Scenarios Changes and Results

Scenario 1 – Android App Reputation Assessment

(F-Secure, Arcada, Aalto, UH: WP2-01, WP2-03)

Changes to Scenario

The initial high-level goals remained valid. We haven’t been able to allocate work for embedded code analysis and for handling obfuscation techniques yet. A new high-priority item in the plan is to support near-real-time processing of unknown APK’s seen in user devices to minimize the time gap between appearance of new malicious or unwanted APK’s and the capability of detection / blocking of those by the protection software. This requires serious changes to the APK handling process and architecture. Another idea to be explored in 2018 is detection and analysis of outlier packages, in particular, for improving the training sets and for studying potentially new attack techniques (in collaboration between Arcada and FSC).


  • Several models of Data Intelligence Android package classifier (DI APK) have been built and tested. The architecture of the model is based on Stacking ensemble approach. The combiner approach is based on xgboost, node (also referred to as atomic) models are based either on xgboost or on the modified version of BernoulliNB.

  • Performance of the models in multiple AV-Test runs have been analyzed. While the FP rate is consistently very low, keeping the recall at acceptable levels seems to require frequent re-training.

  • There are several challenges with the architecture and infrastructure to implement the overall APK processing logic combining client-side submission, prioritization, feature extraction, rule-based detection, DI APK classification, and utilization of the processing results, especially due to the new goal of supporting near-real-time processing of unknown APK’s. FSC is in the process of hiring a Master thesis writer to start in Jan. 2018 to work on the integration architecture and logic.


[1] “A pragmatic android malware detection procedure”, Paolo Palumbo, Luiza Sayfullina, Dmitriy Komashinskiy, Emil Eirola, and Juha Karhunen. Accepted 27th of July 2017. In Computers & Security journal. (

Scenario 2 – Cloud Assisted Management for IoT

(Trustonic, Aalto: WP2-01, WP2-03)

Changes to Scenario

As part of the feasibility study, the Scenario 2 partners refined the scope of the scenario by identifying the essential roles in the IoT secure update ecosystem and performed a gap analysis to identify the how well state-of-the-art software update techniques (geared for different settings) meet security requirements under specific assumptions. The feasibility study identified limitations in current techniques that prevent them from meeting the operational and security requirements of all stakeholders of IoT deployments, and thus prevents existing techniques from being directly incorporated into large-scale IoT deployments. Here we summarize concrete requirements identified by the feasibility study that the software update architecture must meet. These requirements are consistent with the original considerations identified for Scenario 2.

  1. End-to-end Security and Update Authorization. Software signing can be used to ensure the integrity and authenticity of software update. However, updates must often be associated with policy decisions, e.g. decide on the correct version of software for the current platform/architecture, or decide when the update should be applied in order to minimize operational impact.

  2. Minimal Burden on Device. More powerful IoT devices capable of running general purpose operating systems (such as embedded flavors of Linux) can be expected to include a package manager, which can make such decision based on a pre-established configuration. However, resource constrained devices cannot be expected to perform computationally expensive validation or to evaluate complicated policy decisions autonomously.

  3. CDN-friendly Software Update Distribution. In order to benefit from cloud scalability, the Original Equipment Manufacturer (OEM) will often outsource update distribution to a software distributor, such as a third-party Content Delivery Network (CDN). To benefit from the improved scalability provided by CDNs, and accommodate device with several administrative authorities (e.g. the OEM and a local administrator). Devices cannot be expected to fully offload policy decisions to a trusted cloud components, and thus must provide the means of performing trustworthy computation to decide if a received update file should be installed or not.

  4. Attestation of Update Installation. The software state of a device must be externally verifiable by the administrator or a local controller. The attestation procedure may be performed either over local connectivity (e.g. Ethernet, Wifi, BLE etc.) or remote connectivity with a controlling entity in the cloud (e.g. during enrolment with a cloud service).

  5. Protection of Code & Secret Keys on Device. To ensure the integrity of code and the confidentiality of secret keys used in update and attestation processes the device architecture must provide the following features:

    1. Secure Boot to guarantee authenticity and integrity of trusted software at boot time. This generally requires a minimal hardware root-of-trust.

    2. Isolated Execution: to protect trusted, security critical operations on the device from being influenced by untrusted (potentially vulnerable or malicious) code.

    3. Secure Storage: to ensure that trust anchors used for firmware update validation and attestation are integrity-protected and only accessible by authorized trusted software at run-time.

These requirements can be satisfied by modern embedded device platforms that support either (1) a Trusted Execution Environment (TEE), e.g., TrustZone-M, or (2) a secure microkernel, e.g., seL4.

