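@comment{
  Review notes for this section (publications by R. Luh and co-authors):
  - Entries were reflowed to one field per line; content is unchanged except
    where noted. The file carries UTF-8 text and biblatex-style fields
    (urldate, language, copyright), so it is assumed to be processed with
    Biber -- confirm before feeding it to classic BibTeX, which needs
    LaTeX escapes for the umlauts.
  - Title words are braced only where capitalisation must survive a
    sentence-casing style (product names, acronyms, German nouns); the
    exporter's brace-every-word pattern was removed.
  - DOIs are stored bare (no resolver prefix). shortDOIs (10/xxxx) are valid
    DOIs and were kept as found.
  - luh_design_2017 and luh_design_2017-1 share a title but differ in DOI and
    author list; verify whether these are two distinct publications or a
    duplicate. Neither has a booktitle, which inproceedings requires.
  - Keys are left untouched so existing citations keep resolving, even where
    they deviate from the lastname_word_year scheme (luh_robert_apt_2018).
}

@inproceedings{luh_penquest_2022,
  address     = {Tunis, Tunisia},
  title       = {{PenQuest} Reloaded: A Digital Cyber Defense Game for Technical Education},
  shorttitle  = {{PenQuest} Reloaded},
  isbn        = {978-1-66544-434-7},
  url         = {https://ieeexplore.ieee.org/document/9766700/},
  doi         = {10.1109/EDUCON52537.2022.9766700},
  abstract    = {Today’s IT and OT infrastructure is threatened by a plethora of cyber-attacks conducted by actors with different motivations and means. Furthermore, the complexity of these exposed systems as well as the adversaries’ sophisticated technical arsenal makes it increasingly difficult to plan and implement an organization’s defense. Understanding the link between specific attacks and effective mitigating measures is particularly challenging – as is understanding the underlying information security concepts. To support the training of current, and more importantly, nascent security engineers, we propose PenQuest, a digital attack and defense game where an attacker attempts to compromise an abstracted IT infrastructure and the defender works to prevent or mitigate the threat. The game is based on MITRE ATT\&CK, D3FEND, and the NIST SP 800-53 security standard and incorporates a multitude of concepts such as cyber kill chains, attack vectors, network segmentation, and more. PenQuest is built to support security education and risk assessment and was evaluated with a class of engineering students as well as independent security experts. Initial results show a significant increase in knowledge retention and attest to the game’s feasibility for educational use.},
  urldate     = {2023-01-25},
  booktitle   = {2022 {IEEE} Global Engineering Education Conference ({EDUCON})},
  publisher   = {IEEE},
  author      = {Luh, Robert and Eresheim, Sebastian and Größbacher, Stefanie and Petelin, Thomas and Mayr, Florian and Tavolato, Paul and Schrittwieser, Sebastian},
  month       = mar,
  year        = {2022},
  note        = {Projekt: PenQuest},
  keywords    = {Department Medien und Digitale Technologien, Education / Computers \& Technology, Forschungsgruppe Media Computing, Games, Institut für Creative Media Technologies, Paper, Security, Vortrag, best, peer-reviewed},
  pages       = {906--914},
}

@misc{luh_penquest_2022-1,
  address     = {Remote},
  type        = {Workshop and presentation},
  title       = {{PenQuest}: A Digital Cyber Defense Game for Higher Education},
  abstract    = {Today’s IT infrastructure is threatened by a plethora of attacks conducted by actors with different motivations and means. Understanding these threats as well as the link between specific attacks and effective mitigating measures is particularly challenging – as is comprehending the underlying information security concepts. This workshop introduces ``PenQuest'', a digital attack and defense game where an attacker attempts to compromise an abstracted IT infrastructure while the defender works to prevent or mitigate the threat. PenQuest uses a two-player adversarial approach to offer students a means to play through and dissect complex cyber-attacks. More importantly, it enables learners to discover appropriate countermeasures on a technical, organizational, and human level. With PenQuest, we aim to a) make it easier to understand IT vulnerabilities and threats; b) match attacks to appropriate security controls; and c) make it entertaining to explore such a complex topic and thereby motivate students to engage in the field. PenQuest has originally been built with bachelor-level MINT students in mind. However, it has proven to be an effective tool to introduce non-IT students to the topic of computer security and even teach company employees and managers about its importance, raising awareness in the process.},
  language    = {EN},
  author      = {Luh, Robert},
  month       = nov,
  year        = {2022},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag, Workshop},
}

@inproceedings{boigner_wsl2_2022,
  address     = {Vienna, Austria},
  series      = {{ARES} 2022},
  title       = {{WSL2} Forensics: Detection, Analysis \& Revirtualization},
  copyright   = {CC-BY},
  doi         = {10.1145/3538969.3544439},
  abstract    = {The development and integration of the Windows Subsystem for Linux, version 2 (WSL2) into Microsoft’s operating systems has brought together two worlds that were, from a consumer’s perspective, previously disjunct. This comes with new challenges for incident handling and computer forensics in particular, since workflows rarely had to consider both ecosystems at the same time. With WSL2 now becoming an integral part of Windows 10 and 11, tools and techniques have to be revisited with the new environment in mind. In this paper, we look at the detection, acquisition and postmortem analysis of WSL2 instances. We explore through experimentation how WSL2 guests can be quickly identified and provide investigators with an easy means to automate the process. Since it can also be helpful to an investigation to revirtualize an acquired image, the process of getting up and running a WSL2 instance on another host is discussed as well. This is complemented by a surface analysis of the extracted data, where we assess whether current open-source suites are compatible with Microsoft’s take on Linux. Ultimately, this work provides a concise guide for investigators dealing with WSL2 instances and updates the current state-of-the-art, which predominantly focuses on the first iteration of WSL.},
  booktitle   = {The 17th International Conference on Availability, Reliability and Security},
  publisher   = {Association for Computing Machinery},
  author      = {Boigner, Philipp and Luh, Robert},
  year        = {2022},
  keywords    = {FH SP Cyber Security, Institut für IT Sicherheitsforschung, Konferenz-Paper, Open Access, Vortrag, best, peer-reviewed},
}

@misc{luh_penquest_2022-2,
  address     = {Fokus N'Cyan, St. Jakob},
  type        = {Workshop and presentation},
  title       = {{PenQuest}: {Ein} {Cyber}-{Abwehr} {Spiel}},
  abstract    = {IT-Systeme sind tagtäglich mit einer Vielzahl digitaler Bedrohungen konfrontiert. Gleichzeitig ist die Planung passender Gegenmaßnahmen aufgrund der hohen Komplexität gerade für kleinere Unternehmen ein oftmals schwieriges Unterfangen. Das Lehr- und Planspiel „PenQuest“ bietet ein Rahmenwerk für die Simulation realer Hacking-Szenarien und setzt sich zum Ziel, das komplexe Zusammenspiel zwischen Angriff und Abwehr anschaulich zu modellieren. Im Zuge einer Partie treten zwei Spieler:innen auf dem Feld einer vereinfachten Netzwerklandschaft gegeneinander an und versuchen, die Oberhand zu gewinnen. Zugleich kann PenQuest herangezogen werden, um die Auswirkungen von möglichen Angriffen zu studieren und zu testen, welche Abwehrmaßnahmen besonders wirksam sind. In diesem Workshop bekommen die Teilnehmer:innen die Gelegenheit, PenQuest selbst auszuprobieren und mehrere Angriffsszenarien zu erkunden. Des Weiteren wird das Modell und die Prinzipien hinter dem Spiel vorgestellt und praktische Tipps gegeben, wie sich Unternehmen besser auf reale Bedrohungen vorbereiten können.},
  language    = {DE},
  author      = {Luh, Robert},
  month       = may,
  year        = {2022},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag, Workshop},
}

@inproceedings{wagner_problem_2014,
  address     = {Paris},
  title       = {Problem Characterization and Abstraction for Visual Analytics in Behavior-Based Malware Pattern Analysis},
  url         = {https://ifs.tuwien.ac.at/~rind/preprint/wagner_2014_VizSec_problem.pdf},
  doi         = {10/cv8p},
  abstract    = {Behavior-based analysis of emerging malware families involves finding suspicious patterns in large collections of execution traces. This activity cannot be automated for previously unknown malware families and thus malware analysts would benefit greatly from integrating visual analytics methods in their process. However existing approaches are limited to fairly static representations of data and there is no systematic characterization and abstraction of this problem domain. Therefore we performed a systematic literature study, conducted a focus group as well as semi-structured interviews with 10 malware analysts to elicit a problem abstraction along the lines of data, users, and tasks. The requirements emerging from this work can serve as basis for future design proposals to visual analytics-supported malware pattern analysis.},
  booktitle   = {Proceedings of the Eleventh Workshop on Visualization for Cyber Security},
  publisher   = {ACM},
  author      = {Wagner, Markus and Aigner, Wolfgang and Rind, Alexander and Dornhackl, Hermann and Kadletz, Konstantin and Luh, Robert and Tavolato, Paul},
  editor      = {Harrison, Lane},
  month       = nov,
  year        = {2014},
  note        = {Projekt: TARGET Projekt: KAVA-Time},
  keywords    = {2014, Creative Industries, Department Technologie, FH SP Cyber Security, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, KAVA-Time, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, Visual analytics, best, best-lbwagnerm, evaluation, malicious software, malware analysis, peer-reviewed, problem characterization and abstraction, user centered design, visualization},
  pages       = {9--16},
}

@misc{luh_penquest_2021,
  address     = {University of Luxembourg (remote)},
  title       = {{PenQuest}: An adversarial cyber security game for education and threat assessment (ext.)},
  language    = {EN},
  author      = {Luh, Robert},
  month       = jul,
  year        = {2021},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag},
}

@misc{luh_penquest_2021-1,
  address     = {Massachusetts Institute of Technology (remote)},
  title       = {{PenQuest}: An adversarial cyber security game for education and threat assessment},
  url         = {https://calendar.csail.mit.edu/events/235459},
  language    = {EN},
  author      = {Luh, Robert},
  month       = may,
  year        = {2021},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag},
}

@article{luh_advanced_2019,
  title       = {Advanced threat intelligence: detection and classification of anomalous behavior in system processes},
  abstract    = {With the advent of Advanced Persistent Threats (APTs), it has become increasingly difficult to identify and understand attacks on computer systems. This paper presents a system capable of explaining anomalous behavior within network-enabled user sessions by describing and interpreting kernel event anomalies detected by their deviation from normal behavior. The prototype has been developed at the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) at St. Pölten University of Applied Sciences.},
  journal     = {e \& i Elektrotechnik und Informationstechnik},
  publisher   = {Springer},
  author      = {Luh, Robert and Schrittwieser, Sebastian},
  month       = dec,
  year        = {2019},
  note        = {Projekt: TARGET},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec Applied Security \& Data Science, best, peer-reviewed, ⛔ No DOI found},
  pages       = {1--7},
}

@inproceedings{luh_robert_apt_2018,
  title       = {{APT} {RPG}: Design of a Gamified Attacker/Defender Meta Model},
  booktitle   = {International Workshop on {FORmal} methods for Security Engineering},
  author      = {Luh, Robert and Temper, Marlies and Tjoa, Simon and Schrittwieser, Sebastian},
  year        = {2018},
  note        = {Projekt: TARGET},
  keywords    = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed, ⛔ No DOI found},
}

@inproceedings{luh_design_2017,
  address     = {Madeira, Portugal},
  title       = {Design of an Anomaly-based Threat Detection \& Explication System},
  doi         = {10/gnd7mx},
  author      = {Luh, Robert and Schrittwieser, Sebastian and Janicke, Helge and Marschalek, Stefan},
  year        = {2017},
  note        = {Projekt: TARGET},
  keywords    = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed},
}

@inproceedings{marschalek_empirical_2016,
  title       = {Empirical Malware Research through Observation of System Behaviour},
  doi         = {10/gnt2tx},
  booktitle   = {First Workshop on Empirical Research Methods in Information Security},
  publisher   = {ACM},
  author      = {Marschalek, Stefan and Kaiser, Manfred and Luh, Robert and Schrittwieser, Sebastian},
  year        = {2016},
  note        = {Projekt: TARGET},
  keywords    = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed},
  pages       = {467--469},
}

@inproceedings{marschalek_endpoint_2017,
  address     = {Altoona, PA},
  title       = {Endpoint Data Classification Using {Markov} Chains},
  isbn        = {978-1-5386-4808-7},
  url         = {https://ieeexplore.ieee.org/document/8392618/},
  doi         = {10/gnt2tz},
  urldate     = {2019-01-24},
  booktitle   = {2017 International Conference on Software Security and Assurance ({ICSSA})},
  publisher   = {IEEE},
  author      = {Marschalek, Stefan and Luh, Robert and Schrittwieser, Sebastian},
  month       = jul,
  year        = {2017},
  keywords    = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, peer-reviewed},
  pages       = {56--59},
}

@inproceedings{luh_design_2017-1,
  title       = {Design of an Anomaly-based Threat Detection \& Explication System},
  doi         = {10/gnd63p},
  publisher   = {ACM},
  author      = {Luh, Robert and Schrittwieser, Sebastian and Marschalek, Stefan and Janicke, Helge and Weippl, Edgar},
  year        = {2017},
  keywords    = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed},
}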
@inproceedings{luh_taon_2016, title = {{TAON}: {An} {Ontology}-based {Approach} to {Mitigating} {Targeted} {Attacks}}, doi = {10/gnt2tw}, publisher = {ACM}, author = {Luh, Robert and Schrittwieser, Sebastian and Marschalek, Stefan}, year = {2016}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed}, } @inproceedings{galhuber_time_2021, address = {New York, NY, USA}, series = {{ARES} 2021}, title = {Time for {Truth}: {Forensic} {Analysis} of {NTFS} {Timestamps}}, copyright = {All rights reserved}, url = {http://eprints.cs.univie.ac.at/7091/}, doi = {10/gnhmbb}, abstract = {Timeline forgery a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. 
Finally, we analyze the effect and efficacy of 7 third party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.}, booktitle = {The 16th {International} {Conference} on {Availability}, {Reliability} and {Security}}, publisher = {Association for Computing Machinery}, author = {Galhuber, Michael and Luh, Robert}, year = {2021}, keywords = {FH SP Cyber Security, Institut für IT Sicherheitsforschung, Konferenz-Paper, Vortrag, best, peer-reviewed}, } @techreport{luh_advanced_2019-1, type = {Dissertation}, title = {Advanced {Threat} {Intelligence}: {Interpretation} of {Anomalous} {Behavior} in {Ubiquitous} {Kernel} {Processes}}, url = {https://dora.dmu.ac.uk/handle/2086/18527}, abstract = {Targeted attacks on digital infrastructures are a rising threat against the confidentiality, integrity, and availability of both IT systems and sensitive data. With the emergence of advanced persistent threats (APTs), identifying and understanding such attacks has become an increasingly difficult task. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. This thesis presents a multi-stage system able to detect and classify anomalous behavior within a user session by observing and analyzing ubiquitous kernel processes. Application candidates suitable for monitoring are initially selected through an adapted sentiment mining process using a score based on the log likelihood ratio (LLR). For transparent anomaly detection within a corpus of associated events, the author utilizes star structures, a bipartite representation designed to approximate the edit distance between graphs. Templates describing nominal behavior are generated automatically and are used for the computation of both an anomaly score and a report containing all deviating events. 
The extracted anomalies are classified using the Random Forest (RF) and Support Vector Machine (SVM) algorithms. Ultimately, the newly labeled patterns are mapped to a dedicated APT attacker–defender model that considers objectives, actions, actors, as well as assets, thereby bridging the gap between attack indicators and detailed threat semantics. This enables both risk assessment and decision support for mitigating targeted attacks. Results show that the prototype system is capable of identifying 99.8\% of all star structure anomalies as benign or malicious. In multi-class scenarios that seek to associate each anomaly with a distinct attack pattern belonging to a particular APT stage we achieve a solid accuracy of 95.7\%. Furthermore, we demonstrate that 88.3\% of observed attacks could be identified by analyzing and classifying a single ubiquitous Windows process for a mere 10 seconds, thereby eliminating the necessity to monitor each and every (unknown) application running on a system. With its semantic take on threat detection and classification, the proposed system offers a formal as well as technical solution to an information security challenge of great significance.}, institution = {De Monfort University Leicester}, author = {Luh, Robert}, month = jul, year = {2019}, note = {Projekt: TARGET}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, PhD, SP IT Sec Security Management \& Privacy, best rluh}, } @article{luh_penquest_2019, title = {{PenQuest}: a gamified attacker/defender meta model for cyber security assessment and education}, issn = {2263-8733}, url = {https://doi.org/10.1007/s11416-019-00342-x}, doi = {10/gh378z}, abstract = {Attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. 
At the same time, the complex interplay of attack techniques and possible countermeasures makes it difficult to appropriately plan, implement, and evaluate an organization’s defense. More often than not, the worlds of technical threats and organizational controls remain disjunct. In this article, we introduce PenQuest, a meta model designed to present a complete view on information system attacks and their mitigation while providing a tool for both semantic data enrichment and security education. PenQuest simulates time-enabled attacker/defender behavior as part of a dynamic, imperfect information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX, CAPEC, CVE/CWE and NIST SP 800-53. Attack patterns, vulnerabilities, and mitigating controls are mapped to counterpart strategies and concrete actions through practical, data-centric mechanisms. The gamified model considers and defines a wide range of actors, assets, and actions, thereby enabling the assessment of cyber risks while giving technical experts the opportunity to explore specific attack scenarios in the context of an abstracted IT infrastructure. We implemented PenQuest as a physical serious game prototype and successfully tested it in a higher education environment. 
Additional expert interviews helped evaluate the model’s applicability to information security scenarios.}, journal = {Journal of Computer Virology and Hacking Techniques}, author = {Luh, Robert and Temper, Marlies and Tjoa, Simon and Schrittwieser, Sebastian and Janicke, Helge}, month = nov, year = {2019}, keywords = {FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Paper, SP IT Sec Security Management \& Privacy, peer-reviewed}, } @article{luh_automatische_2011, title = {Automatische verhaltensbasierte {Malware}-{Analyse}}, language = {Deutsch}, number = {11}, journal = {Hackin9}, author = {Luh, Robert and Tavolato, Paul}, year = {2011}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Publikationstyp Schriftpublikation}, } @inproceedings{luh_behavior-based_2012, address = {Graz, Österreich}, title = {Behavior-{Based} {Malware} {Recognition}}, isbn = {3-902103-37-X}, booktitle = {6. {Forschungsforum} der Österreichischen {Fachhochschulen} - {Tagungsband} 1 {Informationstechnologie} als {Produktionsfaktor}}, publisher = {Eigenverlag FH Joanneum GmbH}, author = {Luh, Robert and Tavolato, Paul}, year = {2012}, note = {Projekt: MalwareDef}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Publikationstyp Schriftpublikation, peer-reviewed}, pages = {79--84}, } @incollection{wagner_visual_2017, title = {Visual {Analytics}: {Foundations} and {Experiences} in {Malware} {Analysis}}, isbn = {978-1-4987-7641-7}, abstract = {This chapter starts by providing some background in behavior-based malware analysis. Subsequently, it introduces VA and its main components based on the knowledge generation model for VA (Sacha et al., 2014). 
Then, it demonstrates the applicability of VA in in this subfield of software security with three projects that illustrate practical experience of VA methods: MalwareVis (Zhuo et al., 2012) supports network forensics and malware analysis by visually assessing TCP and DNS network streams. SEEM (Gove et al., 2014) allows visual comparison of multiple large attribute sets of malware samples, thereby enabling bulk classification. KAMAS (Wagner et al. 2017) is a knowledge-assisted visualization system for behavior-based malware forensics enabled by API calls and system call traces. Future directions in visual analytics for malware analysis conclude the chapter.}, booktitle = {Empirical {Research} for {Software} {Security}: {Foundations} and {Experience}}, publisher = {CRC/Taylor and Francis}, author = {Wagner, Markus and Sacha, Dominik and Rind, Alexander and Fischer, Fabian and Luh, Robert and Schrittwieser, Sebastian and Keim, Daniel A and Aigner, Wolfgang}, editor = {Othmane, Lotfi Ben and Jaatun, Martin Gilje and Weippl, Edgar}, year = {2017}, note = {Projekt: KAVA-Time}, keywords = {FH SP Cyber Security, FH SP Data Analytics \& Visual Computing, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Institut für Creative Media Technologies, Publikationstyp Schriftpublikation, Visual Computing, Visual analytics, Wiss. Beitrag, best, best-lbwagnerm, data, interaction, knowledge generation, malware analysis, model, peer-reviewed, visualization}, pages = {139--171}, } @inproceedings{wagner_survey_2015, address = {Cagliari, Italy}, title = {A {Survey} of {Visualization} {Systems} for {Malware} {Analysis}}, url = {http://mc.fhstp.ac.at/supp/EuroVisStar2015}, doi = {10/cwc4}, abstract = {Due to the increasing threat from malicious software (malware), monitoring of vulnerable systems is becoming increasingly important. The need to log and analyze activity encompasses networks, individual computers, as well as mobile devices. 
While there are various automatic approaches and techniques available to detect, identify, or capture malware, the actual analysis of the ever-increasing number of suspicious samples is a time-consuming process for malware analysts. The use of visualization and highly interactive visual analytics systems can help to support this analysis process with respect to investigation, comparison, and summarization of malware samples. Currently, there is no survey available that reviews available visualization systems supporting this important and emerging field. We provide a systematic overview and categorization of malware visualization systems from the perspective of visual analytics. Additionally, we identify and evaluate data providers and commercial tools that produce meaningful input data for the reviewed malware visualization systems. This helps to reveal data types that are currently underrepresented, enabling new research opportunities in the visualization community.}, booktitle = {Eurographics {Conference} on {Visualization} ({EuroVis}) - {STARs}}, publisher = {The Eurographics Association}, author = {Wagner, Markus and Fischer, Fabian and Luh, Robert and Haberson, Andrea and Rind, Alexander and Keim, Daniel A. and Aigner, Wolfgang}, editor = {Borgo, Rita and Ganovelli, Fabio and Viola, Ivan}, year = {2015}, note = {Projekt: TARGET Projekt: KAVA-Time}, keywords = {Creative Industries, FH SP Cyber Security, FH SP Data Analytics \& Visual Computing, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, KAVA-Time, Model/Taxonomy, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, Time-Oriented Data, Visual Computing, Visual analytics, Vortrag, Wiss. 
Beitrag, best, best-lbaigner, best-lbwagnerm, best-rluh, information visualization, interdisziplinär, malicious software, malware, peer-reviewed, survey, taxonomy, visualization}, pages = {105--125}, } @article{luh_aidis_2019, title = {{AIDIS}: {Detecting} and classifying anomalous behavior in ubiquitous kernel processes}, issn = {0167-4048}, url = {http://www.sciencedirect.com/science/article/pii/S0167404818314457}, doi = {10/gh38cc}, abstract = {Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable to explain anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear kernel support vector machines. 
The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks.}, number = {84}, journal = {Computers \& Security}, author = {Luh, Robert and Janicke, Helge and Schrittwieser, Sebastian}, month = jul, year = {2019}, note = {Projekt: TARGET}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, best, best-rluh, peer-reviewed}, pages = {120--147}, } @article{luh_sequin_2018, title = {{SEQUIN}: a grammar inference framework for analyzing malicious system behavior}, url = {http://mc.fhstp.ac.at/sites/default/files/publications/Luh_2018_SEQUIN.pdf}, doi = {10/cwdf}, abstract = {Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. The emergence of Advanced Persistent Threats (APTs) made it paramount to fully understand the particulars of such attacks in order to improve or devise effective defense mechanisms. Grammar inference paired with visual analytics (VA) techniques offers a powerful foundation for the automated extraction of behavioral patterns from sequential event traces. To facilitate the interpretation and analysis of APTs, we present SEQUIN, a grammar inference system based on the Sequitur compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure through automated assessment routines capable of dealing with multiple input sources and types. This automated assessment enables the accurate identification of interesting frequent or anomalous patterns in sequential corpora of arbitrary quantity and origin. 
On the formal side, we extended the CFG with attributes that help describe the extracted (malicious) actions. Discovery-focused pattern visualization of the output is provided by our dedicated KAMAS VA prototype.}, journal = {Journal of Computer Virology and Hacking Techniques}, author = {Luh, Robert and Schramm, Gregor and Wagner, Markus and Janicke, Helge and Schrittwieser, Sebastian}, year = {2018}, note = {Projekt: TARGET Projekt: KAVA-Time}, keywords = {FH SP Cyber Security, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Visual analytics, Wiss. Beitrag, attribute grammar, best, best-lbwagner, best-rluh, knowledge generation, malware analysis, peer-reviewed, system behavior}, pages = {01 -- 21}, } @inproceedings{marschalek_classifying_2015, title = {Classifying {Malicious} {System} {Behavior} using {Event} {Propagation} {Trees}}, doi = {10/gh378f}, booktitle = {Proceedings of the 17th {International} {Con}- ference on {Information} {Integration} and {Web}-based {Applications} {Services} ({iiWAS2015})}, author = {Marschalek, Stefan and Luh, Robert and Kaiser, Manfred and Schrittwieser, Sebastian}, year = {2015}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, SP IT Sec System \& Application Security, peer-reviewed}, } @inproceedings{luh_sequitur-based_2017, title = {Sequitur-based {Inference} and {Analysis} {Framework} for {Malicious} {System} {Behavior}}, doi = {10/cwdb}, author = {Luh, Robert and Schramm, Georg and Wagner, Markus and Schrittwieser, Sebastian}, year = {2017}, note = {Projekt: TARGET Projekt: KAVA-Time}, keywords = {2017, Department Medien und Digitale Technologien, Department Technologie, FH SP Cyber 
Security, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, peer-reviewed}, } @inproceedings{rauchberger_other_2018, address = {Hamburg, Deutschland}, title = {The {Other} {Side} of the {Coin}: {A} {Framework} for {Detecting} and {Analyzing} {Web}-based {Cryptocurrency} {Mining} {Campaigns}}, doi = {10/gh373c}, booktitle = {Proceedings of the 13th {International} {Conference} on {Availability}, {Reliability} and {Security}}, publisher = {ACM}, author = {Rauchberger, Julian and Schrittwieser, Sebastian and Dam, Tobias and Luh, Robert and Buhov, Damjan and Pötzelsberger, Gehard and Kim, Hyoungshick}, year = {2018}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, SP IT Sec System \& Application Security, best, peer-reviewed}, } @inproceedings{rauchberger_longkit_2017, address = {Madeira, Portugal}, title = {Longkit - {A} {Universal} {Framework} for {BIOS}/{UEFI} {Rootkits} in {System} {Management} {Mode}}, doi = {10/gh3729}, author = {Rauchberger, Julian and Luh, Robert and Schrittwieser, Sebastian}, year = {2017}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, SP IT Sec System \& Application Security, best, peer-reviewed}, } @inproceedings{luh_llr-based_2017, title = {{LLR}-based {Sentiment} {Analysis} for {Kernel} {Event} {Sequences}}, doi = {10/gh3728}, publisher = {IEEE}, author = {Luh, Robert and Schrittwieser, Sebastian and Marschalek, Stefan}, year = {2017}, note = {Projekt: TARGET}, keywords = {Department 
Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, best, peer-reviewed}, } @article{eresheim_evolution_2017, title = {The {Evolution} of {Process} {Hiding} {Techniques} in {Malware} – {Current} {Threats} and {Possible} {Countermeasures}}, doi = {10/gh3722}, journal = {Journal of Information Processing}, author = {Eresheim, Sebastian and Luh, Robert and Schrittwieser, Sebastian}, year = {2017}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed}, } @article{luh_semantics-aware_2016, title = {Semantics-aware detection of targeted attacks – {A} survey}, url = {http://link.springer.com/article/10.1007/s11416-016-0273-3}, doi = {10/gh372z}, journal = {Journal of Computer Virology and Hacking Techniques}, author = {Luh, Robert and Marschalek, Stefan and Kaiser, Manfred and Janicke, Helge and Schrittwieser, Sebastian}, year = {2016}, note = {Projekt: TARGET}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, best, peer-reviewed}, pages = {1--39}, } @misc{luh_google_2019, address = {FH St. 
Pölten}, title = {Google {Hacking}}, author = {Luh, Robert and Eigner, Oliver}, month = jan, year = {2019}, keywords = {FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security}, } @inproceedings{thur_big2-kamas:_2017, address = {Phoenix, Arizona, USA}, title = {{BiG2}-{KAMAS}: {Supporting} {Knowledge}-{Assisted} {Malware} {Analysis} with {Bi}-{Gram} {Based} {Valuation}}, url = {http://mc.fhstp.ac.at/sites/default/files/publications/vizsec-poster-2017%20%281%29.pdf}, abstract = {Malicious software, short malware, refers to software programs that are designed to cause damage or to perform unwanted actions on the infected computer system. The behavior-based analysis of malware typically utilizes tools that produce lengthy traces of observed events, which have to be analyzed manually or by means of individual scripts. Due to the growing amount of data extracted from malware samples, analysts are in need of an interactive tool that supports them in their exploration efforts. In this respect, the use of visual analytics methods and stored expert knowledge helps the user to speed up the exploration process and, furthermore, to improve the quality of the outcome. In this paper, the previously developed KAMAS concept is extended with components such as a bi-gram based valuation approach to cover further malware analysts’ needs. 
The components have been integrated into a new prototype which was evaluated by two domain experts in a detailed user study.}, booktitle = {Poster of the 14th {Workshop} on {Visualization} for {Cyber} {Security} ({VizSec})}, author = {Thür, Niklas and Wagner, Markus and Schick, Johannes and Niederer, Christina and Eckel, Jürgen and Luh, Robert and Aigner, Wolfgang}, month = oct, year = {2017}, note = {Projekt: KAVA-Time}, keywords = {2017, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Institut für Creative Media Technologies, Knowledge-assisted Visualization, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, User-Centered Design, Visual analytics, explicit knowledge, information visualization}, } @inproceedings{thur_bigram_2017, address = {St. Pölten}, title = {A {Bigram} {Supported} {Generic} {Knowledge}-{Assisted} {Malware} {Analysis} {System}: {BiG2}-{KAMAS}}, url = {http://mc.fhstp.ac.at/sites/default/files/publications/Thuer_B2KAMAS_2017.pdf}, abstract = {Malicious software, short "malware", refers to software programs that are designed to cause damage or to perform unwanted actions on the infected computer system. Behavior-based analysis of malware typically utilizes tools that produce lengthy traces of observed events, which have to be analyzed manually or by means of individual scripts. Due to the growing amount of data extracted from malware samples, analysts are in need of an interactive tool that supports them in their exploration efforts. In this respect, the use of visual analytics methods and stored expert knowledge helps the user to speed up the exploration process and, furthermore, to improve the quality of the outcome. In this paper, the previously developed KAMAS prototype is extended with additional features such as the integration of a bi-gram based valuation approach to cover further malware analysts’ needs. 
The result is a new prototype which was evaluated by two domain experts in a detailed user study.}, booktitle = {Proceedings of the 10th {Forum} {Media} {Technology} 2017}, publisher = {CEUR-WS}, author = {Thür, Niklas and Wagner, Markus and Schick, Johannes and Niederer, Christina and Eckel, Jürgen and Luh, Robert and Aigner, Wolfgang}, month = nov, year = {2017}, note = {Projekt: KAVA-Time}, keywords = {2017, Design Study, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Institut für Creative Media Technologies, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, Visual analytics, behavior-based, interactive, knowledge generation, malicious software, malware analysis, peer-reviewed, prototype, visualization}, pages = {107--115}, } @misc{haslinger_alltagsspuren_2015, title = {Alltagsspuren von dir und mir}, author = {Haslinger, Daniel and Luh, Robert}, month = sep, year = {2015}, keywords = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Publikationstyp Präsentation, SP IT Sec System \& Application Security}, } @article{luh_fragen_2018, title = {Fragen an die {Wissenschaft}: {Warum} werden {Datenbestände} immer größer?}, journal = {Niederösterreichische Nachrichten}, author = {Luh, Robert}, month = oct, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security}, } @misc{luh_mord_2018, address = {VHS Wien}, title = {Mord auf der {Festplatte}: {Ein} {Ausflug} in die digitale {Forensik}}, author = {Luh, Robert}, month = jan, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag}, } @misc{luh_murder_2018, address = {FH Kiel}, title = {From murder to malware: {Digital} forensics for treasure hunters}, author = {Luh, Robert}, month = jan, year 
= {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag}, } @misc{luh_malware_2018, address = {De Montfort University Leicester}, title = {Malware {Analysis}}, author = {Luh, Robert}, month = jan, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag}, } @misc{luh_penquest:_2018, address = {Fachhochschule St. Pölten}, title = {{PenQuest}: {Attacker}/{Defender} {Educational} {Game}}, author = {Luh, Robert}, month = jun, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag}, } @misc{luh_google_2018, address = {FH St. Pölten}, title = {Google {Hacking}}, author = {Luh, Robert and Eresheim, Sebastian}, month = jan, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, SP IT Sec System \& Application Security, Vortrag}, } @misc{schrittwieser_mord_2018, address = {Wien}, title = {Mord im {Planetarium} - {Ein} {Ausflug} in die {Welt} der {Digitalen} {Forensik}}, author = {Schrittwieser, Sebastian and Luh, Robert}, month = apr, year = {2018}, keywords = {FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Vortrag}, }