A behavioural study in runtime analysis environments and drive-by download attacks

Puttaroo, Mohammad Ally Rehaz

January 2017

In the information age, the growth in availability of both technology and exploit kits have continuously contributed in a large volume of websites being compromised or set up with malicious intent. The issue of drive-by-download attacks formulate a high percentage (77%) of the known attacks against client systems. These attacks originate from malicious web-servers or compromised web-servers and attack client systems by pushing malware upon interaction. Within the detection and intelligence gathering area of research, high-interaction honeypot approaches have been a longstanding and well-established technology. These are however not without challenges: analysing the entirety of the world wide web using these approaches is unviable due to time and resource intensiveness. Furthermore, the volume of data that is generated as a result of a run-time analysis of the interaction between website and an analysis environment is huge, varied and not well understood. The volume of malicious servers in addition to the large datasets created as a result of run-time analysis are contributing factors in the difficulty of analysing and verifying actual malicious behaviour. The work in this thesis attempts to overcome the difficulties in the analysis process of log files to optimise malicious and anomaly behaviour detection. The main contribution of this work is focused on reducing the volume of data generated from run-time analysis to reduce the impact of noise within behavioural log file datasets. This thesis proposes an alternate approach that uses an expert lead approach to filtering benign behaviour from potentially malicious and unknown behaviour. Expert lead filtering is designed in a risk-averse method that takes into account known benign and expected behaviours before filtering the log file. Moreover, the approach relies upon behavioural investigation as well as potential for 5 system compromisation before filtering out behaviour within dynamic analysis log files. Consequently, this results in a significantly lower volume of data that can be analysed in greater detail. The proposed filtering approach has been implemented and tested in real-world context using a prudent experimental framework. An average of 96.96% reduction in log file size has been achieved which is transferable to behaviour analysis environments. The other contributions of this work include the understanding of observable operating system interactions. Within the study of behaviour analysis environments, it was concluded that run-time analysis environments are sensitive to application and operating system versions. Understanding key changes in operating systems behaviours within Windows is an unexplored area of research yet Windows is currently one of the most popular client operating system. As part of understanding system behaviours for the creation of behavioural filters, this study undertakes a number of experiments to identify the key behaviour differences between operating systems. The results show that there are significant changes in core processes and interactions which can be taken into account in the development of filters for updated systems. Finally, from the analysis of 110,000 potentially malicious websites, typical attacks are explored. These attacks actively exploited the honeypot and offer knowledge on a section of the active web-based attacks faced in the world wide web. Trends and attack vectors are identified and evaluated.

Cyber security ; Computing

A Virtual Hydroelectric Power System for Distributable Industrial Control System Security Research

Mudd, David Brian

15 August 2014

Cyber security for industrial control systems (ICS) has been a rapidly growing area of interest and research for the last several years. The lack of an easily distributable platform on which ICS components can be built for use in security testing and result comparison among researchers presents a major issue. This thesis details the use of a virtual testbed environment to build a representative virtual hydroelectric power system (VHPS). The VHPS generates realistic Modbus/TCP network traffic between two separate ICS devices, a Master and a Slave, located on separate VMs. For security testing purposes, a method of session hijacking has been implemented as well as a Function Code Scan attack and a Setpoint Manipulation attack. The virtual environment, the VHPS, and the attacks have been packaged into an LXDE-based Fedora Spin VM for easy distribution.

cyber security

SCADA

A discrete event simulation-based approach for managing cyber vulnerabilities in a full-service deep waterway port

Mimesh, Hebah Mohammed

13 December 2019

Deepwater sea ports are considered to be gateways for global trade and susceptible to a diverse range of risks, including natural disasters such as hurricane, storm, drought, as well as a course of events ranging from human error to malicious cyber-attack. To deal with cyber vulnerabilities, this study examines how cyber-attack to a given technology (e.g., Programmable Logic Controllers (PLC), Radio Frequency Identification Tags (RFID), Navigation Technologies, and others) impacts the overall port operations. We use Port of Pascagoula as testbed to visualize and validate the modeling results utilizing FlexSim software. Several sets of experiments are conducted to provide important managerial insights for decision makers. Results indicate that cyber-attack on technologies used by the port may significantly impact the port operations. In overall, cyber-attack has meaningful impacts on ports systems that may result in significant economic and operational loss as well as long-term security and sustainability for overall ports performances.

cyber-attack

vulnerabilities

ports

The Effects of Experienced Cyber-Aggression on Subsequent Aggressive Behavior among College Students

Sedlar, Aaron Edward

13 August 2019

No description available.

