  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
181

Anomaly-Based Detection of Malicious Activity in In-Vehicle Networks

Taylor, Adrian January 2017
Modern automobiles have been proven vulnerable to hacking by security researchers. By exploiting vulnerabilities in the car's external interfaces, attackers can access a car's controller area network (CAN) bus and cause malicious effects. We seek to detect these attacks on the bus as a last line of defence against automotive cyber attacks. The CAN bus standard defines a low-level message structure, upon which manufacturers layer their own proprietary command protocols; attacks must similarly be tailored for their target. This variability makes intrusion detection methods difficult to apply to the automotive CAN bus. Nevertheless, the bus traffic is generated by machines; thus we hypothesize that it can be characterized with machine learning, and that attacks produce anomalous traffic. Our goals are to show that anomaly detection trained without understanding of the message contents can detect attacks, and to create a framework for understanding how the characteristics of a novel attack can be used to predict its detectability. We developed a model that describes attacks based on their effect on bus traffic, informed by a review of published material on car hacking in combination with analysis of CAN traffic from a 2012 Subaru Impreza. The model specifies three high-level categories of effects: attacks that insert foreign packets, attacks that affect packet timing, and attacks that only modify data within packets. Foreign packet attacks are trivially detectable. For timing-based anomalies, we developed features suitable for one-class classification methods. For packet stream data word anomalies, we adapted recurrent neural networks and multivariate Markov model methods to sequence anomaly detection and compared their performance. We conducted experiments to evaluate our detection methods with special attention to the trade-off between precision and recall, given that a practical system requires a very low false alarm rate. 
The methods were evaluated by synthesizing anomalies within each attack category, parameterized to adjust their covertness. We generalize from the results to enable prediction of detection rates for new attacks using these methods.
182

Optimal Cyber Security Placement Schemes for Smart City Infrastructures

Hasan, Md Mahmud January 2017
The conceptual evolution of smart cities is highly motivated by the advancement of information and communication technologies (ICTs). The purpose of a smart city is to facilitate the best quality of life to its inhabitants. Its implementation has to be supported by the compliant utilities and networked infrastructures. In the current world, it can only be achieved by applying ICTs in an extensive manner. The move towards the smart city's seamless connectivity widens the scope of cyber security concerns. Smart city infrastructures face a high risk of targeted attacks due to extended cyber-physical vulnerabilities. This creates many challenging research issues relevant to the design and implementation of cyber security solutions. Networks associated with city infrastructures vary from a small indoor one to a large geographically distributed one. The context of a network is an essential consideration for security solutions. This thesis investigates a set of optimal security placement problems for enhancing monitoring in smart city infrastructures. It develops solutions to such placement problems from a resource management perspective. Economy and quality-of-security service (QoSS) are two major design goals. Such goals are translated into three basic performance metrics: (i) coverage, (ii) tolerance, and (iii) latency. This thesis studies security placement problems pertaining to three different types of networks: (i) wireless sensor network (WSN), (ii) supervisory control and data acquisition (SCADA) backbone, and (iii) advanced metering infrastructure (AMI) wide area network (WAN). In a smart city, WSNs are deployed to support real time monitoring and safety alert (RTMSA) applications. They are highly resource constrained networks. For WSNs, placement problems for an internally configured security monitor named watchdog have been studied. On the other hand, a smart grid is a key driver for smart cities. SCADA and AMI are two major components of a smart grid.
They are associated with two different types of geographically distributed networks. For SCADA backbones, placement problems for a specially designed security device named trust system have been studied. For AMI-WANs, placement problems for a cloud-based managed security service have been studied. This thesis proposes a number of promising solution schemes to such placement problems. It includes evaluation results that demonstrate the enhancements of the proposed schemes.
183

Due Diligence in Cyberspace : An Assessment of Rule 6 in the Tallinn Manual 2.0

Bergwik, Maja January 2020
No description available.
184

Improving Model Performance with Robust PCA

Bennett, Marissa A. 15 May 2020
As machine learning becomes an increasingly relevant field being incorporated into everyday life, so does the need for consistently high performing models. With these high expectations, along with potentially restrictive data sets, it is crucial to be able to use techniques for machine learning that increase the likelihood of success. Robust Principal Component Analysis (RPCA) not only extracts anomalous data, but also finds correlations among the given features in a data set, in which these correlations can themselves be used as features. By taking a novel approach to utilizing the output from RPCA, we address how our method affects the performance of such models. We take into account the efficiency of our approach, and use projectors to enable our method to have a 99.79% faster run time. We apply our method primarily to cyber security data sets, though we also investigate the effects on data sets from other fields (e.g. medical).
185

