-in countermeasures of modern malware. The main contribu...
Conference Paper
Full-text available
The use of public Wi-Fi networks can reveal sensitive data to both operators and bystanders. A VPN can prevent this. However, a machine that initiates a connection to a VPN server might already leak sensitive data before the VPN tunnel is fully established. Furthermore, it might not be immediately possible to establish a VPN connection if the netwo...
Preprint
Internet traffic is increasingly encrypted. While this protects the confidentiality and integrity of communication, it prevents network monitoring systems (NMS) and intrusion detection systems (IDSs) from effectively analyzing the now encrypted payloads. Therefore, many enterprise networks have deployed man-in-the-middle (MitM) proxies that interce...
Preprint
Today, human security analysts collapse under the sheer volume of alerts they have to triage during investigations. The inability to cope with this load, coupled with a high false positive rate of alerts, creates alert fatigue. This results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over...
Preprint
The convergence of IT and OT technologies results in the need for efficient network management solutions for automotive and industrial automation environments. However, configuring real-time Ethernet networks while maintaining the desired QoS is challenging due to the dynamic nature of OT networks and the high configuration parameters. This paper i...
Article
Full-text available
Mission-critical networks, which for example can be found in autonomous cars and avionics, are complex systems with a multitude of interconnected embedded nodes and various service demands. Their resilience against failures and attacks is a crucial property and has to be already considered in their design phase. In this paper, we introduce a novel...
Chapter
Intrusion Detection Systems (IDSs) can analyze network traffic for signs of attacks and intrusions. However, encrypted communication limits their visibility and sophisticated attackers additionally try to evade their detection. To overcome these limitations, we extend the scope of Network IDSs (NIDSs) with additional data from the hosts. For that,...
Preprint
In the factory of the future traditional and formerly isolated Operational Technology (OT) hardware will become connected with all kinds of networks. This leads to more complex security challenges during design, deployment and use of industrial control systems. As it is infeasible to perform security tests on production hardware and it is expensive...
Article
Full-text available
Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake induces significant delay overhead. The TCP Fast Open (TFO) protocol can significantly decrease this delay via zero round-trip time (0-RTT) handshakes for all TCP handshakes that follow a full initial handshake to the same host. However, this comes at the cost...
Preprint
Full-text available
Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correl...
Preprint
Full-text available
Intrusion Detection Systems (IDSs) can analyze network traffic for signs of attacks and intrusions. However, encrypted communication limits their visibility and sophisticated attackers additionally try to evade their detection. To overcome these limitations, we extend the scope of Network IDSs (NIDSs) with additional data from the hosts. For that,...
Conference Paper
Organization and government networks are a target of Advanced Persistent Threats (APTs), i.e., stealthy attackers that infiltrate networks slowly and usually stay undetected for long periods of time. After an attack has been discovered, security administrators have to manually determine which hosts were compromised to clean and restore them. For th...
Article
Full-text available
QUIC has been developed by Google to improve the transport performance of HTTPS traffic. It currently accounts for approx. 7% of the global Internet traffic. In this work, we investigate the feasibility of user tracking via QUIC from the perspective of an online service. Our analysis reveals that the protocol design contains violations of privacy b...
Preprint
Full-text available
An Intrusion Detection System (IDS) to secure computer networks reports indicators for an attack as alerts. However, every attack can result in a multitude of IDS alerts that need to be correlated to see the full picture of the attack. In this paper, we present a correlation approach that transforms clusters of alerts into a graph structure on whic...
Preprint
Small TCP flows make up the majority of web flows. For them, the TCP three-way handshake represents a significant delay overhead. The TCP Fast Open (TFO) protocol provides zero round-trip time (0-RTT) handshakes for subsequent TCP connections to the same host. In this paper, we present real-world privacy and performance limitations of TFO. We inves...
Conference Paper
Responding to network security incidents requires interference with ongoing attacks to restore the security of services running on production systems. This approach prevents damage, but drastically impedes the collection of threat intelligence and the analysis of vulnerabilities, exploits, and attack strategies. We propose the live confinement of s...
Conference Paper
Network Function Virtualization (NFV) and Software-defined Networking (SDN) enable flexible and scalable placement of Virtual Network Functions (VNFs). Existing approaches for optimal VNF selection, placement, and traffic routing use link-based approaches. In this paper, we introduce a path-based mathematical optimization model for the NFV Resource...
Preprint
QUIC is a secure transport protocol and aims to improve the performance of HTTPS traffic. It is a design goal of QUIC to reduce the delay overhead of its connection establishment. However, an initial handshake enforcing strict validation of the client's source address still requires two round-trips. QUIC provides address validation tokens which all...
Article
Monitoring tools like Intrusion Detection Systems (IDS), Firewalls, or Honeypots are a second line of defense in the face of an increasing number of distributed, increasingly sophisticated, and targeted attacks. A huge amount of security alerts needs to be analyzed and correlated to gather the complete picture of an attack. However, most convention...
Preprint
TLS can resume previous connections via abbreviated resumption handshakes that significantly decrease the delay and save expensive cryptographic operations. For that, cryptographic TLS state from previous connections is reused. TLS version 1.3 recommends to avoid resumption handshakes, and thus the reuse of cryptographic state, when connecting to a...
Article
Nowadays, hosting services of multiple customers on the same hardware via virtualization techniques is very common. Memory deduplication allows to save physical memory by merging identical memory pages of multiple Virtual Machines (VMs) running on the same host. However, this mechanism can leak information on memory pages to other. In this paper, we...
Conference Paper
User tracking on the Internet can come in various forms, e.g., via cookies or by fingerprinting web browsers. A technique that got less attention so far is user tracking based on TLS and specifically based on the TLS session resumption mechanism. To the best of our knowledge, we are the first that investigate the applicability of TLS session resump...
