Newspaper interviews
Der Faktor Mensch wird in Unternehmen bei Sicherheitsfragen nach wie vor unterschätzt, Netzguide, April 2010, Language: Deutsch
Ekaterina will alle Schweizer heiraten, 20min, 20. April 2010, Language: Deutsch
Firmen müssen auch Backups geschützt lagern, 20min, 2. Februar 2010, Language: Deutsch
Rechtshilfe gegen Kriminalität im Internet, NZZ am Sonntag, 25. Oktober 2009, Language: Deutsch
Wettrüsten gegen die Unterwelt, Schweizer Bank, Dezember 2008, Language: Deutsch
Riesige Lecks bei Informationssicherheit, Handelszeitung, 27. August 2008, Language: Deutsch

Papers
Making Privacy a Fundamental Component of Web Resources (Slides), Thomas Duebendorfer (Google Switzerland GmbH), Christoph Renner (Google Switzerland GmbH/ETH Zurich), Tyrone Grandison (IBM), Michael Maximilien (IBM), Mark Weitzel (IBM), W3C Workshop on Privacy for Advanced Web APIs, London, UK, July 12/13, 2010
Abstract: We present a social network inspired and access control list based sharing model for web resources. We have specified it as an extension for OpenSocial 1.0 and implemented a proof of concept in Orkut as well as a mobile social photo sharing application using it. The paper explains important design decisions and how the model can be leveraged to make privacy a core component and enabler for sharing resources on the web and beyond using capabilities of mobile devices.
Language: English, Pages: 5, Keywords: Open Social, Access Control Lists, Social Networks, Privacy, Sharing, Web Resources

Ist Ihr Webbrowser sicher?, Thomas Dübendorfer, Netzguide, April 2010
Abstract: Wer Sicherheitsupdates für seinen Webbrowser nicht sofort installiert, kann leicht Opfer eines Drive-by-Downloads werden. Unsere weltweiten Messungen belegen, dass der verwendete Updatemechanismus die Internetsicherheit wesentlich mitbestimmt.
Language: Deutsch, Pages: 3, Keywords: Web browser update effectiveness, update, browser, security, effectiveness, measurement

Why Silent Updates Boost Security, Thomas Dübendorfer [Google], Stefan Frei [ETH], ETH Tech Report TIK 302, May 2009
Abstract: Security fixes and feature improvements don't benefit the end user of software if the update mechanism and strategy is not effective. In this paper we analyze the effectiveness of different Web browsers update mechanisms; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation. We use anonymized logs from Google's world wide distributed Web servers. An analysis of the logged HTTP user-agent strings that Web browsers report when requesting any Web page is used to measure the daily browser version shares in active use. To the best of our knowledge, this is the first global scale measurement of Web browser update effectiveness comparing four different Web browser update strategies including Google Chrome. Our measurements prove that silent updates and little dependency on the underlying operating system are most effective to get users of Web browsers to surf the Web with the latest browser version. However, there is still room for improvement as we found. Google Chrome's advantageous silent update mechanism has been open sourced in April 2009. We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins.
Language: English, Pages: 9, Keywords: Web browser update effectiveness, update, browser, security, effectiveness, measurement, Reference: bibtex

Firefox (In) security update dynamics exposed, Stefan Frei [ETH], Thomas Dübendorfer [Google], Bernhard Plattner [ETH], ACM SIGCOMM Computer Communication Review, January 2009
Abstract: Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP user-agent header information stored in anonymized logs from Google's web servers, we measured the patch dynamics of about 75% of the world's Internet users for over a year. Our focus was on the Web browsers Firefox and Opera. We found that the patch level achieved is mainly determined by the ergonomics and default settings of built-in auto-update mechanisms. Firefox' auto-update is very effective: most users installed a new version within three days. However, the maximum share of the latest, most secure version never exceeded 80% for Firefox users and 46% for Opera users at any day in 2007. This makes about 50 million Firefox users with outdated browsers an easy target for attacks. Our study is the result of the first global scale measurement of the patch dynamics of a popular browser.
Language: English, Pages: 6, Keywords: Firefox, Browser, Security, Update, Drive-By Download, Reference: bibtex

Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the "insecurity iceberg", Stefan Frei [ETH], Thomas Dübendorfer [Google], Gunter Ollmann [IBM ISS], Martin May [ETH], DefCon 16 2008, Aug 10, 2008, Las Vegas, USA; ETH Tech Report 288, July 2008
Abstract: Based on an analysis of the Web browser versions seen on Google websites, the study estimates that there are worldwide 637 million (or 45.2%) Internet users, which don't use a latest and hence most secure Web browser. Further more, the study has found that only 83.3% of Firefox users, 65.3% of Safari users, 56.1% of Opera users and 47.6% of Internet Explorer users worldwide surf the Web with the latest and fully patched version of their browser. To increase the number of up-to-date web browsers in daily use, a "best used before date" is proposed as a visual warning message in the browser or on websites that tells how many updates and patches a user's Web browser is missing.
Language: English, Pages: 10, Keywords: Browser, Security, Update, Drive-By Download

Unterwegs im World Wild Web, Thomas Dübendorfer, DIGMA Zeitschrift für Datenrecht und Informationssicherheit, Heft 1, März, 2008
Abstract: Auch wenn das Einbinden von Fremdinhalten in eigene Webseiten sehr verlockend sein mag, sollte immer erst die Vertrauenswürdigkeit des Anbieters überprüft werden. Ansonsten zählt die eigene Webseite möglicherweise schon bald zu den mehr als drei Millionen Webseiten-URLs, welche auf den Rechnern ihrer Besucher mit einem unauffälligen Drive-by Download durch Ausnutzen einer Schwachstelle im Webbrowser Trojaner oder Adware installieren.
Language: Deutsch, Pages: 2, Keywords: Trojan, AdWare, Malicious Websites

Flow-Based Identification of P2P Heavy-Hitters, Arno Wagner, Thomas Dübendorfer, Lukas Hämmerle, Bernhard Plattner, Proceedings of the IEEE International Conference on Internet Surveillance and Protection (ICISP 2006), 27-29 August, 2006, Côte d'Azur, France
Abstract: One major new and often not welcome source of Internet traffic is P2P filesharing traffic. Banning P2P usage is not always possible or enforcible, especially in a university environment. A more restrained approach allows P2P usage, but limits the available bandwidth. This approach fails when users start to use non-default ports for the client software. We have developed the PeerTracker algorithm that allows detection of running P2P clients from NetFlow data in near real-time. The algorithm is especially suitable to identify clients that generate large amounts of traffic and can easily be used to find P2P heavy-hitters. A prototype system based on the PeerTracker algorithm is currently used by the network operations staff at the Swiss Federal Institute of Technology Zurich. We present measurements done on a medium sized Internet backbone and discuss accuracy issues, as well as possibilities and results from validation of the detection algorithm by direct polling in real-time.
Language: English, Pages: 6, Keywords: P2P, heavy-hitters, PeerTracker, filesharing, non-defaut ports, NetFlow

A fast worm scan detection tool for VPN congestion avoidance, Arno Wagner, Thomas Dübendorfer, Roman Hiestand, Christoph Göldi and Bernhard Plattner, Proceedings of DIMVA 2006, Springer's Lecture Notes in Computer Science (LNCS), GI SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2006), July 13-14, 2006, Berlin, Germany
Abstract: Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote subsidiaries can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and that reliably detects and reports worm infected hosts by tracking anomalous TCP, UDP and ICMP traffic. Our tool is not sensitive to most P2P software and was successfully tested on real production traffic as well as with traces of captured real and simulated worm traffic. Our various tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool. Language: English, Pages: 9, Keywords: VPN, congestion, scan detection, worm

Validating Inter-Domain SLAs with a Programmable Traffic Control System, Elisa Boschi, Matthias Bossardt, Thomas Dübendorfer, Proceedings of the Seventh Annual International Working Conference on Active and Programmable Networks (IWAN 2005), 21-23 November, 2005, Sophia Antipolis, Nice, France
Abstract: For network users and service providers it is important to validate the compliance of network services to the guarantees given in Service Level Agreements (SLAs). This is particularly challenging in inter-domain environments. In this paper, we propose a novel solution for inter-domain SLA validation, based on programmable traffic processing devices that are attached to routers and located in several autonomous systems. Using our service management infrastructure, the measurement logic is deployed on the traffic processing devices in a flexible and secure way. We safely delegate partial network management capability from network operators to network users, which are enabled to configure service logic on the traffic processing devices. At the same time, the management infrastructure guarantees against negative influence of the network user's configuration on network stability or other user's traffic. Via the flexible configuration of service logic, our system gives network users powerful means to observe quality of service parameters agreed upon in SLAs. We present a detailed scenario of the SLA validation service and its deployment across several administrative domains.
Language: English, Pages: 12, Keywords: inter-domain measurement, programmable networks, SLA validation, network service, management delegation