Towards Advanced Malware Classification: A Reused Code Analysis of Mirai Bonnet and Ransomware

January 2020
abstract: Due to the increase in computer and database dependency, the damage caused by malicious codes increases. Moreover, the gravity and magnitude of malicious attacks by hackers grow at an unprecedented rate. A key challenge lies in detecting such malicious attacks and codes in real-time by the use of existing methods, such as a signature-based detection approach. To this end, computer scientists have attempted to classify heterogeneous types of malware on the basis of their observable characteristics. Existing literature focuses on classifying binary codes, due to the greater accessibility of malware binary than source code. Also, for the improved speed and scalability, machine learning-based approaches are widely used. Despite such merits, the machine learning-based approach critically lacks the interpretability of its outcome, and thus restricts understanding of why a given code belongs to a particular type of malicious malware and, importantly, why some portions of a code are reused very often by hackers. In this light, this study aims to enhance understanding of malware by directly investigating reused codes and uncovering their characteristics. To examine reused codes in malware, both malware with source code and malware with binary code are considered in this thesis. For malware with source code, reused code chunks in the Mirai botnet. This study lists frequently reused code chunks and analyzes the characteristics and location of the code. For malware with binary code, this study performs reverse engineering on the binary code for human readers to comprehend, visually inspects reused codes in binary ransomware code, and illustrates the functionality of the reused codes on the basis of similar behaviors and tactics. This study makes a novel contribution to the literature by directly investigating the characteristics of reused code in malware.
The findings of the study can help cybersecurity practitioners and scholars increase the performance of malware classification. / Dissertation/Thesis / Masters Thesis Computer Science 2020
186

CYBER-PHYSICAL SYSTEMS: BUILDING A SECURITY REFERENCE ARCHITECTURE FOR CARGO PORTS

Unknown Date
Cyber-Physical Systems (CPS) are physical entities whose operations are monitored, coordinated, and controlled by a computing and communication core. These systems are highly heterogeneous and complex. Their numerous components and cross domain complexity make attacks easy to propagate and security difficult to implement. Consequently, to secure these systems, they need to be built in a systematic and holistic way, where security is an integral part of the development lifecycle and not just an activity after development. These systems present a multitude of implementation details in their component units, so it is fundamental to use abstraction in the analysis and construction of their architecture. In particular, we can apply abstraction through the use of patterns. Pattern-based architectural modeling is a powerful way to describe the system and analyze its security and the other non-functional aspects. Patterns also have the potential to unify the design of their computational, communication, and control aspects. Architectural modeling can be performed through UML diagrams to show the interactions and dependencies between different components and its stakeholders. Also, it can be used to analyze security threats and describe the possible countermeasures to mitigate these threats. An important type of CPS is a maritime container terminal, a facility where cargo containers are transported between ships and land vehicles; for example, trains or trucks, for onward transportation, and vice versa. Every cargo port performs four basic functions: receiving, storing, staging and loading for both, import and export containers. We present here a set of patterns that describe the elements and functions of a cargo port system, and a Reference Architecture (RA) built using these patterns. We analyze and systematically enumerate the possible security threats to a container terminal in a cargo port using activity diagrams derived from selected use cases of the system. 
We describe these threats using misuse patterns, and from them select security patterns as defenses. The RA provides a framework to determine where to add these security mechanisms to stop or mitigate these threats and build a Security Reference Architecture (SRA) for CPS. An SRA is an abstract architecture describing a conceptual model of security that provides a way to specify security requirements for a wide range of concrete architectures. The analysis and design are given using a cargo port as our example, but the approach can be used in other domains as well. This is the first work we know where patterns and RAs are used to represent cargo ports and analyze their security. / Includes bibliography. / Dissertation (PhD)--Florida Atlantic University, 2021. / FAU Electronic Theses and Dissertations Collection
187

Systém prevence průniků využívající Raspberry Pi / Intrusion prevention system based on Raspberry Pi

Hirš, David January 2021
The number of discovered vulnerabilities is rapidly increasing. For example, in 2019, 20 362 vulnerabilities were discovered. The probability of cyber-attacks being realized is high. Therefore it is necessary to propose and implement automated and low-cost Intrusion Prevention or Intrusion Detection Systems (IPS/IDS). This implementation can focus on home use or small corporate networks. The main goal of the system is to detect or mitigate cyber-attack impact as fast as possible. The master's thesis proposes an IPS/IDS based on Raspberry Pi that can detect and prevent various cyber-attacks. The contents of this thesis focus on the description of cyber-attacks based on the ISO/OSI model's Link and Network layers. Then there is a description of IPS/IDS systems and their open-source representatives. The practical part focuses on the experimental workspace, hardware consumption of the chosen detection systems, cyber-attack scenarios and the author's own implementation of a detection program. The detection program is based on these chosen systems and puts them together to be easily manageable.
188

