A Context Aware Anomaly Behavior Analysis Methodology for Building Automation Systems

Pan, Zhiwen, Pan, Zhiwen

January 2017

Advances in mobile and pervasive computing, electronics technology, and the exponential growth in Internet of Things (IoT) applications and services has led to Building Automation System (BAS) that enhanced the buildings we live by delivering more energy-saving, intelligent, comfortable, and better utilization. Through the use of integrated protocols, a BAS can interconnects a wide range of building assets so that the control and management of asset operations and their services can be performed in one protocol. Moreover, through the use of distributed computing and IP based communication, a BAS can implement remote monitor and control in adaptive and real-time manner. However, the use of IoT and distributed computing techniques in BAS are leading to challenges to secure and protect information and services due to the significant increase in the attack surface and the inherent vulnerabilities of BAS integrated protocols. Since there is no intrusion detection and prevention available for BAS network, proposing a reliable security mechanism which can monitor the behavior of BAS assets becomes a major design issue. Anomaly Based Intrusion Detection is a security mechanism that uses baseline model to describe the normal behaviors of a system, so that malicious behaviors occurred in a system can be detected by comparing the observed behavior to the baseline model. With its ability of detecting novel and new attacks, Anomaly based Behavior Analysis (ABA) has been actively pursued by researchers for designing Intrusion Detection Systems. Since the information acquired from a BAS system can be from a variety of sources (e.g. sensors, network protocols, temporal and spatial information), the traditional ABA methodology which merely focuses on analyzing the behavior of communication protocols will not be effective in protecting BAS networks. In this dissertation we aim at developing a general methodology named Context Aware Anomaly based Behavior Analysis (CAABA) which combines Context Awareness technique with Anomaly based Behavior Analysis in order to detect any type of anomaly behaviors occurred in Building Automation Systems. Context Awareness is a technique which is widely used in pervasive computing and it aims at gathering information about a system's environment so it can accurately characterize the current operational context of the BAS network and its services. The CAABA methodology can be used to protect a variety of BAS networks in a sustainable and reliable way. To handle the heterogeneous BAS information, we developed a novel Context Aware Data Structure to represent the information acquired from the sensors and resources during execution of the BAS system which can explicitly describe the system's behavior. By performing Anomaly based Behavior Analysis over the set of context arrays using either data mining algorithm or statistical functions, the BAS baseline models are generated. To validate our methodology, we have applied it to two different building application scenarios: a smart building system which is usually implemented in industrial and commercial office buildings and a smart home system which is implemented in residential buildings, where we have achieved good detection results with low detection errors.

Building Automation Systems

Context Awareness

Cyber Security

Internet of Things

Intrusion Detection System

Smart Buildings

The What, When, and How of Strategic Movement in Adversarial Settings: A Syncretic View of AI and Security

January 2020

abstract: The field of cyber-defenses has played catch-up in the cat-and-mouse game of finding vulnerabilities followed by the invention of patches to defend against them. With the complexity and scale of modern-day software, it is difficult to ensure that all known vulnerabilities are patched; moreover, the attacker, with reconnaissance on their side, will eventually discover and leverage them. To take away the attacker's inherent advantage of reconnaissance, researchers have proposed the notion of proactive defenses such as Moving Target Defense (MTD) in cyber-security. In this thesis, I make three key contributions that help to improve the effectiveness of MTD. First, I argue that naive movement strategies for MTD systems, designed based on intuition, are detrimental to both security and performance. To answer the question of how to move, I (1) model MTD as a leader-follower game and formally characterize the notion of optimal movement strategies, (2) leverage expert-curated public data and formal representation methods used in cyber-security to obtain parameters of the game, and (3) propose optimization methods to infer strategies at Strong Stackelberg Equilibrium, addressing issues pertaining to scalability and switching costs. Second, when one cannot readily obtain the parameters of the game-theoretic model but can interact with a system, I propose a novel multi-agent reinforcement learning approach that finds the optimal movement strategy. Third, I investigate the novel use of MTD in three domains-- cyber-deception, machine learning, and critical infrastructure networks. I show that the question of what to move poses non-trivial challenges in these domains. To address them, I propose methods for patch-set selection in the deployment of honey-patches, characterize the notion of differential immunity in deep neural networks, and develop optimization problems that guarantee differential immunity for dynamic sensor placement in power-networks. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2020

Artificial intelligence

Cyber-security

Equilibrium Computation

Equilibrium Learning

Game Theory

Leader-Follower Games

Moving Target Defense

Masquerader Detection via 2fa Honeytokens

Wiklund, Anton

January 2021

Detection of insider threats is vital within cybersecurity. Techniques for detection include honeytokens, which most often are resources that, through deception, seek to expose intruders. One kind of insider that is detectable via honeytokens is the masquerader. This project proposes implementing a masquerader detection technique where honeytokens are placed within users’ filesystems in such a way that they also provide Two Factor Authentication(2fa) functionality. If a user’s second factor – the honeytoken –is not accessed within a specified timeframe after login, this indicates a potential intrusion, and only a “fake” filesystem will remain available. An alert is also triggered. The intention is to deter insiders from masquerading since they are aware that they must access a uniquely located honeytokena fter logging in to the legitimate user’s account. The technique was evaluated via user-testing that included interviews, a checklist with requirements for feasibility, and a cyber-security expert’s opinion on the technique’s feasibility. The main question evaluated during the project was the feasibility of adding the proposed technique to a computer system’s protective capabilities. The results of the project indicated that the proposed technique is feasible. The project’s results were also compared with the results of prior related research. The project’s scope was limited to a Linux system accessed via SSH into a Bash terminal(non-GUI-compatible), and the implemented technique was also evaluated within such an environment.

