Bachelor- and Master Seminar

Next Seminar on 06.11.2024

Written on 30.10.2024 18:50 by Xinyi Xu

Dear All,

The next seminar(s) will take place on 2024-11-06 at  14:00 (Session A) and 14:00 (Session B).

Session A: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

Syed Haider Ali Shah, Nirav Shenoy, Leonard Zitzmann

https://cispa-de.zoom.us/j/96786205841?pwd=M3FOQ3dSczRabDNLb3F1czVXVUpvdz09

Meeting-ID: 967 8620 5841

Password: BT!u5=

Session B: (14:00 - 14:30, 14:30 - 15:00, 15:00 - 15:30)

Majdi Maalej, Mitul Bipin, Pranav Shetty

https://cispa-de.zoom-x.de/j/66136901453?pwd=YVBSZU9peUpvUlk4bWp3MDR4cGlUUT09

Meeting-ID: 661 3690 1453

Password: sxHhzA004}

Session A

14:00 - 14:30

Speaker: Syed Haider Ali Shah

Advisor: Matthias Fassl, Katharina Krombholz

Research Area: RA6: Others

14:30 - 15:00

Speaker: Nirav Shenoy

Type of Talk: Master Intro

Advisor: Rebekka Burkholz

Title: Efficient Sparse Training: Combining Continuous Sparsification with Learning Rate Rewinding

Research Area: RA1: Trustworthy Information Processing

Abstract: Iterative pruning methods have been effective at creating state-of-the-art sparse networks that match the performance of dense models. These methods however require multiple training cycles and incur substantial computational costs due to their dense-to-sparse approach. We propose an efficient training framework that aims to reduce training iterations and computational cost per training iteration by beginning with random sparse models and employing continuous sparsification during training to achieve high accuracy at extremely high sparsities. Continuous sparsification can prune to high sparsities over far fewer epochs compared to more computationally expensive post-training pruning methods. Our approach utilizes Soft Threshold Reparameterization (STR) for its ability to induce non-uniform sparsity without relying on heuristics or predetermined sparsity budgets. We combine this with Learning Rate Rewinding (LRR), where each training iteration rewinds the learning rate schedule while maintaining the final weight values from the previous cycle. While STR effectively identifies masks in sparse-to-sparse scenarios, its sensitivity prevents weight revival once pruned. To address this limitation, we introduce a modified version of GraNet, a zero-cost neuroregeneration technique, to revive potentially useful weights at high sparsities.

15:00 - 15:30

Speaker: Leonard Zitzmann

Type of Talk: Bachelor Intro

Advisor: Lea Gröber

Title: Know Thyself: A Comparative Security Analysis of Self-Hosted and Cloud-Hosted WordPress Websites

Research Area: RA5: Empirical and Behavioural Security

Abstract: Cloud-hosted services continue to rise in popularity, while already being the predominant form of hosting environment on the internet. Although cloud-hosting is considered to be more “secure” by the public, there is little to no data available to support this belief. We aim to provide a comparative analysis of self-hosted and cloud-hosted web services on the example of WordPress, regarding commonly used security awareness indicators like HTTP headers.

Session B

14:00 - 14:30

Speaker: Majdi Maalej

Type of Talk: Master Intro

Advisor: Sebastian Stich

Title: Challenges and Benefits of Homomorphic Encryption on different Federated Learning Schemes

Research Area: RA1: Trustworthy Information Processing

Abstract: Over recent years, federated learning (FL) has become popular in the area of machine learning as a method for collaborative model deployment without sharing the data, since the data stays at the client devices. Nonetheless, models built using FL are subject to model inversion attacks, where the malicious servers attempt to retrieve sensitive client information. This paper addresses the issue of incorporating homomorphic encryption (HE), in particular the provision of the CKKS scheme, with both synchronous and asynchronous FL models to protect data at all times. HE enables encrypted parameter aggregation, thereby alleviating the possibility of data exposure, and provides safeguards against inference attacks. The study looks at major issues including computation overheads, effects of the encryption on model accuracy and performance differences caused between the FL schemes.

14:30 - 15:00

Speaker: Mitul Bipin

Type of Talk: Master Final

Advisor: Masudul Hasan Masud Bhuyian

Title: Comparative Analysis of Defenses Against ReDoS-based Attacks

Research Area: RA3: Threat Detection and Defenses

Abstract: In the current development landscape, developers rely on regular expressions for several operations, e.g.,validation, filtering. Sometimes, these regular expressions might contain ambiguity, i.e., cases where the regular expression allows the possibility of taking multiple paths to reach perform the same match. When an attacker sends a specially crafted input string that exploits the ambiguity, it can exhaust server resources and cause a Denial of Service (DoS) attack. We call them Regular Expression Denial of Service (ReDoS) attacks. ReDoS attacks could be avoided by ensuring the regular expression does not contain ambiguities. However, in some cases, a complex regular expression might cause the developer to overlook an ambiguity, or an imported library might contain a regular expression that contains an ambiguity. There exist several researches to identify and prevent such vulnerable regular expressions, but we do not have any conclusive evidence to determine the most effective technique. Several cloud providers offer mitigation techniques, such as deploying a web application firewall, to prevent traditional DoS attacks. However, we do not have any conclusive evidence whether they can prevent Denial-of-Service caused by regular expressions. To address the aforementioned gaps, the thesis delivers a comparative analysis to determine the most effective method to mitigate ReDoS attacks in a web application configured with various ReDoS mitigation techniques. In addition to that, we deploy the same web application in the cloud and setup traditional DoS mitigation techiques to evaluate whether they could also prevent ReDoS attacks. We import known ReDoS vulnerabilities identified by a CVE number into web applications and fix the vulnerability using different mitigation techniques. We simulate a naive DoS attack scenario where we simulate benign HTTP requests for a pre-defined duration and intermittently inject malicious HTTP requests throughout the period. We repeat the experiment for every mitigation technique and document the latency and throughput of the benign HTTP requests obtained during the experiment. The results indicate that a given vulnerable regular expression fixed using a nonbacktracking regex engine and an alternate logic (custom parser which replicates the regular expression) process a higher throughput rates and yields a lower latency rate. Other mitigation techniques, such as a timeout mechanism and repairing a regular expression using an automatic repair algorithm failed to consistently process high throughput rates. Some of the cloud-based mitigation techniques, such as web application firewalls and issuing JavaScript challenges to HTTP requests can partially prevent a ReDoS attack. The rate-limiting mechanism failed to prevent a ReDoS attack.

15:00 - 15:30

Speaker: Pranav Shetty

Type of Talk: Master Intro

Advisor: Nils Ole Tippenhauer, Ankush Meshram

Title: Adversarial Attacks and Defenses on Network-based Intrusion Detection Systems in Industrial Networks

Research Area: RA3: Threat Detection and Defenses

Abstract: Industrial Control Systems (ICS) and other components of Industrial Networks that are critical for the functioning of essential services and manufacturing processes, are increasingly becoming the targets for cyber-attacks. These components are responsible for controlling and managing everything from power grids and water treatment facilities to factory automation systems. Any disruption or compromise of these systems can have severe consequences, including economic loss, safety hazards, and threats to public health. Network Intrusion Detection Systems (NIDS) are crucial for identifying and mitigating cyber threats in these environments. However, with the rise of Adversarial Machine Learning, attackers can develop techniques to evade the detection by NIDS. Hence, there is a need to inspect the vulnerability of NIDS models against such Adversarial Attacks. This research aims to address the challenge of developing effective Adversarial Attacks capable of bypassing the NIDS in Industrial Networks and designing Robust Defense Mechanisms to counter these attacks.