Návrh, tvorba a implementace softwarové aplikace ve firemním prostředí / Design, Creation and Implementation of Software Application in the Corporate Environment

Zavadilová, Patrícia January 2021
The master’s thesis is focused on the design and creation of a solution for converting a company’s software application into mobile and web form. The main goal is to make business processes more efficient and maintain information and cyber security. The result should be a system that brings an innovative and convenient solution, and time and financial savings.
189

Použitelnost Deepfakes v oblasti kybernetické bezpečnosti / Applicability of Deepfakes in the Field of Cyber Security

Firc, Anton January 2021
Deepfake technology has been on the rise recently. Many techniques and tools for creating deepfake media are emerging, and they are beginning to be used for both illegal and beneficial activities. Illegal use leads to research into techniques for detecting deepfake media and to their continuous improvement, as well as to the need to educate the general public about the pitfalls this technology brings. One of the little-explored areas of malicious use is the use of deepfakes to deceive voice authentication systems. Society's opinions on the feasibility of such attacks differ, but there is little scientific evidence. The aim of this thesis is to examine the current readiness of voice biometrics systems to face deepfake recordings. The experiments performed show that voice biometrics systems are vulnerable to deepfake recordings. Although almost all publicly available tools and models are intended for synthesizing English, in this thesis I show that synthesizing voice in any language is not very difficult. Finally, I propose a solution for reducing the risk that deepfake recordings pose to voice biometrics systems, namely to use text-dependent voice verification, as I have shown that it is more resistant to deepfake recordings.
190

Robust model predictive control of resilient cyber-physical systems: security and resource-awareness

Sun, Qi 20 September 2021
Cyber-physical systems (CPS), integrating advanced computation, communication, and control technologies with the physical process, are widely applied in industry applications such as smart production and manufacturing systems, robotic and automotive control systems, and smart grids. Due to possible exposure to unreliable networks and complex physical environments, CPSs may simultaneously face multiple cyber and physical issues including cyber threats (e.g., malicious cyber attacks) and resource constraints (e.g., limited networking resources and physical constraints). As one of the essential topics in designing efficient CPSs, the controller design for CPSs, aiming to achieve secure and resource-aware control objectives under such cyber and physical issues, is very significant yet challenging. Emphasizing optimality and system constraint handling, model predictive control (MPC) is one of the most widely used control paradigms, notably famous for its successful applications in chemical process industry. However, the conventional MPC methods are not specifically tailored to tackle cyber threats and resource constraints, thus the corresponding theory and tools to design the secure and resource-aware controller are lacking and need to be developed. This dissertation focuses on developing MPC-based methodologies to address the i) secure control problem and ii) resource-aware control problem for CPSs subject to cyber threats and resource constraints. In the resource-aware control problem of CPSs, the nonlinear system with additive disturbance is considered. By using an integral-type event-triggered mechanism and an improved robustness constraint, we propose an integral-type event-triggered MPC so that smaller sampling frequency and robustness to the additive disturbance can be obtained. The sufficient conditions for guaranteeing the recursive feasibility and the closed-loop stability are established. For the secure control problem of CPSs, two aspects are considered. 
Firstly, to achieve the secure control objective, we design a secure dual-mode MPC framework, including a modified initial feasible set and a new positively invariant set, for constrained linear systems subject to Denial-of-Service (DoS) attacks. The exponential stability of the closed-loop system is guaranteed under several conditions. Secondly, to deal with cyber threats and take advantage of the cloud-edge computing technology, we propose a model predictive control as a secure service (MPCaaSS) framework, consisting of a double-layer controller architecture and a secure data transmission protocol, for constrained linear systems in the presence of both cyber threats and external disturbances. The rigorous recursive feasibility and robust stability conditions are established. To simultaneously address the secure and resource-aware control problems, an event-triggered robust nonlinear MPC framework is proposed, where a new robustness constraint is introduced to deal with additive disturbances, and a packet transmission strategy is designed to tackle DoS attacks. Then, an event-triggered mechanism, which accommodates DoS attacks occurring in the communication network, is proposed to reduce the communication cost for resource-constrained CPSs. The recursive feasibility and the closed-loop stability in the sense of input-to-state practical stable (ISpS) are guaranteed under the established sufficient conditions. / Graduate