Cyber security deception

two-factor authentication(2fa)

honeytoken

misinformation

intrusion detection

Other Engineering and Technologies

Annan teknik

Implementing Honeypots to Build Risk Profiles for IoT Devices in a Home-Based Environment

Kula, Michal Damian

January 2021

Honeypots have been implemented in network security for years now, from the simplesystems where they could only mimic one vulnerable service and gather information aboutan intruder they have morphed in to advanced and complicated environments.Unfortunately, hackers have not left that untouched, and constantly try to detect honeypotsbefore being caught. This ongoing battle can be damaging to unexperienced internet users,who have no idea about securing devices in their small home-based network environment.The purpose of this research is to perform a technical study using IoT devices placed in a homeenvironment in a specially separated segment, and capture traffic between them and externalagents. This data is then analysed and used to build risk profiles of tested IoT devices aimingto provide security recommendations.The results indicate creating risk profiles for IoT devices could be used to gather more preciseinformation about external attacks and provide instant answer to what type of attacks couldbe generated against a selected IoT device. More development would be required to improvethis process, this includes redesign of the network and an automatic software-based toolcapable of generating risk profiles.

IoT

Honeypots

Cyber Security

Home-Based Honeypots

Security Profiles

Information Systems

A Novel Approach for Analyzing and Classifying Malicious Web Pages

Hiremath, Panchakshari N

18 May 2021

No description available.

Computer Science

Computer Engineering

Information Science

Information Technology

Informační bezpečnost jako ukazatel výkonnosti podniku / Information Security as an Indicator of Business Performance

Gancarčik, Rastislav

January 2017

The content of this thesis is a proposal of methodology for evaluating company's performance in areas of information security, while their performance will be judged based on compliance with standard ISO/IEC 27001:2013, Act no. 181/2014 Coll., Regulation 2016/679 of European Parliament and Directive 2016/1148 of the European Parliament. The proposal of this methodology is designed in a particular company which operates in the Czech Republic.

Návrh monitoringu kritické komunikační infrastruktury pro energetickou společnost / A concept of monitoring critical information infrastructure for energetic company

Ševčík, Michal

January 2018

Diploma thesis deals with monitoring critical infrastructure, critical information infrastructure and network monitoring in energetic industry. The goal is to create analytical environment for processing logs from the network, to map the most critical segments of the network and implementation of monitoring and network devices, that increase security and mitigate risks of security events or security incidents

Informační a kybernetické hrozby v roce 2019 / Information and Cyber Threats in 2019

Bača, Jonatán

January 2020

Diploma thesis focuses on information and cyber threats in 2019. It comprises theoretical basis for better understanding of the issue. Afterward the thesis describes the analysis of the current situation which combined several analyses primarily aimed on Czech companies. In the last part draft measures is created which contain predictions and preventive actions and recommendations for companies.

Zavedení standardu ISO 27701 do firmy využitím Gap analýzy / Implementation of standard ISO 27701 in the company using Gap analysis

Vicen, Šimon

January 2020

This thesis analyses current state of the system for implementation of standard ISO 27701: 2019 extention. This standard extends already established standard ISO 27001. The thesis evaluates set of controls to the requirements of standard ISO 27701: 2019. Theoretical part contains information regarding the information security, describes a set of ISO 27000 standards as well as European and Czech legal acts related to information security. Following analysis of the company is performed with the application of security measures while implementing the extension standard ISO 27701. Contribution of this thesis is evaluation of the analysis which results from implementation of recommended standard to address the increased number of security threats and the protection of security information.

Technika SQL injection - její metody a způsoby ochrany / SQL Injection Technique - its Methods and Methods of Protection

Bahureková, Beáta

January 2020

SQL injection is a technique directed against web applications using an SQL database, which can pose a huge security risk. It involves inserting code into an SQL database, and this attack exploits vulnerabilities in the database or application layer. The main goal of my thesis is to get acquainted with the essence of SQL injection, to understand the various methods of this attack technique and to show ways to defend against it. The work can be divided into these main parts, which I will discuss as follows.In the introductory part of the work I mention the theoretical basis concerning SQL injection issues. The next chapter is focused on individual methods of this technique. The analytical part is devoted to mapping the current state of test subjects, scanning tools, which form the basis for optimal research and testing of individual SQL methods, which are discussed in this part from a practical point of view along with the analysis of commands. In the last part I will implement SQL methods on selected subjects and based on the outputs I will create a universal design solution how to defend against such attacks.