A Framework for Real-Time Worm Attack Detection and Backbone Monitoring, Thomas Dübendorfer, Arno Wagner, Bernhard Plattner, Proceedings of First IEEE International Workshop on Critical Infrastructure Protection (IWCIP 2005), Darmstadt, Germany, 3-4 November, 2005
Abstract: We developed an open source Internet backbone monitoring and traffic analysis framework named UPFrame. It captures UDP NetFlow packets, buffers it in shared memory and feeds it to customised plug-ins. UPFrame is highly tolerant to misbehaving plug-ins and provides a watchdog mechanism for restarting crashed plug-ins. This makes UPFrame an ideal platform for experiments. It also features a traffic shaper for smoothing incoming traffic bursts. Using this framework, we have investigated IDS-like anomaly detection possibilities for high-speed Internet backbone networks. We have implemented several plug-ins for host behaviour classification, traffic activity pattern recognition, and traffic monitoring. We successfully detected the recent Blaster, Nachi and Witty worm outbreaks in a medium-sized Swiss Internet backbone (AS559) using border router Net- Flow data captured in the DDoSVax project. The framework is efficient and robust and can complement traditional intrusion detection systems.
Language: English, Pages: 10, Keywords: framework, UPFrame, plug-in, NetFlow, worm outbreak, anomaly detection, online analysis, Host behaviour, Blaster, Nachi,Witty, backbone

Enhanced Internet Security by a Distributed Traffic Control Service Based on Traffic Ownership, Matthias Bossardt, Thomas Dübendorfer, Bernhard Plattner, Elsevier Journal of Network and Computer Applications (JNCA): Special Issue on DDoS and Intrusion Detection, 2005
Abstract: Frequency and intensity of Internet attacks are rising at an alarming pace. Several technologies and concepts were proposed for fighting disributed denial of service (DDoS) attacks: traceback, pushback, i3, SOS and Mayday. This paper shows that in the case of DDoS reflector attacks they are either ineffective or even counterproductive. We then propose the novel concept of traffic ownership and describe a system that extends the control over network traffic by network users to the Internet using adaptive traffic processing devices. We safely delegate partial network management capabilities from network operators to network users. All network packets with a source or destination address "owned" by a network user can now also be controlled within the Internet instead of only at the network user's Internet uplink. By limiting the traffic control features and by restricting the realm of contol to the "owner" of the traffic, we can rule out misuse of this system. Applications of our system are manifold: prevention of source address spoofing, DDoS attack mitigation, distributed firewall-like filtering, new ways of collecting traffic statistics, service level agreement validation, traceback, distributed network debugging, support for forensic analyses and many more. A use case illustrates how our system enables network users to prevent and react to DDoS attacks.
Language: English, Pages: 16, Keywords: traffic control, network management, network services, mitigation, distributed denial of service attack

Flow-level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone, Thomas Dübendorfer, Arno Wagner, Theus Hossmann, Bernhard Plattner, Proceedings of DIMVA 2005, Springer's Lecture Notes in Computer Science (LNCS), GI SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2005), Vienna, Austria, July 7-8, 2005
Abstract: We present an extensive flow-level traffic analysis of the network worm Blaster.A and of the e-mail worm Sobig.F. Based on packet-level measurements with these worms in a testbed we defined flow-level filters. We then extracted the flows that carried malicious worm traffic from AS559 (SWITCH) border router backbone traffic that we had captured in the DDoSVax project. We discuss characteristics and anomalies detected during the outbreak phases, and present an in-depth analysis of partially and completely successful Blaster infections. Detailed flow-level traffic plots of the outbreaks are given. We found a short network test of a Blaster pre-release, significant changes of various traffic parameters, backscatter effects due to non-existent hosts, ineffectiveness of certain temporary port blocking countermeasures, and a surprisingly low frequency of successful worm code transmissions due to Blaster's multi-stage nature. Finally, we detected many TCP packet retransmissions due to Sobig.F's far too greedy spreading algorithm.
Language: English, Pages: 20, Keywords: Blaster, Sobig, worm, analysis, backbone, DDoSVax
Talk: Talk as PDF