However, the widespread use of memory unsafe programming languages (e.g., C and C++) in embedded systems and the Internet of Things leaves many systems vulnerable to memory corruption attacks that undermine the trustworthiness of computations performed by victim devices. A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) ASLR or Control Flow Integrity (CFI). However, given the nature of IoT deployments, existing protection mechanisms for traditional computing environments (including CFI) need to be adapted to the IoT setting. In addition, recent work on data-oriented programming (DOP) demonstrated the possibility to construct highly-expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses. Although multiple real-world DOP attacks have been demonstrated, no suitable defenses are yet available.


  • Secure software update mechanisms for embedded devices (within WP1 with Aalto University, with assistance from WP2 and WP4). In this area, the research output consists of:

    • ASSURED [1], a secure update framework for IoT. ASSURED includes all stakeholders in a typical IoT update ecosystem, while providing end-to-end security between manufacturers and devices.

  • Secure cloud-assisted management of devices and analytics of software and configuration deployments, as well in-field monitoring of device operation, integrity and anomaly detection. In this area, the research output is two-fold:

    • CaRE [2], the first interrupt-aware CFI scheme that addresses the challenges of enabling CFI on microcontroller (MCU) based IoT devices.

    • Run-time Scope Enforcement (RSE) [3], a novel approach designed to mitigate all currently known DOP attacks by enforcing compile-time memory safety constraints (e.g., variable visibility rules) at run-time. RSE is instantiated in HardScope, a proof-of-concept implementation of hardware-assisted RSE for the RISC-V open instruction set architecture.


[1] Norrathep Rattanavipanon, Thomas Nyman, N. Asokan, Ahmad-Reza Sadeghi, Gene Tsudik. ASSURED: Architecture for Secure Software Update of Realistic Embedded Devices submitted to DAC 2018

[2] Thomas Nyman, Jan-Erik Ekberg, Lucas Davi, N. Asokan, CFI CaRE: Hardware-Supported Call and Return Enforcement for Commercial Microcontrollers, RAID 2017, Atlanta, USA (open access technical report available at

[3] Thomas Nyman, Ghada Dessouky, Shaza Zeitouni, Aaro Lehikoinen, Andrew Paverd, N. Asokan, Ahmad-Reza Sadeghi. HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement. (open access technical report available at

Scenario 3 – Cloud-Assisted Trust Relation Database

(SSH, UH: WP2-02)

Changes to Scenario

The use cases described in the original version assume a single owner of a trust relation database which at least in principle is allowed to see all trust relations. Of course, this does not mean that this owner can have access to the corresponding private keys.

We have extended the use cases to a situation where no single party can control, or even see, all trust relations. Instead, there are several parties each of which control their own part of the total database. For instance, we could have many subcontractors that work together for a big enterprise. It may be necessary that the subcontractors have access to each other’s networks. However, they do not want to expose their network completely to another subcontractor (who could even be their competitor). The subcontractors would work together with the help of the cloud and the enterprise to control the total trust relation landscape.


  • Demonstrate the computational requirements for privacy preserving operations over real world data and use cases. It is clear that there will be an increase in computational cost when introducing this technology. We need to characterize, measure and understand the practical impact and the possible options to reduce the overhead as much as possible.

    • Results so far: we have implemented the protocol mentioned in our paper “Privacy Preserving Queries on Directed Graph” that is submitted to NTMS'2018. In our protocol the owner of the database calculates the transitive closure of the graph corresponding to the trust relation database. He encrypts the resulting matrix and sends it to the cloud. The querier (that can be a different entity) uses a private information retrieval protocol to get the interesting bit from the cloud and then blindly decrypts it with the owner of the database. Our protocol works in reasonable time with realistic database size.

  • Based on the prototype built for the context of the abstract graph, industrial partner would build a lightweight standalone mock-up to replicate the academic results on the CloSer prototype for non-public industrial data. The mock-up is also integrated to emerging endpoints in existing products.

    • Results so far: we have access to anonymized data that corresponds to real life trust relation databases both in size and complexity. We have studied the properties of the data and also found out that our protocol is feasible with realistic input sizes.

Scenario 4 – DDoS Detection and Mitigation in Cloud Assisted Services (formely Fake Base Station Detection Using Cloud Services)

(Aalto, Nokia: WP2-03)

Changes to Scenario

This scenario was heavily changed, due to severe difficulties in achieving the initially proposed goals.

A feasibility study was initiated on the topic of modelling highly non-linear and non-differentiable functions, with the additional constraint of having a specific set of inputs for the models (in the form of topological and construction data). This did not yield any results, and no appropriate approach was found to address this problem.

The problem of highly accurate path loss estimation was thus left, and changed into pursuing the problem of Distributed Denial of Service detection and mitigation from within a network or cloud, without having to redirect the traffic to external entities.

The following goals are the ones that have been investigated, along with the results they have yielded.


  • Improved detection rate and mitigation rate of Distributed Denial of Service attacks (DDoS) on mission-critical Cloud Assisted Services (here for industrial IoT applications): latency and bandwidth preservation in cases of massive network overload attacks.

  • New algorithm uses modeling of probability density functions for network flow statistics.