Psychology

aggression

cyber-aggression

cyber-bullying

cyber aggression

cyber bullying

online aggression

online bullying

online experiments

internet usage

college students

cyber victimization

cyber-victimization

I'm from everywhere : articulations of queer identity in online spaces

Hill, Erica Ruth

26 October 2010

This thesis is an exploration of the various ways in which queer identity has been subsumed within an urban sensibility by mainstream culture, and how mediated articulations of queerness have subsequently been impacted. Highlighting the influence of late capitalism within the creation of a categorical “queer” identity, this work connects the history of the gentrified gayborhood to televisual and filmic representations of urban and rural queers. Interrogating legacy media representations opens up a conversation about how new media articulations of queerness might operate in the digital age. Examinations of popular queer websites, Downelink, GLEE and I’m From Driftwood illustrate the reification of common LGBTQ identity tropes, as well as highlight the spaces where queer affect theory might perform a critical intervention in how new media scholars might approach future research of online sources. / text

Queer

LGBTQ studies

Cyber studies

Cyber culture

New media

Collaborative cyber security situational awareness

Almualla, Mohammed Humaid

January 2017

Situational awareness is often understood as the perception of environmental elements and comprehension of their meaning, and the projection of future status. The advancements in cyberspace technology have fuelled new business and opportunities, but also brought an element of risk to valued assets. Today, the growing gap between different types of cyber-attacks threatens governments and organisations, from individuals to highly organized sponsored teams capable of breaching the most sophisticated systems and the inability to cope with these emerging threats. There is a strong case to be made for effective Collaborative Cyber-Security Situational Awareness (CCSA) that is designed to protect valuable assets, making them more resilient to cybersecurity threats. Cybersecurity experts today must rethink the nature of security, and shift from a conventional approach that stresses protecting vulnerable assets to a larger, more effective framework with the aim of strengthening cyber assets, making them more resilient and part of a cybersecurity process that delivers greater value against cyber threats. This study introduces a new approach to understanding situational awareness of information sharing and collaboration using knowledge from existing situational awareness models. However, current situational awareness models lack resilience in supporting information systems infrastructure, addressing various vulnerabilities, identifying high priority threats and selecting mitigation techniques for cyber threats. The use of exploratory and explanatory analysis techniques executed by Structure Equation Modelling (SEM) allowed the examination of CCSA, in this study. Data from 377 cyber security practitioners affiliated to cybersecurity expert groups including computer emergency response team (CERT) and computer security incident response team (CSIRT) was gathered in the form of an electronic survey and analysed to discover insights and understand the mental model of those cybersecurity experts. Also, a finding from the SEM was the CSSA model aligned perfectly with the second-order Cybernetics model to test the theory in practice, confirming the possibility of using the proposed model in a practical application for this research. Furthermore, the SEM informed the design of the CCSA Environment where an empirical study was employed to verify and validate the CCSA theory in practice. In addition, the SEM informed the design of a behavioural anchor rating scale to measure participant situational awareness performance. The experiment results proved that when using the CCSA model and replicating real-world cyber-attack scenarios that the outcome of situational awareness performance was 61% more than those who did not employ the use of the CCSA model and associated dashboard tool. Further, it was found that both timeliness and accuracy are important in influencing the outcome of information sharing and collaboration in enhancing cyber situational awareness and decision-making. This thesis for the first time presents a novel CCSA theory which has been confirmed in practice. Firstly, this research work improves the outcome of effectiveness in cyber SA by identifying important variables related with the CCSA model. Second, it provides a new technique to measure operators' cyber SA performance. Secondly, it provides the necessary steps to employ information sharing in order to improve cyber security incorporated in the CCSA model. Finally, cybersecurity experts should collaborate to identify and close the gap between cybersecurity threats and execution capacity. The novel CCSA model validated in this research can be considered an effective solution in fighting and preventing cyber-attacks. Attainment of cyber security is driven by how information is both secured and presented between members to encourage the use of information sharing and collaboration to resolve cyber security threats in a timely and accurate manner. This research helps researchers and practitioners alike gain an understanding of key aspects of information sharing and collaboration in CSSA which is informed by the CCSA theory and new capability that the implementation of this theory has shown to deliver in practice.

Better Safe than Sorry: The Relationship Between Locus of Control, Perception of Risk, and Cyber Misbehaviors

Johnson, Kim

22 March 2018

Information security is of vital importance to organizations. Breaches in security very often stem from behaviors of the system operator. Cyber misbehaviors on the part of employees can have devastating repercussions on the well-being of an organization. Up to now, research has mainly focused on how to protect information systems from outside attack, and only recently have researchers turned to the part the operator plays in keeping the systems safe. The present study investigated some individual differences that may play a role in people’s cyber behavior. The purpose of the study was to determine if locus of control was related to an individual’s perception of cyber risk and likelihood of engaging in cyber misbehaviors. Internal locus of control was found to be associated with higher perception of cyber risk, and higher cyber risk perception was found to lead to fewer cyber misbehaviors. The trait sensation seeking was also explored but no firm conclusions could be drawn from those results. Gaining an understanding of some of the differences between individuals that make some more likely to commit cyber misbehaviors-- as well as the dynamics behind these relationships—should be greatly beneficial in helping develop deterrents to cyber misbehavior and keeping information systems safer.