Host Behaviour Based Early Detection of Worm Outbreaks in Internet Backbones, Thomas Dübendorfer, Bernhard Plattner, 14th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2005); STCA security workshop, Linköping, Sweden, June, 2005
Abstract: We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts like ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco NetFlow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and alarming on fast increases and other significant changes, we can early and reliably detect worm outbreaks. We successfully validated our method with archived flow-level traces of recent major Internet email based worms such as MyDoom.A and Sobig.F, and fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any previous knowledge about the exploits and scanning method used by the worms. It can give a set of suspicious hosts in near real-time that have recently and drastically changed their network behaviour and hence are highly likely to be infected.
Language: English, Pages: 6, Keywords: worm, detection, host behaviour, Blaster, Witty, MyDoom.A, Sobig.F, NetFlow

Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation, Thomas Dübendorfer, Matthias Bossardt, Bernhard Plattner, 1st International Workshop on Security in Systems and Networks (SSN 2005), hold in conjunction with IEEE IPDPS 2005 Conference, 19th International Parallel & Distributed Processing Symposium, April 4-8, 2005 in Denver, Colorado
Language: English, Pages: 8, Keywords: traffic control, network management, network services, mitigation, distributed denial of service attack
Note: An extended version of this paper was published in Elsevier Journal of Network and Computer Applications (JNCA).

An Economic Damage Model for Large-Scale Internet Attacks, Thomas Dübendorfer, Arno Wagner, Bernhard Plattner, 13th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WET ICE 2004); Workshop on Enterprise Security, Modena, Italy, 2004
Abstract: Companies that rely on the Internet for their daily business are challenged by uncontrolled massive worm spreadings and the lurking threat potential of large-scale distributed denial of service attacks in the Internet. In this paper we present a new model and methodology, which allows a company to qualitatively and quantitatively estimate possible financial losses due to partial or complete interruption of Internet connectivity. Our approach is based on an in-depth analysis of the Internet-dependence of different types of companies, a flexible model for qualitative loss characteristics, and on interviews with Swiss backbone and Internet service providers. Our method is illustrated by a discussion of some sample scenarios.
Language: English, Pages: 6, Keywords: economic, model, damage, distributed denial of service, DDoS attack

Experiences with Worm Propagation Simulations, Arno Wagner, Thomas Dübendorfer, Roman Hiestand, Bernhard Plattner, 1st Workshop on Rapid Malcode WORM 2003, Washington, USA, October 2003
Abstract: Fast Internet worms are a relatively new threat to Internet infrastructure and hosts. We discuss motivation and possibilities to study the behaviour of such worms and degrees of freedom that worm writers have. To facilitate the study of fast worms we have designed a simulator. We describe the design of this simulator and discuss practical experiences we have made with it and compare observation of past worms with simulated behaviour. One specific feature of the simulator is that the Internet model used can represent network bandwidth and latency constraints.
Language: English, Page: 8, Keywords: Internet Worms, Simulation, Bandwidth, Latency

Smart Identification Frameworks for Ubiquitous Computing Applications, Kay Römer, Thomas Schoch, Friedemann Mattern, Thomas Dübendorfer, Proceedings of PerCom 2003 (IEEE International Conference on Pervasive Computing and Communications), Forth Worth/Texas, March 2003
Abstract: We present our results in the conceptual design and the implementation of ubiquitous computing applications using smart identification technologies. First, we describe such technologies and their potential application areas, followed by an overview of some applications we have developed. Based on the experiences we gained from the development of these systems, we point out design concepts that we find useful for structuring and implementing such applications. Building upon these concepts, we have created two frameworks based on Jini (i.e., distributed Java objects) and Web Services to support the development of ubiquitous computing applications that make use of smart identification technology. We describe our prototype frameworks, discuss the underlying concepts and present some lessons learned.
Language: English, Pages: 10, Keywords: ubiquitous computing, Jini, .NET Web Services, virtual counterparts, RFID, radio tags
[Cache:  (PDF, 542 KB)]