  • Solution allows for on site (in cloud) implementation, without third party service or traffic exfiltration.

  • Possibility to extend detection and mitigation to a specific range of other attack patterns.


[1] Anomaly-Based Intrusion Detection using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space, Buse Gul Atli, Yoan Miche, Aapo Kalliola, Ian Oliver, Silke Holtmanns and Amaury Lendasse, in International Symposium on Extreme Learning Machines 2017, accepted, presented, and resubmitted as extended version in [2].

[2] ] Anomaly-Based Intrusion Detection using Extreme Learning Machine and Aggregation of Network Traffic Statistics in Probability Space, Buse Gul Atli, Yoan Miche, Aapo Kalliola, Ian Oliver, Silke Holtmanns and Amaury Lendasse, in Cognitive Computation, under review (submitted Oct. 2017).

Scenario 5 – Differential Anomaly Detection

(Nokia, Arcada, F-Secure, Aalto, UH: WP2-03)

Changes to Scenario

In the anomaly detection for RDS (detection of advanced attacks on endpoints), the focus has been on predicting false positives generated by the detection rules. In particular, endpoint clustering based on observed launches of executables has been explored for identifying unreliable rule-based detections. We haven’t been able to pursue the privacy-preserving favors of detection techniques yet due to high challenges with RDS detection precision.

A new method has been proposed for protecting integrity of the local RDS store and generalized for other important security functions in the endpoints.


  • A method for ranking RDS detections based on the globally observed events submitted by the RDS sensors has been developed. The work is currently under way to address the problem of “training set poisoning”, e.g., for cases when penetration testing exercises in some of the endpoints result in very low ranking values of actual attack events in other customer systems.

  • A logistic regression classifier for RDS detection rules and endpoint clustering methods have been developed and tested for improving the RDS attack detection precision.

  • The Arcada researchers have started work in the FSC premises to closely collaborate with the FSC Data Science team on endpoint profiling and modeling as a part of the RDS anomaly detection plan.

  • An efficient approach for protecting integrity of the local RDS store has been proposed (UH and FSC) and is currently being further refined by the partners. Another important security use case for the approach has been identified.

  • Paper on optimization and performance evaluation of differential anomaly detection model for SDN enabled networks [1] [2]

  • Demo on application of differential anomaly detection model to SDN enabled networks [2] [3]. This demo was presented also in CloSer workshop on 20th April 2017.

  • Paper on optimization and performance evaluation of differential anomaly detection for IoT robot security use case [2] [4]


[1] Monshizadeh, Mehrnoosh; Khatri, Vikramajeet; and Kantola, Raimo. “Detection as a service: An SDN application”. In 19th International Conference on Advanced Communication Technology (ICACT), Bongpyeong, pp. 285-290, 2017.

[2] Book Chapter: Monshizadeh, Mehrnoosh; and Khatri, Vikramajeet. “Mobile Virtual Network Operators (MVNO) Security”. In Comprehensive Guide to 5G Security, Wiley Publishers, pp. 323-346, ISBN 978-1-119-29304-0, 2017.

[3] Monshizadeh, Mehrnoosh; Khatri, Vikramajeet; and Kantola, Raimo. “An adaptive detection and prevention architecture for unsafe traffic in SDN enabled mobile networks”. In IFIP/IEEE Symposium on Integrated Network and Service Management (IM), Lisbon, pp. 883-884, 2017.

[4] Monshizadeh, Mehrnoosh; Khatri, Vikramajeet; Kantola, Raimo; and Yan, Zheng. “An Orchestrated Security Platform for Internet of Robots”. In proceedings of 12th International Conference, Green, Pervasive, and Cloud Computing (GPC), Cetara, Italy, pp. 298-312, 2017

Scenario 6 – Web Content Analysis for Security Applications

(F-Secure, Arcada, Aalto, UH)

Changes to Scenario

More emphasis in 2018 will be on detection of phishing and malicious web sites. Also we will have high on the list near-real-time processing of unknown URL’s visited by the users to minimize the time gap between submission of new malicious or unwanted URL’s and the capability of detection / blocking of those by the protection software.


  • The work is under way at FSC to enable integration and validation of the image analysis method developed by Arcada, both for identifying inappropriate image content and for utilizing image analysis results for categorizing web pages (in particular, those with very small amounts of text or with text in Asian languages).
  • A prototype of phishing site detection implemented by Aalto has been validated by FSC. The key issue at the moment is that the prototype uses several features available only at the client side, while the FSC architecture supports content analysis logic only in the backend. The partners are exploring ways of overcoming this issue.
  • Topic modeling based approaches have been implemented for identifying web resources inappropriate for children. By mapping extracted topics to pre-defined “inappropriate content” categories, good results have been obtained for detecting web pages that belong to a number of such categories, and several topic models are running in the FSC production. At the same time, the use of those models has revealed some further problems with the available training sets, to be tackled in 2018.

  • No labels