cyber risk

cyber safety

cybersecurity

information security

Psychology

Internet and Cyber behaviors among youngsters in China

Meng, Jingyuan, Xie, Qian

January 2014

The purposes of this research are to explore the relationship between Internet addiction and cyber behaviors and to explore whether youths who are more addicted to Internet are easier to experience negative cyber behaviors. / <p>Examinier was late. We postponed our seminar. </p>

Internet addiction

cyber behavior

cyber abuse

quantitative method

relationship

Gendered Nature of Cyber Victimization as a Mechanism of Social Control

Hill, Cassandra

January 2016

This research used a deductive post-hoc statistical design and Statistics Canada’s 2009 General Social Survey on victimization to explore the social control function of cyber victimization and determine whether this is gendered. Social control was operationalized as a composite measure of self-responsibilization. A multiple regression analysis identified predictors of social control and additional multiple regression models were used for a gender specific examination of social control. A total of 14 predictor variables were entered into three blocks: cyber victimization; sociodemographic characteristics; and violent victimization in physical space. The results reveal that cyber victimization remains a significant predictor of social control in addition to gender, a number of other sociodemographic characteristics of respondents, and physical space victimization types. The findings suggest that the theory of social control, which has been applied to violence against women in physical space, can also be applied to cyber space victimizations. This study also provides insights into the compound effects of physical space and cyber space victimizations on women and identifies implications for policy, methods, and theories for addressing and examining violence against women in cyberspace.

Social Control

Feminist theory

Cyber harassment

Cyber misogyny

Simulation d'activités et d'attaques : application à la cyberdéfense / Simulation of activities and attacks : application to cyberdefense

Bajan, Pierre-Marie

05 July 2019

Alors que l'importance des infrastructures ne fait que croître, les systèmes de détections et de traitements des attaques sont majoritairement faits pour remonter un seul type des deux grands formats d'attaques : les attaques de masses. Les attaques ciblées quant à elle, bien que d'une grande dangerosité de par leur spécificité et des profondeurs atteintes dans les systèmes, restent traités avec une certaine inefficacité par les systèmes informatiques. Pourtant il y a des équipements remontants des informations et des alertes mais les opérateurs souvent peu entraînés à la gestion des incidents se retrouvent engloutis par la quantité d'informations qu'ils leur sont remontés. Le principe de cette thèse serait de fournir des outils permettant la formation des opérateurs et un meilleur traitement des informations remontées. On approcherait le problème de la manière suivante : on va tout d'abord émuler le système informatique d'une petite entreprise avec ces différents utilisateurs et ces services informatiques. Cela servira à générer les données d'un comportement normal et régulier du système mais également le comportement d'une attaque. Une fois le système est émulé et les données sont générées on va se servir de ces données pour simuler le système selon les besoins que nous avons de la simulation. Cette simulation sera plus légère que l'émulation et sera capable de passage à l'échelle et une modification plus dynamique de l'architecture et du comportement du système. Le but étant d'avoir un outil léger et adaptable capable de simuler différents comportements et conditions d'un système d'entreprise pour être utiliser pour faire des formations d'opérateurs et des tests d'utilisation plus complet d'outil de sécurité. Le tout sera supervisé par la console de contrôle de simulation qui va gérer la simulation mais également recevoir les informations de chaque composant et de la console opérateur. Le contrôle de la simulation inclue la capacité de créer des incidents et problèmes dans le système mais également de créer des attaques à l'encontre du système. / The concern over the security of the infrastructure of a company is only growing deeper and became a source of worries for companies. They use different systems to detect and deal with attack but those systems are usually made to detect one type only of the two main type of attack: attacks made to target the largest amount of people possible. Targeted attacks are rarer but more dangerous as it penetrates deep into a system and are very specifics. However the systems used to deal with it are proved of limited efficiency. Even when they send alerts and news to the operator, there is just to much information going along with it making the often ill-trained operators unable to react and overwhelm by massive information. The goal of this thesis is to create a tool that would help to form operator but also help to test more efficiently security systems. We'll approach the problem by first emulating the infrastructure and services of a small company with its different users and services. It will be use to create the data of the regular operations and interactions of a company during normal activity but also under attack. Once the system is emulated and we collected the necessary data, we will start to simulate the system according to what we need the simulation for. This simulation would need less resources than the emulation and will be scalable and capable to be dynamically change according to the needs. The aim is to have a light tool capable to simulate different behaviors and different type of realist simulation of a system to help improve the formation of operators and also test security devices more fully. The whole would be supervised by a console of control of the simulation who will receive the information of the simulated elements and the simulated operator console. It would have the capacity to create incidents and problems into the systems along with attacks.

Simulation

Attaques

Activité

Cyber-défense

Simulation

Attacks

Activity

Cyber-defence