Chapter
Memory deduplication opens a side-channel that enables attackers to detect if there is a second copy of a memory page on a host their Virtual Machine (VM) is running on, and thus to gain information about co-resident VMs. In former work, we presented a practical side-channel attack that can even detect which specific versions of applications are be...
Conference Paper
Virtualization offers the possibility of hosting services of multiple customers on shared hardware. When more than one Virtual Machine (VM) runs on the same host, memory deduplication can save physical memory by merging identical pages of the VMs. However, this comes at the cost of leaking information between VMs. Based on that, we propose a novel t...
Article
Computer networks fundamentally changed the way we communicate and interact with each other. In fact, they now form the backbone of our modern societies. While early networks were merely a mechanism for exchanging data between end-hosts, current computer and telecommunication networks are way more than that. Compared to the early days of the networ...
Conference Paper
The ever-growing number of cyber attacks originating from botnets has made them one of the biggest threats to the Internet ecosystem. Especially P2P-based botnets like ZeroAccess and Sality require special attention as they have been proven to be very resilient against takedown attempts. To identify weaknesses and to prepare takedowns more carefully...
Conference Paper
P2P botnets represent another escalation level in the race of arms between criminals and the research community. By utilizing a distributed P2P architecture they are resilient against random failures and attacks and overcome the limitations of a central command and control server. For this reason, it is important to monitor them to gather informati...
Conference Paper
Recently, several privacy-enhancing technologies for smart grids have been proposed. However, most of these solutions presume the cooperation of all smart grid participants. Hence, the privacy protection of consumers depends on the willingness of the suppliers to deploy privacy-enhancing technologies. Since electrical energy is essential for our mo...
Conference Paper
Full-text available
The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets, to take them down. For this, an extensive monitoring is a pre-requisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed fo...
Conference Paper
Anonymity can protect from political repression in Online Social Networks (OSNs) as well as from undesired profiling, e.g., by advertisement companies, in today's Internet. P2P-based anonymous publish-subscribe (pub-sub) is a highly scalable approach to protect anonymity while enabling efficient many-to-many communication between services and user...
Conference Paper
Full-text available
Due to the increasing quantity and sophistication of cyber-attacks, Intrusion Detection Systems (IDSs) are nowadays considered mandatory security mechanisms for protecting critical networks. Research on cyber-security is moving from such isolated IDSs towards Collaborative IDSs (CIDSs) in order to protect large-scale networks. In CIDSs, a number of...
Article
Publish-subscribe is an increasingly popular messaging pattern for distributed systems, supporting scalable and extensible programming, and optimal spatial, temporal, and control-flow decoupling of distributed components. Publish-subscribe middleware and methods were extended towards supporting security, in particular confidentiality, and increase...
Conference Paper
Full-text available
The IT infrastructure of today needs to be ready to defend against massive cyber-attacks which often originate from distributed attackers such as Botnets. Most Intrusion Detection Systems (IDSs), nonetheless, are still working in isolation and cannot effectively detect distributed attacks. Collaborative IDSs (CIDSs) have been proposed as a collabor...
Conference Paper
Full-text available
Privacy, in particular anonymity, is desirable in Online Social Networks (OSNs) like Twitter, especially when considering the threat of political repression and censorship. P2P-based publish-subscribe is a well suited paradigm for OSN scenarios as users can publish and follow topics of interest. However, anonymity in P2P-based publish-subscribe (pu...
Conference Paper
Full-text available
Privacy, in particular anonymity, is required to increase the acceptance of users for the Internet of Things (IoT). The IoT is built upon sensors that encompass us in each step we take. Hence, they can collect sensitive, privacy-invading data that can be used to establish complete user profiles. For this reason, sensing in the IoT needs to provide...
Conference Paper
Full-text available
The continuous growth of the number of cyber attacks along with the massive increase of mobile devices creates a highly heterogeneous landscape in terms of security challenges. We argue that in order for security researchers to cope with both the massive amount and the complexity of attacks, a more pro-active approach has to be taken into account....
Conference Paper
The robustness of pull-based streaming systems to node failure and churn has been extensively analyzed. Their resistance to sabotage, however, is not well understood, so far. Recent measurement studies on a large deployed pull-based system have discovered stable source-to-peer paths and the convergence of the content dissemination to rather static...
Conference Paper
Botnets are a serious threat to Internet-based services and end users. The recent paradigm shift from centralized to more sophisticated Peer-to-Peer (P2P)-based botnets introduces new challenges for security researchers. Centralized botnets can be easily monitored, and once their command and control server is identified, easily be taken down. Howev...
Article
Application Layer Multicast (ALM) represents a cost-efficient way to disseminate content in large scale. However, as it relies on end-systems in content distribution, it can be easily attacked and thus requires specific measures to increase its resilience against attacks. Besides attacks on end-users, little attention has been paid to attacks on the u...
Conference Paper
Full-text available
In recent years, the number of attacks on mobile devices has increased rapidly. Users connect to a wireless network without knowledge of its trustworthiness. They are not aware of whether the network is secure or infected with malware that propagates within, actively. As no system can be seen as totally secure this also applies to mobile devices’ o...
Conference Paper
Full-text available
The ongoing convergence of Industrial Control Systems (ICSs) with the Internet introduces many challenges from a security perspective. Particularly, the smart energy grid as a large ICS and critical infrastructure, requires especial protection as the consequences of its failure can be severe. However, even a careful system design cannot prevent all att...
Article
Full-text available
Overlay streaming systems have recently been favored by the academic community as a viable approach for IPTV. Over the last years, a multitude of different overlay streaming approaches have been proposed. Most of them, however, have been evaluated individually. The lack of a common simulation framework makes it difficult to compare the properties o...