Infrastructure for Virtual Counterparts of Real World Objects, Kay Römer, Friedemann Mattern, Thomas Dübendorfer, Jürg Senn, April 2002.
Abstract: Fundamental mechanisms and core abstractions for structuring and implementing tag-based ubiquitous computing applications are identified. The concepts are illustrated by presenting some prototypical applications. Simple but powerful means of bridging the gap between the physical and the virtual world that were implemented in our infrastructure are discussed. A central feature of our infrastructure are virtual counterparts. They form augmented representations of real world objects and encapsulate their state and behavior.
Language: English, Pages: 17, Keywords: ubiquitous computing, infrastructure, virtual counterparts, RFID, radio tags
[Cache:  (PDF, 345 KB)]

Master's Thesis
An extensible infrastructure and a representation scheme for distributed smart proxies of real world objects, Thomas Dübendorfer, Master's thesis, ETH Zürich, Institute of Information Systems, ETH Technical Report 359, April 2001.
Abstract: An extensible infrastructure and a representation scheme for distributed smart virtual proxies of real world objects as presented in this Master's Thesis could be a foundation to make the environment smart by enhancing simple objects with smart virtual counterparts. Design, implementation and deployment issues of concepts such as virtual counterparts (Virtual Objects), proximity (Virtual Location), meta objects (Virtual Meta Objects and Locations), lifecycle of virtual counterparts (Virtual Object Manager) and a queriable persistent Artifact Memory are discussed.
Language: English, Pages: 85, Keywords: ubiquitous computing, smart things, infrastructure, virtual objects, virtual locations, virtual object manager, jini, virtual meta objects, artifact memory, virtual object repository, smart environment
[Cache:  (PDF, 900 KB)  (PS.GZ, 1445 KB)]

Semester Projects
Processing Natural Visual Stimuli Using Neural Networks, Thomas Dübendorfer, Kai Jauslin, Institute of Neuroinformatics (INI) at University of Zürich, 24th March 2000
Abstract: We collected representative natural visual stimuli, digitized the material, investigated various algorithms for preprocessing the images, calculated extensive statistics on the data, built a generic NVS (natural visual stimuli) framework with MATLAB (© MathWorks) to support interactive processing of the images and feeding them to a configurable neural network and finally adopted the unsupervised learning rule "learning with two sites of synaptic integration" that was developed at the Institute of Neuroinformatics at the University/ETH of Zürich by Konrad Körding and Dr. Peter König.
Supervisors: Dr. Peter König (INI Uni ZH), Konrad Körding (INI Uni ZH), Dr. Jakob Bernasconi (ETH Zürich)
Language: English, Pages: 60

"RespiG" - Messumgebung für Atemmuster, Thomas Dübendorfer, Institut für Hygiene unf Arbeitsphysiologie IHA, ETH Zürich, Juli 1999
Supervisors: Dr. Brigitta Danuser, Urs Meile
Abstract: Programmierung einer Messumgebung zur Aufzeichnung und Analyse von Atembewegungen des Menschen mit MATLAB (© MathWorks) und LabView (© National Instruments). Entwicklung von Algorithmen zur zuverlässigen Detektion von Atemzügen in einem verrauschten analogen Signal. Kalibrierung der relativen Messungen von Respitrace PLUS (Bauch- und Thoraxband zur Messung relativer Lungenvolumenänderungen) mittels linearer Regression auf absolute Flusswerte eines nur in der Kalibrierungsphase benötigten Pneumotachographen (Atemflussmessung mittels Atemrohr).
Language: Deutsch, Pages: 15 (Technische Dokumentation), 17 (Bedienungsanleitung)

Messen, Steuern, Regeln mit dem Computer, Thomas Dübendorfer, Kantonsschule Zürich-Oerlikon (KSOE), August 1993
Supervisor: Physiklehrer Herr Peter Ebersold
Abstract: Programmierung einer universellen I/O-Karte für den ISA Bus eines 80286 PCs in GWBASIC. Design, Bau und Programmierung einer Ampelsteuerung, eines LED Zufallswürfels und einer 220 Volt Lichtsteuerung sowie Ätzen der selbstentworfenen Platinen.
Language: Deutsch, Pages: 93